Flag security alerts and pass versions through

README.md

@@ -43,6 +43,16 @@ Subsequent actions will have access to the following outputs:
   - The `package-ecosystem` configuration that was used by dependabot for this updated Dependency.
 - `steps.dependabot-metadata.outputs.target-branch`
   - The `target-branch` configuration that was used by dependabot for this updated Dependency.
+- `steps.dependabot-metadata.outputs.previous-version`
+  - The version that this PR updates the dependency from.
+- `steps.dependabot-metadata.outputs.new-version`
+  - The version that this PR updates the dependency to.
+- `steps.dependabot-metadata.outputs.alert-state`
+  - If this PR is associated with a security alert, this contains the current state of that alert (OPEN, FIXED or DISMISSED).
+- `steps.dependabot-metadata.outputs.ghsa-id`
+  - If this PR is associated with a security alert, this contains the GHSA-ID of that alert.
+- `steps.dependabot-metadata.outputs.cvss`
+  - If this PR is associated with a security alert, this contains the CVSS value of that alert (otherwise it contains 0).
 
 **Note:** These outputs will only be populated if the target Pull Request was opened by Dependabot and contains
 **only** Dependabot-created commits.

action.yml

@@ -22,6 +22,16 @@ outputs:
     description: 'The `package-ecosystem` configuration that was used by dependabot for this updated Dependency.'
   target-branch:
     description: 'The `target-branch` configuration that was used by dependabot for this updated Dependency.'
+  previous-version:
+    description: 'The version that this PR updates the dependency from.'
+  new-version:
+    description: 'The version that this PR updates the dependency to.'
+  alert-state:
+    description: 'If this PR is associated with a security alert, this contains the current state of that alert (OPEN, FIXED or DISMISSED).'
+  ghsa-id:
+    description: 'If this PR is associated with a security alert, this contains the GHSA-ID of that alert.'
+  cvss:
+    description: 'If this PR is associated with a security alert, this contains the CVSS value of that alert (otherwise it contains 0).'
 runs:
   using: 'node12'
   main: 'dist/index.js'

src/dependabot/output.test.ts

@@ -9,6 +9,20 @@ beforeEach(() => {
   jest.spyOn(core, 'startGroup').mockImplementation(jest.fn())
 })
 
+const baseDependency = {
+  dependencyName: '',
+  dependencyType: '',
+  updateType: '',
+  directory: '',
+  packageEcosystem: '',
+  targetBranch: '',
+  prevVersion: '',
+  newVersion: '',
+  alertState: '',
+  ghsaId: '',
+  cvss: 0
+}
+
 test('when given a single dependency it sets its values', async () => {
   const updatedDependencies = [
     {
@@ -17,7 +31,12 @@ test('when given a single dependency it sets its values', async () => {
       updateType: 'version-update:semver-minor',
       directory: 'wwwroot',
       packageEcosystem: 'nuget',
-      targetBranch: 'main'
+      targetBranch: 'main',
+      prevVersion: '1.0.2',
+      newVersion: '1.1.3-beta',
+      alertState: 'FIXED',
+      ghsaId: 'VERY_LONG_ID',
+      cvss: 4.6
     }
   ]
 
@@ -35,41 +54,38 @@ test('when given a single dependency it sets its values', async () => {
   expect(core.setOutput).toBeCalledWith('directory', 'wwwroot')
   expect(core.setOutput).toBeCalledWith('package-ecosystem', 'nuget')
   expect(core.setOutput).toBeCalledWith('target-branch', 'main')
+  expect(core.setOutput).toBeCalledWith('previous-version', '1.0.2')
+  expect(core.setOutput).toBeCalledWith('new-version', '1.1.3-beta')
+  expect(core.setOutput).toBeCalledWith('alert-state', 'FIXED')
+  expect(core.setOutput).toBeCalledWith('ghsa-id', 'VERY_LONG_ID')
+  expect(core.setOutput).toBeCalledWith('cvss', 4.6)
 })
 
 test('when given a multiple dependencies, it uses the highest values for types', async () => {
   const updatedDependencies = [
     {
+      ...baseDependency,
       dependencyName: 'rspec',
       dependencyType: 'direct:development',
-      updateType: 'version-update:semver-minor',
-      directory: '',
-      packageEcosystem: '',
-      targetBranch: ''
+      updateType: 'version-update:semver-minor'
     },
     {
+      ...baseDependency,
       dependencyName: 'coffee-rails',
       dependencyType: 'indirect',
-      updateType: 'version-update:semver-minor',
-      directory: '',
-      packageEcosystem: '',
-      targetBranch: ''
+      updateType: 'version-update:semver-minor'
     },
     {
+      ...baseDependency,
       dependencyName: 'coffeescript',
       dependencyType: 'indirect',
-      updateType: 'version-update:semver-major',
-      directory: '',
-      packageEcosystem: '',
-      targetBranch: ''
+      updateType: 'version-update:semver-major'
     },
     {
+      ...baseDependency,
       dependencyName: 'rspec-coffeescript',
       dependencyType: 'indirect',
-      updateType: 'version-update:semver-patch',
-      directory: '',
-      packageEcosystem: '',
-      targetBranch: ''
+      updateType: 'version-update:semver-patch'
     }
   ]
 
@@ -83,17 +99,19 @@ test('when given a multiple dependencies, it uses the highest values for types',
   expect(core.setOutput).toBeCalledWith('directory', '')
   expect(core.setOutput).toBeCalledWith('package-ecosystem', '')
   expect(core.setOutput).toBeCalledWith('target-branch', '')
+  expect(core.setOutput).toBeCalledWith('previous-version', '')
+  expect(core.setOutput).toBeCalledWith('new-version', '')
+  expect(core.setOutput).toBeCalledWith('alert-state', '')
+  expect(core.setOutput).toBeCalledWith('ghsa-id', '')
+  expect(core.setOutput).toBeCalledWith('cvss', 0)
 })
 
 test('when the dependency has no update type', async () => {
   const updatedDependencies = [
     {
+      ...baseDependency,
       dependencyName: 'coffee-rails',
-      dependencyType: 'direct:production',
-      updateType: '',
-      directory: '',
-      packageEcosystem: '',
-      targetBranch: ''
+      dependencyType: 'direct:production'
     }
   ]
 
@@ -111,41 +129,36 @@ test('when the dependency has no update type', async () => {
   expect(core.setOutput).toBeCalledWith('directory', '')
   expect(core.setOutput).toBeCalledWith('package-ecosystem', '')
   expect(core.setOutput).toBeCalledWith('target-branch', '')
+  expect(core.setOutput).toBeCalledWith('previous-version', '')
+  expect(core.setOutput).toBeCalledWith('new-version', '')
+  expect(core.setOutput).toBeCalledWith('alert-state', '')
+  expect(core.setOutput).toBeCalledWith('ghsa-id', '')
+  expect(core.setOutput).toBeCalledWith('cvss', 0)
 })
 
 test('when given a multiple dependencies, and some do not have update types', async () => {
   const updatedDependencies = [
     {
+      ...baseDependency,
       dependencyName: 'rspec',
-      dependencyType: 'direct:development',
-      updateType: '',
-      directory: '',
-      packageEcosystem: '',
-      targetBranch: ''
+      dependencyType: 'direct:development'
     },
     {
+      ...baseDependency,
       dependencyName: 'coffee-rails',
       dependencyType: 'indirect',
-      updateType: 'version-update:semver-minor',
-      directory: '',
-      packageEcosystem: '',
-      targetBranch: ''
+      updateType: 'version-update:semver-minor'
     },
     {
+      ...baseDependency,
       dependencyName: 'coffeescript',
-      dependencyType: 'indirect',
-      updateType: '',
-      directory: '',
-      packageEcosystem: '',
-      targetBranch: ''
+      dependencyType: 'indirect'
     },
     {
+      ...baseDependency,
       dependencyName: 'rspec-coffeescript',
       dependencyType: 'indirect',
-      updateType: 'version-update:semver-patch',
-      directory: '',
-      packageEcosystem: '',
-      targetBranch: ''
+      updateType: 'version-update:semver-patch'
     }
   ]
 
@@ -159,4 +172,9 @@ test('when given a multiple dependencies, and some do not have update types', as
   expect(core.setOutput).toBeCalledWith('directory', '')
   expect(core.setOutput).toBeCalledWith('package-ecosystem', '')
   expect(core.setOutput).toBeCalledWith('target-branch', '')
+  expect(core.setOutput).toBeCalledWith('previous-version', '')
+  expect(core.setOutput).toBeCalledWith('new-version', '')
+  expect(core.setOutput).toBeCalledWith('alert-state', '')
+  expect(core.setOutput).toBeCalledWith('ghsa-id', '')
+  expect(core.setOutput).toBeCalledWith('cvss', 0)
 })

src/dependabot/output.ts

@@ -24,6 +24,11 @@ export function set (updatedDependencies: Array<updatedDependency>): void {
   const directory = firstDependency?.directory
   const ecosystem = firstDependency?.packageEcosystem
   const target = firstDependency?.targetBranch
+  const prevVersion = firstDependency?.prevVersion
+  const newVersion = firstDependency?.newVersion
+  const alertState = firstDependency?.alertState
+  const ghsaId = firstDependency?.ghsaId
+  const cvss = firstDependency?.cvss
 
   core.startGroup(`Outputting metadata for ${Pluralize('updated dependency', updatedDependencies.length, true)}`)
   core.info(`outputs.dependency-names: ${dependencyNames}`)
@@ -32,6 +37,11 @@ export function set (updatedDependencies: Array<updatedDependency>): void {
   core.info(`outputs.directory: ${directory}`)
   core.info(`outputs.package-ecosystem: ${ecosystem}`)
   core.info(`outputs.target-branch: ${target}`)
+  core.info(`outputs.previous-version: ${prevVersion}`)
+  core.info(`outputs.new-version: ${newVersion}`)
+  core.info(`outputs.alert-state: ${alertState}`)
+  core.info(`outputs.ghsa-id: ${ghsaId}`)
+  core.info(`outputs.cvss: ${cvss}`)
   core.endGroup()
 
   core.setOutput('updated-dependencies-json', updatedDependencies)
@@ -41,6 +51,11 @@ export function set (updatedDependencies: Array<updatedDependency>): void {
   core.setOutput('directory', directory)
   core.setOutput('package-ecosystem', ecosystem)
   core.setOutput('target-branch', target)
+  core.setOutput('previous-version', prevVersion)
+  core.setOutput('new-version', newVersion)
+  core.setOutput('alert-state', alertState)
+  core.setOutput('ghsa-id', ghsaId)
+  core.setOutput('cvss', cvss)
 }
 
 function maxDependencyTypes (updatedDependencies: Array<updatedDependency>): string {