[release/v7.6] Bump actions/dependency-review-action from 4.8.3 to 4.9.0#26974
Merged
daxian-dbw merged 2 commits intoPowerShell:release/v7.6from Mar 9, 2026
Merged
Conversation
daxian-dbw
added
the
CL-BuildPackaging
daxian-dbw
added
the
CL-BuildPackaging
Contributor
There was a problem hiding this comment.
Pull request overview
Backports the Dependabot update for the actions/dependency-review-action GitHub Action to the release/v7.6 branch to keep dependency scanning up to date.
Changes:
- Updates
actions/dependency-review-actionpin to the commit for v4.9.0 in the dependency review workflow.
| uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 | ||
| - name: 'Dependency Review' | ||
| uses: actions/dependency-review-action@595b5aeba73380359d98a5e087f648dbb0edce1b # v4.7.3 | ||
| uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0 |
There was a problem hiding this comment.
The PR title/description says this bumps actions/dependency-review-action from 4.8.3 -> 4.9.0, but in this release branch the workflow was previously pinned to a commit commented as v4.7.3 (per the diff). Please align the PR metadata (or add a brief note) so reviewers can see the actual version bump being applied to release/v7.6.
adityapatwardhan
approved these changes
Mar 9, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Backport of #26938 to release/v7.6
Triggered by @daxian-dbw on behalf of @app/dependabot
Original CL Label: CL-BuildPackaging
/cc @PowerShell/powershell-maintainers
Impact
REQUIRED: Choose either Tooling Impact or Customer Impact (or both). At least one checkbox must be selected.
Tooling Impact
Updates dependency-review-action to v4.9.0, bringing improvements to dependency vulnerability scanning and reporting.
Customer Impact
Regression
REQUIRED: Check exactly one box.
This is not a regression.
Testing
Automated dependabot update validated in master branch. No functional changes to workflows, only dependency version update. The conflict was auto-resolved using git rerere from previous successful backports to v7.4 and v7.5.
Risk
REQUIRED: Check exactly one box.
Low risk as this is a minor version bump of a GitHub Actions dependency (4.8.3 to 4.9.0). The update includes improvements to purl matching, scorecard fetching optimization, and patched version display. No breaking changes or significant behavior modifications.
Merge Conflicts
Merge conflict in .github/workflows/dependency-review.yml was auto-resolved by git rerere using a previous resolution.