chore(deps): update actions/dependency-review-action action to v5

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
actions/dependency-review-action	action	major	v3 → v5.0.0

---

Release Notes

actions/dependency-review-action (actions/dependency-review-action)

v5.0.0: 5.0.0

Compare Source

This is a new major version of the Dependency Review Action which updates the runtime to node24. This requires a minimum Actions Runner version v2.327.1 to run.

What's Changed

• Add .github/copilot-instructions.md for Copilot coding agent by @​ahpook in #​1067
• Update Node.js runtime from 20 to 24 by @​scottschreckengaust in #​1084
• Bump spdx-license-ids from 3.0.20 to 3.0.23 by @​mongolyy in #​1091
• docs: bump actions/checkout from v4 to v6 in workflow examples by @​Marukome0743 in #​1077
• fix: patched version display for advisories with non-strict semver ranges (e.g. Maven beta versions) by @​tspascoal in #​1076
• Resolve security findings by @​AshelyTC in #​1094
• v5.0.0 release branch by @​ahpook in #​1098

New Contributors

• @​scottschreckengaust made their first contribution in #​1084
• @​mongolyy made their first contribution in #​1091
• @​Marukome0743 made their first contribution in #​1077

Full Changelog: actions/dependency-review-action@v4.9.0...v5.0.0

v4.9.0: Dependency Review Action 4.9.0

Compare Source

This feature release contains a couple of notable changes:

• There is a new configuration option show_patched_versions which will add a column to the output, showing the fix version of each vulnerable dependency. Thanks @​felickz!
• Runs which do not display OpenSSF scorecards no longer fetch scorecard information; previously it was fetched regardless of whether or not it was displayed, causing unneccessary slowness. Great catch @​jantiebot!
• There are a couple of fixes to purl parsing which should improve match accuracy for allow-package-dependency lists, including case (in)sensitivity and url-encoded namespaces Thanks @​juxtin!

What's Changed

• Compare normalized purls to account for encoding quirks by @​juxtin in #​1056
• Make purl comparisons case insensitive by @​juxtin in #​1057
• Feat: Add Patched Version to Vulnerabilities summary by @​felickz in #​1045
• fix: only get scorecard levels if user wants to see the OpenSSF scorecard by @​jantiebot in #​1060
• Bump actions/stale from 10.1.0 to 10.2.0 by @​dependabot[bot] in #​1058
• Bump actions/checkout from 4 to 6 by @​dependabot[bot] in #​1021
• Updates for release 4.9.0 by @​ahpook in #​1064

New Contributors

• @​jantiebot made their first contribution in #​1060

Full Changelog: actions/dependency-review-action@v4.8.3...v4.9.0

v4.8.3: 4.8.3

Compare Source

Dependency Review Action v4.8.3

This is a bugfix release that updates a number of upstream dependencies and includes a fix for the earlier feature that detected oversized summaries and upload them as artifacts, which could occasionally crash the action.

We have also updated the release process to use a long-lived v4 branch for the action, instead of a force-pushed tag, which aligns better with git branching strategies; the change should be transparent to end users.

What's Changed

• GitHub Actions can't push to our protected main by @​dangoor in #​1017
• Bump actions/stale from 9.1.0 to 10.1.0 by @​dependabot[bot] in #​995
• Bump github/codeql-action from 3 to 4 by @​dependabot[bot] in #​1003
• Bump actions/setup-node from 4 to 6 by @​dependabot[bot] in #​1005
• Upgrade glob to address a vulnerability by @​brrygrdn in #​1024
• Bump js-yaml by @​dependabot[bot] in #​1020
• Addressing vulnerabilities by @​Ahmed3lmallah in #​1036
• Bump fast-xml-parser from 5.3.3 to 5.3.5 by @​dependabot[bot] in #​1050
• Bump fast-xml-parser from 5.3.5 to 5.3.6 by @​dependabot[bot] in #​1053
• Properly truncate long summaries and catch errors by @​juxtin in #​1052
• Bump spdx-expression-parse from 3.0.1 to 4.0.0 in the spdx-licenses group across 1 directory by @​dependabot[bot] in #​931
• Changes for Release 4.8.3 by @​ahpook in #​1054

Full Changelog: https://github.com/actions/dependency-review-action/compare/v4.8.2..v4.8.3

v4.8.2

Compare Source

Minor fixes:

