{"id":15755277,"url":"https://github.com/zkoppert/dependency-review-action","last_synced_at":"2026-03-18T03:57:50.356Z","repository":{"id":111957324,"uuid":"470655085","full_name":"zkoppert/dependency-review-action","owner":"zkoppert","description":null,"archived":false,"fork":false,"pushed_at":"2022-03-16T18:48:37.000Z","size":1249,"stargazers_count":1,"open_issues_count":0,"forks_count":1,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-02-10T21:12:18.137Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/zkoppert.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-03-16T16:02:52.000Z","updated_at":"2023-03-09T03:10:06.000Z","dependencies_parsed_at":"2023-05-03T08:17:04.231Z","dependency_job_id":null,"html_url":"https://github.com/zkoppert/dependency-review-action","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/zkoppert/dependency-review-action","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zkoppert%2Fdependency-review-action","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zkoppert%2Fdependency-review-action/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zkoppert%2Fdependency-review-action/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zkoppert%2Fdependency-review-action/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/Gi
tHub/owners/zkoppert","download_url":"https://codeload.github.com/zkoppert/dependency-review-action/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zkoppert%2Fdependency-review-action/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30646396,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-18T02:48:56.676Z","status":"ssl_error","status_checked_at":"2026-03-18T02:48:55.747Z","response_time":104,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-10-04T08:21:03.266Z","updated_at":"2026-03-18T03:57:50.332Z","avatar_url":"https://github.com/zkoppert.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# Dependency Review Action\n\nThis Action scans for vulnerable versions of dependencies introduced\nby package version changes in Pull Requests, and warns you about the\nassociated security vulnerabilities.\n\nThe Action makes an authenticated query to the Dependency Graph Diff\nAPI endpoint (`GET /repos/{owner}/{repo}/dependency-graph/compare/{basehead}`)\nto find out the set of added and removed vulnerabilities for each dependency.\n\n\n## Usage\n\n1. Create a new [Personal Access Token\n   (PAT)](https://github.com/settings/tokens) with the `repo` permissions. Copy this for use in step 2\n2. 
Create a new Actions Secret on your repo at `https://github.com/\u003cOWNER\u003e/\u003cREPO\u003e/settings/secrets/actions`\n3. Name it `REPO_TOKEN` and set its value to the previously generated PAT from step 1. Note that the `repo` scope on a classic PAT grants read/write access to every repository the token owner can reach, so generate it from an account with the narrowest repository access you can arrange and rotate it if it is ever exposed\n4. Add a new YAML workflow to your `.github/workflows` folder:\n\n```yaml\nname: 'Dependency Review'\non: [pull_request]\n\njobs:\n  dependency-review:\n    runs-on: ubuntu-latest\n    steps:\n      - name: 'Checkout Repository'\n        uses: actions/checkout@v3\n      - name: 'Dependency Review'\n        uses: dsp-testing/dependency-review-action@main\n        with:\n          repo-token: ${{ secrets.REPO_TOKEN }}\n```\n\n## Rough Edges\n\nThe DR workflow will execute whenever a Pull Request on the target\nrepo receives a push. Upon install, the Action will not execute\nautomatically on existing in-flight PRs until they receive a push.\n\n\nOnce installed, any changes to DR-eligible manifest files in a PR that\n_do not address existing vulnerable dependencies declared there_ will\ncause this Action to fail CI. This is slated to be addressed during\nthe staff ship, and should not affect your ability to merge such PRs.\n\n\nIf you encounter undue friction and need assistance, contact the DR\nmaintainers using the methods outlined in the staff ship announcement,\nor in Slack at `#dependency-graph`.\n\n\n_Note_: We are using the `@main` release since this is still under\nactive development. Once we're ready to ship to production we'll\nchange this to a proper version number.\n\n## Bugs and Suggestions\n\nPlease file a new issue if you encounter a bug, or if this is behaving\nin an unexpected way. 
You can also find us in Slack in the\n#dependency-graph channel.\n\n## Local Development\n\nThis will get you running the Action locally for stubbed development:\n\n```sh\n$ GITHUB_TOKEN=\u003ctoken\u003e ./scripts/dev \u003cowner\u003e/\u003crepo\u003e\n```\n\n## Releases\n\nDon't forget to package your code when doing a new release!\n\n```\n$ npm run build \u0026\u0026 npm run package\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fzkoppert%2Fdependency-review-action","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fzkoppert%2Fdependency-review-action","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fzkoppert%2Fdependency-review-action/lists"}
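The README above explains what the Action does: build the `{basehead}` segment for the pull request, make an authenticated call to `GET /repos/{owner}/{repo}/dependency-graph/compare/{basehead}`, and fail CI when the diff adds a dependency that carries a known advisory. The following is an added Python illustration of that check, not the action's own code (the action is TypeScript, built with `npm run build && npm run package`). It assumes the compare endpoint returns a JSON array of change objects with `change_type`, `manifest`, `name`, `version` and a `vulnerabilities` list whose items carry `severity`, `advisory_ghsa_id`, `advisory_summary` and `advisory_url`; the `SAMPLE_DIFF` response, its package names and its GHSA ids are constructed placeholders, and the severity threshold is this example's addition rather than an input the README documents.

```python
"""Added example of the Dependency Review check (not the action's own code).

Assumed response shape for
GET /repos/{owner}/{repo}/dependency-graph/compare/{basehead}:
a JSON array of change objects with change_type ("added"/"removed"),
manifest, name, version and a vulnerabilities list of
{severity, advisory_ghsa_id, advisory_summary, advisory_url}.
"""

import json
import urllib.request
from dataclasses import dataclass

API_BASE = "https://api.github.com"

# Ranking for the severity threshold (this example's addition); unknown
# or missing severities rank below "low" and never trip the threshold.
SEVERITY_RANK = {"low": 1, "moderate": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    manifest: str
    name: str
    version: str
    ghsa_id: str
    severity: str
    summary: str


def basehead(base: str, head: str) -> str:
    """Build the {basehead} path segment, '<base>...<head>'.

    In a pull_request workflow the base is the target branch (github.base_ref)
    and the head is the PR head SHA (github.event.pull_request.head.sha)."""
    return f"{base}...{head}"


def build_request(owner: str, repo: str, base: str, head: str, token: str) -> urllib.request.Request:
    """Prepare the authenticated compare call; token is the REPO_TOKEN PAT.

    The request is only prepared, not sent, so the example runs offline."""
    url = f"{API_BASE}/repos/{owner}/{repo}/dependency-graph/compare/{basehead(base, head)}"
    return urllib.request.Request(
        url,
        headers={
            "Accept": "application/vnd.github+json",
            "Authorization": f"Bearer {token}",
        },
    )


def added_vulnerable(diff: list) -> list:
    """Keep only dependencies the PR *adds* that carry at least one advisory.

    "removed" entries are skipped even if they carry advisories: dropping a
    vulnerable package cannot introduce a vulnerability into the PR."""
    findings = []
    for change in diff:
        if change.get("change_type") != "added":
            continue
        for vuln in change.get("vulnerabilities") or []:
            findings.append(Finding(
                manifest=change.get("manifest", ""),
                name=change["name"],
                version=change.get("version", ""),
                ghsa_id=vuln.get("advisory_ghsa_id", ""),
                severity=(vuln.get("severity") or "").lower(),
                summary=vuln.get("advisory_summary", ""),
            ))
    return findings


def should_fail(findings: list, min_severity: str = "low") -> bool:
    """CI fails if any added dependency has an advisory at or above the threshold."""
    threshold = SEVERITY_RANK[min_severity]
    return any(SEVERITY_RANK.get(f.severity, 0) >= threshold for f in findings)


def report(findings: list) -> list:
    """One human-readable line per finding, for the job log."""
    return [f"{f.manifest}: {f.name}@{f.version} {f.severity.upper()} {f.ghsa_id} {f.summary}"
            for f in findings]


# Constructed sample response; package names and GHSA ids are placeholders.
SAMPLE_DIFF = json.loads("""[
  {"change_type": "added", "manifest": "package-lock.json", "ecosystem": "npm",
   "name": "example-pkg-a", "version": "1.0.0",
   "vulnerabilities": [{"severity": "high", "advisory_ghsa_id": "GHSA-xxxx-xxxx-xxx1",
                        "advisory_summary": "placeholder advisory A",
                        "advisory_url": "https://github.com/advisories/GHSA-xxxx-xxxx-xxx1"}]},
  {"change_type": "added", "manifest": "package-lock.json", "ecosystem": "npm",
   "name": "example-pkg-b", "version": "2.3.1",
   "vulnerabilities": [{"severity": "moderate", "advisory_ghsa_id": "GHSA-xxxx-xxxx-xxx2",
                        "advisory_summary": "placeholder advisory B",
                        "advisory_url": "https://github.com/advisories/GHSA-xxxx-xxxx-xxx2"}]},
  {"change_type": "removed", "manifest": "package-lock.json", "ecosystem": "npm",
   "name": "example-pkg-c", "version": "0.1.0",
   "vulnerabilities": [{"severity": "critical", "advisory_ghsa_id": "GHSA-xxxx-xxxx-xxx3",
                        "advisory_summary": "placeholder advisory C",
                        "advisory_url": "https://github.com/advisories/GHSA-xxxx-xxxx-xxx3"}]},
  {"change_type": "added", "manifest": "package-lock.json", "ecosystem": "npm",
   "name": "example-pkg-d", "version": "0.9.0", "vulnerabilities": []}
]""")


def main() -> None:
    findings = added_vulnerable(SAMPLE_DIFF)
    for line in report(findings):
        print(line)
    if should_fail(findings, "low"):
        raise SystemExit(1)


if __name__ == "__main__":
    main()
```

Run against the constructed sample, the check reports the two added packages with advisories and ignores both the removed package and the clean addition; sending the prepared request with `urllib.request.urlopen(build_request(...))` against a real repository is left to the caller, and the `Authorization`/`Accept` header names are the ones the GitHub REST API accepts.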