[BUG] Issues using Dependency-Review behind restrictive proxy #1018

@i-cannot-figure-out-a-good-nick

Description

Describe the bug
We have a GitHub Enterprise server installed and working behind a proxy; when running the Dependency Review Action, it fails while trying to access deps.dev. There is a proxy server for which we have added allow-listings for both api.deps.dev and the scorecard API.

Expected behavior
The action should be able to pull the version information from the api.deps.dev API.

Screenshots
We have a step in our workflow (example below) that checks if we can reach the API without providing any additional proxy settings in the step (it is added globally):
Action version
Tested with:

  • Latest
  • 4.3.X (found references that a proxy setting had been backtracked)

Examples

---
name: 'Dependency Review'
on: [pull_request]

permissions:
  contents: read
  pull-requests: write

jobs:
  dependency-review:
    runs-on: [code-scanning]
    steps:
      - name: 'Checkout Repository'
        uses: actions/checkout@<any commit SHA>

      - name: 'Test remote APIs'
        run: |
          curl -L https://api.deps.dev/v3/systems/npm/packages/%40colors%2Fcolors/versions/1.5.0 | jq

      - name: 'Dependency Review'
        uses: actions/dependency-review-action@<any commit SHA>
        with:
          fail-on-severity: critical
          comment-summary-in-pr: always
          license-check: true
          vulnerability-check: true
...

Failed step log

##[debug]Getting deps.dev data for org.apache.logging.log4j:log4j-core 2.12.4
Error: fetch failed

Working curl step

##[debug]Loading env
Run curl -L https://api.deps.dev/v3/systems/npm/packages/%40colors%2Fcolors/versions/1.5.0 | jq
##[debug]/usr/bin/bash -e /runner/_work/_temp/c8252840-6421-4eb5-9d89-9feb5ae0cbc2.sh
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100   816  100   816    0     0   4775      0 --:--:-- --:--:-- --:--:--  4800
{
  "versionKey": {
    "system": "NPM",
    "name": "@colors/colors",
    "version": "1.5.0"
  },
  "publishedAt": "2022-02-12T07:39:04Z",
  "isDefault": false,
  "licenses": [
    "MIT"
  ],

Additional context
It feels like TS/NodeJS is not using the proxy settings.
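As an added example (not from the issue or the dependency-review-action project): the helper below resolves the proxy the way curl does, from https_proxy/HTTPS_PROXY, http_proxy and NO_PROXY, and hands it to Node's fetch as an undici ProxyAgent, since Node's built-in fetch does not consult those variables on its own. The proxy and host names used in the comments are constructed, and undici is assumed to be installed separately.

```javascript
// Added example: mirror curl's proxy-environment resolution for Node's fetch.
// The global URL class is used; no network access happens in these helpers.

// Pick the variable curl would consult for this scheme. curl honours both
// https_proxy and HTTPS_PROXY, but only the lowercase http_proxy.
function proxyVarFor(targetUrl, env) {
  const scheme = targetUrl.protocol.replace(':', '');
  const names = scheme === 'http'
    ? ['http_proxy']
    : [`${scheme}_proxy`, `${scheme.toUpperCase()}_PROXY`];
  for (const name of names) {
    if (env[name]) return env[name];
  }
  return env.all_proxy || env.ALL_PROXY || null;
}

// NO_PROXY: comma-separated hostnames or domain suffixes, optional :port,
// '*' for everything. CIDR and IPv6 entries are not handled by this helper.
function bypassesProxy(targetUrl, env) {
  const raw = env.no_proxy || env.NO_PROXY || '';
  const host = targetUrl.hostname.toLowerCase();
  const port = targetUrl.port || (targetUrl.protocol === 'https:' ? '443' : '80');
  for (let entry of raw.split(',')) {
    entry = entry.trim().toLowerCase();
    if (!entry) continue;
    if (entry === '*') return true;
    let entryPort = null;
    const m = entry.match(/^(.*):(\d+)$/);
    if (m) { entry = m[1]; entryPort = m[2]; }
    if (entry.startsWith('.')) entry = entry.slice(1);
    if (entryPort && entryPort !== port) continue;
    if (host === entry || host.endsWith('.' + entry)) return true;
  }
  return false;
}

// Proxy URL curl would use for `url` (e.g. http://proxy.internal:3128,
// a constructed value), or null for a direct connection.
function proxyForUrl(url, env = process.env) {
  const target = new URL(url);
  if (bypassesProxy(target, env)) return null;
  return proxyVarFor(target, env);
}

// fetch() options routing through that proxy via an undici ProxyAgent.
// Node's global fetch accepts `dispatcher`; undici must be installed.
async function fetchOptionsFor(url, env = process.env) {
  const proxy = proxyForUrl(url, env);
  if (!proxy) return {};
  const { ProxyAgent } = await import('undici');
  return { dispatcher: new ProxyAgent(proxy) };
}
```

Usage: `const res = await fetch(depsDevUrl, await fetchOptionsFor(depsDevUrl));` gives a Node fetch the same route the working curl step already takes.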
