5.0.0

This is a new major version of the Dependency Review Action which updates the runtime to node24. This requires a minimum Actions Runner version v2.327.1 to run.

What's Changed

• Add .github/copilot-instructions.md for Copilot coding agent by @ahpook in #1067
• Update Node.js runtime from 20 to 24 by @scottschreckengaust in #1084
• Bump spdx-license-ids from 3.0.20 to 3.0.23 by @mongolyy in #1091
• docs: bump actions/checkout from v4 to v6 in workflow examples by @Marukome0743 in #1077
• fix: patched version display for advisories with non-strict semver ranges (e.g. Maven beta versions) by @tspascoal in #1076
• Resolve security findings by @AshelyTC in #1094
• v5.0.0 release branch by @ahpook in #1098

New Contributors

• @scottschreckengaust made their first contribution in #1084
• @mongolyy made their first contribution in #1091
• @Marukome0743 made their first contribution in #1077

Full Changelog: v4.9.0...v5.0.0

Dependency Review Action 4.9.0

This feature release contains a couple of notable changes:

• There is a new configuration option show_patched_versions which will add a column to the output, showing the fix version of each vulnerable dependency. Thanks @felickz!
• Runs which do not display OpenSSF scorecards no longer fetch scorecard information; previously it was fetched regardless of whether or not it was displayed, causing unneccessary slowness. Great catch @jantiebot!
• There are a couple of fixes to purl parsing which should improve match accuracy for allow-package-dependency lists, including case (in)sensitivity and url-encoded namespaces Thanks @juxtin!

What's Changed

• Compare normalized purls to account for encoding quirks by @juxtin in #1056
• Make purl comparisons case insensitive by @juxtin in #1057
• Feat: Add Patched Version to Vulnerabilities summary by @felickz in #1045
• fix: only get scorecard levels if user wants to see the OpenSSF scorecard by @jantiebot in #1060
• Bump actions/stale from 10.1.0 to 10.2.0 by @dependabot[bot] in #1058
• Bump actions/checkout from 4 to 6 by @dependabot[bot] in #1021
• Updates for release 4.9.0 by @ahpook in #1064

New Contributors

• @jantiebot made their first contribution in #1060

Full Changelog: v4.8.3...v4.9.0

4.8.3

Dependency Review Action v4.8.3

This is a bugfix release that updates a number of upstream dependencies and includes a fix for the earlier feature that detected oversized summaries and upload them as artifacts, which could occasionally crash the action.

We have also updated the release process to use a long-lived v4 branch for the action, instead of a force-pushed tag, which aligns better with git branching strategies; the change should be transparent to end users.

What's Changed

• GitHub Actions can't push to our protected main by @dangoor in #1017
• Bump actions/stale from 9.1.0 to 10.1.0 by @dependabot[bot] in #995
• Bump github/codeql-action from 3 to 4 by @dependabot[bot] in #1003
• Bump actions/setup-node from 4 to 6 by @dependabot[bot] in #1005
• Upgrade glob to address a vulnerability by @brrygrdn in #1024
• Bump js-yaml by @dependabot[bot] in #1020
• Addressing vulnerabilities by @Ahmed3lmallah in #1036
• Bump fast-xml-parser from 5.3.3 to 5.3.5 by @dependabot[bot] in #1050
• Bump fast-xml-parser from 5.3.5 to 5.3.6 by @dependabot[bot] in #1053
• Properly truncate long summaries and catch errors by @juxtin in #1052
• Bump spdx-expression-parse from 3.0.1 to 4.0.0 in the spdx-licenses group across 1 directory by @dependabot[bot] in #931
• Changes for Release 4.8.3 by @ahpook in #1054

Full Changelog: https://github.com/actions/dependency-review-action/compare/v4.8.2..v4.8.3

v4.8.2

Minor fixes:

• Fix PURL parsing for scoped packages (#1008 from @danielhardej)
• Fix for large summaries (#1007 from @gitulisca)
• README includes a working example for allow-dependencies-licenses (#1009 from @danielhardej)

Dependency Review Action v4.8.1

What's Changed

• (bug) Fix spamming link test in deprecation warning (again) by @ahpook in #1000
• Bump version for 4.8.1 release by @ahpook in #1001

Full Changelog: v4...v4.8.1

v4.8.0

What's Changed

• Make Ruby Code Scannable by @ljones140 in #978
• Batch some contributions for release by @brrygrdn in #986
  • Make license lists collapsable by @jasperkamerling
  • feat: add large summary handling with artifact upload by @MattMencel

New Contributors

• @ljones140 made their first contribution in #978
• @jasperkamerling made their first contribution in #986
• @MattMencel made their first contribution in #986

Full Changelog: v4...v4.8.0

4.7.3

What's Changed

• Add explicit permissions to workflow files by @AshelyTC in #966
• Claire153/fix spamming mentioned issue by @claire153 in #974

Full Changelog: v4...v4.7.3

4.7.2

What's Changed

• Add Missing Languages to CodeQL Advanced Configuration by @KyFaSt in #945
• Deprecate deny lists by @claire153 in #958
• Address discrepancy between docs and reality by @ahpook in #960

New Contributors

• @KyFaSt made their first contribution in #945
• @claire153 made their first contribution in #958
• @ahpook made their first contribution in #960

Full Changelog: v4...v4.7.2

v4.7.1

• Packages added to allow-dependencies-licenses will be allowed even if the package in question has no license information #889
• License expressions (e.g. Ruby OR GPL-2.0) in the allow list are automatically discarded so that they don't invalidate the whole allow list, which should just be license identifier (e.g. Ruby)

v4.7.0

• Handle complex license expressions (e.g. MIT AND GPL-2.0) in allow lists (fixes #809 and probably others)
• Replace OTHER in package licenses with LicenseRef-clearlydefined-OTHER so that parsing passes