
Bump actions/dependency-review-action from 4 to 5 #362

Closed

dependabot[bot] wants to merge 1 commit into main from dependabot/github_actions/actions/dependency-review-action-5


Conversation

dependabot[bot] (Contributor) commented on behalf of github on May 20, 2026

Bumps actions/dependency-review-action from 4 to 5.

Release notes

Sourced from actions/dependency-review-action's releases.

5.0.0

This is a new major version of the Dependency Review Action which updates the runtime to node24. This requires a minimum Actions Runner version v2.327.1 to run.

Full Changelog: actions/dependency-review-action@v4.9.0...v5.0.0

Dependency Review Action 4.9.0

This feature release contains a couple of notable changes:

  • There is a new configuration option show_patched_versions which will add a column to the output, showing the fix version of each vulnerable dependency. Thanks @​felickz!
  • Runs which do not display OpenSSF scorecards no longer fetch scorecard information; previously it was fetched regardless of whether or not it was displayed, causing unnecessary slowness. Great catch @​jantiebot!
  • There are a couple of fixes to purl parsing which should improve match accuracy for allow-package-dependency lists, including case (in)sensitivity and URL-encoded namespaces. Thanks @​juxtin!

Full Changelog: actions/dependency-review-action@v4.8.3...v4.9.0

4.8.3

Dependency Review Action v4.8.3

This is a bugfix release that updates a number of upstream dependencies and includes a fix for the earlier feature that detected oversized summaries and uploaded them as artifacts, which could occasionally crash the action.

We have also updated the release process to use a long-lived v4 branch for the action, instead of a force-pushed tag, which aligns better with git branching strategies; the change should be transparent to end users.

What's Changed

... (truncated)

Commits
  • a1d282b Merge pull request #1098 from actions/ahpook/v5-release
  • eb6c199 update examples to show @​v5
  • 3943c2c v5.0.0 release branch
  • 454943c Merge pull request #1094 from actions/ashelytc/security-findings
  • 6d92a12 revert @​typescript-eslint/parser update
  • a8e5a7e Merge pull request #1076 from tspascoal/fix-version-matching-for-non-string-s...
  • b6b7079 update @​typescript-eslint/parser to 8.40.0
  • 821a21d update more dependencies
  • 05aaaae run npm audit fix
  • 55d3e75 Merge pull request #1077 from Marukome0743/docs/checkout
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note: Low Risk

Low-risk, workflow-only change; the main risk is CI failures if the GitHub Actions runner is below the minimum version required by actions/dependency-review-action@v5 (Node 24).

Overview
Updates the Dependency Review GitHub Actions workflow to use actions/dependency-review-action@v5 instead of @v4, keeping the existing license allow/deny configuration unchanged.

Reviewed by Cursor Bugbot for commit 1bb19d8. Bugbot is set up for automated code reviews on this repo.

Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 4 to 5.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](actions/dependency-review-action@v4...v5)

---
updated-dependencies:
- dependency-name: actions/dependency-review-action
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added the labels Changed (required label that categorizes the merge commit message as "Changed" for the changelog), dependencies (pull requests that update a dependency file) and github_actions (pull requests that update GitHub Actions code) on May 20, 2026
@github-actions commented

🤖 Cursor Dependency Analysis

Supply-Chain Malware Review

Reviewing the PR change and upstream dependency artifacts for supply-chain risk.
Verdict: benign

Summary: This is a normal major bump of the official GitHub action actions/dependency-review-action (v4 → v5). Nothing in the scan or upstream diff points to compromise; the scanner’s warn status is from noisy heuristics on the prebuilt bundle, not real IOCs.

Malware scan (hard evidence)

  • 0 confusable homoglyphs, 0 IOCs
  • 3 unicode hits: visible ⚠️ in README and bundled output — not zero-width / PUA / bidi Trojan Source
  • 381 codepoint_decoder hits in dist/index.js — expected in ncc-bundled deps (base64, URL encoding, UTF-8, lodash, etc.); not hidden-payload assembly
  • Changed set is typical for a JS action release: dist/index.js, dist/index.js.map, package.json, package-lock.json, README.md, dist/licenses.txt — no new node_modules/ in your repo

Checklist (high signal)

  • Obfuscation / eval exfil: Bundled dist/ only; no new install scripts; package.json has build/test scripts only (no preinstall/postinstall)
  • Unexpected network: URLs are GitHub API, api.deps.dev, OpenSSF scorecards; aligned with dependency review
  • Persistence / shell abuse: exec/spawn in bundle trace to @actions/toolkit tool-runner; normal for Actions
  • GlassWorm Unicode: No ZWSP/PUA/bidi controls in actionable source; emoji warnings are visible
  • Lockfile / typosquat: Publisher remains GitHub; version 5.0.0 matches documented release (Node 24, runner ≥ 2.327.1)
  • Dependabot scope: Your change is the version pin in .github/workflows/dependency-review.yml (@v4 → @v5); workflow content/options unchanged

Operational note (not malware): v5 requires Actions runner ≥ v2.327.1 and Node 24 runtime. ubuntu-latest on GitHub-hosted runners is fine; only a concern for old self-hosted runners.

Recommendation: Safe to merge from a supply-chain perspective. After merge, confirm the Dependency Review workflow run succeeds once on a PR.

Compatibility Analysis

Searching the repo for how dependency-review-action is used and comparing that with the v5 upstream changes.

Compatibility analysis — actions/dependency-review-action v4 → v5

1) Where it’s used

Single call site: .github/workflows/dependency-review.yml

  • Trigger: pull_request
  • Runner: ubuntu-latest
  • Guard: if: github.repository_owner == 'Chia-Network'
  • Inputs in use:
    • allow-dependencies-licenses: pkg:pypi/pyinstaller
    • deny-licenses: … (GPL/AGPL list)
  • Already on actions/checkout@v6

No other workflow references this action. dependency-cursor-review.yml is separate (Cursor/Dependabot automation).

2) Intersection with v5 changes

Upstream diff v4.9.0…v5.0.0 shows one functional breaking change in action.yml: runtime node20 → node24. All action inputs/outputs are unchanged.

Your config uses stable, documented inputs (deny-licenses, allow-dependencies-licenses). Those still exist in v5; deny-licenses remains supported but is deprecated (removal warned for a future major).

Release-note changes that may affect you (positively):

  • PURL matching fixes (case/encoding) — can improve pkg:pypi/pyinstaller allowlist behavior
  • Patched-version display fix — reporting only, if you enable show_patched_versions later
  • Security/dependency updates in the action bundle — no repo code impact

No overlap with Rust/C++/Python build APIs; this action only talks to GitHub’s dependency-review API on PRs.

3) Risks / unknowns

  • Runner ≥ v2.327.1 required (Node 24). Severity: Low for this repo. Job uses ubuntu-latest on GitHub-hosted runners; typically fine. Only material if you later run this on old self-hosted runners.
  • deny-licenses deprecation. Severity: Low. Still works in v5; plan migration to allow-licenses / config file before a future major.
  • First-run validation. Severity: Low. Confirm the "🚨 Dependency Review" check passes on this PR (or the next PR) under Chia-Network.
  • Org-only job. Severity: Info. Fork PRs won't exercise the step.

No repo build/runtime risk: no Cargo/Python changes from this bump.

4) Recommendation

Merge (or merge-with-caveats only if you use self-hosted/GHES runners older than v2.327.1 for this workflow).

Post-merge: Let the dependency-review workflow run once on a real PR; no config changes required unless you want to drop deprecated deny-licenses proactively.


Malware Scan Summary

  • Status: warn
  • Warn only mode: true
  • Changed upstream files scanned: 6
  • Resolution strategy: commit_list
  • Changed node/vendor paths: 0
  • Changed lockfiles: 1
  • Resolved refs: from=n/a to=n/a
  • Unicode findings (post-allowlist): 3
  • Confusable findings (post-allowlist): 0
  • IOC findings (post-allowlist): 0
  • Heuristic findings (post-allowlist): 381

Top findings

  • README.md:120 unicode :: | deny-licenses\* | ⚠️ This option is deprecated for possible removal in the next major release. See [Deprecate the deny-licenses option #938](https://github.com/actions/dependency-review-action/issues/938) for more information. <br> Contains a list of prohibited licenses. The action will fail on pull requests that introduce dependencies with licenses that match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) ...[truncated]
  • dist/index.js.map:1 unicode :: {"version":3,"file":"index.js","mappings":";;;;;;;AAAA;AACA;AACA;AACA;...[truncated]
  • dist/index.js:1696 unicode :: warning: '⚠️'
  • dist/index.js.map:1 codepoint_decoder :: {"version":3,"file":"index.js","mappings":";;;;;;;AAAA;AACA;AACA;AACA;...[truncated]
  • dist/index.js:15088 codepoint_decoder :: return "%" + c.charCodeAt(0).toString(16).toUpperCase();
  • dist/index.js:22852 codepoint_decoder :: decTable[encTable[i].charCodeAt(0)] = i;
  • dist/index.js:22854 codepoint_decoder :: decTable["-".charCodeAt(0)] = encTable.indexOf("+");
  • dist/index.js:22855 codepoint_decoder :: decTable["_".charCodeAt(0)] = encTable.indexOf("/");
  • dist/index.js:22882 codepoint_decoder :: b = decTable[base64Str.charCodeAt(i)];
  • dist/index.js:39398 codepoint_decoder :: for(var i = 0, L = bstr.length; i < L;) C = (C>>>8) ^ T0[(C^bstr.charCodeAt(i++))&0xFF];
  • dist/index.js:39420 codepoint_decoder :: c = str.charCodeAt(i++);
  • dist/index.js:39427 codepoint_decoder :: c = (c&1023)+64; d = str.charCodeAt(i++)&1023;
  • dist/index.js:39926 codepoint_decoder :: hash = ((hash << 5) - hash) + namespace.charCodeAt(i);
  • dist/index.js:44650 codepoint_decoder :: function e(e){this.message=e}e.prototype=new Error,e.prototype.name="InvalidCharacterError";var r="undefined"!=typeof window&&window.atob&&window.atob.bind(window)||function(r){var t=String(r).replace(/=+$/,"");if(t.length%4==1)throw new e("'atob' failed: The string to be decoded is not correctly encoded.");for(var n,o,a=0,i=0,c="";o=t.charAt(i++);~o&&(n=a%4?64*n+o:o,a++%4)?c+=String.fromCharCode(255&n>>(-2*a&6)):0)o="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=".indexOf(o);...[truncated]
  • dist/index.js:47391 codepoint_decoder :: var c = r.charCodeAt(r.length - 1);
  • dist/index.js:65292 codepoint_decoder :: var c = r.charCodeAt(r.length - 1);
  • dist/index.js:65935 codepoint_decoder :: const ZERO_OFFSET = '0'.charCodeAt(0)
  • dist/index.js:66741 codepoint_decoder :: result += String.fromCodePoint(this.codePoint)
  • dist/index.js:71059 codepoint_decoder :: const code = this.code = key.charCodeAt(index)
  • dist/index.js:71083 codepoint_decoder :: const code = key.charCodeAt(index)
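The compatibility checks the analysis above walks through (find the call site, read the major-version pin, flag the deprecated deny-licenses input, and compare a self-hosted runner's version against the v2.327.1 minimum that v5 needs) as a stand-alone added example. This is editor-added code, not part of the PR, the repository, or Cursor's tooling. The workflow text is a constructed sample modelled on the call site described in the analysis rather than the repository's real file, the allow-licenses values are illustrative SPDX identifiers, and treating ubuntu-/windows-/macos- labels as GitHub-hosted runners is an assumption.

```python
import re
from dataclasses import dataclass

ACTION = "actions/dependency-review-action"
MIN_RUNNER_FOR_V5 = (2, 327, 1)   # minimum Actions Runner for v5, per the release notes quoted in the PR
DEPRECATED_INPUTS = {"deny-licenses": "allow-licenses (or a config file)"}

# Constructed sample modelled on the call site the analysis describes; not the repository's real file.
BEFORE = """\
name: Dependency Review
on: pull_request
jobs:
  dependency-review:
    runs-on: ubuntu-latest
    if: github.repository_owner == 'Chia-Network'
    steps:
      - uses: actions/checkout@v6
      - name: Dependency Review
        uses: actions/dependency-review-action@v4
        with:
          allow-dependencies-licenses: pkg:pypi/pyinstaller
          deny-licenses: GPL-3.0, AGPL-3.0
"""

# Same workflow on @v5 with the deprecated deny list swapped for an allow list (illustrative SPDX ids).
AFTER = BEFORE.replace("@v4", "@v5").replace(
    "deny-licenses: GPL-3.0, AGPL-3.0", "allow-licenses: MIT, Apache-2.0, BSD-3-Clause")


@dataclass
class ActionUse:
    ref: str       # tag, branch or commit SHA after the '@'
    inputs: dict   # keys/values found under `with:`
    runs_on: str   # `runs-on` of the enclosing job ("" if none seen)


def _indent(line):
    return len(line) - len(line.lstrip(" "))


def find_action_uses(workflow, action=ACTION):
    """Line-oriented scan (no YAML library) for steps that `uses:` the given action."""
    uses, runs_on, lines, i = [], "", workflow.splitlines(), 0
    pattern = re.compile(r"^(?:-\s+)?uses:\s*" + re.escape(action) + r"@(\S+)")
    while i < len(lines):
        body = lines[i].strip()
        if body.startswith("runs-on:"):
            runs_on = body.split(":", 1)[1].strip()
        m = pattern.match(body)
        if not m:
            i += 1
            continue
        # Column of this step's keys; a leading "- " shifts the key two columns right.
        key_indent = _indent(lines[i]) + (2 if body.startswith("- ") else 0)
        inputs, in_with, j = {}, False, i + 1
        while j < len(lines):
            text = lines[j].strip()
            if not text:
                j += 1
                continue
            ind = _indent(lines[j])
            if ind < key_indent:
                break                           # next step or next job
            if ind == key_indent:
                in_with = text == "with:"       # another key of the same step
            elif in_with and ":" in text:
                k, v = text.split(":", 1)       # first colon only: values such as pkg:pypi/... contain ':'
                inputs[k.strip()] = v.strip()
            j += 1
        uses.append(ActionUse(ref=m.group(1), inputs=inputs, runs_on=runs_on))
        i = j
    return uses


def major_of(ref):
    """'v4' or 'v4.9.0' -> 4; None for SHA pins and branch names."""
    m = re.fullmatch(r"v?(\d+)(?:\.\d+)*", ref)
    return int(m.group(1)) if m else None


def version_at_least(actual, minimum):
    """Is runner version 'v2.327.1' >= (2, 327, 1)? Non-numeric parts are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", actual)) >= minimum


def check_workflow(workflow, self_hosted_runner_version=None):
    """Findings a reviewer would act on; an empty list means the bump needs no config change."""
    findings = []
    for use in find_action_uses(workflow):
        major = major_of(use.ref)
        if major is not None and major < 5:
            findings.append(f"{ACTION}@{use.ref}: v5 available (node24 runtime, runner >= v2.327.1)")
        for name, replacement in DEPRECATED_INPUTS.items():
            if name in use.inputs:
                findings.append(f"input '{name}' is deprecated upstream; migrate to {replacement}")
        # Assumption: ubuntu-/windows-/macos- labels mean GitHub-hosted runners, which are kept current.
        hosted = re.match(r"^(ubuntu|windows|macos)-", use.runs_on) is not None
        if major is not None and major >= 5 and not hosted:
            if self_hosted_runner_version is None:
                findings.append(f"runs-on {use.runs_on!r} looks self-hosted; verify runner >= v2.327.1")
            elif not version_at_least(self_hosted_runner_version, MIN_RUNNER_FOR_V5):
                findings.append(f"runner {self_hosted_runner_version} is below v2.327.1 required by v5")
    return findings


if __name__ == "__main__":
    for label, wf in (("before", BEFORE), ("after", AFTER)):
        print(label, check_workflow(wf) or ["nothing to act on"])
```

Run against the "before" sample it reports the stale @v4 pin and the deprecated deny-licenses input; against the @v5 sample on ubuntu-latest it reports nothing, and it only asks for a runner version when runs-on does not look GitHub-hosted. The scan is deliberately line-based so it can be dropped into a pre-merge check without adding a YAML dependency; anything more exotic than plain `key: value` inputs (multi-line strings, anchors) would need a real YAML parser.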

dependabot[bot] (Contributor, Author) commented on behalf of github on May 26, 2026

Looks like actions/dependency-review-action is up-to-date now, so this is no longer needed.

@dependabot dependabot Bot closed this May 26, 2026
@dependabot dependabot Bot deleted the dependabot/github_actions/actions/dependency-review-action-5 branch May 26, 2026 15:05