warn_only Does Not Apply When Using a Deny List

[AlexWilson-GIS]

Following up on the conclusion of #706 and the following statement by @febuiles:

warn_only does not work in conjunction with deny_list. This is not a bug, but we might want to reconsider this interaction. The reasons for this behavior are historical, not technical.
...
If you feel we should change the behavior of warn_only to take deny_list into account (understandable!) please open a new issue (cc @jonjanego).

This is an interesting problem to consider. There may be a situation where you want to warn on any vulnerabilities that are found, but still fail if denied packages are found. So perhaps the answer is a different option to enable warning on denied packages, or creating a separate package warning list.

The reason this matters to me is because I have only just started rolling out the use of this action within my company's repositories, and we are already running into situations where packages are being misidentified by Dependency Graph, which has caused this check to block PR's unnecessarily. It's nice to have the awareness that the action brings, but in some cases the maturity of the ecosystem is not yet at a level where I can feel comfortable telling other development teams that they should always block.

[jonjanego]

Hi @AlexWilson-GIS thank you for the suggestion. It's an interesting suggested workaround to what seems like the bigger issue to focus on, what you said of packages being misidentified. When you encounter problems of this nature please be sure to file issues for us so that we can see what's going on. Thanks!