A TypeScript library for creating dependency snapshots.

Overview

Dependency Submission Toolkit

@github/dependency-submission-toolkit is a TypeScript library for creating dependency snapshots and submitting them to the dependency submission API. A snapshot is a set of dependencies grouped by manifest, together with some related metadata. A manifest can be a physical file or a more abstract representation of a dependency grouping (such as the processed output of a program). After submission to the API, the included dependencies appear in the repository's dependency graph.

Installation

npm install @github/dependency-submission-toolkit

Usage

Some useful commands to navigate using the library:

  • npm run build to compile TypeScript source
  • npm run test to run the tests
    • npm run test:watch to run the tests in watch-mode (tests re-run when files change)
  • npm run format to format files using prettier
  • npm run lint to lint files using ESLint
  • npm run package to compile the code into a single file using ncc
  • npm run all runs the commands above together (e.g. lint the code, run the tests)

Writing Your Own Dependency Submission Action

You may use classes from @github/dependency-submission-toolkit to help in building your own GitHub Action for submitting dependencies to the Dependency Submission API. At a high level, the steps to use the classes are:

  1. Create a PackageCache of all of the packages that could be included in your manifest, and define the relationships between them.

  2. Using the packages defined in the PackageCache, create a Manifest or a BuildTarget, which defines the dependencies of a build environment or of a specific build artifact.

  3. Create a Snapshot to include one or more Manifests or BuildTargets. The snapshot is the base container for submitting dependencies to the Dependency Submission API.

  4. Follow the instructions for Creating a JavaScript Action. These include:

    • Defining an action.yml action metadata file
    • Compiling the JavaScript into a single script using ncc
    • Testing your action in a workflow

A full example action using this library is included in the example/ directory. This example uses the output of npm list to create an accurate and complete graph of the dependencies used by this library. The action is also included in a workflow in this repository and runs for each commit to the main branch.

Testing

This library uses the jest testing framework, with tests co-located with the source files. Run the tests with npm test, or invoke jest directly.

Comments
  • Publish package to npmjs.org

    Can you publish the package to npmjs, because it is so much hassle using GitHub's internal repos; I can't afford to jump through all the hoops just to get started...

    opened by davidkarlsen 3
  • Clarify to need packageurl-js in example

    Update package.json with cd example && npm install packageurl-js

    --

    This PR might be just a question.

    The example in this repository and https://github.com/actions/go-dependency-submission/blob/9bdff38f6874dc21e2c3eeeaad61922c1fb23f33/package.json#L47 use PackageURL as an exported class of https://github.com/package-url/packageurl-js. So writing *-dependency-submission actions always needs it; is this the correct understanding? 👀

    opened by kachick 2
  • Update `@actions/core` to fix deprecated `set-output` usage

    Update @actions/core to v1.10.0 to replace the deprecated set-output method call

    Find more details here: https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/


    This will resolve the deprecation warning being logged via the following setOutput API call: https://github.com/github/dependency-submission-toolkit/blob/main/src/snapshot.ts#L142

    opened by mikepenz 1
  • Bump undici from 5.5.1 to 5.8.0

    Bumps undici from 5.5.1 to 5.8.0.

    Release notes

    Sourced from undici's releases.

    v5.8.0

    ⚠️ Security Fixes ⚠️

    What's Changed

    New Contributors

    Full Changelog: https://github.com/nodejs/undici/compare/v5.7.0...v5.7.1

    v5.7.0

    What's Changed

    New Contributors

    Full Changelog: https://github.com/nodejs/undici/compare/v5.6.1...v5.7.0

    v5.6.1

    What's Changed

    New Contributors

    Full Changelog: https://github.com/nodejs/undici/compare/v5.6.0...v5.6.1

    v5.6.0

    What's Changed

    ... (truncated)

    Commits
    • 26f60b7 Bumped v5.8.0
    • 0a5bee9 Merge pull request from GHSA-q768-x9m6-m9qp
    • a29a151 Merge pull request from GHSA-3cvr-822r-rqcc
    • 722976c docs: updated proxy docs - renamed already used const proxy to proxyServer (#...
    • b6af4e6 fix(body mixin): only allow Uint8Array chunks (#1550)
    • 6c9e634 fix(mock utils): set Readable.abort (#1549)
    • 22e2f39 ci: fix up exclude (#1544)
    • 99205ec feat: use weighted round robin in balancedPool (#1069)
    • 5b57e8c chore: exclude windows node 16 (#1542)
    • 93e31a2 Drop PR title validation (#1543)
    • Additional commits viewable in compare view

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
    • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
    • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
    • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

    You can disable automated security fix PRs for this repo from the Security Alerts page.

    dependencies 
    opened by dependabot[bot] 1
  • Example tsconfig: Don't require rebuild for example project, hide example project code from git

    Very similar to what was done in https://github.com/actions/go-dependency-submission/pull/18 .

    • This doesn't solve the slightly unintuitive usage of workspaces (we have only modeled the example as a workspace, but it really seems like we have two: example + toolkit)
    • The example tsconfig is configured to point directly at the toolkit folder, meaning we don't have to do a build loop for the example code to reflect changes (it's just sharing source)
    • This repo (different than go-dependency-submission) .gitignore's dist folders, so I added the actions output too and updated the workflow to build before running submission
    opened by brphelps 1
  • Adding a contributor's guide

    Adding a CONTRIBUTING.md outlining the basic steps to run tests and do local development. It also includes instructions on how to release a new version, which could be helpful for other folks getting involved with the project.

    This document was copy/pasted from another project and needs to be tweaked/improved for this specific tool, but I feel it's better than nothing.

    TODO

    • [x] Cut a new version (1.2.7). The PR also includes a bump to the action's version and should be followed by a new release; 1.2.6 did not update the version field in package.json.
    opened by febuiles 0
  • Use github.getOctokit

    I think we should use github.getOctokit instead of new Octokit to obtain an Octokit instance that works well with GitHub Enterprise.

    See also: https://github.com/actions/toolkit/tree/main/packages/github#readme

    opened by aibaars 0
  • Fix possible exceptions by matching the type of Snapshot job to the spec

    https://docs.github.com/en/rest/dependency-graph/dependency-submission#create-a-snapshot-of-dependencies-for-a-repository

    Error: HTTP Status 422 for request POST https://api.github.com/repos/smorimoto/opam-dependency-submission/dependency-graph/snapshots
    Error: Response body:
    {
      "message": "Invalid request.\n\nInvalid property /job/id: `3116879171` is not of type `string`.",
      "documentation_url": "https://docs.github.com/rest/reference/dependency-graph#create-a-snapshot-of-dependencies-for-a-repository"
    }
    Error: Invalid request.
    
    opened by smorimoto 0
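
The three README steps (PackageCache, Manifest, Snapshot) and the HTTP 422 in the report above, worked through as an added example that is not the toolkit's own code: a minimal re-implementation of those classes that emits the snapshot document the Dependency Submission API accepts, with a pre-flight check that catches a non-string job.id before the request is sent. The class names mirror the toolkit's, but their bodies, validateSnapshot, buildExampleSnapshot, the detector and correlator values and the zeroed sha are assumptions made for this illustration.

```typescript
// Added illustration, not the toolkit's own code: a minimal re-implementation of the three
// steps PackageCache -> Manifest -> Snapshot, emitting the JSON document the Dependency
// Submission API accepts, plus pre-flight checks for the kind of HTTP 422 quoted above.
export interface Job { id: string; correlator: string }
export interface Detector { name: string; version: string; url: string }
export class Package {
  readonly dependsOnPackages: Package[] = [];
  constructor(readonly packageUrl: string) {}
  dependsOn(pkg: Package): void { this.dependsOnPackages.push(pkg); }
}
// Step 1: every package that could appear in a manifest, keyed by purl, so that two
// manifests referencing the same package share one node in the graph.
export class PackageCache {
  private readonly db: Record<string, Package> = {};
  package(purl: string): Package { return this.db[purl] ?? (this.db[purl] = new Package(purl)); }
}

// Step 2: a manifest records which cached packages one file (or build target) uses.
export class Manifest {
  private readonly resolved: Record<string, { pkg: Package; relationship: "direct" | "indirect" }> = {};
  constructor(readonly name: string, readonly filePath: string = name) {}
  addDirectDependency(pkg: Package): void { this.resolved[pkg.packageUrl] = { pkg, relationship: "direct" }; }
  addIndirectDependency(pkg: Package): void { this.resolved[pkg.packageUrl] = { pkg, relationship: "indirect" }; }
  toJSON(): Record<string, unknown> {
    const resolved: Record<string, unknown> = {};
    for (const purl of Object.keys(this.resolved)) {
      const { pkg, relationship } = this.resolved[purl];
      resolved[purl] = { package_url: purl, relationship, dependencies: pkg.dependsOnPackages.map((d) => d.packageUrl) };
    }
    return { name: this.name, file: { source_location: this.filePath }, resolved };
  }
}

// Step 3: the snapshot is the envelope that gets POSTed to the API.
export class Snapshot {
  private readonly manifests: Record<string, unknown> = {};
  constructor(readonly detector: Detector, readonly job: Job, readonly sha: string,
              readonly ref: string, readonly scanned: Date = new Date()) {}
  addManifest(m: Manifest): void { this.manifests[m.name] = m.toJSON(); }
  toJSON(): Record<string, unknown> {
    return { version: 0, job: this.job, sha: this.sha, ref: this.ref, detector: this.detector,
             scanned: this.scanned.toISOString(), manifests: this.manifests };
  }
}

// Pre-flight checks on the serialised document: job.id and correlator must be JSON strings (a raw
// numeric run id is what produced the 422 above); every dependency edge must target a listed purl.
export function validateSnapshot(doc: any): string[] {
  const errors: string[] = [];
  if (typeof doc?.job?.id !== "string") errors.push("/job/id is not of type string");
  if (typeof doc?.job?.correlator !== "string") errors.push("/job/correlator is not of type string");
  const manifests = doc?.manifests ?? {};
  for (const name of Object.keys(manifests)) {
    const resolved = manifests[name].resolved ?? {};
    for (const purl of Object.keys(resolved)) {
      for (const dep of resolved[purl].dependencies ?? []) {
        if (!(dep in resolved)) errors.push(`${name}: ${purl} depends on unlisted ${dep}`);
      }
    }
  }
  return errors;
}

// Constructed example: the purls use versions mentioned on this page; runId stands in for
// github.context.runId, which is a number, hence the String() conversion for job.id.
export function buildExampleSnapshot(runId: number): Record<string, unknown> {
  const cache = new PackageCache();
  const core = cache.package("pkg:npm/%40actions/core@1.10.0");
  const http = cache.package("pkg:npm/%40actions/http-client@2.0.1");
  core.dependsOn(http);
  const manifest = new Manifest("package-lock.json");
  manifest.addDirectDependency(core);
  manifest.addIndirectDependency(http);
  const detector: Detector = { name: "example-detector", version: "0.0.1", url: "https://example.invalid" };
  const snapshot = new Snapshot(detector, { id: String(runId), correlator: "ci example-job" },
                                "0000000000000000000000000000000000000000", "refs/heads/main", new Date(0));
  snapshot.addManifest(manifest);
  return snapshot.toJSON();
}
```

Running validateSnapshot on the serialised document before calling the API turns the server-side 422 into a local error with the same JSON-pointer wording.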
  • Bump @actions/core from 1.6.0 to 1.9.1

    Bumps @actions/core from 1.6.0 to 1.9.1.

    Changelog

    Sourced from @actions/core's changelog.

    1.9.1

    • Randomize delimiter when calling core.exportVariable

    1.9.0

    • Added toPosixPath, toWin32Path and toPlatformPath utilities #1102

    1.8.2

    • Update to v2.0.1 of @actions/http-client #1087

    1.8.1

    • Update to v2.0.0 of @actions/http-client


    dependencies 
    opened by dependabot[bot] 0
  • Bump undici from 5.5.1 to 5.9.1

    Bumps undici from 5.5.1 to 5.9.1.

    Release notes

    Sourced from undici's releases.

    v5.9.1

    What's Changed

    New Contributors

    Full Changelog: https://github.com/nodejs/undici/compare/v5.8.2...v5.9.1

    v5.8.2

    ⚠️ Security Release ⚠️

    • CRLF Injection in Nodejs ‘undici’ via Content-Type GHSA-f772-66g8-q5h3 CVE-2022-35948
    • undici.request vulnerable to SSRF using absolute URL on pathname GHSA-8qr4-xgw6-wmr3 CVE-2022-35949

    What's Changed

    New Contributors

    Full Changelog: https://github.com/nodejs/undici/compare/v5.8.1...v5.8.2

    v5.8.1

    What's Changed

    New Contributors

    ... (truncated)

    Commits
    • 5890e16 5.9.1
    • ecae314 fix: don't timeout while waiting for client to send request (#1604)
    • fa9fd90 fix(File): respect typed array byteOffset and byteLength (#1601)
    • ae6f554 fix: add support for integrity option to Fetch (#1596)
    • deed628 fix(fetch): implement fully read body algorithm (#1597)
    • 0d1419c Fix array headers (#1598)
    • 52d1ce5 Bumped v5.8.2
    • 66165d6 Merge pull request from GHSA-f772-66g8-q5h3
    • 124f7eb Merge pull request from GHSA-8qr4-xgw6-wmr3
    • aef314c feat(webidl): better error message for ByteString converter (#1591)
    • Additional commits viewable in compare view


    dependencies 
    opened by dependabot[bot] 0
  • Update package.lock

    This PR merges https://github.com/github/dependency-submission-toolkit/pull/10/ (thanks @kachick!) and runs an npm audit fix on top of our deps to get rid of some vulnerabilities.

    opened by febuiles 0
  • Add Dependabot config file

    :wave: Hello from the Product Security Engineering team! As recently announced in our engineering discussion post, we're opening up this PR to enable Dependabot actions updates by adding (or updating) the [Dependabot Config File](https://docs.github.com/en/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot).

    This is an automatically generated PR and we need your help getting it merged! Service owners are responsible for reviewing and merging this PR.

    Why is this happening?

    Your repository has a CodeQL workflow configured. The PSE team would like to assist repository maintainers in keeping their CodeQL workflow up to date, as the CodeQL workflow will be deprecated in December of 2022. This PR will allow Dependabot to keep the action used in the workflow up to date. The current version of the CodeQL workflow will be deprecated in December of 2022. This will also have the additional benefit of using Dependabot to keep other actions up to date as well.

    opened by sentinel 0
  • The npm registry is missing version v1.2.4

    The npm registry is missing the 1.2.4 version of this, which has been tagged on the repository.

    I need access to this version to complete the updates on the @actions/core version 1.10.0 to remove the set-output warnings when using this toolkit.

    opened by peter-murray 0
  • Support SBOM

    See discussion in https://github.com/orgs/github-community/discussions/18918 - it would be great if the toolkit could support SBOM standards out of the box, as this would enable a bridge from existing tooling into the GitHub dependency submission API. By leveraging existing standards you have a short way from existing standards into the new GitHub features.

    opened by davidkarlsen 8
Releases (v1.2.7)
  • v1.2.7 (Oct 28, 2022)

    What's Changed

    • Adding a contributor's guide by @febuiles in https://github.com/github/dependency-submission-toolkit/pull/33
    • Update @actions/core to fix deprecated set-output usage by @mikepenz in https://github.com/github/dependency-submission-toolkit/pull/34

    Full Changelog: https://github.com/github/dependency-submission-toolkit/compare/v1.2.6...v1.2.7

  • v1.2.6 (Oct 26, 2022)

    What's Changed

    • Use github.getOctokit by @aibaars in https://github.com/github/dependency-submission-toolkit/pull/32

    Full Changelog: https://github.com/github/dependency-submission-toolkit/compare/v1.2.5...v1.2.6

  • v1.2.4 (Oct 20, 2022)

  • v1.2.3 (Sep 26, 2022)

  • v1.2.2 (Jun 28, 2022)

    Publish to npm

    What's Changed

    • Delete .npmrc by @hmaurer in https://github.com/github/dependency-submission-toolkit/pull/17
    • v1.2.2 by @theinterned in https://github.com/github/dependency-submission-toolkit/pull/18

    New Contributors

    • @hmaurer made their first contribution in https://github.com/github/dependency-submission-toolkit/pull/17

    Full Changelog: https://github.com/github/dependency-submission-toolkit/compare/v1.2.1...v1.2.2

  • v1.2.1 (Jun 28, 2022)

    What's Changed

    • Update README.md by @courtneycl in https://github.com/github/dependency-submission-toolkit/pull/1
    • Remove splitting command line by @lseppala in https://github.com/github/dependency-submission-toolkit/pull/2
    • Refactor and rework Dependency Submission Toolkit by @lseppala in https://github.com/github/dependency-submission-toolkit/pull/3
    • Adds the token to Action, adds required detector by @lseppala in https://github.com/github/dependency-submission-toolkit/pull/5
    • Remove Metadata by @lseppala in https://github.com/github/dependency-submission-toolkit/pull/6
    • Create service catalog entry via ownership.yaml by @annarosenthal in https://github.com/github/dependency-submission-toolkit/pull/7
    • Add Package matching function for finding packages with fields by @lseppala in https://github.com/github/dependency-submission-toolkit/pull/8
    • Fix typos by @kachick in https://github.com/github/dependency-submission-toolkit/pull/9
    • Fix signature of using core.getIDToken by @kachick in https://github.com/github/dependency-submission-toolkit/pull/11
    • Update package.lock by @febuiles in https://github.com/github/dependency-submission-toolkit/pull/13
    • Update package-lock.json with npm install by @kachick in https://github.com/github/dependency-submission-toolkit/pull/10
    • Add a publish action and prepack script by @theinterned in https://github.com/github/dependency-submission-toolkit/pull/16

    New Contributors

    • @courtneycl made their first contribution in https://github.com/github/dependency-submission-toolkit/pull/1
    • @lseppala made their first contribution in https://github.com/github/dependency-submission-toolkit/pull/2
    • @annarosenthal made their first contribution in https://github.com/github/dependency-submission-toolkit/pull/7
    • @kachick made their first contribution in https://github.com/github/dependency-submission-toolkit/pull/9
    • @febuiles made their first contribution in https://github.com/github/dependency-submission-toolkit/pull/13
    • @theinterned made their first contribution in https://github.com/github/dependency-submission-toolkit/pull/16

    Full Changelog: https://github.com/github/dependency-submission-toolkit/commits/v1.2.1
