chore(ci): bump actions/dependency-review-action from 4 to 5

[dependabot]

Bumps actions/dependency-review-action from 4 to 5.

Release notes

Sourced from actions/dependency-review-action's releases.

5.0.0

This is a new major version of the Dependency Review Action which updates the runtime to node24. This requires a minimum Actions Runner version v2.327.1 to run.

What's Changed

• Add .github/copilot-instructions.md for Copilot coding agent by @​ahpook in actions/dependency-review-action#1067
• Update Node.js runtime from 20 to 24 by @​scottschreckengaust in actions/dependency-review-action#1084
• Bump spdx-license-ids from 3.0.20 to 3.0.23 by @​mongolyy in actions/dependency-review-action#1091
• docs: bump actions/checkout from v4 to v6 in workflow examples by @​Marukome0743 in actions/dependency-review-action#1077
• fix: patched version display for advisories with non-strict semver ranges (e.g. Maven beta versions) by @​tspascoal in actions/dependency-review-action#1076
• Resolve security findings by @​AshelyTC in actions/dependency-review-action#1094
• v5.0.0 release branch by @​ahpook in actions/dependency-review-action#1098

New Contributors

• @​scottschreckengaust made their first contribution in actions/dependency-review-action#1084
• @​mongolyy made their first contribution in actions/dependency-review-action#1091
• @​Marukome0743 made their first contribution in actions/dependency-review-action#1077

Full Changelog: actions/dependency-review-action@v4.9.0...v5.0.0

Dependency Review Action 4.9.0

This feature release contains a couple of notable changes:

• There is a new configuration option show_patched_versions which will add a column to the output, showing the fix version of each vulnerable dependency. Thanks @​felickz!
• Runs which do not display OpenSSF scorecards no longer fetch scorecard information; previously it was fetched regardless of whether or not it was displayed, causing unneccessary slowness. Great catch @​jantiebot!
• There are a couple of fixes to purl parsing which should improve match accuracy for allow-package-dependency lists, including case (in)sensitivity and url-encoded namespaces Thanks @​juxtin!

What's Changed

• Compare normalized purls to account for encoding quirks by @​juxtin in actions/dependency-review-action#1056
• Make purl comparisons case insensitive by @​juxtin in actions/dependency-review-action#1057
• Feat: Add Patched Version to Vulnerabilities summary by @​felickz in actions/dependency-review-action#1045
• fix: only get scorecard levels if user wants to see the OpenSSF scorecard by @​jantiebot in actions/dependency-review-action#1060
• Bump actions/stale from 10.1.0 to 10.2.0 by @​dependabot[bot] in actions/dependency-review-action#1058
• Bump actions/checkout from 4 to 6 by @​dependabot[bot] in actions/dependency-review-action#1021
• Updates for release 4.9.0 by @​ahpook in actions/dependency-review-action#1064

New Contributors

• @​jantiebot made their first contribution in actions/dependency-review-action#1060

Full Changelog: actions/dependency-review-action@v4.8.3...v4.9.0

4.8.3

Dependency Review Action v4.8.3

This is a bugfix release that updates a number of upstream dependencies and includes a fix for the earlier feature that detected oversized summaries and upload them as artifacts, which could occasionally crash the action.

We have also updated the release process to use a long-lived v4 branch for the action, instead of a force-pushed tag, which aligns better with git branching strategies; the change should be transparent to end users.

What's Changed

• GitHub Actions can't push to our protected main by @​dangoor in actions/dependency-review-action#1017
• Bump actions/stale from 9.1.0 to 10.1.0 by @​dependabot[bot] in actions/dependency-review-action#995

... (truncated)

Commits

• a1d282b Merge pull request #1098 from actions/ahpook/v5-release
• eb6c199 update examples to show @​v5
• 3943c2c v5.0.0 release branch
• 454943c Merge pull request #1094 from actions/ashelytc/security-findings
• 6d92a12 revert @​typescript-eslint/parser update
• a8e5a7e Merge pull request #1076 from tspascoal/fix-version-matching-for-non-string-s...
• b6b7079 update @​typescript-eslint/parser to 8.40.0
• 821a21d update more dependencies
• 05aaaae run npm audit fix
• 55d3e75 Merge pull request #1077 from Marukome0743/docs/checkout
• Additional commits viewable in compare view

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
gno	Ready	Preview, Comment	May 26, 2026 1:39pm

[greptile-apps]

Greptile Summary

This is a routine Dependabot bump of actions/dependency-review-action from v4 to v5 in the security workflow. The only change is a single version tag on the uses: line; all configuration options (fail-on-severity, allow-licenses) remain unchanged.

• The v5 major update switches the action's runtime from Node.js 20 to Node.js 24, which requires Actions Runner v2.327.1 or later — standard hosted runners on GitHub Actions already meet this requirement.
• No behavioral changes to the dependency review logic itself are expected; the upgrade also includes a fix for patched-version display for non-strict semver ranges and security-finding resolutions.

Confidence Score: 5/5

Safe to merge — single-line version bump with no logic changes.

The change touches exactly one line in a CI workflow file, replacing the v4 tag with v5 on actions/dependency-review-action. The action's configuration and surrounding workflow logic are untouched, and the v5 release is a straightforward Node.js runtime upgrade with security fixes.

No files require special attention.

Important Files Changed

Filename	Overview
.github/workflows/security.yml	Bumps actions/dependency-review-action from v4 to v5, updating the Node.js runtime from 20 to 24 within the dependency review step.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[PR or Push to main] --> B{Event type?}
    B -->|pull_request| C[dependency-review job]
    B -->|push or schedule| D[codeql job]
    C --> E[actions/checkout v6]
    E --> F[dependency-review-action v5 - Node.js 24]
    F --> G{High or critical\nvulnerabilities?}
    G -->|Yes| H[Fail PR]
    G -->|No| I[Pass]
    D --> J[codeql-action init v4]
    J --> K[Autobuild]
    K --> L[CodeQL Analysis]

Loading

_{Reviews (1): Last reviewed commit: "chore(ci): bump actions/dependency-revie..." | Re-trigger Greptile}