• Fix PURL parsing for scoped packages (#​1008 from @​danielhardej)
• Fix for large summaries (#​1007 from @​gitulisca)
• README includes a working example for allow-dependencies-licenses (#​1009 from @​danielhardej)

v4.8.1: Dependency Review Action v4.8.1

Compare Source

What's Changed

• (bug) Fix spamming link test in deprecation warning (again) by @​ahpook in #​1000
• Bump version for 4.8.1 release by @​ahpook in #​1001

Full Changelog: actions/dependency-review-action@v4...v4.8.1

v4.8.0

Compare Source

What's Changed

• Make Ruby Code Scannable by @​ljones140 in #​978
• Batch some contributions for release by @​brrygrdn in #​986
  • Make license lists collapsable by @​jasperkamerling
  • feat: add large summary handling with artifact upload by @​MattMencel

New Contributors

• @​ljones140 made their first contribution in #​978
• @​jasperkamerling made their first contribution in #​986
• @​MattMencel made their first contribution in #​986

Full Changelog: actions/dependency-review-action@v4...v4.8.0

v4.7.4

Compare Source

v4.7.3: 4.7.3

Compare Source

What's Changed

• Add explicit permissions to workflow files by @​AshelyTC in #​966
• Claire153/fix spamming mentioned issue by @​claire153 in #​974

Full Changelog: actions/dependency-review-action@v4...v4.7.3

v4.7.2: 4.7.2

Compare Source

What's Changed

• Add Missing Languages to CodeQL Advanced Configuration by @​KyFaSt in #​945
• Deprecate deny lists by @​claire153 in #​958
• Address discrepancy between docs and reality by @​ahpook in #​960

New Contributors

• @​KyFaSt made their first contribution in #​945
• @​claire153 made their first contribution in #​958
• @​ahpook made their first contribution in #​960

Full Changelog: actions/dependency-review-action@v4...v4.7.2

v4.7.1

Compare Source

• Packages added to allow-dependencies-licenses will be allowed even if the package in question has no license information #​889
• License expressions (e.g. Ruby OR GPL-2.0) in the allow list are automatically discarded so that they don't invalidate the whole allow list, which should just be license identifier (e.g. Ruby)

v4.7.0

Compare Source

• Handle complex license expressions (e.g. MIT AND GPL-2.0) in allow lists (fixes #​809 and probably others)
• Replace OTHER in package licenses with LicenseRef-clearlydefined-OTHER so that parsing passes

v4.6.0

Compare Source

What's Changed

• Updating multiple dependency versions by @​Ahmed3lmallah in #​870
• Grouping minor and patch dependabot updates to lessen the number of PRs by @​Ahmed3lmallah in #​876
• Bump actions/stale from 9.0.0 to 9.1.0 by @​dependabot in #​878
• Bump undici from 5.28.4 to 5.28.5 by @​dependabot in #​877
• DR Action should link to the proxima stamp when appropriate in error messages by @​AshelyTC in #​891
• Allow deny package removal by @​ellenfieldn in #​888
• Fix typos by @​omahs in #​893
• Bump esbuild from 0.19.5 to 0.25.0 by @​dependabot in #​900
• Bump octokit and related dependencies by @​RomanIakovlev in #​904
• Bump @​babel/helpers from 7.23.2 to 7.26.10 by @​dependabot in #​905
• Bump @​octokit/plugin-paginate-rest from 9.1.5 to 9.2.2 by @​dependabot in #​899
• Update transitive dependency spdx-license-ids by @​ailox in #​855
• To not print OpenSSF Scorecard section if no dependencies scanned by @​fabasoad in #​884
• Improve usage of this action in dependency-review.yml by @​fabasoad in #​883
• Clarify comment-summary-in-pr behaviour by @​Pantelis-Santorinios in #​902
• Prepare 4.6.0 Release candidate by @​brrygrdn in #​910

New Contributors

• @​AshelyTC made their first contribution in #​891
• @​ellenfieldn made their first contribution in #​888
• @​omahs made their first contribution in #​893
• @​RomanIakovlev made their first contribution in #​904
• @​ailox made their first contribution in #​855
• @​fabasoad made their first contribution in #​884
• @​Pantelis-Santorinios made their first contribution in #​902
• @​brrygrdn made their first contribution in #​910

