Initialize verifier repo. #15
Conversation
Dependency Review✅ No vulnerabilities or license issues found.Scanned Manifest Files |
.licenseignore
Outdated
| solana-dapp | ||
| ethereum | ||
| iniparser | ||
| hardhat |
taotao-circle
force-pushed
the
k6-squash
branch
from
67c7c11 to
b888104
Compare
taotao-circle
force-pushed
the
k6-squash
branch
from
5d7a2a8 to
aa1fabc
Compare
.licenseignore
Outdated
| @@ -1 +1,14 @@ | |||
| pkg:npm/borsh | |||
| pkg:npm/borsh%40%5E0.2.2 | |||
There was a problem hiding this comment.
I don't think the @ between the package and the version should be percent-encoded. I tested using the purl parser from the dependency-review-action, and it ends up lumping the version in with the package name:
> parsePURL('pkg:npm/%40bcoe/v8-coverage%40%5E0.2.3')
{
type: 'npm',
namespace: '@bcoe',
name: 'v8-coverage@^0.2.3',
version: null,
original: 'pkg:npm/%40bcoe/v8-coverage%40%5E0.2.3',
error: null
}
Using the @ symbol there it parses correctly:
> parsePURL('pkg:npm/%40bcoe/v8-coverage@%5E0.2.3')
{
type: 'npm',
namespace: '@bcoe',
name: 'v8-coverage',
version: '^0.2.3',
original: 'pkg:npm/%40bcoe/v8-coverage@%5E0.2.3',
error: null
}
(incidentally, it doesn't look like the percent encoding is required at all with this action; 'pkg:npm/@bcoe/v8-coverage@^0.2.3' parses correctly)
It also doesn't look like it's necessary to specify version here at all as only the package type and name are matched in the dependency-review-action, so you could safely remove the versions entirely.
There was a problem hiding this comment.
@jscaltreto it's one of the check flow requires that (basic workflows/scan/...)
taotao-circle
force-pushed
the
k6-squash
branch
from
74d2447 to
ad1b399
Compare
|
@jscaltreto see I changed it back to the @. The basic flow fails. |
taotao-circle
force-pushed
the
k6-squash
branch
from
9d5320e to
9314e6b
Compare
I squash all history to prepare for the open source.