Sourced from actions/dependency-review-action's releases.

v4.7.1

• Packages added to allow-dependencies-licenses will be allowed even if the package in question has no license information #889
• License expressions (e.g. Ruby OR GPL-2.0) in the allow list are automatically discarded so that they don't invalidate the whole allow list, which should just be license identifier (e.g. Ruby)

v4.7.0

• Handle complex license expressions (e.g. MIT AND GPL-2.0) in allow lists (fixes #809 and probably others)
• Replace OTHER in package licenses with LicenseRef-clearlydefined-OTHER so that parsing passes

v4.6.0

What's Changed

• Updating multiple dependency versions by @​Ahmed3lmallah in actions/dependency-review-action#870
• Grouping minor and patch dependabot updates to lessen the number of PRs by @​Ahmed3lmallah in actions/dependency-review-action#876
• Bump actions/stale from 9.0.0 to 9.1.0 by @​dependabot in actions/dependency-review-action#878
• Bump undici from 5.28.4 to 5.28.5 by @​dependabot in actions/dependency-review-action#877
• DR Action should link to the proxima stamp when appropriate in error messages by @​AshelyTC in actions/dependency-review-action#891
• Allow deny package removal by @​ellenfieldn in actions/dependency-review-action#888
• Fix typos by @​omahs in actions/dependency-review-action#893
• Bump esbuild from 0.19.5 to 0.25.0 by @​dependabot in actions/dependency-review-action#900
• Bump octokit and related dependencies by @​RomanIakovlev in actions/dependency-review-action#904
• Bump @​babel/helpers from 7.23.2 to 7.26.10 by @​dependabot in actions/dependency-review-action#905
• Bump @​octokit/plugin-paginate-rest from 9.1.5 to 9.2.2 by @​dependabot in actions/dependency-review-action#899
• Update transitive dependency spdx-license-ids by @​ailox in actions/dependency-review-action#855
• To not print OpenSSF Scorecard section if no dependencies scanned by @​fabasoad in actions/dependency-review-action#884
• Improve usage of this action in dependency-review.yml by @​fabasoad in actions/dependency-review-action#883
• Clarify comment-summary-in-pr behaviour by @​Pantelis-Santorinios in actions/dependency-review-action#902
• Prepare 4.6.0 Release candidate by @​brrygrdn in actions/dependency-review-action#910

New Contributors

• @​AshelyTC made their first contribution in actions/dependency-review-action#891
• @​ellenfieldn made their first contribution in actions/dependency-review-action#888
• @​omahs made their first contribution in actions/dependency-review-action#893
• @​RomanIakovlev made their first contribution in actions/dependency-review-action#904
• @​ailox made their first contribution in actions/dependency-review-action#855
• @​fabasoad made their first contribution in actions/dependency-review-action#884
• @​Pantelis-Santorinios made their first contribution in actions/dependency-review-action#902
• @​brrygrdn made their first contribution in actions/dependency-review-action#910

Full Changelog: https://github.com/actions/dependency-review-action/compare/v4.5.0...v4.6.0

• da24556 Merge pull request #933 from actions/dangoor/471-release
• 9af0caf Bump version number for 4.7.1
• d8f2df2 Merge pull request #932 from actions/907-disallow-expression
• 6e9307a Discard allow list entries that are not SPDX IDs
• 8805179 Merge pull request #930 from actions/889-allow-no-license
• 014300b Update build
• 34486f3 Check namespaces when excluding license checks
• 9b155d6 Update build
• f199659 Allowing dependencies works with no licenses
• 38ecb5b Merge pull request #929 from actions/dangoor/4.7-release
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)