
build(deps): Bump actions/dependency-review-action from 4 to 5 #1003

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/github_actions/actions/dependency-review-action-5

Conversation

@dependabot
Contributor

@dependabot dependabot Bot commented on behalf of github May 20, 2026

Bumps actions/dependency-review-action from 4 to 5.

Release notes

Sourced from actions/dependency-review-action's releases.

5.0.0

This is a new major version of the Dependency Review Action which updates the runtime to node24. This requires a minimum Actions Runner version v2.327.1 to run.

What's Changed

New Contributors

Full Changelog: actions/dependency-review-action@v4.9.0...v5.0.0

Dependency Review Action 4.9.0

This feature release contains a couple of notable changes:

  • There is a new configuration option show_patched_versions which will add a column to the output, showing the fix version of each vulnerable dependency. Thanks @​felickz!
  • Runs which do not display OpenSSF scorecards no longer fetch scorecard information; previously it was fetched regardless of whether or not it was displayed, causing unnecessary slowness. Great catch @​jantiebot!
  • There are a couple of fixes to purl parsing which should improve match accuracy for allow-package-dependency lists, including case (in)sensitivity and url-encoded namespaces. Thanks @​juxtin!

What's Changed

New Contributors

Full Changelog: actions/dependency-review-action@v4.8.3...v4.9.0

4.8.3

Dependency Review Action v4.8.3

This is a bugfix release that updates a number of upstream dependencies and includes a fix for the earlier feature that detected oversized summaries and uploaded them as artifacts, which could occasionally crash the action.

We have also updated the release process to use a long-lived v4 branch for the action, instead of a force-pushed tag, which aligns better with git branching strategies; the change should be transparent to end users.

What's Changed

... (truncated)

Commits
  • a1d282b Merge pull request #1098 from actions/ahpook/v5-release
  • eb6c199 update examples to show @​v5
  • 3943c2c v5.0.0 release branch
  • 454943c Merge pull request #1094 from actions/ashelytc/security-findings
  • 6d92a12 revert @​typescript-eslint/parser update
  • a8e5a7e Merge pull request #1076 from tspascoal/fix-version-matching-for-non-string-s...
  • b6b7079 update @​typescript-eslint/parser to 8.40.0
  • 821a21d update more dependencies
  • 05aaaae run npm audit fix
  • 55d3e75 Merge pull request #1077 from Marukome0743/docs/checkout
  • Additional commits viewable in compare view


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note

Low Risk
Low risk: only updates the GitHub Actions dependency review workflow to a new major action version; potential impact is limited to CI execution (runner/node runtime compatibility).

Overview
Updates the 🚨 Dependency Review GitHub Actions workflow to use actions/dependency-review-action@v5 (from @v4) while keeping the existing license allow/deny configuration unchanged.

Reviewed by Cursor Bugbot for commit 8b331e9. Bugbot is set up for automated code reviews on this repo. Configure here.

Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 4 to 5.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](actions/dependency-review-action@v4...v5)

---
updated-dependencies:
- dependency-name: actions/dependency-review-action
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the labels Changed (Required label for PR that categorizes merge commit message as "Changed" for changelog), dependencies (Pull requests that update a dependency file) and github_actions (Pull requests that update Github_actions code) May 20, 2026
@github-actions

🤖 Cursor Dependency Analysis

Supply-Chain Malware Review

Reviewing how the action is used in this repo and inspecting the upstream v4→v5 changes for supply-chain risk.
Verdict: benign

Summary: This is a routine major-version bump of the official GitHub-maintained actions/dependency-review-action. No supply-chain compromise indicators were found.

Checklist review

| Category | Finding |
| --- | --- |
| Classic obfuscation | dist/index.js is an expected ncc bundle. No eval() / new Function(). exec/spawn/btoa come from @actions/* and Octokit auth — normal for Actions. |
| Unexpected network hosts | URLs are expected: api.github.com, api.securityscorecards.dev, api.deps.dev, GitHub status/docs, Azure blob (artifacts). |
| Persistence / exfiltration | No writes to startup paths, no credential harvesting patterns beyond normal GitHub API usage with GITHUB_TOKEN. |
| npm lifecycle scripts | package.json has no preinstall/postinstall/install scripts. |
| Invisible Unicode / GlassWorm | Scanner’s 3 unicode hits are the visible ⚠️ emoji in README.md, src/summary.ts, and bundled dist/index.js — not zero-width, bidi, PUA, or homoglyph attacks. |
| Decoder heuristics (381 hits) | False positives from minified bundled libs (charCodeAt, base64, UTF-8). Scanner flagged them; manual review agrees they are not payload assembly. |
| Dependency integrity | Upstream v5.0.0 tag matches release notes. Changes are Node 20→24 runtime, minor dep bumps, and security overrides (undici, minimatch). No ghost version or typosquat. |
| Dependabot context | Local change is a version pin @v4 → @v5 in .github/workflows/dependency-review.yml only. Upstream changed files (dist/*, package-lock.json, package.json, README.md) match a normal action release. |

Malware scanner: Status warn is driven by emoji unicode + bundled-JS heuristics, not IOCs, confusables, or suspicious scripts. Scanner interpretation and manual review align: not malicious.

Operational note (non-security): v5 requires Actions Runner ≥ v2.327.1 (Node 24). ubuntu-latest on GitHub-hosted runners satisfies this; self-hosted runners on old versions may fail.

Recommendation: Approve and merge after CI passes. No additional malware-mitigation steps required for this update.

Compatibility Analysis

Analyzing how actions/dependency-review-action is used in this repo and assessing v5 compatibility.

Compatibility Analysis

1) Usage in this repo

Single usage site: .github/workflows/dependency-review.yml.

      - name: "Dependency Review"
        uses: actions/dependency-review-action@v5
        with:
          allow-dependencies-licenses: pkg:npm/node-forge
          deny-licenses: AGPL-1.0-only, AGPL-1.0-or-later, AGPL-1.0-or-later, AGPL-3.0-or-later, GPL-1.0-only, GPL-1.0-or-later, GPL-2.0-only, GPL-2.0-or-later, GPL-3.0-only, GPL-3.0-or-later

The PR changes one line: @v4 → @v5. No other references to this action exist (the similarly named dependency-cursor-review.yml is unrelated).

The workflow runs on ubuntu-latest, only on pull_request, and only when github.repository_owner == 'Chia-Network'. It scans dependency manifests in PRs (notably package.json / package-lock.json for this Docusaurus site).


2) Intersection with v5 changes

| v5 change | Touches your config? |
| --- | --- |
| Node 20 → 24 runtime | Indirectly — affects how the action runs, not your inputs |
| allow-dependencies-licenses purl matching fixes | Yes — may improve matching for pkg:npm/node-forge |
| deny-licenses still supported (deprecated) | Yes — you use it; v5 still accepts it and shows a deprecation warning |
| show-patched-versions (new optional input) | No — not configured |
| Security / dependency updates | No config impact |

Upstream action.yml in v5 keeps the same input surface; deny-licenses and allow-dependencies-licenses are unchanged at the API level. There is no library or runtime coupling in application code — this is CI-only.


3) Risks / unknowns

  • Runner version (main v5 requirement): v5 needs Actions Runner ≥ v2.327.1 for Node 24. You use GitHub-hosted ubuntu-latest, which satisfies this. Self-hosted runners (k8s-public, etc.) are not used by this workflow, so they are not a blocker.
  • deny-licenses deprecation: Pre-existing config; v5 still honors it but logs a deprecation warning. Removal is flagged for a future major (likely v6), not this bump.
  • Behavior on real PRs: License policy and vulnerability gating should behave the same; purl allowlist matching may be slightly more reliable. Confirm on the next npm dependency PR if you want extra confidence.
  • No app/build impact: The docs site’s Node 18+ engine requirement and Docusaurus build are unaffected.

4) Recommendation: merge

This is a low-risk, single-workflow version bump with no input or permissions changes. v5’s breaking change (Node 24) is satisfied by ubuntu-latest. The configured inputs remain valid.

Optional follow-up (not blocking): Plan migration from deny-licenses to allow-licenses before v6, and remove the duplicate AGPL-1.0-or-later entry in the deny list.


Malware Scan Summary

  • Status: warn
  • Warn only mode: true
  • Changed upstream files scanned: 6
  • Resolution strategy: commit_list
  • Changed node/vendor paths: 0
  • Changed lockfiles: 1
  • Resolved refs: from=n/a to=n/a
  • Unicode findings (post-allowlist): 3
  • Confusable findings (post-allowlist): 0
  • IOC findings (post-allowlist): 0
  • Heuristic findings (post-allowlist): 381

Top findings

  • README.md:120 unicode :: | deny-licenses\* | ⚠️ This option is deprecated for possible removal in the next major release. See [Deprecate the deny-licenses option #938](https://github.com/actions/dependency-review-action/issues/938) for more information. <br> Contains a list of prohibited licenses. The action will fail on pull requests that introduce dependencies with licenses that match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) ...[truncated]
  • dist/index.js.map:1 unicode :: {"version":3,"file":"index.js","mappings":";;;;;;;AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;...[truncated]
  • dist/index.js:1696 unicode :: warning: '⚠️'
  • dist/index.js.map:1 codepoint_decoder :: {"version":3,"file":"index.js","mappings":";;;;;;;AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;...[truncated]
  • dist/index.js:15088 codepoint_decoder :: return "%" + c.charCodeAt(0).toString(16).toUpperCase();
  • dist/index.js:22852 codepoint_decoder :: decTable[encTable[i].charCodeAt(0)] = i;
  • dist/index.js:22854 codepoint_decoder :: decTable["-".charCodeAt(0)] = encTable.indexOf("+");
  • dist/index.js:22855 codepoint_decoder :: decTable["_".charCodeAt(0)] = encTable.indexOf("/");
  • dist/index.js:22882 codepoint_decoder :: b = decTable[base64Str.charCodeAt(i)];
  • dist/index.js:39398 codepoint_decoder :: for(var i = 0, L = bstr.length; i < L;) C = (C>>>8) ^ T0[(C^bstr.charCodeAt(i++))&0xFF];
  • dist/index.js:39420 codepoint_decoder :: c = str.charCodeAt(i++);
  • dist/index.js:39427 codepoint_decoder :: c = (c&1023)+64; d = str.charCodeAt(i++)&1023;
  • dist/index.js:39926 codepoint_decoder :: hash = ((hash << 5) - hash) + namespace.charCodeAt(i);
  • dist/index.js:44650 codepoint_decoder :: function e(e){this.message=e}e.prototype=new Error,e.prototype.name="InvalidCharacterError";var r="undefined"!=typeof window&&window.atob&&window.atob.bind(window)||function(r){var t=String(r).replace(/=+$/,"");if(t.length%4==1)throw new e("'atob' failed: The string to be decoded is not correctly encoded.");for(var n,o,a=0,i=0,c="";o=t.charAt(i++);~o&&(n=a%4?64*n+o:o,a++%4)?c+=String.fromCharCode(255&n>>(-2*a&6)):0)o="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=".indexOf(o);...[truncated]
  • dist/index.js:47391 codepoint_decoder :: var c = r.charCodeAt(r.length - 1);
  • dist/index.js:65292 codepoint_decoder :: var c = r.charCodeAt(r.length - 1);
  • dist/index.js:65935 codepoint_decoder :: const ZERO_OFFSET = '0'.charCodeAt(0)
  • dist/index.js:66741 codepoint_decoder :: result += String.fromCodePoint(this.codePoint)
  • dist/index.js:71059 codepoint_decoder :: const code = this.code = key.charCodeAt(index)
  • dist/index.js:71083 codepoint_decoder :: const code = key.charCodeAt(index)
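Both the 4.9.0 release notes quoted in the PR description (purl parsing fixes for case (in)sensitivity and url-encoded namespaces) and the compatibility table above (allow-dependencies-licenses matching for pkg:npm/node-forge) turn on one question: when does an allow-list purl match a dependency's purl? The following is an added example, not code from actions/dependency-review-action or from this repository. The normalisation rules it applies are an assumption taken from the purl specification (type always lower-cased; namespace and name lower-cased only for the ecosystems listed in CASE_INSENSITIVE_TYPES; pypi folds `_` to `-`); the dependency purls it tests against are constructed, while the single allow-list entry is the one from the workflow quoted above.

```javascript
// Simplified purl (package URL) parser and allow-list matcher, written as an
// added example for this page. It is NOT the parser used inside
// actions/dependency-review-action. Normalisation rules are an assumption
// taken from the purl specification: the type is always lower-cased;
// namespace and name are lower-cased only for ecosystems whose registries
// treat them case-insensitively; pypi additionally folds '_' to '-'.

const CASE_INSENSITIVE_TYPES = new Set(['npm', 'pypi', 'github', 'bitbucket']);

function parsePurl(input) {
  if (typeof input !== 'string') throw new TypeError('purl must be a string');
  let rest = input.trim();
  if (!/^pkg:/i.test(rest)) throw new Error(`not a purl: ${input}`);
  rest = rest.slice(4).replace(/^\/+/, ''); // the spec tolerates "pkg://type/..."

  let subpath = null;
  const hashIdx = rest.indexOf('#');
  if (hashIdx !== -1) {
    subpath = rest.slice(hashIdx + 1);
    rest = rest.slice(0, hashIdx);
  }

  const qualifiers = {};
  const qIdx = rest.indexOf('?');
  if (qIdx !== -1) {
    for (const pair of rest.slice(qIdx + 1).split('&')) {
      if (!pair) continue;
      const eq = pair.indexOf('=');
      const key = eq === -1 ? pair : pair.slice(0, eq);
      const value = eq === -1 ? '' : pair.slice(eq + 1);
      qualifiers[decodeURIComponent(key).toLowerCase()] = decodeURIComponent(value);
    }
    rest = rest.slice(0, qIdx);
  }

  // A version separator is an '@' after the last '/'; an '@' before it is a
  // scoped namespace such as npm's "@types" and must be left alone.
  let version = null;
  const atIdx = rest.lastIndexOf('@');
  if (atIdx > rest.lastIndexOf('/')) {
    version = decodeURIComponent(rest.slice(atIdx + 1));
    rest = rest.slice(0, atIdx);
  }

  // Percent-decode every path segment, so "%40types" and "@types" compare equal.
  const segments = rest.split('/').filter(Boolean).map(decodeURIComponent);
  if (segments.length < 2) throw new Error(`purl needs a type and a name: ${input}`);

  const type = segments[0].toLowerCase();
  let name = segments[segments.length - 1];
  let namespace = segments.length > 2 ? segments.slice(1, -1).join('/') : null;
  if (CASE_INSENSITIVE_TYPES.has(type)) {
    name = name.toLowerCase();
    if (namespace !== null) namespace = namespace.toLowerCase();
  }
  if (type === 'pypi') name = name.replace(/_/g, '-');

  return { type, namespace, name, version, qualifiers, subpath };
}

// Comparison key: type/namespace/name after normalisation (version is handled separately).
function purlKey(p) {
  return p.namespace === null ? `${p.type}/${p.name}` : `${p.type}/${p.namespace}/${p.name}`;
}

// An allow-list entry without a version covers every version of that package;
// an entry with a version covers only that exact version.
function isAllowed(dependencyPurl, allowList) {
  const dep = parsePurl(dependencyPurl);
  return allowList.some((entry) => {
    const allowed = parsePurl(entry);
    if (purlKey(allowed) !== purlKey(dep)) return false;
    return allowed.version === null || allowed.version === dep.version;
  });
}

// Allow list from the workflow quoted on this page; the dependency purls are constructed.
const ALLOW_LIST = ['pkg:npm/node-forge'];

function demo() {
  return {
    exact: isAllowed('pkg:npm/node-forge@1.3.1', ALLOW_LIST),                             // true
    caseFolded: isAllowed('PKG:NPM/Node-Forge@1.3.1', ALLOW_LIST),                        // true: type and npm name fold
    encodedScope: isAllowed('pkg:npm/%40types/node@20.0.0', ['pkg:npm/@types/node']),     // true: %40 decodes to @
    prefixOnly: isAllowed('pkg:npm/node-forge-extra@1.0.0', ALLOW_LIST),                  // false: whole name must match
    wrongVersion: isAllowed('pkg:npm/node-forge@1.3.1', ['pkg:npm/node-forge@1.3.0']),   // false: pinned version differs
  };
}
```

The prefixOnly case is the one worth remembering when writing allow lists: a purl allow entry is an exact package identity, not a prefix, so `pkg:npm/node-forge` does not silently cover a lookalike such as `node-forge-extra`. The version check is the conservative reading; an unpinned entry covering all versions is convenient but means a future vulnerable release of the same package is still exempt from the license check.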
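The checklist row "Invisible Unicode / GlassWorm" and the Malware Scan Summary above hinge on telling a visible emoji (the ⚠️ in README.md, src/summary.ts and dist/index.js) apart from the invisible and direction-changing code points that Trojan Source and GlassWorm-style payload hiding rely on. The following is an added example of that triage, not the scanner whose output is quoted above and not code from the action. The code point ranges are from the Unicode standard; the category names, the severities, the rule that a BMP variation selector is benign only when attached to a visible base, and all of the sample inputs are this example's own assumptions and constructions.

```javascript
// Unicode triage for source and bundle files, as a supply-chain scanner would
// do it. Added example for this page; this is not the scanner whose output is
// quoted above. Code point ranges come from the Unicode standard; the category
// names, severities and the "attached to a visible base" rule for variation
// selectors are this example's own heuristics.

const BIDI_CONTROLS = [[0x202a, 0x202e], [0x2066, 0x2069], [0x200e, 0x200f], [0x061c, 0x061c]];
const ZERO_WIDTH = [[0x200b, 0x200d], [0x2060, 0x2064], [0xfeff, 0xfeff], [0x00ad, 0x00ad], [0x034f, 0x034f]];
const PRIVATE_USE = [[0xe000, 0xf8ff], [0xf0000, 0xffffd], [0x100000, 0x10fffd]];
const TAG_CHARS = [[0xe0000, 0xe007f]];
const VARIATION_SELECTORS = [[0xfe00, 0xfe0f], [0xe0100, 0xe01ef]];
const CONFUSABLE_SCRIPTS = [[0x0370, 0x03ff], [0x0400, 0x04ff]]; // Greek, Cyrillic
const INVISIBLE = [...BIDI_CONTROLS, ...ZERO_WIDTH, ...PRIVATE_USE, ...TAG_CHARS, ...VARIATION_SELECTORS];

const inRanges = (cp, ranges) => ranges.some(([lo, hi]) => cp >= lo && cp <= hi);
const isAsciiWord = (cp) => cp !== null && cp < 0x80 && /[A-Za-z0-9_]/.test(String.fromCodePoint(cp));
const isVisibleNonAscii = (cp) => cp !== null && cp > 0x7f && !inRanges(cp, INVISIBLE);

// Returns [category, severity] for one non-ASCII code point given its neighbours.
function classify(cp, prev, next) {
  if (inRanges(cp, BIDI_CONTROLS)) return ['bidi_control', 'high'];   // Trojan Source reordering
  if (inRanges(cp, ZERO_WIDTH)) return ['zero_width', 'high'];        // invisible identifier splits
  if (inRanges(cp, PRIVATE_USE)) return ['private_use', 'high'];      // renders as nothing or tofu
  if (inRanges(cp, TAG_CHARS)) return ['tag_character', 'high'];      // invisible payload carriers
  if (inRanges(cp, VARIATION_SELECTORS)) {
    // U+FE0F right after a visible symbol is emoji presentation: U+26A0 U+FE0F is
    // the warning-sign emoji the bot found in README.md and dist/index.js.
    // A selector with no visible base, or a run of them, is a hiding place.
    if (cp <= 0xfe0f && isVisibleNonAscii(prev)) return ['emoji_presentation', 'info'];
    return ['hidden_variation_selector', 'high'];
  }
  if (inRanges(cp, CONFUSABLE_SCRIPTS)) {
    // A Greek or Cyrillic letter glued to ASCII word characters is a homoglyph
    // identifier; the same letters inside a run of their own script are just text.
    if (isAsciiWord(prev) || isAsciiWord(next)) return ['confusable_in_identifier', 'high'];
    return ['non_latin_text', 'info'];
  }
  return ['visible_symbol', 'info'];
}

// Walks the text by code point (not UTF-16 unit) and reports every non-ASCII one.
function scanSource(text) {
  const cps = Array.from(text, (ch) => ch.codePointAt(0));
  const findings = [];
  let line = 1;
  let col = 1;
  for (let i = 0; i < cps.length; i++) {
    const cp = cps[i];
    if (cp === 0x0a) { line += 1; col = 1; continue; }
    if (cp > 0x7f) {
      const prev = i > 0 ? cps[i - 1] : null;
      const next = i + 1 < cps.length ? cps[i + 1] : null;
      const [category, severity] = classify(cp, prev, next);
      const hex = cp.toString(16).toUpperCase().padStart(4, '0');
      findings.push({ line, col, codePoint: `U+${hex}`, category, severity });
    }
    col += 1;
  }
  return findings;
}

// 'block' if anything invisible or confusable was found, otherwise 'clean'.
function verdict(findings) {
  return findings.some((f) => f.severity === 'high') ? 'block' : 'clean';
}

// Constructed inputs (not taken from the action's source). Escapes keep the
// exact code points explicit.
const SAMPLES = {
  emojiWarning: "core.warning('\u26A0\uFE0F deny-licenses is deprecated');",      // benign, like the bot's 3 hits
  cyrillicComment: '// \u041F\u0440\u0438\u0432\u0435\u0442, \u043C\u0438\u0440',   // benign non-Latin text
  trojanSource: '/* \u202E } \u2066if (isAdmin)\u2069 \u2066 begin admins only */', // bidi reordering
  zeroWidthIdent: 'const pass\u200Bword = getSecret();',                          // split identifier
  cyrillicHomoglyph: 'const p\u0430yload = 1;',                                   // Cyrillic 'а' inside ASCII word
  hiddenSelectors: 'x\u{E0100}\u{E0101}\u{E0102}',                                // selectors with no emoji base
};

function demoVerdicts() {
  const out = {};
  for (const [name, text] of Object.entries(SAMPLES)) out[name] = verdict(scanSource(text));
  return out;
}
```

The emojiWarning sample is the case from this PR: a scanner that flags every non-ASCII code point, or every variation selector, will report the ⚠️ and put the run into "warn" exactly as the summary above shows, while a scanner that looks at the neighbouring code point sees U+FE0F attached to U+26A0 and passes it. The hiddenSelectors sample is the opposite failure: the same U+E0100 family is invisible when it has nothing to modify, which is why the example treats unattached selectors as high severity rather than allow-listing the whole block.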

@dependabot @github
Contributor Author

dependabot Bot commented on behalf of github May 20, 2026

Looks like actions/dependency-review-action is up-to-date now, so this is no longer needed.

@dependabot dependabot Bot closed this May 20, 2026
@dependabot dependabot Bot deleted the dependabot/github_actions/actions/dependency-review-action-5 branch May 20, 2026 21:17