Deprecate deny lists #958
Conversation
Pull Request Overview
This PR deprecates the `deny-licenses` configuration option by adding deprecation warnings and making minor lint improvements. The purpose is to guide users toward using the `allow-licenses` option instead as part of a planned phase-out of deny list functionality.

- Adds a deprecation warning message to the action summary output
- Updates README documentation to mark `deny-licenses` as deprecated
- Includes small lint fixes in test files (variable declaration improvements and unused import removal)
Reviewed Changes
Copilot reviewed 3 out of 6 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| src/summary.ts | Adds deprecation warning function and calls it in the main summary function |
| tests/summary.test.ts | Adds test for deprecation warning and includes lint fixes for variable declarations |
| README.md | Updates documentation to mark deny-licenses option as deprecated |
Looking good! Just a couple minor comments.
To follow up on my comments after thinking it over a bit more, two points:
Thanks for both reviews! @ahpook Do you think we should also be somehow allowing users to suppress the message in the Summary?
I don't have a strong preference on the warning suppression, so I'll leave that to @ahpook. From my perspective, a little tweak to the tests and this looks good!
__tests__/summary.test.ts
@@ -119,8 +119,25 @@ test('adds deprecation warning for deny-licenses option', () => { | |||
) | |||
const text = core.summary.stringify() | |||
|
|||
expect(text).not.toContain( | |||
'⚠️ <strong>Deprecation Warning</strong>: The <em>deny-licenses</em> option is deprecated and will be removed in the next major version release, use <em>allow-licenses</em> instead.' |
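Review bot: the negative assertion at `expect(text).not.toContain(` compares the whole warning sentence, so any rewording of the warning makes it pass vacuously (the positive case elsewhere in this PR already uses different text: "deprecated for possible removal in the next major release" rather than "will be removed in the next major version release"); assert on a short, stable token such as `deny-licenses` or `Deprecation Warning` instead, so the test still proves the warning is absent when the option is not configured.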
nit: For a `not.toContain` test, I'd check for something short like `deny-licenses` or `Deprecation Warning` because any little text change would make this test always pass and not tell us anything useful.
Actually, looks like this is already the case… the deprecation warning could be there, but the text of the warning is different from what we're testing for.
Corrected! Thank you for spotting this!
__tests__/summary.test.ts
expect(text).toContain( | ||
'⚠️ <strong>Deprecation Warning</strong>: The <em>deny-licenses</em> option is deprecated and will be removed in a future version, use <em>allow-licenses</em> instead.' | ||
'⚠️ <strong>Deprecation Warning</strong>: The <em>deny-licenses</em> option is deprecated for possible removal in the next major release. See [Deprecate the deny-licenses option #938](https://github.com/actions/dependency-review-action/issues/938) for more information.' |
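Review bot: the positive `expect(text).toContain(` assertion matches the entire rendered sentence, so it breaks on every copy edit, and this hunk itself already rewrites the wording (from "will be removed in a future version" to "deprecated for possible removal in the next major release"); match on a stable fragment such as `Deprecation Warning` together with the issue link `https://github.com/actions/dependency-review-action/issues/938`, and use the same fragment in the negative test so the two cases cannot drift apart.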
This one is more personal preference, but I would make this test resilient to change just like in the negative case. I'd rather not see this test have to change every time there's a minor text edit.
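Added example, not code from the PR or from the action itself: a minimal model of the summary step that emits the deny-licenses deprecation warning only when that option is configured (the behaviour described in the overview), plus a token-based check of the kind the reviewers asked for instead of matching the full sentence. The `LicenseConfig` shape and the `buildSummary`, `addDeprecationWarning` and `hasDeprecationWarning` names are assumptions.

```typescript
// Assumed shape of the parsed action inputs; only the two license options matter here.
export interface LicenseConfig {
  allowLicenses?: string[]
  denyLicenses?: string[]
}

// Issue tracking the phase-out, quoted from the PR's warning text.
export const DEPRECATION_ISSUE =
  'https://github.com/actions/dependency-review-action/issues/938'

export const DEPRECATION_WARNING =
  '⚠️ <strong>Deprecation Warning</strong>: The <em>deny-licenses</em> option is ' +
  'deprecated for possible removal in the next major release. See ' +
  `[Deprecate the deny-licenses option #938](${DEPRECATION_ISSUE}) for more information.`

// Append the warning only when a deny list is actually in use, so users of
// allow-licenses (or of neither option) get a clean summary.
export function addDeprecationWarning(lines: string[], config: LicenseConfig): string[] {
  const denyList = config.denyLicenses ?? []
  if (denyList.length > 0) {
    lines.push(DEPRECATION_WARNING)
  }
  return lines
}

// Stand-in for the summary builder (assumed, not the action's real one):
// a heading, the license policy in effect, then any warnings.
export function buildSummary(config: LicenseConfig): string {
  const lines = ['<h2>Dependency Review</h2>']
  if (config.allowLicenses && config.allowLicenses.length > 0) {
    lines.push(`<p>Allowed licenses: ${config.allowLicenses.join(', ')}</p>`)
  }
  if (config.denyLicenses && config.denyLicenses.length > 0) {
    lines.push(`<p>Denied licenses: ${config.denyLicenses.join(', ')}</p>`)
  }
  addDeprecationWarning(lines, config)
  return lines.join('\n')
}

// Test helper in the spirit of the review thread: look for short, stable tokens
// rather than the full sentence, so copy edits to the warning neither break the
// positive test nor make the negative test pass for the wrong reason.
export function hasDeprecationWarning(summaryText: string): boolean {
  return (
    summaryText.includes('Deprecation Warning') && summaryText.includes(DEPRECATION_ISSUE)
  )
}
```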
I like that as well
Ah ok, nevermind me then. I'd thought it was inline in the PR.
Nice, I like it!
…2 [skip ci]

Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 4.7.1 to 4.7.2.

Release notes

*Sourced from [actions/dependency-review-action's releases](https://github.com/actions/dependency-review-action/releases).*

> 4.7.2
>
> What's Changed
>
> * Add Missing Languages to CodeQL Advanced Configuration by [`@KyFaSt`](https://github.com/KyFaSt) in [actions/dependency-review-action#945](https://redirect.github.com/actions/dependency-review-action/pull/945)
> * Deprecate deny lists by [`@claire153`](https://github.com/claire153) in [actions/dependency-review-action#958](https://redirect.github.com/actions/dependency-review-action/pull/958)
> * Address discrepancy between docs and reality by [`@ahpook`](https://github.com/ahpook) in [actions/dependency-review-action#960](https://redirect.github.com/actions/dependency-review-action/pull/960)
>
> New Contributors
>
> * [`@KyFaSt`](https://github.com/KyFaSt) made their first contribution in [actions/dependency-review-action#945](https://redirect.github.com/actions/dependency-review-action/pull/945)
> * [`@claire153`](https://github.com/claire153) made their first contribution in [actions/dependency-review-action#958](https://redirect.github.com/actions/dependency-review-action/pull/958)
> * [`@ahpook`](https://github.com/ahpook) made their first contribution in [actions/dependency-review-action#960](https://redirect.github.com/actions/dependency-review-action/pull/960)
>
> **Full Changelog**: <actions/dependency-review-action@v4...v4.7.2>

Commits

* [`bc41886`](actions/dependency-review-action@bc41886) Cut 4.7.2 version release ([#964](https://redirect.github.com/actions/dependency-review-action/issues/964))
* [`1c73553`](actions/dependency-review-action@1c73553) Merge pull request [#960](https://redirect.github.com/actions/dependency-review-action/issues/960) from ahpook/ahpook/address-docs-dashes
* [`fac3d41`](actions/dependency-review-action@fac3d41) Bump the minor-updates group across 1 directory with 5 updates ([#956](https://redirect.github.com/actions/dependency-review-action/issues/956))
* [`d8073c4`](actions/dependency-review-action@d8073c4) Merge pull request [#958](https://redirect.github.com/actions/dependency-review-action/issues/958) from actions/claire153/deprecate-deny-lists
* [`77184c6`](actions/dependency-review-action@77184c6) Fix tests
* [`5558c35`](actions/dependency-review-action@5558c35) Address discrepancy between docs and reality
* [`e85d57a`](actions/dependency-review-action@e85d57a) Remove test code
* [`3eb6279`](actions/dependency-review-action@3eb6279) Re-add test package. Only show warning in summary if option is used. Update c...
* [`7cf33ac`](actions/dependency-review-action@7cf33ac) Remove test deny list
* [`493bee0`](actions/dependency-review-action@493bee0) Remove test package
* Additional commits viewable in [compare view](actions/dependency-review-action@da24556...bc41886)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.
Closes https://github.com/github/dependency-graph/issues/6488.