Full Changelog: actions/dependency-review-action@v4.5.0...v4.6.0

v4.5.0

Compare Source

What's Changed

• Bump got from 14.4.2 to 14.4.3 by @​dependabot in #​844
• Bump nodemon from 3.1.0 to 3.1.7 by @​dependabot in #​847
• Bump @​vercel/ncc from 0.38.1 to 0.38.3 by @​dependabot in #​849
• Overriding the cross-spawn dependency to use a safe version by @​Ahmed3lmallah in #​850
• fix: add summary comment on failure when warn-only: true by @​ebickle in #​827
• Prepare for 4.5.0 release by @​Ahmed3lmallah in #​851

New Contributors

• @​ebickle made their first contribution in #​827

Full Changelog: actions/dependency-review-action@v4...v4.5.0

v4.4.0

Compare Source

What's Changed

• Fix for merge_group event bug by @​Ahmed3lmallah in #​846

Full Changelog: actions/dependency-review-action@v4.3.5...v4.4.0

v4.3.5

Compare Source

What's Changed

• fix: getRefs function to handle merge_group events by @​louis-bompart in #​766
• Create pull_request_template.md by @​jonjanego in #​794
• Update CONTRIBUTING.md by @​jonjanego in #​793
• Bump @​types/node from 20.11.28 to 20.16.0 by @​dependabot in #​815
• Upgrade transitive micromatch library by @​elireisman in #​829
• Do not list changed dependencies in summary by @​hmaurer in #​828
• Update stale.yaml by @​jonjanego in #​832
• Bump got from 14.4.1 to 14.4.2 by @​dependabot in #​822
• Bump eslint-plugin-jest and ts-jest by @​Ahmed3lmallah in #​840

New Contributors

• @​louis-bompart made their first contribution in #​766
• @​Ahmed3lmallah made their first contribution in #​840

Full Changelog: actions/dependency-review-action@v4.3.4...v4.3.5

v4.3.4

Compare Source

What's Changed

• Include all added dependencies in scorecard entries by @​elireisman in #​783
• Update SPDX Expression Parsing by @​febuiles in #​719
  • This PR is a significant refactor of SPDX expression parsing that may fix some bugs, but unfortunately there are several related known issues that remain unresolved as of this version.

Full Changelog: actions/dependency-review-action@v4.3.3...v4.3.4

v4.3.3: Notes for v4.3.3

Compare Source

What's Changed

• Allow slashes in purl package names by @​juxtin in #​765
• use the v3 version of the deps.dev API by @​josieang in #​741
• PR with suggestions - [Improvement]: Help streamline / simplify dependency review action README by @​am-stead in #​773
• fix show-openssf-scorecard-levels input by @​ramann in #​776
• Updates to the contribution guidelines by @​jonjanego in #​778
• Create issue templates by @​jonjanego in #​777
• Fix the max comment length issue by @​jhutchings1 and @​elireisman in #​767
• Bump project version to 4.3.3 in prep for a release by @​elireisman in #​781

New Contributors

• @​josieang made their first contribution in #​741
• @​am-stead made their first contribution in #​773
• @​ramann made their first contribution in #​776

Full Changelog: actions/dependency-review-action@v4.3.2...v4.3.3

v4.3.2

Compare Source

What's Changed

• Fix package-url parsing for allow-dependencies-licenses by @​juxtin in #​761

Full Changelog: actions/dependency-review-action@v4.3.1...v4.3.2

v4.3.1

Compare Source

What's Changed

This release fixes some bugs related to package-url parsing that were introduced in 4.3.0. See #​753.

Full Changelog: actions/dependency-review-action@V4.3.0...v4.3.1

vV4.3.0

Compare Source

v4.3.0

Compare Source

New Features

• The deny-packages option can now be used without a version number to exclude all versions of a package.

What's Changed

• Fix action variable name for scorecard by @​lukehinds in #​735
• Fix extra https:// in summary by @​jhutchings1 in #​748
• Bump typescript from 5.3.3 to 5.4.5 by @​dependabot in #​744
• Bump eslint-plugin-github from 4.10.1 to 4.10.2 by @​dependabot in #​737
• Show denied packages with red X by @​juxtin in #​750
• deny-packages configuration option can deny specified version or all packages by @​febuiles and @​bteng22 in #​733

New Contributors

• @​bteng22 made their first contribution in #​733
• @​lukehinds made their first contribution in #​735

Full Changelog: actions/dependency-review-action@v4.2.5...V4.3.0

v4.2.5: 4.2.5

Compare Source

What's Changed

• Fixed a bug where some configuration options in external files were not being properly picked up -- #​722
• Bump eslint from 8.56.0 to 8.57.0

Full Changelog: actions/dependency-review-action@v4.2.4...v4.2.5

v4.2.4

Compare Source

What's Changed

Fixed a bug in the output of OpenSSF cards for GitHub Actions.

