fix(deps): update actions/dependency-review-action action to v5 by renovate-bot · Pull Request #243 · cloudspannerecosystem/spanner-schema-diff-tool

renovate-bot · 2026-05-09T00:41:33Z

This PR contains the following updates:

Package	Type	Update	Change
actions/dependency-review-action	action	major	`v4` → `v5.0.0`

Release Notes

actions/dependency-review-action (actions/dependency-review-action)

`v5.0.0`: 5.0.0

Compare Source

This is a new major version of the Dependency Review Action which updates the runtime to node24. This requires a minimum Actions Runner version v2.327.1 to run.

What's Changed

Add .github/copilot-instructions.md for Copilot coding agent by @ahpook in #1067
Update Node.js runtime from 20 to 24 by @scottschreckengaust in #1084
Bump spdx-license-ids from 3.0.20 to 3.0.23 by @mongolyy in #1091
docs: bump actions/checkout from v4 to v6 in workflow examples by @Marukome0743 in #1077
fix: patched version display for advisories with non-strict semver ranges (e.g. Maven beta versions) by @tspascoal in #1076
Resolve security findings by @AshelyTC in #1094
v5.0.0 release branch by @ahpook in #1098

New Contributors

@scottschreckengaust made their first contribution in #1084
@mongolyy made their first contribution in #1091
@Marukome0743 made their first contribution in #1077

Full Changelog: actions/dependency-review-action@v4.9.0...v5.0.0

`v4.9.0`: Dependency Review Action 4.9.0

Compare Source

This feature release contains a couple of notable changes:

There is a new configuration option show_patched_versions which will add a column to the output, showing the fix version of each vulnerable dependency. Thanks @felickz!
Runs which do not display OpenSSF scorecards no longer fetch scorecard information; previously it was fetched regardless of whether or not it was displayed, causing unneccessary slowness. Great catch @jantiebot!
There are a couple of fixes to purl parsing which should improve match accuracy for allow-package-dependency lists, including case (in)sensitivity and url-encoded namespaces Thanks @juxtin!

What's Changed

Compare normalized purls to account for encoding quirks by @juxtin in #1056
Make purl comparisons case insensitive by @juxtin in #1057
Feat: Add Patched Version to Vulnerabilities summary by @felickz in #1045
fix: only get scorecard levels if user wants to see the OpenSSF scorecard by @jantiebot in #1060
Bump actions/stale from 10.1.0 to 10.2.0 by @dependabot[bot] in #1058
Bump actions/checkout from 4 to 6 by @dependabot[bot] in #1021
Updates for release 4.9.0 by @ahpook in #1064

New Contributors

@jantiebot made their first contribution in #1060

Full Changelog: actions/dependency-review-action@v4.8.3...v4.9.0

`v4.8.3`: 4.8.3

Compare Source

Dependency Review Action v4.8.3

This is a bugfix release that updates a number of upstream dependencies and includes a fix for the earlier feature that detected oversized summaries and upload them as artifacts, which could occasionally crash the action.

We have also updated the release process to use a long-lived v4 branch for the action, instead of a force-pushed tag, which aligns better with git branching strategies; the change should be transparent to end users.

What's Changed

GitHub Actions can't push to our protected main by @dangoor in #1017
Bump actions/stale from 9.1.0 to 10.1.0 by @dependabot[bot] in #995
Bump github/codeql-action from 3 to 4 by @dependabot[bot] in #1003
Bump actions/setup-node from 4 to 6 by @dependabot[bot] in #1005
Upgrade glob to address a vulnerability by @brrygrdn in #1024
Bump js-yaml by @dependabot[bot] in #1020
Addressing vulnerabilities by @Ahmed3lmallah in #1036
Bump fast-xml-parser from 5.3.3 to 5.3.5 by @dependabot[bot] in #1050
Bump fast-xml-parser from 5.3.5 to 5.3.6 by @dependabot[bot] in #1053
Properly truncate long summaries and catch errors by @juxtin in #1052
Bump spdx-expression-parse from 3.0.1 to 4.0.0 in the spdx-licenses group across 1 directory by @dependabot[bot] in #931
Changes for Release 4.8.3 by @ahpook in #1054

