From 62efda4ca82cfef50cedb4f18014d8447038c0ae Mon Sep 17 00:00:00 2001
From: Erik Burton
Date: Tue, 10 Feb 2026 12:43:27 -0800
Subject: [PATCH 1/3] fix: (dependency review) allow BUSL-1.1 license for certain deps
---
 .changeset/tiny-tigers-sip.md | 6 ++++++
 .../configs/license-deny-vulnerability-high.yml | 4 ++++
 2 files changed, 10 insertions(+)
 create mode 100644 .changeset/tiny-tigers-sip.md
diff --git a/.changeset/tiny-tigers-sip.md b/.changeset/tiny-tigers-sip.md
new file mode 100644
index 000000000..28b953ad6
--- /dev/null
+++ b/.changeset/tiny-tigers-sip.md
@@ -0,0 +1,6 @@
+---
+"dependency-review": patch
+---
+
+allow dependencies chainlink/contracts and arbitrum/nitro-contracts BUSL-1.1
+license
diff --git a/actions/dependency-review/configs/license-deny-vulnerability-high.yml b/actions/dependency-review/configs/license-deny-vulnerability-high.yml
index fc4995ad8..4c5a71891 100644
--- a/actions/dependency-review/configs/license-deny-vulnerability-high.yml
+++ b/actions/dependency-review/configs/license-deny-vulnerability-high.yml
@@ -4,6 +4,10 @@
 vulnerability_check: true
 fail_on_severity: "high" # low, moderate, high, critical
 license_check: true
+# Allow specific dependencies with licenses that would otherwise be denied.
+allow_dependencies_licenses: |
+ pkg:npm/@arbitrum/nitro-contracts: BUSL-1.1
+ pkg:npm/@chainlink/contracts: BUSL-1.1
 # Contains a list of prohibited licenses. The action will fail on pull requests
 # that introduce dependencies with licenses that match the list.
 deny_licenses:
From 8ff62016076055c20405ffa5c2aaef2b70aeea4e Mon Sep 17 00:00:00 2001
From: Erik Burton
Date: Tue, 10 Feb 2026 12:50:39 -0800
Subject: [PATCH 2/3] fix: config
---
 .../configs/license-deny-vulnerability-high.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/actions/dependency-review/configs/license-deny-vulnerability-high.yml b/actions/dependency-review/configs/license-deny-vulnerability-high.yml
index 4c5a71891..3470b6c2c 100644
--- a/actions/dependency-review/configs/license-deny-vulnerability-high.yml
+++ b/actions/dependency-review/configs/license-deny-vulnerability-high.yml
@@ -5,9 +5,9 @@ vulnerability_check: true
 fail_on_severity: "high" # low, moderate, high, critical
 license_check: true
 # Allow specific dependencies with licenses that would otherwise be denied.
-allow_dependencies_licenses: |
- pkg:npm/@arbitrum/nitro-contracts: BUSL-1.1
- pkg:npm/@chainlink/contracts: BUSL-1.1
+allow_dependencies_licenses:
+ - "pkg:npm/@arbitrum/nitro-contracts"
+ - "pkg:npm/@chainlink/contracts"
 # Contains a list of prohibited licenses. The action will fail on pull requests
 # that introduce dependencies with licenses that match the list.
 deny_licenses:
From 2cf3654b072f94ca5013ee44900f2344da47e8f9 Mon Sep 17 00:00:00 2001
From: Erik Burton
Date: Tue, 10 Feb 2026 13:31:35 -0800
Subject: [PATCH 3/3] fix: use custom config
---
 .changeset/tiny-tigers-sip.md | 3 +-
 ...license-deny-vulnerability-high-custom.yml | 145 ++++++++++++++++++
 .../license-deny-vulnerability-high.yml | 6 +-
 3 files changed, 148 insertions(+), 6 deletions(-)
 create mode 100644 actions/dependency-review/configs/license-deny-vulnerability-high-custom.yml
diff --git a/.changeset/tiny-tigers-sip.md b/.changeset/tiny-tigers-sip.md
index 28b953ad6..e3999b887 100644
--- a/.changeset/tiny-tigers-sip.md
+++ b/.changeset/tiny-tigers-sip.md
@@ -2,5 +2,4 @@
 "dependency-review": patch
 ---
 
-allow dependencies chainlink/contracts and arbitrum/nitro-contracts BUSL-1.1
-license
+custom preset allowing excluded licenses for dependencies chainlink/contracts and arbitrum/nitro-contracts
diff --git a/actions/dependency-review/configs/license-deny-vulnerability-high-custom.yml b/actions/dependency-review/configs/license-deny-vulnerability-high-custom.yml
new file mode 100644
index 000000000..56c8db61b
--- /dev/null
+++ b/actions/dependency-review/configs/license-deny-vulnerability-high-custom.yml
@@ -0,0 +1,145 @@
+# Note: This is an extension of 'license-deny-vulnerability-high' preset. Changes there should be propagated here.
+
+# CUSTOM ENTRIES
+# ---
+# Allow specific dependencies with licenses that would otherwise be denied.
+allow_dependencies_licenses:
+ - "pkg:npm/@arbitrum/nitro-contracts"
+ - "pkg:npm/@chainlink/contracts"
+
+# ORIGINAL PRESET (license-deny-vulnerability-high)
+# ---
+# Fails when:
+# - a dependency is found with a license that is in the deny_licenses list
+# - vulnerabilities are found in the dependency tree with specified severity or grater
+vulnerability_check: true
+fail_on_severity: "high" # low, moderate, high, critical
+license_check: true
+
+# Contains a list of prohibited licenses. The action will fail on pull requests
+# that introduce dependencies with licenses that match the list.
+deny_licenses:
+ - AGPL-1.0-only
+ - AGPL-1.0-or-later
+ - AGPL-3.0-only
+ - AGPL-3.0-or-later
+ - APL-1.0
+ - Aladdin
+ - BUSL-1.1
+ - CC-BY-1.0
+ - CC-BY-2.0
+ - CC-BY-2.5
+ - CC-BY-2.5-AU
+ - CC-BY-3.0
+ - CC-BY-3.0-AT
+ - CC-BY-3.0-DE
+ - CC-BY-3.0-IGO
+ - CC-BY-3.0-NL
+ - CC-BY-3.0-US
+ - CC-BY-4.0
+ - CC-BY-NC-1.0
+ - CC-BY-NC-2.0
+ - CC-BY-NC-2.5
+ - CC-BY-NC-3.0
+ - CC-BY-NC-3.0-DE
+ - CC-BY-NC-4.0
+ - CC-BY-NC-ND-1.0
+ - CC-BY-NC-ND-2.0
+ - CC-BY-NC-ND-2.5
+ - CC-BY-NC-ND-3.0
+ - CC-BY-NC-ND-3.0-DE
+ - CC-BY-NC-ND-3.0-IGO
+ - CC-BY-NC-ND-4.0
+ - CC-BY-NC-SA-1.0
+ - CC-BY-NC-SA-2.0
+ - CC-BY-NC-SA-2.0-DE
+ - CC-BY-NC-SA-2.0-FR
+ - CC-BY-NC-SA-2.0-UK
+ - CC-BY-NC-SA-2.5
+ - CC-BY-NC-SA-3.0
+ - CC-BY-NC-SA-3.0-DE
+ - CC-BY-NC-SA-3.0-IGO
+ - CC-BY-NC-SA-4.0
+ - CC-BY-ND-1.0
+ - CC-BY-ND-2.0
+ - CC-BY-ND-2.5
+ - CC-BY-ND-3.0
+ - CC-BY-ND-3.0-DE
+ - CC-BY-ND-4.0
+ - CC-BY-SA-1.0
+ - CC-BY-SA-2.0
+ - CC-BY-SA-2.0-UK
+ - CC-BY-SA-2.1-JP
+ - CC-BY-SA-2.5
+ - CC-BY-SA-3.0
+ - CC-BY-SA-3.0-AT
+ - CC-BY-SA-3.0-DE
+ - CC-BY-SA-3.0-IGO
+ - CC-BY-SA-4.0
+ - CC-PDDC
+ - copyleft-next-0.3.0
+ - copyleft-next-0.3.1
+ - CPAL-1.0
+ - CPL-1.0
+ - EPL-1.0
+ - EPL-2.0
+ - EUPL-1.0
+ - EUPL-1.1
+ - EUPL-1.2
+ - ErlPL-1.1
+ - GFDL-1.1-invariants-only
+ - GFDL-1.1-invariants-or-later
+ - GFDL-1.1-no-invariants-only
+ - GFDL-1.1-no-invariants-or-later
+ - GFDL-1.1-only
+ - GFDL-1.1-or-later
+ - GFDL-1.2-invariants-only
+ - GFDL-1.2-invariants-or-later
+ - GFDL-1.2-no-invariants-only
+ - GFDL-1.2-no-invariants-or-later
+ - GFDL-1.2-only
+ - GFDL-1.2-or-later
+ - GFDL-1.3-invariants-only
+ - GFDL-1.3-invariants-or-later
+ - GFDL-1.3-no-invariants-only
+ - GFDL-1.3-no-invariants-or-later
+ - GFDL-1.3-only
+ - GFDL-1.3-or-later
+ - GPL-1.0-only
+ - GPL-1.0-or-later
+ - GPL-2.0-only
+ - GPL-2.0-or-later
+ - GPL-3.0-only
+ - GPL-3.0-or-later
+ - IPL-1.0
+ - LGPL-2.0-only
+ - LGPL-2.0-or-later
+ - LGPL-2.1-only
+ - LGPL-2.1-or-later
+ - LGPL-3.0-only
+ - LGPL-3.0-or-later
+ - MPL-1.0
+ - MPL-1.1
+ - MPL-2.0
+ - MPL-2.0-no-copyleft-exception
+ - OFL-1.0
+ - OFL-1.0-RFN
+ - OFL-1.0-no-RFN
+ - OFL-1.1
+ - OFL-1.1-RFN
+ - OFL-1.1-no-RFN
+ - OSL-1.0
+ - OSL-1.1
+ - OSL-2.0
+ - OSL-2.1
+ - OSL-3.0
+ - RPL-1.1
+ - RPL-1.5
+ - RPSL-1.0
+ - SISSL
+ - SISSL-1.2
+ - SPL-1.0
+ - SunPro
+ - Watcom-1.0
+ - YPL-1.0
+ - YPL-1.1
diff --git a/actions/dependency-review/configs/license-deny-vulnerability-high.yml b/actions/dependency-review/configs/license-deny-vulnerability-high.yml
index 3470b6c2c..9cb13994f 100644
--- a/actions/dependency-review/configs/license-deny-vulnerability-high.yml
+++ b/actions/dependency-review/configs/license-deny-vulnerability-high.yml
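Review bot: The `allow_dependencies_licenses` entries at the top of the new file exempt the two purls from the license check as a whole rather than from BUSL-1.1 specifically, and since neither purl carries a version the exemption appears to cover every version of those packages — the header comment `# Allow specific dependencies with licenses that would otherwise be denied.` should say so, e.g. `# Exempts these packages (all versions) from the license check entirely, not only from BUSL-1.1; review this list whenever either package changes license.` (this reading of the action's allow-list semantics should be confirmed against the action's documentation). The same two lines were added to license-deny-vulnerability-high.yml in PATCH 2/3 and are moved here by PATCH 3/3, so the comment only needs fixing in this file. The remainder of the file is a verbatim copy of the base preset's `deny_licenses` list, protected only by the propagate-changes comments in both files; a license added to the base preset and missed here would silently weaken this preset, so a small CI check asserting the two `deny_licenses` lists are identical would be a stronger guard than the comment. While the comment block is being copied, `grater` in the copied "Fails when" line should read `greater`.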
@@ -1,13 +1,11 @@
+# Note: If updating this file, ensure to propagate changes to 'license-deny-vulnerability-high-custom' preset.
+
 # Fails when:
 # - a dependency is found with a license that is in the deny_licenses list
 # - vulnerabilities are found in the dependency tree with specified severity or grater
 vulnerability_check: true
 fail_on_severity: "high" # low, moderate, high, critical
 license_check: true
-# Allow specific dependencies with licenses that would otherwise be denied.
-allow_dependencies_licenses:
- - "pkg:npm/@arbitrum/nitro-contracts"
- - "pkg:npm/@chainlink/contracts"
 # Contains a list of prohibited licenses. The action will fail on pull requests
 # that introduce dependencies with licenses that match the list.
 deny_licenses: