GatherPress · mauteri · Aug 14, 2024 · Aug 14, 2024 · jeffpaul · Sep 26, 2024
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -17,8 +17,18 @@ jobs:
     steps:
       - name: 'Checkout Repository'
         uses: actions/checkout@v4
+
       - name: Dependency Review
-        uses: actions/dependency-review-action@v4
+        uses: actions/dependency-review-action@72eb03d02c7872a771aacd928f3123ac62ad6d3a # Version 4.3.3 # https://github.com/actions/dependency-review-action/releases/tag/v4.3.3
+        # Version 4.3.4 does not work with invalid license names in the config and since that version,
+        # SPDX expression licenses are considered invalid (see: https://github.com/actions/dependency-review-action/issues/792).
+        # In short, remove all SPDX expressions from the config!
+        #
+        # Note that if you have packages that use SPDX expressions, this will report them as invalid,
+        # as support is not yet implemented (see: https://github.com/actions/dependency-review-action/issues/263).
+        #
+        # In that case you need to downgrade to version 4.3.3 where SPDX expressions are handled as exact strings !!
+        # @source https://github.com/actions/dependency-review-action/issues/809#issuecomment-2285930024
         with:
           license-check: true
           vulnerability-check: false