Full Changelog: https://github.com/actions/dependency-review-action/compare/v4.8.2..v4.8.3

`v4.8.2`

Compare Source

Minor fixes:

Fix PURL parsing for scoped packages (#1008 from @danielhardej)
Fix for large summaries (#1007 from @gitulisca)
README includes a working example for allow-dependencies-licenses (#1009 from @danielhardej)

`v4.8.1`: Dependency Review Action v4.8.1

Compare Source

What's Changed

(bug) Fix spamming link test in deprecation warning (again) by @ahpook in #1000
Bump version for 4.8.1 release by @ahpook in #1001

Full Changelog: actions/dependency-review-action@v4...v4.8.1

`v4.8.0`

Compare Source

What's Changed

Make Ruby Code Scannable by @ljones140 in #978
Batch some contributions for release by @brrygrdn in #986
- Make license lists collapsable by @jasperkamerling
- feat: add large summary handling with artifact upload by @MattMencel

New Contributors

@ljones140 made their first contribution in #978
@jasperkamerling made their first contribution in #986
@MattMencel made their first contribution in #986

Full Changelog: actions/dependency-review-action@v4...v4.8.0

`v4.7.4`

Compare Source

`v4.7.3`: 4.7.3

Compare Source

What's Changed

Add explicit permissions to workflow files by @AshelyTC in #966
Claire153/fix spamming mentioned issue by @claire153 in #974

Full Changelog: actions/dependency-review-action@v4...v4.7.3

`v4.7.2`: 4.7.2

Compare Source

What's Changed

Add Missing Languages to CodeQL Advanced Configuration by @KyFaSt in #945
Deprecate deny lists by @claire153 in #958
Address discrepancy between docs and reality by @ahpook in #960

New Contributors

@KyFaSt made their first contribution in #945
@claire153 made their first contribution in #958
@ahpook made their first contribution in #960

Full Changelog: actions/dependency-review-action@v4...v4.7.2

`v4.7.1`

Compare Source

Packages added to allow-dependencies-licenses will be allowed even if the package in question has no license information #889
License expressions (e.g. Ruby OR GPL-2.0) in the allow list are automatically discarded so that they don't invalidate the whole allow list, which should just be license identifier (e.g. Ruby)

`v4.7.0`

Compare Source

Handle complex license expressions (e.g. MIT AND GPL-2.0) in allow lists (fixes #809 and probably others)
Replace OTHER in package licenses with LicenseRef-clearlydefined-OTHER so that parsing passes

`v4.6.0`

Compare Source

What's Changed

Updating multiple dependency versions by @Ahmed3lmallah in #870
Grouping minor and patch dependabot updates to lessen the number of PRs by @Ahmed3lmallah in #876
Bump actions/stale from 9.0.0 to 9.1.0 by @dependabot in #878
Bump undici from 5.28.4 to 5.28.5 by @dependabot in #877
DR Action should link to the proxima stamp when appropriate in error messages by @AshelyTC in #891
Allow deny package removal by @ellenfieldn in #888
Fix typos by @omahs in #893
Bump esbuild from 0.19.5 to 0.25.0 by @dependabot in #900
Bump octokit and related dependencies by @RomanIakovlev in #904
Bump @babel/helpers from 7.23.2 to 7.26.10 by @dependabot in #905
Bump @octokit/plugin-paginate-rest from 9.1.5 to 9.2.2 by @dependabot in #899
Update transitive dependency spdx-license-ids by @ailox in #855
To not print OpenSSF Scorecard section if no dependencies scanned by @fabasoad in #884
Improve usage of this action in dependency-review.yml by @fabasoad in #883
Clarify comment-summary-in-pr behaviour by @Pantelis-Santorinios in #902
Prepare 4.6.0 Release candidate by @brrygrdn in #910

New Contributors

@AshelyTC made their first contribution in #891
@ellenfieldn made their first contribution in #888
@omahs made their first contribution in #893
@RomanIakovlev made their first contribution in #904
@ailox made their first contribution in #855
@fabasoad made their first contribution in #884
@Pantelis-Santorinios made their first contribution in #902
@brrygrdn made their first contribution in #910

