chore(deps): bump @openstreetmap/id-tagging-schema from 6.18.0 to 7.0.1 #170
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Dependency Review | |
| on: | |
| pull_request: | |
| permissions: | |
| contents: read | |
| jobs: | |
| dependency-review: | |
| name: review dependencies | |
| runs-on: ubuntu-latest | |
| # The dependency-review API requires a public repo (or GitHub Advanced | |
| # Security). Skip while the repo is private so PRs don't fail on a 403. | |
| if: ${{ !github.event.repository.private }} | |
| permissions: | |
| contents: read | |
| pull-requests: write # for the summary comment | |
| steps: | |
| - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | |
| - name: Dependency review | |
| uses: actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 # v5 | |
| with: | |
| # Block PRs that introduce known-vulnerable dependencies. | |
| fail-on-severity: high | |
| comment-summary-in-pr: on-failure | |
| # License policy note: the product is AGPL-3.0-or-later (copyleft deps are | |
| # fine there) while the packages/* substrate is Apache-2.0. dependency-review | |
| # cannot scope a policy per package, so we surface licenses for review rather | |
| # than hard-deny. Once you've confirmed it won't flag intended copyleft deps | |
| # (e.g. the LGPL `opening_hours`), you can enforce a boundary by uncommenting: | |
| # deny-licenses: GPL-2.0, GPL-3.0, AGPL-3.0 |