New Contributors

• @​sporkmonger made their first contribution in #​721

Full Changelog: actions/dependency-review-action@v4.2.3...v4.2.4

v4.2.3: 4.2.3

Compare Source

What's Changed

• Set comment as output by @​jsoref in #​698
• Add support for calculating OpenSSF Scorecards by @​jhutchings1 in #​709
• Add outputs for the changes data by @​laughedelic in #​707

New Contributors

• @​jhutchings1 made their first contribution in #​709
• @​laughedelic made their first contribution in #​707

Full Changelog: actions/dependency-review-action@v4.1.3...v4.2.3

v4.1.3: 4.1.3

Compare Source

Fixes a bug in 4.1.2 that would introduce comments in every pull request, regardless of the user's configuration (see #​697).

Full Changelog: actions/dependency-review-action@v4.1.2...v4.1.3

v4.1.2: 4.1.2

Compare Source

What's Changed

• Expose dependency comment content by @​jsoref in #​696

Full Changelog: actions/dependency-review-action@v4.1.1...v4.1.2

v4.1.1: 4.1.1

Compare Source

What's Changed

• Bump undici to fix GHSA-wqq4-5wpv-mx2g
• Bump @​types/node from 20.11.17 to 20.11.19 by @​dependabot in #​693

Full Changelog: actions/dependency-review-action@v4.1.0...v4.1.1

v4.1.0: 4.1.0

Compare Source

What's Changed

• Add warn-only by @​tgrall in #​432

Added a new configuration option (warn-only, boolean) that makes the action always succeed while still displaying found vulnerabilities in the log.

• Create stale.yaml by @​jonjanego in #​671
• Use manual codeql config by @​juxtin in #​678
• Multiple dependency updates (see the changelog below for more information)

New Contributors

• @​jonjanego made their first contribution in #​671
• @​tgrall made their first contribution in #​432

Full Changelog: actions/dependency-review-action@v4...v4.1.0

v4.0.0

Compare Source

• Update action to Node 20 by @​takost in #​639
• Dependabot updates, see the full changelog for more details.

New Contributors

• @​takost made their first contribution in #​639

Full Changelog: actions/dependency-review-action@v3.1.5...v4.0.0

v3.1.5: 3.1.5

Compare Source

What's Changed

• Smaller per_page when requesting diff by @​hmaurer in #​649
• Update dependencies:
  • Bump @​typescript-eslint/parser from 6.10.0 to 6.13.1 by @​dependabot in #​630
  • Bump prettier from 3.0.3 to 3.1.0 by @​dependabot in #​629
  • Bump @​types/jest from 29.5.8 to 29.5.11 by @​dependabot in #​637
  • Bump nodemon from 3.0.1 to 3.0.2 by @​dependabot in #​636
  • Replace pip -> pypi in PURL examples by @​febuiles in #​638
  • Bump @​typescript-eslint/eslint-plugin from 6.12.0 to 6.15.0 by @​dependabot in #​644
  • Bump eslint from 8.53.0 to 8.56.0 by @​dependabot in #​640
  • Bump @​typescript-eslint/parser from 6.13.1 to 6.16.0 by @​dependabot in #​645
  • Bump prettier from 3.1.0 to 3.1.1 by @​dependabot in #​646

Full Changelog: actions/dependency-review-action@v3.1.4...v3.1.5

v3.1.4: 3.1.4

Compare Source

What's Changed

• Fixed a bug with severity filtering when using the allow_ghsas option: #​623.

