chore(deps): bump actions/dependency-review-action from 4.9.0 to 5.0.0

[dependabot]

Bumps actions/dependency-review-action from 4.9.0 to 5.0.0.

Release notes

Sourced from actions/dependency-review-action's releases.

5.0.0

This is a new major version of the Dependency Review Action which updates the runtime to node24. This requires a minimum Actions Runner version v2.327.1 to run.

What's Changed

• Add .github/copilot-instructions.md for Copilot coding agent by @​ahpook in actions/dependency-review-action#1067
• Update Node.js runtime from 20 to 24 by @​scottschreckengaust in actions/dependency-review-action#1084
• Bump spdx-license-ids from 3.0.20 to 3.0.23 by @​mongolyy in actions/dependency-review-action#1091
• docs: bump actions/checkout from v4 to v6 in workflow examples by @​Marukome0743 in actions/dependency-review-action#1077
• fix: patched version display for advisories with non-strict semver ranges (e.g. Maven beta versions) by @​tspascoal in actions/dependency-review-action#1076
• Resolve security findings by @​AshelyTC in actions/dependency-review-action#1094
• v5.0.0 release branch by @​ahpook in actions/dependency-review-action#1098

New Contributors

• @​scottschreckengaust made their first contribution in actions/dependency-review-action#1084
• @​mongolyy made their first contribution in actions/dependency-review-action#1091
• @​Marukome0743 made their first contribution in actions/dependency-review-action#1077

Full Changelog: actions/dependency-review-action@v4.9.0...v5.0.0

Commits

• a1d282b Merge pull request #1098 from actions/ahpook/v5-release
• eb6c199 update examples to show @​v5
• 3943c2c v5.0.0 release branch
• 454943c Merge pull request #1094 from actions/ashelytc/security-findings
• 6d92a12 revert @​typescript-eslint/parser update
• a8e5a7e Merge pull request #1076 from tspascoal/fix-version-matching-for-non-string-s...
• b6b7079 update @​typescript-eslint/parser to 8.40.0
• 821a21d update more dependencies
• 05aaaae run npm audit fix
• 55d3e75 Merge pull request #1077 from Marukome0743/docs/checkout
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Summary by CodeRabbit

• Chores
  • Updated the dependency review automation workflow to use a newer version of the review action.

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR updates the pinned revision of the actions/dependency-review-action GitHub Actions action in the dependency review workflow. The change modifies the commit SHA on line 27 of .github/workflows/dependency-review.yml while preserving the major version reference (v4) and all existing step configuration for severity levels, allowed licenses, and PR failure behavior.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The description is largely incomplete relative to the required template. It includes release notes and Dependabot metadata, but is missing all required sections: Summary, Scope checkboxes, Checks, Linked issue, and Deploy impact.	Add the required template sections: Summary (1-3 sentences explaining the change), Scope (check 'Repo tooling' or similar), Checks (verify applicable items are complete), Linked issue, and Deploy impact (check 'No on-chain change' as applicable).

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely describes the main change: bumping a dependency from version 4.9.0 to 5.0.0, which matches the PR objective.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch dependabot/github_actions/actions/dependency-review-action-5.0.0

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/dependency-review.yml:
- Line 27: Update the inline version annotation for the dependency-review action
so the comment matches the pinned SHA: change the trailing comment on the
actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 line
from "# v4" to "# v5.0.0" (or "# v5") so the annotation correctly reflects
v5.0.0.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 6ba5ac29-5a0b-431a-836b-395c2770d769

📥 Commits

Reviewing files that changed from the base of the PR and between 3e189f4 and eca82fe.

📒 Files selected for processing (1)

• .github/workflows/dependency-review.yml

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🌐 Web query:

Which release tag contains commit a1d282b36b6f3519aa1f3fc636f609c47dddb294 in actions/dependency-review-action, and is it part of v5.0.0?

💡 Result:

Commit a1d282b36b6f3519aa1f3fc636f609c47dddb294 corresponds to the release tag v5.0.0 of actions/dependency-review-action, and yes—it is part of v5.0.0. Evidence: the repository’s tags page shows v5.0.0 [1]. The latest release on the main repository page is v5.0.0 [2]. Also, a workflow example explicitly pins actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 and labels it as v5.0.0 in its comment context [3].

Citations:

• 1: https://github.com/actions/dependency-review-action/tags
• 2: https://github.com/actions/dependency-review-action
• 3: https://github.com/ossf/fuzz-introspector/blob/main/.github/workflows/depsreview.yaml

---

Update the version annotation to reflect v5.0.0.

Line 27 pins the action to SHA a1d282b36b6f3519aa1f3fc636f609c47dddb294, which corresponds to v5.0.0, but the inline comment still says # v4. Update the annotation to match.

Suggested edit

-      - uses: actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 # v4
+      - uses: actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 # v5

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	- uses: actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 # v4
	- uses: actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 # v5

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/dependency-review.yml at line 27, Update the inline
version annotation for the dependency-review action so the comment matches the
pinned SHA: change the trailing comment on the
actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 line
from "# v4" to "# v5.0.0" (or "# v5") so the annotation correctly reflects
v5.0.0.