RubyGems - licensed - Versions diffs - 5.0.0 → 5.0.2 - Mend

licensed 5.0.0 → 5.0.2

Files changed (8) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 418a3151f8331f3377eb4ff5b1a322733c006478c1bb84de7c023b2b1e567876
-  data.tar.gz: ffceca317c9924f12d732781aec5a9311bccac316ca9cf0b4e5e2a02b5b5967a
+  metadata.gz: d20897c4058c8e9ad19047b9739d2a8e720bfbc89c905a6bfcb49d9fc7bc3e68
+  data.tar.gz: e9ca15847323c009380cdb7aef13eb20115f70e9794cd789e1154d5b64521040
 SHA512:
-  metadata.gz: d6a33da199f2e60fd5ed19c08ad830aab62b8c2c0016c40844af94ba7b002ba58a2aa87e05b7a771054f9e95b333ed7f9bab7934d0cee6bdf981482f0b1f4a82
-  data.tar.gz: 60da525db6d11b5df8aef42042ad11e0d796bae937e894510764ab8c3eb2dcea36501441382f97d2896f8f9d3fea162e788516038c07156b584c090a61ac9d4f
+  metadata.gz: 7beedc9a4c747ce3a915afd5f1b22555e59c0e96d025e184cffa8255a61b8d908ef5eaf3d29471e48c6e592e1fa19e4afbc90b647601e488ef8d67495077b988
+  data.tar.gz: 6a02a0c4a839d4fb907fccc6f7893e324cc9d53b9ac9aea3c7781d6a876ced89a88f7a08173fe26aa48a756addc477404037012991199f4b809d5228baefaf8f

data/CHANGELOG.md CHANGED Viewed

@@ -1,4 +1,5 @@
 # Changelog
 All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
@@ -6,6 +7,17 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 ## [Unreleased]
+## 5.0.2
+- Pin setup-ruby and set permissions in test workflow (<https://github.com/licensee/licensed/pull/768>)
+- Pin action versions in test.yml (<https://github.com/licensee/licensed/pull/776>)
+- Add `csv` as a dependency for Ruby 3.4+ (<https://github.com/licensee/licensed/pull/786>)
+- Fix `nil` bug when there's no `dependency` key in `package.json` (<https://github.com/licensee/licensed/pull/791>)
+## 5.0.1
+- Updated dependencies as needed for security fixes
 ## 5.0.0
 ### Breaking change
@@ -27,145 +39,145 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 ### Added
-- Licensed status command will alert on stale cached dependency records (https://github.com/github/licensed/pull/657)
+- Licensed status command will alert on stale cached dependency records (<https://github.com/github/licensed/pull/657>)
 ## 4.3.1
 ### Changed
-- Bump nokogiri to resolve vulnerabilities (https://github.com/github/licensed/pull/648)
+- Bump nokogiri to resolve vulnerabilities (<https://github.com/github/licensed/pull/648>)
 ## 4.3.0
 ### Added
-- Cocoapods support has been re-enabled using a cocoapods plugin (https://github.com/github/licensed/pull/644)
+- Cocoapods support has been re-enabled using a cocoapods plugin (<https://github.com/github/licensed/pull/644>)
 ## 4.2.0
 ### Added
-- Reviewed and ignored configuration lists support matching on versions and version ranges (https://github.com/github/licensed/pull/629)
+- Reviewed and ignored configuration lists support matching on versions and version ranges (<https://github.com/github/licensed/pull/629>)
 ### Fixed
-- Licensed should more reliably source dependencies from Gradle >= 8.0 (https://github.com/github/licensed/pull/630)
+- Licensed should more reliably source dependencies from Gradle >= 8.0 (<https://github.com/github/licensed/pull/630>)
 ## 4.1.0
 ### Added
-- Custom license terms can be added to dependencies via new configuration options (https://github.com/github/licensed/pull/624)
-- Licensed is now integrated with pnpm to enumerate dependencies (https://github.com/github/licensed/pull/626)
+- Custom license terms can be added to dependencies via new configuration options (<https://github.com/github/licensed/pull/624>)
+- Licensed is now integrated with pnpm to enumerate dependencies (<https://github.com/github/licensed/pull/626>)
 ## 4.0.4
 ### Changed
-- Dependency version requirements are more relaxed (https://github.com/github/licensed/pull/619)
+- Dependency version requirements are more relaxed (<https://github.com/github/licensed/pull/619>)
 ## 4.0.3
 ### Changed
-- Cocoapods dependency enumeration has been disabled (https://github.com/github/licensed/pull/616)
+- Cocoapods dependency enumeration has been disabled (<https://github.com/github/licensed/pull/616>)
 ### Fixed
-- Fixed method signature change in Bundler API with Bundler >= 2.4.4 (:tada: @CvX https://github.com/github/licensed/pull/614)
-- Fixed installation dependency compatibility with Rails >= 7.0 (https://github.com/github/licensed/pull/616)
+- Fixed method signature change in Bundler API with Bundler >= 2.4.4 (:tada: @CvX <https://github.com/github/licensed/pull/614>)
+- Fixed installation dependency compatibility with Rails >= 7.0 (<https://github.com/github/licensed/pull/616>)
 ## 4.0.2
 ### Fixed
-- The path to a gradlew executable can be configured when enumerating gradle dependencies (:tada: @LouisBoudreau https://github.com/github/licensed/pull/610)
+- The path to a gradlew executable can be configured when enumerating gradle dependencies (:tada: @LouisBoudreau <https://github.com/github/licensed/pull/610>)
 ## 4.0.1
 ### Fixed
-- Running gradle tests will no longer fail when gradle is not available (https://github.com/github/licensed/pull/606)
+- Running gradle tests will no longer fail when gradle is not available (<https://github.com/github/licensed/pull/606>)
 ## 4.0.0
 ### Added
-- Licensed supports Cocoapods as a dependency source (:tada: @LouisBoudreau https://github.com/github/licensed/pull/584)
-- Licensed supports Gradle multi-project builds (:tada: @LouisBoudreau https://github.com/github/licensed/pull/583)
+- Licensed supports Cocoapods as a dependency source (:tada: @LouisBoudreau <https://github.com/github/licensed/pull/584>)
+- Licensed supports Gradle multi-project builds (:tada: @LouisBoudreau <https://github.com/github/licensed/pull/583>)
 ### Fixed
-- Licensed no longer crashes when run with Bundler >= 2.4.0 (:tada: @JoshReedSchramm https://github.com/github/licensed/pull/597)
+- Licensed no longer crashes when run with Bundler >= 2.4.0 (:tada: @JoshReedSchramm <https://github.com/github/licensed/pull/597>)
 ### Changed
-- BREAKING: Licensed no longer ships executables with releases (https://github.com/github/licensed/pull/586)
-- BREAKING: Licensed no longer includes support for Go <= 1.11 (https://github.com/github/licensed/pull/602)
+- BREAKING: Licensed no longer ships executables with releases (<https://github.com/github/licensed/pull/586>)
+- BREAKING: Licensed no longer includes support for Go <= 1.11 (<https://github.com/github/licensed/pull/602>)
 ## 3.9.1
 ### Fixed
-- Updating cached dependency records will more accurately apply `review_changed_license` flag (https://github.com/github/licensed/pull/578)
+- Updating cached dependency records will more accurately apply `review_changed_license` flag (<https://github.com/github/licensed/pull/578>)
 ## 3.9.0
 ### Added
-- `NOTICE` files can now be generated without cached files in a repository (https://github.com/github/licensed/pull/572)
+- `NOTICE` files can now be generated without cached files in a repository (<https://github.com/github/licensed/pull/572>)
 ## 3.8.0
 ### Added
-- Licensing compliance status checks can now be used without cached files in a repository (https://github.com/github/licensed/pull/560)
+- Licensing compliance status checks can now be used without cached files in a repository (<https://github.com/github/licensed/pull/560>)
 ## 3.7.5
 ### Fixed
-- Python dependency metadata will be correctly parsed from the ouput of `pip show` (https://github.com/github/licensed/pull/555)
+- Python dependency metadata will be correctly parsed from the ouput of `pip show` (<https://github.com/github/licensed/pull/555>)
 ## 3.7.4
 ### Fixed
-- Licenses for Python dependencies built with Hatchling are correctly found (https://github.com/github/licensed/pull/547)
+- Licenses for Python dependencies built with Hatchling are correctly found (<https://github.com/github/licensed/pull/547>)
 ## 3.7.3
 ### Fixed
-- Swift test fixtures build artifacts are now ignored (:tada: @CvX https://github.com/github/licensed/pull/524)
-- Running cargo test fixture setup no longer deletes test files (:tada: @CvX https://github.com/github/licensed/pull/525)
-- Bundler test fixtures are compatible with latest macOS silicon(:tada: @CvX https://github.com/github/licensed/pull/528)
-- Fix segfaults seen using licensed with ruby 3.0.4 (https://github.com/github/licensed/pull/530)
-- Fix compatibility with latest versions of bundler 2.3 (https://github.com/github/licensed/pull/535)
-- Fix compatibility with latest versions of bundler 2.3 (:tada: @CvX https://github.com/github/licensed/pull/522)
+- Swift test fixtures build artifacts are now ignored (:tada: @CvX <https://github.com/github/licensed/pull/524>)
+- Running cargo test fixture setup no longer deletes test files (:tada: @CvX <https://github.com/github/licensed/pull/525>)
+- Bundler test fixtures are compatible with latest macOS silicon(:tada: @CvX <https://github.com/github/licensed/pull/528>)
+- Fix segfaults seen using licensed with ruby 3.0.4 (<https://github.com/github/licensed/pull/530>)
+- Fix compatibility with latest versions of bundler 2.3 (<https://github.com/github/licensed/pull/535>)
+- Fix compatibility with latest versions of bundler 2.3 (:tada: @CvX <https://github.com/github/licensed/pull/522>)
 ## 3.7.2
 ### Fixed
-- Comparing dependency license contents now finds matching contents regardless of the order of the licenses (https://github.com/github/licensed/pull/516)
-- Fixed typo in a link in README.md (https://github.com/github/licensed/pull/514)
+- Comparing dependency license contents now finds matching contents regardless of the order of the licenses (<https://github.com/github/licensed/pull/516>)
+- Fixed typo in a link in README.md (<https://github.com/github/licensed/pull/514>)
 ### Changed
-- Elixir testing setup is migrated to erlef/setup-beam (https://github.com/github/licensed/pull/512)
+- Elixir testing setup is migrated to erlef/setup-beam (<https://github.com/github/licensed/pull/512>)
 ## 3.7.1
 ### Fixed
-- Dependencies' legal notice file matching has been made more strict to reduce false positives on code files containing the word `legal` (https://github.com/github/licensed/pull/510)
+- Dependencies' legal notice file matching has been made more strict to reduce false positives on code files containing the word `legal` (<https://github.com/github/licensed/pull/510>)
 ## 3.7.0
 ### Changed
-- Pip and pipenv sources will find dependency licenses under `dist-info/license_files` when available (https://github.com/github/licensed/pull/504)
+- Pip and pipenv sources will find dependency licenses under `dist-info/license_files` when available (<https://github.com/github/licensed/pull/504>)
 ## 3.6.0
@@ -173,17 +185,17 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 ### Added
-- Composer dev dependencies can optionally be included in enumerated PHP dependencies (:tada: @digilist https://github.com/github/licensed/pull/486)
-- Getting started usage documentation (https://github.com/github/licensed/pull/483)
-- Initial support for NPM workspaces (https://github.com/github/licensed/pull/485)
+- Composer dev dependencies can optionally be included in enumerated PHP dependencies (:tada: @digilist <https://github.com/github/licensed/pull/486>)
+- Getting started usage documentation (<https://github.com/github/licensed/pull/483>)
+- Initial support for NPM workspaces (<https://github.com/github/licensed/pull/485>)
 ### Changed
-- Transitive dependencies are now enumerated by the `pip` source (https://github.com/github/licensed/pull/480)
+- Transitive dependencies are now enumerated by the `pip` source (<https://github.com/github/licensed/pull/480>)
 ### Fixed
-- `licensed cache --force` will now correctly overwrite existing license classifications (https://github.com/github/licensed/pull/473)
+- `licensed cache --force` will now correctly overwrite existing license classifications (<https://github.com/github/licensed/pull/473>)
 ## 3.5.0
@@ -191,7 +203,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 ### Added
-- [Licensee](https://github.com/licensee/licensee) confidence thresholds can be configured in the licensed configuration file (https://github.com/github/licensed/pull/455)
+- [Licensee](https://github.com/licensee/licensee) confidence thresholds can be configured in the licensed configuration file (<https://github.com/github/licensed/pull/455>)
 ## 3.4.4
@@ -199,7 +211,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 ### Fixed
-- The npm and pip sources have better protection from strings causing crashes in `Hash#dig` (https://github.com/github/licensed/pull/450)
+- The npm and pip sources have better protection from strings causing crashes in `Hash#dig` (<https://github.com/github/licensed/pull/450>)
 ## 3.4.3
@@ -207,7 +219,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 ### Added
-- The npm source handles more cases of missing, optional, peer dependencies (https://github.com/github/licensed/pull/443)
+- The npm source handles more cases of missing, optional, peer dependencies (<https://github.com/github/licensed/pull/443>)
 ## 3.4.2
@@ -215,7 +227,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 ### Fixed
-- The yarn source will no longer evaluate package.json files that do not represent project dependencies (https://github.com/github/licensed/pull/439)
+- The yarn source will no longer evaluate package.json files that do not represent project dependencies (<https://github.com/github/licensed/pull/439>)
 ## 3.4.1
@@ -223,7 +235,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 ### Fixed
-- Malformed package.json files will no longer crash yarn dependency detection (https://github.com/github/licensed/pull/431)
+- Malformed package.json files will no longer crash yarn dependency detection (<https://github.com/github/licensed/pull/431>)
 ## 3.4.0
@@ -231,17 +243,17 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 ### Added
-- New Yarn enumerator with support for berry versions (https://github.com/github/licensed/pull/423)
+- New Yarn enumerator with support for berry versions (<https://github.com/github/licensed/pull/423>)
 ### Fixed
-- Error handling cases return correct values in the Yarn enumerator (https://github.com/github/licensed/pull/425)
-- Fixed link in command documentation (:tada: @chibicco https://github.com/github/licensed/pull/416)
-- Fixed minor backwards compatibility issue for Ruby 2.3 support (:tada: @dzunk https://github.com/github/licensed/pull/414)
+- Error handling cases return correct values in the Yarn enumerator (<https://github.com/github/licensed/pull/425>)
+- Fixed link in command documentation (:tada: @chibicco <https://github.com/github/licensed/pull/416>)
+- Fixed minor backwards compatibility issue for Ruby 2.3 support (:tada: @dzunk <https://github.com/github/licensed/pull/414>)
 ### Changed
-- Licensed's own dependencies are cached in the repository and kept up to date with GitHub Actions (https://github.com/github/licensed/pull/421)
+- Licensed's own dependencies are cached in the repository and kept up to date with GitHub Actions (<https://github.com/github/licensed/pull/421>)
 ## 3.3.1
@@ -249,11 +261,11 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 ### Fixed
-- Fix evaluation of peer dependencies with npm 7 (:tada: @manuelpuyol https://github.com/github/licensed/pull/411)
+- Fix evaluation of peer dependencies with npm 7 (:tada: @manuelpuyol <https://github.com/github/licensed/pull/411>)
 ### Changed
-- Manifest source evaluation performance improvements (https://github.com/github/licensed/pull/407)
+- Manifest source evaluation performance improvements (<https://github.com/github/licensed/pull/407>)
 ## 3.3.0
@@ -261,11 +273,11 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 ### Added
-- New cargo source enumerates rust dependencies (https://github.com/github/licensed/pull/404)
+- New cargo source enumerates rust dependencies (<https://github.com/github/licensed/pull/404>)
 ### Changed
-- Removed non-functional files from gem builds (https://github.com/github/licensed/pull/405)
+- Removed non-functional files from gem builds (<https://github.com/github/licensed/pull/405>)
 ## 3.2.3
@@ -273,8 +285,8 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 ### Fixed
-- Bundler source will no longer infinitely recurse when enumerating specifications (https://github.com/github/licensed/pull/402)
-- Using the `--sources` command line option will no longer delete skipped sources' cached files (https://github.com/github/licensed/pull/401)
+- Bundler source will no longer infinitely recurse when enumerating specifications (<https://github.com/github/licensed/pull/402>)
+- Using the `--sources` command line option will no longer delete skipped sources' cached files (<https://github.com/github/licensed/pull/401>)
 ## 3.2.2
@@ -282,7 +294,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 ### Fixed
-- Bundler source works properly again when used outside of `bundle exec` (https://github.com/github/licensed/pull/397)
+- Bundler source works properly again when used outside of `bundle exec` (<https://github.com/github/licensed/pull/397>)
 ## 3.2.1
@@ -290,13 +302,13 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 ### Changed
-- Updated multiple dependency versions (:tada: @mmorel-35 https://github.com/github/licensed/pull/385, https://github.com/github/licensed/pull/389)
-- Go homepage links use pkg.go.dev instead of godoc.org (:tada: @mmorel-35 https://github.com/github/licensed/commit/73cfbbe954a3e8c8cbaf8b68253053b157e01b79)
-- Local development ruby version changed to 2.7.4 (https://github.com/github/licensed/pull/393)
+- Updated multiple dependency versions (:tada: @mmorel-35 <https://github.com/github/licensed/pull/385>, <https://github.com/github/licensed/pull/389>)
+- Go homepage links use pkg.go.dev instead of godoc.org (:tada: @mmorel-35 <https://github.com/github/licensed/commit/73cfbbe954a3e8c8cbaf8b68253053b157e01b79>)
+- Local development ruby version changed to 2.7.4 (<https://github.com/github/licensed/pull/393>)
 ### Fixed
-- Bundler source correctly finds platform specific dependencies (https://github.com/github/licensed/pull/392)
+- Bundler source correctly finds platform specific dependencies (<https://github.com/github/licensed/pull/392>)
