You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
restore explicit copyleft license enforcement for dependency review
keep deny-licenses: GPL-3.0, AGPL-3.0 as an interim control despite upstream deprecation
clarify migration intent in workflow comments (track replacement before dependency-review-action v5)
Why this change
A prior edit removed deny-licenses without a replacement enforcement mechanism in this repo, creating a license-policy gap. This PR closes that gap by restoring enforcement.
Test plan
Confirm .github/workflows/dependency-review.yml includes deny-licenses: GPL-3.0, AGPL-3.0
Confirm Dependency Review job still runs and reports results on PRs
Follow-up: design and adopt non-deprecated replacement policy before v5
Note
Low Risk
Workflow-only change that updates dependency review configuration comments and keeps an interim license denylist; no runtime or application code impact.
Overview
Updates the GitHub Actions Dependency Review workflow to explicitly document interim copyleft license enforcement by keeping deny-licenses: GPL-3.0, AGPL-3.0 and noting the upstream deprecation/migration intent before dependency-review-action v5.
Written by Cursor Bugbot for commit 0f7bb42. This will update automatically on new commits. Configure here.
The reason will be displayed to describe this comment to others. Learn more.
Stale comment
Security review completed for this PR.
Result
No high-confidence vulnerabilities found in the submitted diff.
Evidence
The diff only changes .github/workflows/dependency-review.yml.
fail-on-severity: high remains enabled, so vulnerable dependency blocking behavior is preserved.
The action pin (actions/dependency-review-action commit SHA) is unchanged.
The removed setting (deny-licenses) is a deprecated license-policy control, not an injection/auth/secrets/SSRF/XSS primitive.
Low-confidence / validation-needed concern
Removing deny-licenses may reduce license compliance enforcement if there is no replacement workflow.
This is primarily governance/compliance risk, not a direct exploitable security vulnerability.
Remediation guidance
If license policy enforcement is required, add a dedicated license scanning workflow/tool (separate from dependency vulnerability scanning) to keep equivalent policy coverage while avoiding deprecated inputs.
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml--- a/.github/workflows/dependency-review.yml+++ b/.github/workflows/dependency-review.yml@@ -25,8 +25,8 @@
with:
# Fail on high and critical vulnerabilities
fail-on-severity: high
- # Enforce copyleft denylist until a dedicated replacement policy is added.- # NOTE: `deny-licenses` is deprecated upstream; track migration before v5.- deny-licenses: GPL-3.0, AGPL-3.0+ # NOTE: `deny-licenses` is deprecated in dependency-review-action and may be+ # removed in a future major release. Keep vulnerability checks enabled and+ # rely on dedicated license policy tooling/workflows for enforcement.
# Comment on PR with results
comment-summary-in-pr: always
The reason will be displayed to describe this comment to others. Learn more.
Stale comment
Security review completed for this PR.
Result: No high-confidence vulnerabilities found in the introduced changes.
Findings (prioritized)
None.
Notes
The diff is limited to comments in .github/workflows/dependency-review.yml; no executable workflow logic, permissions, action versions, or inputs were changed.
Residual risk to track separately: deny-licenses is marked deprecated upstream, so future migration planning remains important to avoid policy drift when upgrading the action.
Sent by Cursor Automation: Find vulnerabilities
depalmar
changed the title
chore: remove deprecated deny-licenses in dependency review
fix: restore copyleft enforcement in dependency review
Mar 17, 2026
Keep GPL-3.0 and AGPL-3.0 denylist enforcement in dependency review as an interim control while tracking migration to a non-deprecated license policy before dependency-review-action v5.
Made-with: Cursor
Result: No high-confidence vulnerabilities found in this diff.
Confirmed findings (prioritized):
None.
Uncertain / watch items (requires validation):
dependency-review.yml still relies on deny-licenses, which is noted as deprecated. This PR does not change runtime behavior, but if the upstream action removes support in a future major release, copyleft enforcement could silently weaken (supply-chain policy bypass risk).
Recommended remediation:
Pin and monitor the dependency-review action major version.
Add a migration task/test that fails CI if copyleft denylist enforcement stops working after action upgrades.
Given the current diff, security posture is unchanged and no exploitable issue is introduced.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
depalmar
force-pushed
the
chore/dependency-review-deprecation-fix
branch
from
Summary
Why this change
A prior edit removed deny-licenses without a replacement enforcement mechanism in this repo, creating a license-policy gap. This PR closes that gap by restoring enforcement.
Test plan
Note
Low Risk
Workflow-only change that updates dependency review configuration comments and keeps an interim license denylist; no runtime or application code impact.
Overview
Updates the GitHub Actions
Dependency Reviewworkflow to explicitly document interim copyleft license enforcement by keepingdeny-licenses: GPL-3.0, AGPL-3.0and noting the upstream deprecation/migration intent beforedependency-review-actionv5.Written by Cursor Bugbot for commit 0f7bb42. This will update automatically on new commits. Configure here.