v4.6.0

What's Changed

• Updating multiple dependency versions by @Ahmed3lmallah in #870
• Grouping minor and patch dependabot updates to lessen the number of PRs by @Ahmed3lmallah in #876
• Bump actions/stale from 9.0.0 to 9.1.0 by @dependabot in #878
• Bump undici from 5.28.4 to 5.28.5 by @dependabot in #877
• DR Action should link to the proxima stamp when appropriate in error messages by @AshelyTC in #891
• Allow deny package removal by @ellenfieldn in #888
• Fix typos by @omahs in #893
• Bump esbuild from 0.19.5 to 0.25.0 by @dependabot in #900
• Bump octokit and related dependencies by @RomanIakovlev in #904
• Bump @babel/helpers from 7.23.2 to 7.26.10 by @dependabot in #905
• Bump @octokit/plugin-paginate-rest from 9.1.5 to 9.2.2 by @dependabot in #899
• Update transitive dependency spdx-license-ids by @ailox in #855
• To not print OpenSSF Scorecard section if no dependencies scanned by @fabasoad in #884
• Improve usage of this action in dependency-review.yml by @fabasoad in #883
• Clarify comment-summary-in-pr behaviour by @Pantelis-Santorinios in #902
• Prepare 4.6.0 Release candidate by @brrygrdn in #910

New Contributors

• @AshelyTC made their first contribution in #891
• @ellenfieldn made their first contribution in #888
• @omahs made their first contribution in #893
• @RomanIakovlev made their first contribution in #904
• @ailox made their first contribution in #855
• @fabasoad made their first contribution in #884
• @Pantelis-Santorinios made their first contribution in #902
• @brrygrdn made their first contribution in #910

Full Changelog: v4.5.0...v4.6.0

v4.5.0

What's Changed

• Bump got from 14.4.2 to 14.4.3 by @dependabot in #844
• Bump nodemon from 3.1.0 to 3.1.7 by @dependabot in #847
• Bump @vercel/ncc from 0.38.1 to 0.38.3 by @dependabot in #849
• Overriding the cross-spawn dependency to use a safe version by @Ahmed3lmallah in #850
• fix: add summary comment on failure when warn-only: true by @ebickle in #827
• Prepare for 4.5.0 release by @Ahmed3lmallah in #851

New Contributors

• @ebickle made their first contribution in #827

Full Changelog: v4...v4.5.0

v4.4.0

What's Changed

• Fix for merge_group event bug by @Ahmed3lmallah in #846

Full Changelog: v4.3.5...v4.4.0

v4.3.5

What's Changed

• fix: getRefs function to handle merge_group events by @louis-bompart in #766
• Create pull_request_template.md by @jonjanego in #794
• Update CONTRIBUTING.md by @jonjanego in #793
• Bump @types/node from 20.11.28 to 20.16.0 by @dependabot in #815
• Upgrade transitive micromatch library by @elireisman in #829
• Do not list changed dependencies in summary by @hmaurer in #828
• Update stale.yaml by @jonjanego in #832
• Bump got from 14.4.1 to 14.4.2 by @dependabot in #822
• Bump eslint-plugin-jest and ts-jest by @Ahmed3lmallah in #840

New Contributors

• @louis-bompart made their first contribution in #766
• @Ahmed3lmallah made their first contribution in #840

Full Changelog: v4.3.4...v4.3.5

v4.3.4

What's Changed

• Include all added dependencies in scorecard entries by @elireisman in #783
• Update SPDX Expression Parsing by @febuiles in #719
  • This PR is a significant refactor of SPDX expression parsing that may fix some bugs, but unfortunately there are several related known issues that remain unresolved as of this version.

Full Changelog: v4.3.3...v4.3.4

Notes for v4.3.3

What's Changed

• Allow slashes in purl package names by @juxtin in #765
• use the v3 version of the deps.dev API by @josieang in #741
• PR with suggestions - [Improvement]: Help streamline / simplify dependency review action README by @am-stead in #773
• fix show-openssf-scorecard-levels input by @ramann in #776
• Updates to the contribution guidelines by @jonjanego in #778
• Create issue templates by @jonjanego in #777
• Fix the max comment length issue by @jhutchings1 and @elireisman in #767
• Bump project version to 4.3.3 in prep for a release by @elireisman in #781

New Contributors

• @josieang made their first contribution in #741
• @am-stead made their first contribution in #773
• @ramann made their first contribution in #776

Full Changelog: v4.3.2...v4.3.3

v4.3.2

What's Changed

• Fix package-url parsing for allow-dependencies-licenses by @juxtin in #761

Full Changelog: v4.3.1...v4.3.2

v4.3.1

What's Changed

This release fixes some bugs related to package-url parsing that were introduced in 4.3.0. See #753.

Full Changelog: V4.3.0...v4.3.1

v4.3.0

New Features

• The deny-packages option can now be used without a version number to exclude all versions of a package.

What's Changed

• Fix action variable name for scorecard by @lukehinds in #735
• Fix extra https:// in summary by @jhutchings1 in #748
• Bump typescript from 5.3.3 to 5.4.5 by @dependabot in #744
• Bump eslint-plugin-github from 4.10.1 to 4.10.2 by @dependabot in #737
• Show denied packages with red X by @juxtin in #750
• deny-packages configuration option can deny specified version or all packages by @febuiles and @bteng22 in #733

New Contributors

• @bteng22 made their first contribution in #733
• @lukehinds made their first contribution in #735

Full Changelog: v4.2.5...V4.3.0

4.2.5

What's Changed

• Fixed a bug where some configuration options in external files were not being properly picked up -- #722
• Bump eslint from 8.56.0 to 8.57.0

Full Changelog: v4.2.4...v4.2.5