 ## 3.2.0
@@ -304,18 +316,18 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 ### Added
-- Application names can be dynamically generated based on the path to the application source  (https://github.com/github/licensed/pull/375)
+- Application names can be dynamically generated based on the path to the application source  (<https://github.com/github/licensed/pull/375>)
 ### Changed
-- Updated command documentation (https://github.com/github/licensed/pull/378, https://github.com/github/licensed/pull/380/files)
-- Updated configuration documentation (https://github.com/github/licensed/pull/375)
-- Cache and status commands give additional diagnostic output when using JSON and YAML formatters (https://github.com/github/licensed/pull/378)
-- Status command will give users a link to documentation when compliance checks fail (https://github.com/github/licensed/pull/381)
+- Updated command documentation (<https://github.com/github/licensed/pull/378>, <https://github.com/github/licensed/pull/380/files>)
+- Updated configuration documentation (<https://github.com/github/licensed/pull/375>)
+- Cache and status commands give additional diagnostic output when using JSON and YAML formatters (<https://github.com/github/licensed/pull/378>)
+- Status command will give users a link to documentation when compliance checks fail (<https://github.com/github/licensed/pull/381>)
 ### Fixed
-- The bundler source correctly checks that the path bundler specifies a gem is loaded from is a file (https://github.com/github/licensed/pull/379)
+- The bundler source correctly checks that the path bundler specifies a gem is loaded from is a file (<https://github.com/github/licensed/pull/379>)
 ## 3.1.0
@@ -323,17 +335,18 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 ### Added
-- Licensed supports Swift/Swift package manager as a dependency source (:tada: @mattt https://github.com/github/licensed/pull/363)'
+- Licensed supports Swift/Swift package manager as a dependency source (:tada: @mattt <https://github.com/github/licensed/pull/363>)'
 ### Changed
-- The `source_path` configuration property accepts arrays of inclusion and exclusion glob patterns (https://github.com/github/licensed/pull/368)
-- The Nuget source now uses configured fallback folders to find dependencies that are not in found in the project folder (https://github.com/github/licensed/pull/366)
-- The Nuget source supports a configurable property for the path from the project source path to the project's `obj` folder (https://github.com/github/licensed/pull/365)
+- The `source_path` configuration property accepts arrays of inclusion and exclusion glob patterns (<https://github.com/github/licensed/pull/368>)
+- The Nuget source now uses configured fallback folders to find dependencies that are not in found in the project folder (<https://github.com/github/licensed/pull/366>)
+- The Nuget source supports a configurable property for the path from the project source path to the project's `obj` folder (<https://github.com/github/licensed/pull/365>)
 ### Fixed
-- The Go source's checks for local packages will correctly find paths in case-insensitive file systems (https://github.com/github/licensed/pull/370)
-- The Bundler source will no longer unnecessarily reset the local Bundler environment configuration (https://github.com/github/licensed/pull/372)
+- The Go source's checks for local packages will correctly find paths in case-insensitive file systems (<https://github.com/github/licensed/pull/370>)
+- The Bundler source will no longer unnecessarily reset the local Bundler environment configuration (<https://github.com/github/licensed/pull/372>)
 ## 3.0.1
@@ -341,7 +354,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 ### Fixed
-- The bundler source will correctly enumerate dependencies pulled with a `git:` directive (https://github.com/github/licensed/pull/360)
+- The bundler source will correctly enumerate dependencies pulled with a `git:` directive (<https://github.com/github/licensed/pull/360>)
 ## 3.0.0
@@ -359,7 +372,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 ### Fixed
-- The pip source works with package names containing periods (:tada: @bcskda https://github.com/github/licensed/pull/350)
+- The pip source works with package names containing periods (:tada: @bcskda <https://github.com/github/licensed/pull/350>)
 ## 2.15.1
@@ -367,161 +380,209 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 ### Changed
-- The npm source will ignore dependencies that are marked as both extraneous and missing (https://github.com/github/licensed/pull/347)
+- The npm source will ignore dependencies that are marked as both extraneous and missing (<https://github.com/github/licensed/pull/347>)
 ## 2.15.0
 2021-03-24
 ### Added
-- Support for npm 7 (https://github.com/github/licensed/pull/341)
+- Support for npm 7 (<https://github.com/github/licensed/pull/341>)
 ### Fixed
-- Files in the manifest source will be found correctly for apps that are not at the repository root (https://github.com/github/licensed/pull/345)
+- Files in the manifest source will be found correctly for apps that are not at the repository root (<https://github.com/github/licensed/pull/345>)
 ## 2.14.4
 2021-02-09
 ### Added
-- `list` and `cache` commands optionally print output in JSON or YML formats using the `--format/-f` flag (https://github.com/github/licensed/pull/334)
-- `list` command will include detected license keys using the `--licenses/-l` flag (https://github.com/github/licensed/pull/334)
+- `list` and `cache` commands optionally print output in JSON or YML formats using the `--format/-f` flag (<https://github.com/github/licensed/pull/334>)
+- `list` command will include detected license keys using the `--licenses/-l` flag (<https://github.com/github/licensed/pull/334>)
 ## 2.14.3
 2020-12-11
 ### Fixed
-- Auto-generating license text for a known license will no longer raise an error if the found license has no text (:tada: @Eun https://github.com/github/licensed/pull/328)
+- Auto-generating license text for a known license will no longer raise an error if the found license has no text (:tada: @Eun <https://github.com/github/licensed/pull/328>)
 ## 2.14.2
 2020-11-20
 ### Fixed
-- Yarn source correctly finds dependency paths on disk (https://github.com/github/licensed/pull/326)
-- Go source better handles finding dependencies that have been vendored (https://github.com/github/licensed/pull/323)
+- Yarn source correctly finds dependency paths on disk (<https://github.com/github/licensed/pull/326>)
+- Go source better handles finding dependencies that have been vendored (<https://github.com/github/licensed/pull/323>)
 ## 2.14.1
 2020-10-09
 ### Fixed
-- Shell command output is encoded to UTF8 (https://github.com/github/licensed/pull/319)
+- Shell command output is encoded to UTF8 (<https://github.com/github/licensed/pull/319>)
 ## 2.14.0
 2020-10-04
 ### Added
-- `reviewed` dependencies can use glob pattern matching (https://github.com/github/licensed/pull/313)
+- `reviewed` dependencies can use glob pattern matching (<https://github.com/github/licensed/pull/313>)
 ### Fixed
-- Fix configuring source path globs that expand into a single directory (https://github.com/github/licensed/pull/312)
+- Fix configuring source path globs that expand into a single directory (<https://github.com/github/licensed/pull/312>)
 ## 2.13.0
 2020-09-23
 ### Added
-- `status` command results can be output in YAML and JSON formats (:tada: @julianvilas https://github.com/github/licensed/pull/303)
+- `status` command results can be output in YAML and JSON formats (:tada: @julianvilas <https://github.com/github/licensed/pull/303>)
 ### Fixed
-- `licensed` no longer crashes when parsing invalid YAML from cached records (https://github.com/github/licensed/pull/306)
-- NPM source will no longer crash when invalid JSON is returned from npm CLI calls (https://github.com/github/licensed/pull/300)
-- Bundler source is fixed to work properly with `gems.rb` lockfiles (https://github.com/github/licensed/pull/299)
+- `licensed` no longer crashes when parsing invalid YAML from cached records (<https://github.com/github/licensed/pull/306>)
+- NPM source will no longer crash when invalid JSON is returned from npm CLI calls (<https://github.com/github/licensed/pull/300>)
+- Bundler source is fixed to work properly with `gems.rb` lockfiles (<https://github.com/github/licensed/pull/299>)
 ## 2.12.2
 2020-07-07
 ### Changed
-- Cleaned up ruby 2.7 warnings (:tada: @jurre https://github.com/github/licensed/pull/292)
-- Cleaned up additional warnings in tests (https://github.com/github/licensed/pull/293)
+- Cleaned up ruby 2.7 warnings (:tada: @jurre <https://github.com/github/licensed/pull/292>)
+- Cleaned up additional warnings in tests (<https://github.com/github/licensed/pull/293>)
 ## 2.12.1
 2020-06-30
 ### Fixed
-- `licensed` no longer exits an error code when using the `--sources` CLI argument (https://github.com/github/licensed/pull/290)
+- `licensed` no longer exits an error code when using the `--sources` CLI argument (<https://github.com/github/licensed/pull/290>)
 ## 2.12.0
 2020-06-19
 ### Added
-- `--sources` argument for cache, list, status and notices commands to filter running sources (https://github.com/github/licensed/pull/287)
+- `--sources` argument for cache, list, status and notices commands to filter running sources (<https://github.com/github/licensed/pull/287>)
 ### Fixed
-- `cache` command will not remove files outside of enabled source cache paths (https://github.com/github/licensed/pull/287)
+- `cache` command will not remove files outside of enabled source cache paths (<https://github.com/github/licensed/pull/287>)
 ## 2.11.1
 2020-06-09
 ### Fixed
-- `notices` command properly reads cached dependency notices contents (https://github.com/github/licensed/pull/283)
+- `notices` command properly reads cached dependency notices contents (<https://github.com/github/licensed/pull/283>)
 ## 2.11.0
 2020-06-02
 ### Added
-- `notices` command to create a `NOTICE` file for each configured app (https://github.com/github/licensed/pull/277)
+- `notices` command to create a `NOTICE` file for each configured app (<https://github.com/github/licensed/pull/277>)
 ### Fixed
-- NuGet source no longer crashes on a non-existent dependency path (https://github.com/github/licensed/pull/280)
-- Go source no longer crashes on a non-existent dependency package path (https://github.com/github/licensed/pull/274)
+- NuGet source no longer crashes on a non-existent dependency path (<https://github.com/github/licensed/pull/280>)
+- Go source no longer crashes on a non-existent dependency package path (<https://github.com/github/licensed/pull/274>)
 ## 2.10.0
 2020-05-15
 ### Changed
-- NPM source ignores missing peer dependencies (https://github.com/github/licensed/pull/267)
+- NPM source ignores missing peer dependencies (<https://github.com/github/licensed/pull/267>)
 ### Added
-- NuGet source (:tada: @zarenner https://github.com/github/licensed/pull/261)
-- Multiple apps can share a single cache location (https://github.com/github/licensed/pull/263)
+- NuGet source (:tada: @zarenner <https://github.com/github/licensed/pull/261>)
+- Multiple apps can share a single cache location (<https://github.com/github/licensed/pull/263>)
 ## 2.9.2
 2020-04-28
 ### Changed
-- `licensee` minimum version bumped to 9.13.2 (https://github.com/github/licensed/pull/256)
+- `licensee` minimum version bumped to 9.13.2 (<https://github.com/github/licensed/pull/256>)
 ## 2.9.1
 2020-03-24
 ### Changed
-- relaxed gem version restrictions on Thor (:tada: @eileencodes https://github.com/github/licensed/pull/254)
+- relaxed gem version restrictions on Thor (:tada: @eileencodes <https://github.com/github/licensed/pull/254>)
 ## 2.9.0
 2020-03-19
 ### Added
-- Source paths use glob pattern matching (https://github.com/github/licensed/pull/245)
+- Source paths use glob pattern matching (<https://github.com/github/licensed/pull/245>)
 ### Fixed
-- Mix source supports updates to mix.lock format (:tada: @bruce https://github.com/github/licensed/pull/242)
-- Go source supports `go list` format changes in go 1.14 (https://github.com/github/licensed/pull/247)
+- Mix source supports updates to mix.lock format (:tada: @bruce <https://github.com/github/licensed/pull/242>)
+- Go source supports `go list` format changes in go 1.14 (<https://github.com/github/licensed/pull/247>)
 ### Changed
-- `licensed cache` will flag dependencies for re-review when license text changes (https://github.com/github/licensed/pull/248)
-- `licensed status` will raise errors on dependencies that need re-review (https://github.com/github/licensed/pull/248)
-- `licensee` minimum version bumped to 9.13.1 (https://github.com/github/licensed/pull/251)
+- `licensed cache` will flag dependencies for re-review when license text changes (<https://github.com/github/licensed/pull/248>)
+- `licensed status` will raise errors on dependencies that need re-review (<https://github.com/github/licensed/pull/248>)
+- `licensee` minimum version bumped to 9.13.1 (<https://github.com/github/licensed/pull/251>)
 ## 2.8.0
 2020-01-03
 ### Added
-- Yarn source (https://github.com/github/licensed/pull/232, https://github.com/github/licensed/pull/233, https://github.com/github/licensed/pull/236)
-- NPM source has a new option to include non-production dependencies (https://github.com/github/licensed/pull/231)
+- Yarn source (<https://github.com/github/licensed/pull/232>, <https://github.com/github/licensed/pull/233>, <https://github.com/github/licensed/pull/236>)
+- NPM source has a new option to include non-production dependencies (<https://github.com/github/licensed/pull/231>)
 ### Fixed
-- Cabal source will no longer crash if packages aren't found (https://github.com/github/licensed/pull/230)
+- Cabal source will no longer crash if packages aren't found (<https://github.com/github/licensed/pull/230>)
 ## 2.7.0
 2019-11-10
 ### Added
-- License text is automatically generated for known licenses when not otherwise available (https://github.com/github/licensed/pull/223)
+- License text is automatically generated for known licenses when not otherwise available (<https://github.com/github/licensed/pull/223>)
 ### Changed
-- Ignoring dependencies uses glob pattern matching (https://github.com/github/licensed/pull/225)
+- Ignoring dependencies uses glob pattern matching (<https://github.com/github/licensed/pull/225>)
 ## 2.6.2
 2019-11-03
 ### Changed
 - A number of improvements to the go dependency enumerator
   - use `go env GOPATH` as a default if no other GOPATH is found
   - better compatibility with go modules when finding license content
@@ -530,94 +591,121 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
   - better checks for standard packages, reducing the amount of cached content
 ## 2.6.1
 2019-10-26
 ### Changed
-- Performance improvements during dependency enumeration (:tada: @krzysztof-pawlik-gat https://github.com/github/licensed/pull/204, https://github.com/github/licensed/pull/207) (https://github.com/github/licensed/pull/210)
+- Performance improvements during dependency enumeration (:tada: @krzysztof-pawlik-gat <https://github.com/github/licensed/pull/204>, <https://github.com/github/licensed/pull/207>) (<https://github.com/github/licensed/pull/210>)
 ## 2.6.0
 2019-10-22
 ### Added
-- Mix source for Elixir (:tada: @bruce https://github.com/github/licensed/pull/195)
+- Mix source for Elixir (:tada: @bruce <https://github.com/github/licensed/pull/195>)
 ## 2.5.0
 2019-09-26
 ### Added
-- `env` command to output application environment configuration (https://github.com/github/licensed/pull/187, https://github.com/github/licensed/pull/191)
+- `env` command to output application environment configuration (<https://github.com/github/licensed/pull/187>, <https://github.com/github/licensed/pull/191>)
 ### Changed
-- `status` command will pass if multiple allowed licenses are found (https://github.com/github/licensed/pull/188)
+- `status` command will pass if multiple allowed licenses are found (<https://github.com/github/licensed/pull/188>)
 ## 2.4.0
 2019-09-15
 ### Added
-- Composer source for PHP (https://github.com/github/licensed/pull/182)
+- Composer source for PHP (<https://github.com/github/licensed/pull/182>)
 ## 2.3.2
 2019-08-26
 ### Fixed
 - Bundler with/without array settings are properly handled for bundler 1.15.x
 ## 2.3.1
 2019-08-20
 ### Changed
-- Using the npm source with yarn, "missing" dependencies are no longer considered errors (:tada: @krzysztof-pawlik-gat https://github.com/github/licensed/pull/170)
-- The bundler source now calls `gem specification` with dependency version requirements (https://github.com/github/licensed/pull/173)
+- Using the npm source with yarn, "missing" dependencies are no longer considered errors (:tada: @krzysztof-pawlik-gat <https://github.com/github/licensed/pull/170>)
+- The bundler source now calls `gem specification` with dependency version requirements (<https://github.com/github/licensed/pull/173>)
 ## 2.3.0
 2019-05-19
 ### Added
-- New Pipenv dependency source enumerator (:tada: @krzysztof-pawlik-gat https://github.com/github/licensed/pull/167)
+- New Pipenv dependency source enumerator (:tada: @krzysztof-pawlik-gat <https://github.com/github/licensed/pull/167>)
 ## 2.2.0
 2019-05-11
 ### Added
-- Content hash versioning strategy for go and manifest sources (https://github.com/github/licensed/pull/164)
+- Content hash versioning strategy for go and manifest sources (<https://github.com/github/licensed/pull/164>)
 ### Fixed
-- Python source handles urls and package names with "-" in requirements.txt (:tada: @krzysztof-pawlik-gat https://github.com/github/licensed/pull/165)
+- Python source handles urls and package names with "-" in requirements.txt (:tada: @krzysztof-pawlik-gat <https://github.com/github/licensed/pull/165>)
 ## 2.1.0
 2019-04-16
 ### Added
-- New Gradle dependency source enumerator (:tada: @dbussink https://github.com/github/licensed/pull/150, @jandersson-svt https://github.com/github/licensed/pull/159)
-- Metadata added to distributed packages (https://github.com/github/licensed/pull/160)
+- New Gradle dependency source enumerator (:tada: @dbussink <https://github.com/github/licensed/pull/150>, @jandersson-svt <https://github.com/github/licensed/pull/159>)
+- Metadata added to distributed packages (<https://github.com/github/licensed/pull/160>)
 ### Changes
-- Bundler dependency source loads license key from a gem's cached gemspec file as a fallback (https://github.com/github/licensed/pull/154)
-- Licensed will only raise errors on an empty dependency path when caching records (https://github.com/github/licensed/pull/149)
+- Bundler dependency source loads license key from a gem's cached gemspec file as a fallback (<https://github.com/github/licensed/pull/154>)
+- Licensed will only raise errors on an empty dependency path when caching records (<https://github.com/github/licensed/pull/149>)
 ### Fixed
-- Migrating to v2 will no longer crash trying to migrate cached records that don't exist (https://github.com/github/licensed/pull/148)
-- Reported warnings will no longer crash licensed when caching records (https://github.com/github/licensed/pull/147)
+- Migrating to v2 will no longer crash trying to migrate cached records that don't exist (<https://github.com/github/licensed/pull/148>)
+- Reported warnings will no longer crash licensed when caching records (<https://github.com/github/licensed/pull/147>)
 ## 2.0.1
 2019-02-14
 ### Changes
 - Dependency paths that don't exist on the local disk are reported as warnings
 - Cache, status and list output is sorted by app name, source type and dependency name
 - Bumped `licensee` gem requirement
 ## 2.0.0
 2019-02-09
 **This is a major release and includes breaking changes to the configuration and cached record file formats**
 ### Added
 - New `migrate` command to automatically update configuration and cached record file formats
 - New extensible reporting infrastructure
 - New base command and source classes to abstract away implementation details
 ### Changes
 - Cached dependency metadata files are now stored entirely as YAML, with `.dep.yml` extension
 - The Bundler dependency source is now identified in configuration files and output as `bundler` instead of `rubygem`
 - Refactored sources for better consistency between classes
@@ -626,134 +714,171 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 - Updated Dependency classes for better integration with `licensee`
 ### Fixed
 - Licensed no longer exits on errors when evaluating dependency sources or finding dependencies
 - The Bundler dependency source correctly finds the `bundler` gem as a dependency in more cases
 ## 1.5.2
 2018-12-27
 ### Changes
-- Go source added support for Go modules and Golang 1.11+ (https://github.com/github/licensed/pull/113)
+- Go source added support for Go modules and Golang 1.11+ (<https://github.com/github/licensed/pull/113>)
 ### Fixed
-- Licensed will have a non-zero exit code when commands fail (:tada: @parkr https://github.com/github/licensed/pull/111)
+- Licensed will have a non-zero exit code when commands fail (:tada: @parkr <https://github.com/github/licensed/pull/111>)
 ## 1.5.1
 2018-10-30
 ### Fixed
-- Fixed a scenario where licensed wasn't finding bundler dependencies when run as an executable due to a ruby version mismatch (https://github.com/github/licensed/pull/106)
+- Fixed a scenario where licensed wasn't finding bundler dependencies when run as an executable due to a ruby version mismatch (<https://github.com/github/licensed/pull/106>)
 ## 1.5.0
 2018-10-24
 ### Added
-- `licensed (version | -v | --version)` command to see the current licensed version (:tada: @mwagz! https://github.com/github/licensed/pull/101)
+- `licensed (version | -v | --version)` command to see the current licensed version (:tada: @mwagz! <https://github.com/github/licensed/pull/101>)
 ### Fixed
-- NPM source no longer raises an error when ignored dependencies aren't found (:tada: @mwagz! https://github.com/github/licensed/pull/100)
-- Checking for a Git repo will no longer possibly modify `.git/index` (:tada: @dbussink https://github.com/github/licensed/pull/102)
-- Fixed a scenario where licensed wasn't finding bundler dependencies when run as an executable (https://github.com/github/licensed/pull/103)
+- NPM source no longer raises an error when ignored dependencies aren't found (:tada: @mwagz! <https://github.com/github/licensed/pull/100>)
+- Checking for a Git repo will no longer possibly modify `.git/index` (:tada: @dbussink <https://github.com/github/licensed/pull/102>)
+- Fixed a scenario where licensed wasn't finding bundler dependencies when run as an executable (<https://github.com/github/licensed/pull/103>)
 ## 1.4.0
 2018-10-20
 ### Added
 - Git Submodules dependency source :tada:
 - Configuration option to explicitly set a root absolute path
 ### Changes
 - `COPYING` file is no longer matched as a legal file
 ### Fixed
 - NPM source will enumerate multiple versions of the same dependency
 - Running Licensed outside of a Git repository no longer raises an error
 - Packaging scripts will correctly return to the previous branch when the script is finished
 ## 1.3.4
 2018-09-20
 ### Changes
 - Bundler source will avoid looking for a gemspec file when possible
 ## 1.3.3
 2018-09-07
 ### Fixed
 - Manifest source configuration globs correctly enumerates files from within submodules
 - The manifest source no longer errors when getting version information from submodules
 ## 1.3.2
 2018-08-15
 ### Fixed
 - Fixed issue when multiple versions of a cabal package are found
 ## 1.3.1
 2018-08-01
 ### Fixed
 - Fixed regression finding ruby gems by path
 ## 1.3.0
 2018-07-25
 ### Added
 - Manifests for the manifest dependency source can be specified using glob patterns in the configuration
 - Paths to licenses for dependencies from the manifest dependency source can be specified in the configuration
 - Manifest dependency source looks for license content in C-style comments if a license file isn't found
 ## Changes
 - GitHub is no longer queried to find remote license information
 - Removed custom logic around determining whether to use the license key from `licensee`
 - NPM dependency enumeration doesn't use `npm list`
 - Licensed now tracks content from multiple license files when available
 ### Fixed
 - Fixed regression finding platform-specific ruby gems
 ## 1.2.0
 2018-06-22
 ### Added
 - Building and packaging distributable exes for licensed releases
 - Can now configure which Gemfile groups are excluded from dependency enumeration
 ### Fixed
 - Bundler is no longer always reported as a dependency
 - Set the minimum required ruby version for licensed
 ## 1.1.0
 2018-06-04
 ### Added
 - Pip dependency source :tada:
 - Go Dep dependency source :tada:
 ### Changed
 - Changed how `sources` configuration property affects which sources are enabled
 - Raise informative error messages when shell commands fail
 ### Fixed
 - Don't reuse cached license when cached version metadata is missing
 - Disable dependency sources when dependent tools are not available
 - Vendored packages from the go std library are properly excluded
 - Cabal dependency enumeration properly includes executable targets
 ## 1.0.1
 2018-04-26
 ### Added
 - GOPATH settable in configuration file
 ### Changed
 - Reuse "license" metadata property when license text has not changed
 ### Fixed
 - Path expansion for cabal "ghc_package_db" configuration setting occurs from repository root
 - Local Gemfile(.lock) files correctly used in enumerating Bundler source dependencies
 ## 1.0.0
 2018-02-20
 Initial release :tada:

data/Gemfile.lock CHANGED Viewed

@@ -1,12 +1,13 @@
 PATH
   remote: .
   specs:
-    licensed (5.0.0)
+    licensed (5.0.2)
+      csv (~> 3.3)
       json (~> 2.6)
       licensee (~> 9.16)
       parallel (~> 1.22)
       pathname-common_prefix (~> 0.0.1)
-      reverse_markdown (~> 2.1)
+      reverse_markdown (>= 2.1, < 4.0)
       ruby-xxHash (~> 0.4.0)
       thor (~> 1.2)
       tomlrb (~> 2.0)
@@ -24,56 +25,61 @@ GEM
       minitest (>= 5.1)
       mutex_m
       tzinfo (~> 2.0)
-    addressable (2.8.1)
-      public_suffix (>= 2.0.2, < 6.0)
+    addressable (2.8.7)
+      public_suffix (>= 2.0.2, < 7.0)
     ast (2.4.2)
     base64 (0.2.0)
     bigdecimal (3.1.7)
     byebug (11.1.3)
     concurrent-ruby (1.2.3)
     connection_pool (2.4.1)
-    dotenv (2.8.1)
+    csv (3.3.2)
+    dotenv (3.1.4)
     drb (2.2.1)
-    faraday (2.7.4)
-      faraday-net_http (>= 2.0, < 3.1)
-      ruby2_keywords (>= 0.0.4)
-    faraday-net_http (3.0.2)
+    faraday (2.12.1)
+      faraday-net_http (>= 2.0, < 3.5)
+      json
+      logger
+    faraday-net_http (3.4.0)
+      net-http (>= 0.5.0)
     i18n (1.14.4)
       concurrent-ruby (~> 1.0)
-    json (2.7.2)
-    licensee (9.16.0)
-      dotenv (~> 2.0)
-      octokit (>= 4.20, < 7.0)
-      reverse_markdown (>= 1, < 3)
+    json (2.9.1)
+    licensee (9.18.0)
+      dotenv (>= 2, < 4)
+      octokit (>= 4.20, < 10.0)
+      reverse_markdown (>= 1, < 4)
       rugged (>= 0.24, < 2.0)
       thor (>= 0.19, < 2.0)
-    mini_portile2 (2.8.1)
-    minitest (5.25.1)
+    logger (1.6.1)
+    mini_portile2 (2.8.8)
+    minitest (5.25.4)
     minitest-hooks (1.5.2)
       minitest (> 5.3)
-    mocha (2.4.5)
+    mocha (2.7.1)
       ruby2_keywords (>= 0.0.5)
     mutex_m (0.2.0)
-    nokogiri (1.16.5)
-      mini_portile2 (~> 2.8.0)
+    net-http (0.5.0)
+      uri
+    nokogiri (1.16.7)
+      mini_portile2 (~> 2.8.2)
       racc (~> 1.4)
-    octokit (6.1.0)
+    octokit (9.2.0)
       faraday (>= 1, < 3)
       sawyer (~> 0.9)
     parallel (1.26.3)
     parser (3.2.0.0)
       ast (~> 2.4.1)
     pathname-common_prefix (0.0.2)
-    public_suffix (5.0.1)
-    racc (1.6.2)
+    public_suffix (6.0.1)
+    racc (1.8.1)
     rack (3.0.9.1)
     rainbow (3.1.1)
     rake (13.2.1)
     regexp_parser (2.6.2)
-    reverse_markdown (2.1.1)
+    reverse_markdown (3.0.0)
       nokogiri
-    rexml (3.3.6)
-      strscan
+    rexml (3.3.9)
     rubocop (1.45.1)
       json (~> 2.3)
       parallel (~> 1.10)
@@ -100,16 +106,16 @@ GEM
     ruby-progressbar (1.11.0)
     ruby-xxHash (0.4.0.2)
     ruby2_keywords (0.0.5)
-    rugged (1.5.1)
+    rugged (1.7.2)
     sawyer (0.9.2)
       addressable (>= 2.3.5)
       faraday (>= 0.17.3, < 3)
-    strscan (3.1.0)
     thor (1.3.2)
     tomlrb (2.0.3)
     tzinfo (2.0.6)
       concurrent-ruby (~> 1.0)
     unicode-display_width (2.4.2)
+    uri (1.0.2)
 PLATFORMS
   ruby