• Updates dependencies:

  • Bump @​types/node from 16.18.61 to 16.18.62 by @​dependabot in #​619
    action/pull/620
  • Bump @​typescript-eslint/eslint-plugin from 6.11.0 to 6.12.0 by @​dependabot in #​625
  • Bump typescript from 5.2.2 to 5.3.2 by @​dependabot in #​624

Full Changelog: actions/dependency-review-action@v3...v3.1.4

v3.1.3: 3.1.3

Compare Source

What's Changed

• Fixes purl "version must be percent-encoded" by @​theztefan in #​617

Full Changelog: actions/dependency-review-action@v3...v3.1.3

v3.1.2: 3.1.2

Compare Source

What's Changed

• Fix a regression for setups using self-hosted runners behind HTTP proxies:@​febuiles in #​611

Full Changelog: actions/dependency-review-action@v3...v3.1.2

v3.1.1: 3.1.1

Compare Source

What's Changed

• Update a bunch of dependencies, including major version upgrades for octokit, @actions/github and typescript.

Full Changelog: actions/dependency-review-action@v3.1.0...v3.1.1

v3.1.0: 3.1.0

Compare Source

What's New

Added support for dependencies submitted through the dependency submission API. This includes two new configuration parameters: retry-on-snapshot-warnings and retry-on-snapshot-warnings-timeout.

What's Changed

• Fix(docs): Correct action input name by @​oerd in #​551

New Contributors

• @​oerd made their first contribution in #​551

Full Changelog: actions/dependency-review-action@v3...v3.1.0

v3.0.8: 3.0.8

Compare Source

What's Changed

Added on-failure option to comment-summary-in-pr setting by @​sgmurphy in #​540

Previous configuration files using true/false for comment-summary-in-pr will be mapped automatically to the new values, but we encourage you to update to always/on-failure/never.

New Contributors

• @​sgmurphy made their first contribution in #​540

Full Changelog: actions/dependency-review-action@v3...v3.0.8

v3.0.7: 3.0.7

Compare Source

What's Changed

• Make GHES support / setup more clear by @​rajbos in #​534
• Add an option to deny packages or groups of packages by @​adrienpessu in #​544

New Contributors

• @​rajbos made their first contribution in #​534
• @​adrienpessu made their first contribution in #​544

Full Changelog: actions/dependency-review-action@v3...v3.0.7

v3.0.6: 3.0.6

Compare Source

Fixes a bug introduced in 3.0.5 where we raised PURL errors when Dependency Graph returns an empty package_url.

v3.0.5: 3.0.5

Compare Source

What's Changed

Thanks to @​theztefan, we now have a new allow-dependencies-licenses option that takes a list of dependencies that will be excluded from license checks. See the configuration options for more information on how to use it.

• Exclude dependencies from license checks by @​theztefan in #​423
• Documentation examples by @​theztefan in #​423
• Show snapshot warnings in the summary by @​juxtin in #​439
• Fix default values for fail-on-severity by @​febuiles in #​451
• Updated dependencies.

New Contributors

• @​juxtin made their first contribution in #​439
• @​theztefan made their first contribution in #​423

Full Changelog: actions/dependency-review-action@v3...v3.0.5

v3.0.4: 3.0.4

Compare Source

What's New?

The Action can now publish a comment in the pull request if the comment-summary-in-pr option is set. More information can be found in the README.

New Contributors

• @​davelosert made their first contribution in #​393

Changelog

• Write Summary as comment to the pull request by @​davelosert in #​393
• Adjust summary format by @​davelosert in #​416
• Security updates.

Full Changelog: actions/dependency-review-action@v3...v3.0.4

v3.0.3: 3.0.3

Compare Source

What's Changed

• Use cache in check-dist.yml by @​jongwooo in #​359
• Fix Dependency Review API response error handling by @​felickz in #​370
• Security updates

New Contributors

• @​jongwooo made their first contribution in #​359
• @​felickz made their first contribution in #​370

Full Changelog: actions/dependency-review-action@v3...v3.0.3

v3.0.2: 3.0.2

Compare Source

This release fixes spelling errors #​348 and upgrades dependencies to fix known vulnerabilities

Full Changelog: actions/dependency-review-action@v3...v3.0.2

v3.0.1: 3.0.1

Compare Source

This release contains the following bugfixes:

• Fixing API URL for GHES: #​331
• Improve list handling for external config files: #​330

Full Changelog: actions/dependency-review-action@v3...v3.0.1

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday through Friday (* 0-4,22-23 * * 1-5)
  • Only on Sunday and Saturday (* * * * 0,6)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

This issue has been marked stale, as it had no activity in the last 7 days. If the issue remains stale for an additional 7 days (a total of two weeks with no activity), it will be automatically closed.