deps(ci)(deps): bump actions/dependency-review-action from 4 to 5 in the actions-core group across 1 directory

[dependabot]

Bumps the actions-core group with 1 update in the / directory: actions/dependency-review-action.

Updates actions/dependency-review-action from 4 to 5

Release notes

Sourced from actions/dependency-review-action's releases.

5.0.0

This is a new major version of the Dependency Review Action which updates the runtime to node24. This requires a minimum Actions Runner version v2.327.1 to run.

What's Changed

• Add .github/copilot-instructions.md for Copilot coding agent by @​ahpook in actions/dependency-review-action#1067
• Update Node.js runtime from 20 to 24 by @​scottschreckengaust in actions/dependency-review-action#1084
• Bump spdx-license-ids from 3.0.20 to 3.0.23 by @​mongolyy in actions/dependency-review-action#1091
• docs: bump actions/checkout from v4 to v6 in workflow examples by @​Marukome0743 in actions/dependency-review-action#1077
• fix: patched version display for advisories with non-strict semver ranges (e.g. Maven beta versions) by @​tspascoal in actions/dependency-review-action#1076
• Resolve security findings by @​AshelyTC in actions/dependency-review-action#1094
• v5.0.0 release branch by @​ahpook in actions/dependency-review-action#1098

New Contributors

• @​scottschreckengaust made their first contribution in actions/dependency-review-action#1084
• @​mongolyy made their first contribution in actions/dependency-review-action#1091
• @​Marukome0743 made their first contribution in actions/dependency-review-action#1077

Full Changelog: actions/dependency-review-action@v4.9.0...v5.0.0

Dependency Review Action 4.9.0

This feature release contains a couple of notable changes:

• There is a new configuration option show_patched_versions which will add a column to the output, showing the fix version of each vulnerable dependency. Thanks @​felickz!
• Runs which do not display OpenSSF scorecards no longer fetch scorecard information; previously it was fetched regardless of whether or not it was displayed, causing unneccessary slowness. Great catch @​jantiebot!
• There are a couple of fixes to purl parsing which should improve match accuracy for allow-package-dependency lists, including case (in)sensitivity and url-encoded namespaces Thanks @​juxtin!

What's Changed

• Compare normalized purls to account for encoding quirks by @​juxtin in actions/dependency-review-action#1056
• Make purl comparisons case insensitive by @​juxtin in actions/dependency-review-action#1057
• Feat: Add Patched Version to Vulnerabilities summary by @​felickz in actions/dependency-review-action#1045
• fix: only get scorecard levels if user wants to see the OpenSSF scorecard by @​jantiebot in actions/dependency-review-action#1060
• Bump actions/stale from 10.1.0 to 10.2.0 by @​dependabot[bot] in actions/dependency-review-action#1058
• Bump actions/checkout from 4 to 6 by @​dependabot[bot] in actions/dependency-review-action#1021
• Updates for release 4.9.0 by @​ahpook in actions/dependency-review-action#1064

New Contributors

• @​jantiebot made their first contribution in actions/dependency-review-action#1060

Full Changelog: actions/dependency-review-action@v4.8.3...v4.9.0

4.8.3

Dependency Review Action v4.8.3

This is a bugfix release that updates a number of upstream dependencies and includes a fix for the earlier feature that detected oversized summaries and upload them as artifacts, which could occasionally crash the action.

We have also updated the release process to use a long-lived v4 branch for the action, instead of a force-pushed tag, which aligns better with git branching strategies; the change should be transparent to end users.

What's Changed

• GitHub Actions can't push to our protected main by @​dangoor in actions/dependency-review-action#1017
• Bump actions/stale from 9.1.0 to 10.1.0 by @​dependabot[bot] in actions/dependency-review-action#995

... (truncated)

Commits

• a1d282b Merge pull request #1098 from actions/ahpook/v5-release
• eb6c199 update examples to show @​v5
• 3943c2c v5.0.0 release branch
• 454943c Merge pull request #1094 from actions/ashelytc/security-findings
• 6d92a12 revert @​typescript-eslint/parser update
• a8e5a7e Merge pull request #1076 from tspascoal/fix-version-matching-for-non-string-s...
• b6b7079 update @​typescript-eslint/parser to 8.40.0
• 821a21d update more dependencies
• 05aaaae run npm audit fix
• 55d3e75 Merge pull request #1077 from Marukome0743/docs/checkout
• Additional commits viewable in compare view

[github-actions]

📋 Unreleased Changelog Preview

This is what the next release notes will look like based on commits in this PR.

Changelog

All notable changes to this project will be documented in this file.

[Unreleased]

✨ Features

• Added integrations tests — @nil-malh

• Add integration test classes and configure JaCoCo for code coverage — @nil-malh

⬆️ Dependency Updates

• Updated KTestify Core to 0.1.0-rc1 — @nil-malh

• Bump com.azure:azure-storage-blob (deps) — @dependabot[bot]

🐛 Bug Fixes

• Fixed integration-tests.yml that was failing trying to install ktestify-core from local — @nil-malh

🔧 Miscellaneous

• Migrated workflows from GitHub PAT to GITHUB_TOKEN — @nil-malh

🎉 New Contributors

• @nil-malh made their first contribution in #1

---

Generated by git-cliff

---

🔄 Run #24 · Mon, 18 May 2026 11:33:40 GMT

[github-actions]

✅ Test Results

	Metric	Count
✅	Passed	103
❌	Failed	0
⏭️	Skipped	0
📊	Total	103

✅ Coverage

	Type	Coverage	Covered / Total
📏	Lines	80.8%	286 / 354
🌿	Branches	64.8%	92 / 142
🔧	Methods	95.5%	64 / 67

---

🔄 CI run #43 · Mon, 15 Jun 2026 07:15:47 GMT

[github-actions]

📋 Unreleased Changelog Preview

This is what the next release notes will look like based on commits in this PR.

Changelog

All notable changes to this project will be documented in this file.

[Unreleased]

Bug Fixes

• Fixed integration-tests.yml that was failing trying to install ktestify-core from local — @nil-malh

Miscellaneous

• Migrated workflows from GitHub PAT to GITHUB_TOKEN — @nil-malh

• Removed codeql.yml to use GitHub's & fixed an issue with the release workflow. — @nil-malh

✨ Features

• Added integrations tests — @nil-malh

• Add integration test classes and configure JaCoCo for code coverage — @nil-malh

• Add README.md and update changelog configuration — @nil-malh

⬆️ Dependency Updates

• Updated KTestify Core to 0.1.0-rc1 — @nil-malh

• Bump com.azure:azure-storage-blob (deps) — @dependabot[bot]

New Contributors

• @nil-malh made their first contribution in #15

---

Generated by git-cliff

---

🔄 Run #38 · Mon, 15 Jun 2026 07:14:41 GMT

[github-actions]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 1 package(s) with unknown licenses.

See the Details below.

License Issues

.github/workflows/dependency-review.yml

Package	Version	License	Issue Type
actions/dependency-review-action	5.*.*	Null	Unknown License

Allowed Licenses:

Apache-2.0, MIT, BSD-2-Clause, BSD-3-Clause, ISC, LGPL-2.0-only, LGPL-2.1-only, LGPL-2.1-or-later, EPL-1.0, EPL-2.0, CDDL-1.0, CC0-1.0

OpenSSF Scorecard

Package	Version	Score	Details
actions/actions/dependency-review-action	5.*.*	🟢 7.7	Details Check Score Reason Maintained 🟢 10 17 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Security-Policy 🟢 9 security policy file detected Packaging ⚠️ -1 packaging workflow not detected Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions 🟢 9 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies ⚠️ 1 dependency not pinned by hash detected -- score normalized to 1 Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 6 branch protection is not maximal on development and all release branches SAST 🟢 9 SAST tool detected but not run on all commits

Scanned Files

• .github/workflows/dependency-review.yml