Full Changelog: actions/dependency-review-action@v4.5.0...v4.6.0

`v4.5.0`

Compare Source

What's Changed

Bump got from 14.4.2 to 14.4.3 by @dependabot in #844
Bump nodemon from 3.1.0 to 3.1.7 by @dependabot in #847
Bump @vercel/ncc from 0.38.1 to 0.38.3 by @dependabot in #849
Overriding the cross-spawn dependency to use a safe version by @Ahmed3lmallah in #850
fix: add summary comment on failure when warn-only: true by @ebickle in #827
Prepare for 4.5.0 release by @Ahmed3lmallah in #851

New Contributors

@ebickle made their first contribution in #827

Full Changelog: actions/dependency-review-action@v4...v4.5.0

`v4.4.0`

Compare Source

What's Changed

Fix for merge_group event bug by @Ahmed3lmallah in #846

Full Changelog: actions/dependency-review-action@v4.3.5...v4.4.0

`v4.3.5`

Compare Source

What's Changed

fix: getRefs function to handle merge_group events by @louis-bompart in #766
Create pull_request_template.md by @jonjanego in #794
Update CONTRIBUTING.md by @jonjanego in #793
Bump @types/node from 20.11.28 to 20.16.0 by @dependabot in #815
Upgrade transitive micromatch library by @elireisman in #829
Do not list changed dependencies in summary by @hmaurer in #828
Update stale.yaml by @jonjanego in #832
Bump got from 14.4.1 to 14.4.2 by @dependabot in #822
Bump eslint-plugin-jest and ts-jest by @Ahmed3lmallah in #840

New Contributors

@louis-bompart made their first contribution in #766
@Ahmed3lmallah made their first contribution in #840

Full Changelog: actions/dependency-review-action@v4.3.4...v4.3.5

`v4.3.4`

Compare Source

What's Changed

Include all added dependencies in scorecard entries by @elireisman in #783
Update SPDX Expression Parsing by @febuiles in #719
- This PR is a significant refactor of SPDX expression parsing that may fix some bugs, but unfortunately there are several related known issues that remain unresolved as of this version.

Full Changelog: actions/dependency-review-action@v4.3.3...v4.3.4

`v4.3.3`: Notes for v4.3.3

Compare Source

What's Changed

Allow slashes in purl package names by @juxtin in #765
use the v3 version of the deps.dev API by @josieang in #741
PR with suggestions - [Improvement]: Help streamline / simplify dependency review action README by @am-stead in #773
fix show-openssf-scorecard-levels input by @ramann in #776
Updates to the contribution guidelines by @jonjanego in #778
Create issue templates by @jonjanego in #777
Fix the max comment length issue by @jhutchings1 and @elireisman in #767
Bump project version to 4.3.3 in prep for a release by @elireisman in #781

New Contributors

@josieang made their first contribution in #741
@am-stead made their first contribution in #773
@ramann made their first contribution in #776

Full Changelog: actions/dependency-review-action@v4.3.2...v4.3.3

`v4.3.2`

Compare Source

What's Changed

Fix package-url parsing for allow-dependencies-licenses by @juxtin in #761

Full Changelog: actions/dependency-review-action@v4.3.1...v4.3.2

`v4.3.1`

Compare Source

What's Changed

This release fixes some bugs related to package-url parsing that were introduced in 4.3.0. See #753.

Full Changelog: actions/dependency-review-action@V4.3.0...v4.3.1

`vV4.3.0`

Compare Source

`v4.3.0`

Compare Source

New Features

The deny-packages option can now be used without a version number to exclude all versions of a package.

What's Changed

Fix action variable name for scorecard by @lukehinds in #735
Fix extra https:// in summary by @jhutchings1 in #748
Bump typescript from 5.3.3 to 5.4.5 by @dependabot in #744
Bump eslint-plugin-github from 4.10.1 to 4.10.2 by @dependabot in #737
Show denied packages with red X by @juxtin in #750
deny-packages configuration option can deny specified version or all packages by @febuiles and @bteng22 in #733