-
Notifications
You must be signed in to change notification settings - Fork 105
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
warn_only
Does Not Apply When Using a Deny List
#734
Comments
Hi @AlexWilson-GIS thank you for the suggestion. It's an interesting suggested workaround to what seems like the bigger issue to focus on, what you said of packages being misidentified. When you encounter problems of this nature please be sure to file issues for us so that we can see what's going on. Thanks! |
👋 This issue has been marked as stale because it has been open with no activity for 180 days. You can: comment on the issue or remove the stale label to hold stalebot off for a while, add the |
Following up on the conclusion of #706 and the following statement by @febuiles:
This is an interesting problem to consider. There may be a situation where you want to warn on any vulnerabilities that are found, but still fail if denied packages are found. So perhaps the answer is a different option to enable warning on denied packages, or creating a separate package warning list.
The reason this matters to me is because I have only just started rolling out the use of this action within my company's repositories, and we are already running into situations where packages are being misidentified by Dependency Graph, which has caused this check to block PR's unnecessarily. It's nice to have the awareness that the action brings, but in some cases the maturity of the ecosystem is not yet at a level where I can feel comfortable telling other development teams that they should always block.
The text was updated successfully, but these errors were encountered: