Skip to content
Latchkey

How to Block Risky Dependencies With dependency-review-action

dependency-review-action diffs the dependency changes in a PR and fails the check on vulnerable or disallowed packages.

Run actions/dependency-review-action on the pull_request event. It compares the base and head manifests, then blocks the PR if it introduces a dependency above your severity threshold or with a denied license.

Steps

  • Add a workflow triggered on pull_request.
  • Grant contents: read (and pull-requests: write for summary comments).
  • Set fail-on-severity and optional deny-licenses.

Workflow

.github/workflows/pr.yml
on: [pull_request]
permissions:
  contents: read
  pull-requests: write
jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/dependency-review-action@v4
        with:
          fail-on-severity: high
          deny-licenses: GPL-3.0, AGPL-3.0

Gotchas

  • The action needs the dependency graph enabled on the repository to diff manifests.
  • It only reviews changes in the PR, so run scanning separately for the full existing tree.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →