Federico Builes

Results 53 comments of Federico Builes

The SPDX expression parser we use is brittle (see https://github.com/actions/dependency-review-action/issues/263). I think moving to something like https://www.npmjs.com/package/@onebeyond/spdx-license-satisfies would provide a better experience and fix the issues with `OR`. We don't...

@npushkarskii https://github.com/actions/dependency-review-action/pull/719 might need tweaks, but it fixes this bug. We hope it lands somewhere in the next week or two. If you want to start testing it today and...

@austimkelly looking at your example PR I see `Error: Dependency review detected denied packages.` [in the action logs](https://github.com/austimkelly/dependecy-review-study/actions/runs/8297118734/job/22707515953?pr=1) and the check failing (which is the purpose of `deny_packages`). Am I...

@austimkelly Thanks for the clarification. I think your suggestions make sense and would improve. Do you mind opening a new issue with the feature request? This helps with our board's...

@wadells thank you for taking the time to share your ideas. I think this would be a nice thing to have, maybe added as a config option (another one 😅)...

Hi @AlekSi. Being able to ignore files seems natural after we add support for license ignoring (https://github.com/actions/dependency-review-action/pull/423). We don't have cycles atm to implement this, but if you want to...

I think the clarity of the error messages has been improved in https://github.com/actions/dependency-review-action/pull/370 (thanks again @felickz!). I'm closing this issue; please re-open if this is still a problem.

The latest release (`v3`) is fully SPDX-compliant and now has support for `AND`/`OR` expressions. Sadly, your specific example is a [known bug in an upstream library](https://github.com/jslicense/spdx-satisfies.js/issues/14), so I'm not confident...

@JPLachance we can't proceed until https://github.com/jslicense/spdx-satisfies.js/issues/14 is fixed upstream. All ears if you have suggestions on how to improve the parsing of SPDX expressions!

@JPLachance Your excitement regarding the project is very motivating, thank you for your comment! It sounds like this issue is problematic for you as an Advanced Security customer (FOSS projects...