
`warn_only` Does Not Apply When Using a Deny List

Open AlexWilson-GIS opened this issue 1 year ago • 1 comments

Following up on the conclusion of #706 and the following statement by @febuiles:

> `warn_only` does not work in conjunction with `deny_list`. This is not a bug, but we might want to reconsider this interaction. The reasons for this behavior are historical, not technical. ... If you feel we should change the behavior of `warn_only` to take `deny_list` into account (understandable!) please open a new issue (cc @jonjanego).

This is an interesting problem to consider. There may be a situation where you want to warn on any vulnerabilities that are found, but still fail if denied packages are found. So perhaps the answer is a different option to enable warning on denied packages, or creating a separate package warning list.

The reason this matters to me is that I have only just started rolling out the use of this action within my company's repositories, and we are already running into situations where packages are being misidentified by Dependency Graph, which has caused this check to block PRs unnecessarily. It's nice to have the awareness that the action brings, but in some cases the maturity of the ecosystem is not yet at a level where I can feel comfortable telling other development teams that they should always block.

AlexWilson-GIS avatar Mar 27 '24 19:03 AlexWilson-GIS
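The interaction the issue describes, modelled as a small gate evaluator (an added example, not code from dependency-review-action): vulnerability findings are downgraded to warnings by `warn_only`, deny-list hits are not, and a hypothetical separate `warn_on_denied` switch stands in for the "different option" the issue proposes. Package names and severities are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Optional

# Severity ladder used to compare findings against a fail-on-severity threshold.
SEVERITIES = ["low", "moderate", "high", "critical"]


@dataclass
class Change:
    name: str                  # package name (constructed sample values below)
    severity: Optional[str]    # highest advisory severity found, None if clean


@dataclass
class Policy:
    fail_on_severity: str = "low"
    deny_list: frozenset = frozenset()
    warn_only: bool = False       # downgrade vulnerability failures to warnings
    warn_on_denied: bool = False  # hypothetical switch: also downgrade deny-list hits


@dataclass
class Verdict:
    failures: list = field(default_factory=list)
    warnings: list = field(default_factory=list)

    @property
    def passed(self) -> bool:
        return not self.failures


def evaluate(changes, policy):
    """Classify each changed dependency as a failure, a warning, or clean."""
    verdict = Verdict()
    threshold = SEVERITIES.index(policy.fail_on_severity)
    for c in changes:
        if c.name in policy.deny_list:
            msg = f"{c.name}: package is on the deny list"
            # Current behaviour: warn_only does not apply here, so a deny-list
            # hit still fails unless the separate warn_on_denied switch is set.
            (verdict.warnings if policy.warn_on_denied else verdict.failures).append(msg)
        if c.severity is not None and SEVERITIES.index(c.severity) >= threshold:
            msg = f"{c.name}: {c.severity} severity advisory"
            (verdict.warnings if policy.warn_only else verdict.failures).append(msg)
    return verdict


# Constructed sample input: one denied package, one vulnerable package, one clean.
CHANGES = [Change("denied-pkg", None), Change("vuln-pkg", "high"), Change("clean-pkg", None)]
DENY = frozenset({"denied-pkg"})
```

With `warn_only=True` alone the run still fails on `denied-pkg` while `vuln-pkg` is only a warning; adding `warn_on_denied=True` turns both into warnings.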

Hi @AlexWilson-GIS, thank you for the suggestion. It's an interesting suggested workaround to what seems like the bigger issue to focus on: what you said of packages being misidentified. When you encounter problems of this nature please be sure to file issues for us so that we can see what's going on. Thanks!

jonjanego avatar Apr 01 '24 19:04 jonjanego

👋 This issue has been marked as stale because it has been open with no activity for 180 days. You can: comment on the issue or remove the stale label to hold stalebot off for a while, add the Keep label to hold stale off permanently, or do nothing. If you do nothing, this issue will be closed eventually by the stalebot. Please see CONTRIBUTING.md for more policy details.

github-actions[bot] avatar Sep 29 '24 00:09 github-actions[bot]

👋 This issue has been closed by stalebot because it has been open with no activity for over 180 days. Please see CONTRIBUTING.md for more policy details.

github-actions[bot] avatar Oct 15 '24 00:10 github-actions[bot]