
chore: add dependency review tool #27

Open · wants to merge 1 commit into base: master

Conversation

inigomarquinez
Contributor

Main Changes

This GitHub action will add an additional check when a PR is created in the project and will review any change in the dependencies.

This Action will scan dependency manifest files that change as part of a Pull Request, surfacing known-vulnerable versions of the packages declared or updated in the PR. Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable packages will be blocked from merging.
Source repository

Overall, this will prevent us from introducing vulnerable dependency versions without the need to manually check that.

Impact on the OSSF Scorecard

[Screenshot 2024-03-14 at 21:38:51]

Note that our current score is 10/10, so this is a preventive measure.

Context
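For readers who want to see what such a check looks like in practice, here is an example workflow. It is added for illustration and is not the file from this PR, whose contents are not shown on this page; the file path, the severity threshold and the comment setting are assumptions, while `fail-on-severity` and `comment-summary-in-pr` are real inputs of actions/dependency-review-action.

```yaml
# .github/workflows/dependency-review.yml
# (assumed path; the PR's own workflow file is not shown on this page)
name: Dependency Review

# Run on every pull request so the diff of manifest files
# (package.json, package-lock.json, etc.) is what gets scanned.
on:
  pull_request:

# Least privilege: reading the repository is enough to scan manifests.
# pull-requests: write is only needed for comment-summary-in-pr below.
permissions:
  contents: read
  pull-requests: write

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Dependency Review
        # Pinning to a commit SHA instead of a tag keeps the Scorecard
        # Pinned-Dependencies check happy; the tag is used here for readability.
        uses: actions/dependency-review-action@v4
        with:
          # Fail the check if a package added or updated in this PR has a
          # known vulnerability of this severity or higher (assumed threshold).
          fail-on-severity: moderate
          # Post the findings as a PR comment so reviewers see them
          # without opening the workflow logs (assumed setting).
          comment-summary-in-pr: on-failure
```

As the description above notes, marking this workflow run as a required status check in branch protection is what turns a finding into a blocked merge.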

Member

@UlisesGascon left a comment


LGTM!


2 participants