warn_only Does Not Apply When Using a Deny List (#734)
Labels: enhancement (New feature or request)

Following up on the conclusion of #706 and the following statement by @febuiles:

This is an interesting problem to consider. There may be a situation where you want to warn on any vulnerabilities that are found, but still fail if denied packages are found. So perhaps the answer is a different option to enable warning on denied packages, or creating a separate package warning list.

The reason this matters to me is because I have only just started rolling out the use of this action within my company's repositories, and we are already running into situations where packages are being misidentified by Dependency Graph, which has caused this check to block PRs unnecessarily. It's nice to have the awareness that the action brings, but in some cases the maturity of the ecosystem is not yet at a level where I can feel comfortable telling other development teams that they should always block.

Comments

Hi @AlexWilson-GIS, thank you for the suggestion. It's an interesting suggested workaround to what seems like the bigger issue to focus on, what you said of packages being misidentified. When you encounter problems of this nature please be sure to file issues for us so that we can see what's going on. Thanks!