Bump actions/dependency-review-action from 4.9.0 to 5.0.0

[dependabot]

Bumps actions/dependency-review-action from 4.9.0 to 5.0.0.

Release notes

Sourced from actions/dependency-review-action's releases.

5.0.0

This is a new major version of the Dependency Review Action which updates the runtime to node24. This requires a minimum Actions Runner version v2.327.1 to run.

What's Changed

• Add .github/copilot-instructions.md for Copilot coding agent by @​ahpook in actions/dependency-review-action#1067
• Update Node.js runtime from 20 to 24 by @​scottschreckengaust in actions/dependency-review-action#1084
• Bump spdx-license-ids from 3.0.20 to 3.0.23 by @​mongolyy in actions/dependency-review-action#1091
• docs: bump actions/checkout from v4 to v6 in workflow examples by @​Marukome0743 in actions/dependency-review-action#1077
• fix: patched version display for advisories with non-strict semver ranges (e.g. Maven beta versions) by @​tspascoal in actions/dependency-review-action#1076
• Resolve security findings by @​AshelyTC in actions/dependency-review-action#1094
• v5.0.0 release branch by @​ahpook in actions/dependency-review-action#1098

New Contributors

• @​scottschreckengaust made their first contribution in actions/dependency-review-action#1084
• @​mongolyy made their first contribution in actions/dependency-review-action#1091
• @​Marukome0743 made their first contribution in actions/dependency-review-action#1077

Full Changelog: actions/dependency-review-action@v4.9.0...v5.0.0

Commits

• a1d282b Merge pull request #1098 from actions/ahpook/v5-release
• eb6c199 update examples to show @​v5
• 3943c2c v5.0.0 release branch
• 454943c Merge pull request #1094 from actions/ashelytc/security-findings
• 6d92a12 revert @​typescript-eslint/parser update
• a8e5a7e Merge pull request #1076 from tspascoal/fix-version-matching-for-non-string-s...
• b6b7079 update @​typescript-eslint/parser to 8.40.0
• 821a21d update more dependencies
• 05aaaae run npm audit fix
• 55d3e75 Merge pull request #1077 from Marukome0743/docs/checkout
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[github-actions]

🤖 Claude Code Review

PR Code Review

Change: Bumps actions/dependency-review-action from v4.9.0 to v5.0.0 in .github/workflows/maven-dependency-review.yaml.

---

Code Quality

• ✅ Style guide — Single-line change in a YAML workflow file; no style concerns.
• ✅ No commented-out code — None present.
• ✅ Meaningful variable names — N/A.
• ✅ DRY principle — N/A.
• ✅ Defects — No bugs, logic errors, or vulnerabilities introduced. This is a dependency version bump via Dependabot.
• ✅ CLAUDE.md — No issues; the project config is general and environment-agnostic.

Testing

• ✅ No application logic changed; unit/integration tests are not applicable to a CI action version bump.

Documentation

• ✅ README/API docs — No documentation changes required for a CI dependency bump.
• ✅ CHANGELOG.md — Not required for automated Dependabot bumps per standard practice.
• ✅ Markdown formatting — N/A.

Security

• ✅ No hardcoded credentials — None.
• ✅ No sensitive data — None.
• ✅ No license files (.lic) — None present.
• ⚠️ Major version bump (v4 → v5): dependency-review-action@v5.0.0 is a major version upgrade. Major releases can introduce breaking changes (e.g., removed or renamed inputs, changed default behavior for fail-on-severity, deny-licenses, etc.). The current workflow uses no explicit configuration beyond the action itself (line 31), so defaults apply — verify that v5 defaults remain compatible with the intended behavior. The v5 release notes should be checked before merging.

---

Summary: The change is low-risk but warrants a quick check of the v5 release notes since this is a major version bump. The workflow has no custom inputs, so any change to defaults in v5 would silently alter behavior. No blockers; recommend confirming v5 defaults are acceptable before merging.

Automated code review analyzing defects and coding standards

[github-actions]

Super-linter summary

Language	Validation result
CHECKOV	Pass ✅
GITHUB_ACTIONS	Pass ✅
GITHUB_ACTIONS_ZIZMOR	Pass ✅
GITLEAKS	Pass ✅
GIT_MERGE_CONFLICT_MARKERS	Pass ✅
JSCPD	Pass ✅
PRE_COMMIT	Pass ✅
SPELL_CODESPELL	Pass ✅
TRIVY	Pass ✅
YAML	Pass ✅
YAML_PRETTIER	Pass ✅

All files and directories linted successfully

For more information, see the GitHub Actions workflow run

Powered by Super-linter

[github-actions]

🤖 Claude Code Review

PR Code Review

Change: Bumps actions/dependency-review-action from v4.9.0 to v5.0.0 in .github/workflows/maven-dependency-review.yaml.

---

Code Quality

• ✅ Style guide — Single-line change in YAML; no style concerns.
• ✅ No commented-out code — None present.
• ✅ Meaningful variable names — N/A.
• ✅ DRY principle — N/A.
• ✅ Defects — No logic errors. This is a straightforward dependency version bump via Dependabot. The action is pinned to a semver tag (not a SHA), which is acceptable but worth noting — pinning to a commit SHA is more secure against tag mutation attacks. Not blocking for a well-known action like this one.

Testing

• ✅ Unit/integration tests — N/A for a CI workflow version bump.
• ✅ Edge cases / coverage — N/A.

Documentation

• ✅ README/API docs — No updates needed.
• ✅ Inline comments — N/A.
• ✅ CHANGELOG — Not updated, but this is a routine Dependabot bump; acceptable.
• ✅ Markdown formatting — Only YAML changed; no Markdown files touched.

Security

• ✅ No hardcoded credentials — None.
• ✅ Input validation / error handling — N/A.
• ✅ No sensitive data in logs — N/A.
• ✅ No license files (.lic) — None present.

---

Summary

This is a routine Dependabot version bump with no concerns. The only minor note: consider pinning GitHub Actions to a commit SHA instead of a semver tag (e.g., actions/dependency-review-action@<sha>) to prevent tag-mutable supply chain risk, but this is a low-priority hardening concern and not blocking.

Verdict: Approve.

Automated code review analyzing defects and coding standards

[github-actions]

Super-linter summary

Language	Validation result
CHECKOV	Pass ✅
GITHUB_ACTIONS	Pass ✅
GITHUB_ACTIONS_ZIZMOR	Pass ✅
GITLEAKS	Pass ✅
GIT_MERGE_CONFLICT_MARKERS	Pass ✅
JSCPD	Pass ✅
PRE_COMMIT	Pass ✅
SPELL_CODESPELL	Pass ✅
TRIVY	Pass ✅
YAML	Pass ✅
YAML_PRETTIER	Pass ✅

All files and directories linted successfully

For more information, see the GitHub Actions workflow run

Powered by Super-linter