Describe the bug
When using two different dependency review workflows with GitHub Actions Dependency Review Action, inconsistent results are observed for the same set of dependencies.
Specifically, one workflow flags only axios as malicious, while another correctly flags both axios and plain-crypto-js as malicious. This leads to inconsistent PR blocking behavior and unreliable security enforcement.
To Reproduce
Create a PR adding vulnerable dependencies:
- axios@1.14.1
- plain-crypto-js@4.2.1
Using workflow 1: Observe that only axios is flagged as malicious and the PR is blocked.
Using workflow 2: Observe that both axios and plain-crypto-js are flagged as malicious.
Expected behavior
Both workflows should produce consistent results and flag all vulnerable/malicious dependencies (in this case, both axios and plain-crypto-js), ensuring uniform PR blocking behavior.
Screenshots
Workflow 1 (direct action): only axios flagged
Workflow 2 (reusable workflow): both axios and plain-crypto-js flagged
Action version
First: https://github.com/actions/dependency-review-action/releases/tag/v4.8.3
Second: https://github.com/actions/dependency-review-action/releases/tag/v3
Examples
Workflow 1:

```yaml
name: 'Dependency Review'
on:
  workflow_call:
permissions:
  contents: read
jobs:
  dependency-review:
    runs-on: appdirect-self-hosted-runners
    if: |
      github.event_name == 'pull_request' ||
      (github.event_name == 'push' && github.ref == 'refs/heads/master')
    steps:
      - name: 'Checkout Repository'
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
      - name: 'Dependency Review'
        id: dependency-review
        uses: actions/dependency-review-action@05fe4576374b728f0c523d6a13d64c25081e0803
        with:
          base-ref: "${{ github.event.pull_request.base.sha || 'master' }}"
          head-ref: "${{ github.event.pull_request.head.sha || github.sha }}"
          deny-licenses: GPL-3.0, LGPL-3.0
          comment-summary-in-pr: always
          show-openssf-scorecard: false
        continue-on-error: true
```
Workflow 2:

```yaml
name: 'Dependency Review'
on: [pull_request]
permissions:
  contents: read
jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - name: 'Checkout Repository'
        uses: actions/checkout@v3
      - name: 'Dependency Review'
        uses: actions/dependency-review-action@v3
        with:
          fail-on-severity: critical
```
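The two workflows differ in more than the action version: workflow 2 sets `fail-on-severity: critical`, while workflow 1 leaves it at the default (`low`) and pins `base-ref`/`head-ref` explicitly. To separate the severity gate from the ref and version differences, the following script (an added example, not code from the reporter or from the actions/dependency-review-action project) reimplements the documented `fail-on-severity` rule and runs both thresholds over one compare payload. The payload is constructed for illustration, with made-up severities and no advisory identifiers; only its shape follows the `GET /repos/{owner}/{repo}/dependency-graph/compare/{basehead}` response. The `fetch_compare` helper is an assumption-free wrapper around that REST endpoint for pulling the real payload for a PR's base and head SHAs.

```python
"""Offline reproduction of the Dependency Review Action's severity gate.

Added example for this bug report; not code from the
actions/dependency-review-action project. It reimplements the documented
fail-on-severity rule (fail when any newly added package carries an advisory
at or above the threshold; the default threshold is "low") so that the two
workflow configurations above can be compared against identical input.
"""
import json
import urllib.request

SEVERITY_RANK = {"low": 0, "moderate": 1, "high": 2, "critical": 3}

# Constructed sample payload: the two packages from the report plus one
# removed package. The severities are made up for illustration only.
SAMPLE_COMPARE = [
    {
        "change_type": "added",
        "manifest": "package.json",
        "ecosystem": "npm",
        "name": "axios",
        "version": "1.14.1",
        "vulnerabilities": [
            {"severity": "critical", "advisory_summary": "constructed sample advisory"}
        ],
    },
    {
        "change_type": "added",
        "manifest": "package.json",
        "ecosystem": "npm",
        "name": "plain-crypto-js",
        "version": "4.2.1",
        "vulnerabilities": [
            {"severity": "moderate", "advisory_summary": "constructed sample advisory"}
        ],
    },
    {
        "change_type": "removed",
        "manifest": "package.json",
        "ecosystem": "npm",
        "name": "left-pad",
        "version": "1.3.0",
        "vulnerabilities": [],
    },
]


def flagged_packages(changes, fail_on_severity="low"):
    """Return names of added packages with an advisory at/above the threshold.

    Mirrors the action's gate: removed packages are ignored, and an added
    package counts only if at least one advisory meets the threshold.
    """
    threshold = SEVERITY_RANK[fail_on_severity]
    flagged = []
    for change in changes:
        if change.get("change_type") != "added":
            continue
        hits = [
            v for v in change.get("vulnerabilities", [])
            if SEVERITY_RANK.get(v.get("severity", "low"), 0) >= threshold
        ]
        if hits:
            flagged.append(change["name"])
    return flagged


def fetch_compare(owner, repo, base, head, token):
    """Fetch the real compare payload for base...head.

    Needs a token with contents:read on the repository. Not called by the
    offline demo below; use it to diff what each workflow's ref pair sees.
    """
    url = (f"https://api.github.com/repos/{owner}/{repo}"
           f"/dependency-graph/compare/{base}...{head}")
    req = urllib.request.Request(url, headers={
        "Accept": "application/vnd.github+json",
        "Authorization": f"Bearer {token}",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Same input, the two thresholds the two workflows effectively use.
    for label, sev in (("workflow 1 (default: low)", "low"),
                       ("workflow 2 (critical)", "critical")):
        print(f"{label}: {flagged_packages(SAMPLE_COMPARE, sev)}")
```

Under this gate a `fail-on-severity: critical` workflow can only ever flag a subset of what the default `low` threshold flags, so the threshold cannot produce the direction reported above (workflow 2 flagging more than workflow 1). That leaves the other variables as the things to compare: the pinned v4.8.3 commit versus the floating v3 tag, the explicit `base-ref`/`head-ref` SHAs versus the action's own defaults on a `pull_request` event, and `continue-on-error: true`, which lets the job succeed even when the step fails. Running `fetch_compare` with each workflow's actual base and head SHAs and diffing the two payloads shows whether the two runs were even looking at the same dependency delta.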