Skip to content

chore(deps): bump actions/dependency-review-action from 4 to 5#61

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/actions/dependency-review-action-5
Open

chore(deps): bump actions/dependency-review-action from 4 to 5#61
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/actions/dependency-review-action-5

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github May 10, 2026

Bumps actions/dependency-review-action from 4 to 5.

Release notes

Sourced from actions/dependency-review-action's releases.

5.0.0

This is a new major version of the Dependency Review Action which updates the runtime to node24. This requires a minimum Actions Runner version v2.327.1 to run.

What's Changed

New Contributors

Full Changelog: actions/dependency-review-action@v4.9.0...v5.0.0

Dependency Review Action 4.9.0

This feature release contains a couple of notable changes:

  • There is a new configuration option show_patched_versions which will add a column to the output, showing the fix version of each vulnerable dependency. Thanks @​felickz!
  • Runs which do not display OpenSSF scorecards no longer fetch scorecard information; previously it was fetched regardless of whether or not it was displayed, causing unneccessary slowness. Great catch @​jantiebot!
  • There are a couple of fixes to purl parsing which should improve match accuracy for allow-package-dependency lists, including case (in)sensitivity and url-encoded namespaces Thanks @​juxtin!

What's Changed

New Contributors

Full Changelog: actions/dependency-review-action@v4.8.3...v4.9.0

4.8.3

Dependency Review Action v4.8.3

This is a bugfix release that updates a number of upstream dependencies and includes a fix for the earlier feature that detected oversized summaries and upload them as artifacts, which could occasionally crash the action.

We have also updated the release process to use a long-lived v4 branch for the action, instead of a force-pushed tag, which aligns better with git branching strategies; the change should be transparent to end users.

What's Changed

... (truncated)

Commits
  • a1d282b Merge pull request #1098 from actions/ahpook/v5-release
  • eb6c199 update examples to show @​v5
  • 3943c2c v5.0.0 release branch
  • 454943c Merge pull request #1094 from actions/ashelytc/security-findings
  • 6d92a12 revert @​typescript-eslint/parser update
  • a8e5a7e Merge pull request #1076 from tspascoal/fix-version-matching-for-non-string-s...
  • b6b7079 update @​typescript-eslint/parser to 8.40.0
  • 821a21d update more dependencies
  • 05aaaae run npm audit fix
  • 55d3e75 Merge pull request #1077 from Marukome0743/docs/checkout
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
chore(deps): bump actions/dependency-review-action from 4 to 5
7e23379 
Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 4 to 5.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](actions/dependency-review-action@v4...v5)

---
updated-dependencies:
- dependency-name: actions/dependency-review-action
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot @github
Copy link
Copy Markdown
Contributor Author

dependabot Bot commented on behalf of github May 10, 2026

Labels

The following labels could not be found: ci. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot dependabot Bot added the dependencies Pull requests updating dependencies label May 10, 2026
@dependabot dependabot Bot requested a review from KooshaPari as a code owner May 10, 2026 11:03
@dependabot dependabot Bot added the dependencies Pull requests updating dependencies label May 10, 2026
@codeant-ai
Copy link
Copy Markdown

codeant-ai Bot commented May 10, 2026

Skipping PR review because a bot author is detected.

If you want to trigger CodeAnt AI, comment @codeant-ai review to trigger a manual review.

@sonarqubecloud
Copy link
Copy Markdown

sonarqubecloud Bot commented May 10, 2026

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@kilo-code-bot
Copy link
Copy Markdown

kilo-code-bot Bot commented May 10, 2026
edited
Loading

Code Review Summary

Status: No Issues Found | Recommendation: Merge

This is a Dependabot PR bumping actions/dependency-review-action from v4 to v5.

Change Analysis:

  • Single line change in .github/workflows/dependency-review.yml
  • Updates action version from @v4 to @v5

Key v5 Release Notes:

  • Updates Node.js runtime from 20 to 24
  • Requires minimum Actions Runner version v2.327.1 (standard for GitHub-hosted runners)
  • No breaking changes to workflow inputs or configuration

Recommendation: This is a routine dependency update. The v5 major version bump reflects infrastructure updates (Node 24 runtime) rather than API changes. Safe to merge.

Files Reviewed (1 files)
  • .github/workflows/dependency-review.yml - workflow configuration

Reviewed by laguna-m.1-20260312:free · 163,810 tokens

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@KooshaPari KooshaPari Awaiting requested review from KooshaPari KooshaPari is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

dependencies Pull requests updating dependencies

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants