actions/dependency-review-action

Add Scopes to Scanned Manifest Files inventory

felickz opened this issue · 1 comment

When reporting out blocking vulnerable packages, it can be hard to know why a vulnerability might have been excluded from the policy. By default, we do not fail/alert on vulnerable dev dependencies but the dependency review UX in GitHub will show vulnerability information on those dependencies (both direct and transitive).

  • Suggestion: Add (runtime), (development), or (unknown) to the PR / Action Logs:

Scanned Manifest Files

.github/workflows/dependency-review.yml

actions/dependency-review-action@main (runtime)
actions/dependency-review-action@1.. (runtime)

docs/package-lock.json

json-logic-js@1.2.3 (runtime)
minimist@1.2.5 (development)
ansi-regex@4.1.0 (development)
lodash@4.17.20 (development)
tar@2.2.2 (development)
fstream@1.0.11 (development)
lodash.mergewith@4.6.1 (development)
tar@2.2.1 (development)
node-sass@4.14.1 (development)
request@2.88.2 (development)

Dependency Review GitHub - Files Changed rich view:

  • would be nice to see scope here as well :)
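As an added example (not the action's own code), a TypeScript sketch of the suggested annotation: each package is listed as `name@version (scope)` and, when it carries advisories, with the reason the policy did or did not block it, which is the "why was this excluded" question the request raises. The change-record shape and the `fail-on-scopes` / `fail-on-severity` policy names are assumptions modelled on the action's inputs and the dependency review API; the sample data is constructed.

```typescript
// Added example, not the dependency-review-action's own code. Annotates each scanned
// package with its scope and, when vulnerable, with why the configured policy did or
// did not block it. Assumption: record shape modelled on the dependency review API.
type Scope = "runtime" | "development" | "unknown";
type Severity = "low" | "moderate" | "high" | "critical";
interface Change { manifest: string; name: string; version: string; scope: Scope;
  vulnerabilities: { severity: Severity; advisory_ghsa_id: string }[]; }
interface Policy { failOnScopes: Scope[];    // fail-on-scopes input; the action defaults to runtime only
                   failOnSeverity: Severity; } // fail-on-severity input; minimum severity that blocks
const RANK: Record<Severity, number> = { low: 0, moderate: 1, high: 2, critical: 3 };

// One log line per package: "<name>@<version> (<scope>)", followed for vulnerable
// packages by why the finding shown in the PR view did or did not fail the check.
function describeChange(c: Change, p: Policy): string {
  const head = `${c.name}@${c.version} (${c.scope})`;
  if (c.vulnerabilities.length === 0) return head;
  const worst = c.vulnerabilities.reduce((m, v) => (RANK[v.severity] > RANK[m.severity] ? v : m));
  const ids = c.vulnerabilities.map((v) => v.advisory_ghsa_id).join(", ");
  if (!p.failOnScopes.includes(c.scope)) {
    return `${head} - ${ids}: not blocking, scope "${c.scope}" is not in fail-on-scopes`;
  }
  if (RANK[worst.severity] < RANK[p.failOnSeverity]) {
    return `${head} - ${ids}: not blocking, ${worst.severity} is below fail-on-severity ${p.failOnSeverity}`;
  }
  return `${head} - ${ids}: BLOCKING (${worst.severity})`;
}

// Group the annotated lines under their manifest, like the "Scanned Manifest Files" log section.
function scannedManifestReport(changes: Change[], p: Policy): Record<string, string[]> {
  const out: Record<string, string[]> = {};
  for (const c of changes) {
    if (!out[c.manifest]) out[c.manifest] = [];
    out[c.manifest].push(describeChange(c, p));
  }
  return out;
}

// Constructed sample input; advisory ids are placeholders, not real advisories.
const SAMPLE: Change[] = [
  { manifest: "docs/package-lock.json", name: "json-logic-js", version: "1.2.3", scope: "runtime",
    vulnerabilities: [{ severity: "high", advisory_ghsa_id: "GHSA-PLACEHOLDER-1" }] },
  { manifest: "docs/package-lock.json", name: "minimist", version: "1.2.5", scope: "development",
    vulnerabilities: [{ severity: "critical", advisory_ghsa_id: "GHSA-PLACEHOLDER-2" }] },
  { manifest: "docs/package-lock.json", name: "lodash", version: "4.17.20", scope: "development", vulnerabilities: [] },
];
```

With the default scope policy the critical advisory on `minimist` is reported as not blocking because the package is a development dependency, which is exactly the case the log currently leaves unexplained.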