data/docs/migrations/v3.md CHANGED Viewed

@@ -16,7 +16,7 @@ Using licensed to enumerate bundler dependencies in a GitHub Actions workflow wi
 If you are using licensed in a GitHub Actions workflow, [github/setup-licensed](https://github.com/github/setup-licensed) has been updated according to this breaking change.  `setup-licensed` will install the licensed gem when ruby is available, or the licensed executable when ruby is not available.  Alternatively, you can `gem install` licensed directly as an actions step.
-This is an example workflow definition that runs [github/licensed-ci](https://github.com/github/licensed-ci)'s opinionated license compliance workflow in CI.  It includes jobs that demonstrate installing licensed using
+This is an example workflow definition that runs [github/licensed-ci](https://github.com/github/licensed-ci)'s opinionated license compliance workflow in CI.  It includes jobs that demonstrate installing licensed using
 - `gem install`
 - [github/setup-licensed](https://github.com/github/setup-licensed)
 - installing when included in a bundler gem file
@@ -43,9 +43,9 @@ jobs:
     steps:
       # checkout the repo
       - uses: actions/checkout@v1
       # install ruby
-      - uses: ruby/setup-ruby@v1
+      - uses: ruby/setup-ruby@a2bbe5b1b236842c1cb7dd11e8e3b51e0a616acc
         with:
           ruby-version: "3.0"
@@ -60,8 +60,8 @@ jobs:
       # run licensed-ci to cache any metadata changes and verify compliance
       - uses: github/licensed-ci@v1
-  # OR
+  # OR
   # install licensed using gem install
   licensed-ci-gem:
     runs-on: ubuntu-latest
@@ -69,9 +69,9 @@ jobs:
     steps:
       # checkout the repo
       - uses: actions/checkout@v1
       # install ruby and bundler
-      - uses: ruby/setup-ruby@v1
+      - uses: ruby/setup-ruby@a2bbe5b1b236842c1cb7dd11e8e3b51e0a616acc
         with:
           ruby-version: "3.0"
@@ -93,9 +93,9 @@ jobs:
     steps:
       # checkout the repo
       - uses: actions/checkout@v1
       # install ruby and bundler
-      - uses: ruby/setup-ruby@v1
+      - uses: ruby/setup-ruby@a2bbe5b1b236842c1cb7dd11e8e3b51e0a616acc
         with:
           ruby-version: "3.0"

data/lib/licensed/sources/npm.rb CHANGED Viewed

@@ -48,7 +48,7 @@ module Licensed
       end
       def packages
-        root_dependencies = package_metadata["dependencies"]
+        root_dependencies = package_metadata["dependencies"] || {}
         recursive_dependencies(root_dependencies).each_with_object({}) do |(name, results), hsh|
           results.uniq! { |package| package["version"] }
           if results.size == 1

data/lib/licensed/version.rb CHANGED Viewed

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 module Licensed
-  VERSION = "5.0.0".freeze
+  VERSION = "5.0.2".freeze
   def self.previous_major_versions
     major_version = Gem::Version.new(Licensed::VERSION).segments.first

data/licensed.gemspec CHANGED Viewed

@@ -23,13 +23,14 @@ Gem::Specification.new do |spec|
   spec.required_ruby_version = ">= 3.0.0"
+  spec.add_dependency "csv", "~> 3.3"
   spec.add_dependency "licensee", "~> 9.16"
   spec.add_dependency "thor", "~> 1.2"
   spec.add_dependency "pathname-common_prefix", "~> 0.0.1"
   spec.add_dependency "tomlrb", "~> 2.0"
   spec.add_dependency "ruby-xxHash", "~> 0.4.0"
   spec.add_dependency "parallel", "~> 1.22"
-  spec.add_dependency "reverse_markdown", "~> 2.1"
+  spec.add_dependency "reverse_markdown", ">= 2.1", "< 4.0"
   spec.add_dependency "json", "~> 2.6"
   spec.add_development_dependency "rake", "~> 13.0"

metadata CHANGED Viewed

@@ -1,15 +1,29 @@
 --- !ruby/object:Gem::Specification
 name: licensed
 version: !ruby/object:Gem::Version
-  version: 5.0.0
+  version: 5.0.2
 platform: ruby
 authors:
 - GitHub
-autorequire:
+autorequire:
 bindir: exe
 cert_chain: []
-date: 2024-10-04 00:00:00.000000000 Z
+date: 2025-02-06 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: csv
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.3'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.3'
 - !ruby/object:Gem::Dependency
   name: licensee
   requirement: !ruby/object:Gem::Requirement
@@ -98,16 +112,22 @@ dependencies:
   name: reverse_markdown
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '2.1'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '4.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '2.1'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '4.0'
 - !ruby/object:Gem::Dependency
   name: json
   requirement: !ruby/object:Gem::Requirement
@@ -327,7 +347,7 @@ homepage: https://github.com/github/licensed
 licenses:
 - MIT
 metadata: {}
-post_install_message:
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -343,7 +363,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubygems_version: 3.3.26
-signing_key:
+signing_key:
 specification_version: 4
 summary: Extract and validate the licenses of dependencies.
 test_files: []