Skip to content

chore(deps): bump anyhow from 1.0.102 to 1.0.103 #78

chore(deps): bump anyhow from 1.0.102 to 1.0.103

chore(deps): bump anyhow from 1.0.102 to 1.0.103 #78

name: Dependency review
# Runs GitHub's dependency-review-action on PRs. Diffs the lockfile changes
# in the PR vs the base branch and BLOCKS merge if newly-introduced
# dependencies have vulnerabilities OR licenses outside our allowlist.
#
# Pair with Dependabot: Dependabot opens upgrade PRs; this gate enforces
# nothing bad slips in through manual deps changes that bypass Dependabot.
# Complements the existing `deny` job in ci.yml — that runs against the
# full dep tree post-merge; this one runs against the diff pre-merge.
on:
pull_request:
branches: [main]
permissions:
contents: read
pull-requests: write
jobs:
dependency-review:
name: Dependency review
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
- uses: actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 # v5.0.0
with:
fail-on-severity: high
# Mirror deny.toml [licenses].allow.
allow-licenses: MIT, Apache-2.0, Apache-2.0 WITH LLVM-exception, BSD-2-Clause, BSD-3-Clause, ISC, MPL-2.0, Unicode-DFS-2016, Unicode-3.0, CC0-1.0, Zlib, 0BSD, BUSL-1.1, CDLA-Permissive-2.0
allow-dependencies-licenses: pkg:githubactions/Swatinem/rust-cache
comment-summary-in-pr: on-failure