Bump actions/dependency-review-action from 4 to 4.9.0#357

Merged
hoffmang9 merged 1 commit into
mainfrom
dependabot/github_actions/actions/dependency-review-action-4.9.0
May 13, 2026
Conversation

@dependabot dependabot Bot commented on behalf of github May 12, 2026

Bumps actions/dependency-review-action from 4 to 4.9.0.

Release notes

Sourced from actions/dependency-review-action's releases.

Dependency Review Action 4.9.0

This feature release contains a couple of notable changes:

  • There is a new configuration option show_patched_versions which will add a column to the output, showing the fix version of each vulnerable dependency. Thanks @felickz!
  • Runs which do not display OpenSSF scorecards no longer fetch scorecard information; previously it was fetched regardless of whether or not it was displayed, causing unnecessary slowness. Great catch @jantiebot!
  • There are a couple of fixes to purl parsing which should improve match accuracy for allow-package-dependency lists, including case (in)sensitivity and url-encoded namespaces. Thanks @juxtin!

What's Changed

New Contributors

Full Changelog: actions/dependency-review-action@v4.8.3...v4.9.0

4.8.3

Dependency Review Action v4.8.3

This is a bugfix release that updates a number of upstream dependencies and includes a fix for the earlier feature that detected oversized summaries and upload them as artifacts, which could occasionally crash the action.

We have also updated the release process to use a long-lived v4 branch for the action, instead of a force-pushed tag, which aligns better with git branching strategies; the change should be transparent to end users.

What's Changed

Full Changelog: https://github.com/actions/dependency-review-action/compare/v4.8.2..v4.8.3

v4.8.2

Minor fixes:

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note

Low Risk
Low risk: only changes a CI workflow action version, with no impact on application/runtime code. Potential risk is limited to slightly different dependency review behavior in PR checks.

Overview
Updates the Dependency Review GitHub Actions workflow to use actions/dependency-review-action@v4.9.0 instead of the generic v4 tag, effectively pinning the dependency-review step to a specific release.

Reviewed by Cursor Bugbot for commit 7d178c1. Bugbot is set up for automated code reviews on this repo. Configure here.

Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 4 to 4.9.0.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](actions/dependency-review-action@v4...v4.9.0)

---
updated-dependencies:
- dependency-name: actions/dependency-review-action
  dependency-version: 4.9.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the labels Changed (Required label for PR that categorizes merge commit message as "Changed" for changelog), dependencies (Pull requests that update a dependency file) and github_actions (Pull requests that update Github_actions code) May 12, 2026
@github-actions

🤖 Cursor Dependency Analysis

Supply-Chain Malware Review

Checking how the action is referenced in the repository workflows.

Verdict: benign

Why this is safe

  1. Canonical action: actions/dependency-review-action is the official GitHub action (repository). Your workflow only references that ID and pins v4.9.0, which is a normal way to move off a floating v4 ref.

  2. Scanner vs reality — The report’s version_jump_anomaly (4→4.9.0) and maintainer_drift are heuristic misfires: those rules assume npm-style semver and maintainer metadata. For Actions, 4 is a movable major ref; resolving to 4.9.0 is not an abnormal skip or publisher change—it's pinning an existing release line.

  3. No substantive red flags — Post-allowlist counts are 0 for unicode, confusable, and IOC findings. 0 changed lockfiles/vendor paths in the scan scope you were given.

  4. Checklist (supply chain): Classic obfuscation / exfil: not indicated by pinning a known action tag; no repo package.json install hooks involved in your change. Unicode/bidi tricks: scanner clean. Lockfile/transitive churn: none flagged for this update. Workflow edits: expected for “bump this action,” not an extra unexplained workflow.

  5. Local usage — The job is scoped (if: github.repository_owner == 'Chia-Network'), uses permissions: contents: read, and only adds the standard dependency-review step with license allow/deny—consistent with documented usage.

Actionable note: Treat the two heuristic warnings as noise unless you adopt separate Action-specific scanning rules; they disagree with standard interpretation here and should not block merge on their own.

Compatibility Analysis

Searching the repo for dependency-review-action usage and inspecting workflow inputs against upstream changes.

1) Where it’s used

Only one tracked workflow references the action:

      - name: "Dependency Review"
        uses: actions/dependency-review-action@v4.9.0
        with:
          allow-dependencies-licenses: pkg:pypi/pyinstaller
          deny-licenses: AGPL-1.0-only, AGPL-1.0-or-later, AGPL-1.0-or-later, AGPL-3.0-or-later, GPL-1.0-only, GPL-1.0-or-later, GPL-2.0-only, GPL-2.0-or-later, GPL-3.0-only, GPL-3.0-or-later

Runs on PRs, gated with if: github.repository_owner == 'Chia-Network'.

2) Overlap with 4 → 4.9.0 changes

Your usage / Notes:

  • allow-dependencies-licenses with pkg:pypi/pyinstaller: Release work on normalized / case-insensitive PURLs aligns with license-exemption parsing; expectation is stricter correctness, not intentional behavior removal. Release text’s “allow-package-dependency” wording points at analogous allow/deny-by-package flows; same PURL machinery likely applies.
  • deny-licenses (SPDX-style strings): Unrelated to PURL fixes; unchanged contract in upstream action.yml.
  • OpenSSF scorecard: Not enabled in your workflow; you only skip extra network work now.
  • show-patched-versions: New optional input in upstream action.yml; you don’t need it unless you want the extra column.

Upstream still documents the inputs you use (allow-dependencies-licenses, deny-licenses) in action.yml equivalently.

3) Risks / unknowns

  • Action runtime: This repo’s pinned upstream copy declares runs using: node24. Hosted ubuntu-latest on github.com normally supports Node 24 for JS actions; older self-hosted Actions runners or lagging GHES could theoretically be incompatible—worth a one-off check only if that applies.
  • allow-dependencies-licenses semantics: Improved PURL matching could narrow or broaden exemption matching in edge cases (encoding/casing); unlikely for plain pkg:pypi/pyinstaller but is the main subtle surface.
  • v4 → v4.9.0 pin: Aligns with upstream’s move toward a stable v4 ref model; pinning an explicit patch is reasonable and predictable.

No build/test surface is affected locally—workflow-only.

4) Recommendation

Merge. Single call site, only standard inputs already supported in v4, changes are incremental fixes/features with no indication your config depends on obsolete behavior.

Use merge-with-caveats only if runs happen on infra that might not support Node 24 JS actions; then confirm one green Dependency Review run on that environment after merge.


Malware Scan Summary

  • Status: warn
  • Warn only mode: true
  • Changed upstream files scanned: 0
  • Resolution strategy: to_version_single_commit
  • Changed node/vendor paths: 0
  • Changed lockfiles: 0
  • Resolved refs: from=n/a to=2031cfc080254a8a887f58cffee85186f0e49e48
  • Unicode findings (post-allowlist): 0
  • Confusable findings (post-allowlist): 0
  • IOC findings (post-allowlist): 0
  • Heuristic findings (post-allowlist): 2

Top findings

  • actions/dependency-review-action:0 version_jump_anomaly :: 4->4.9.0
  • actions/dependency-review-action:0 maintainer_drift :: 4->4.9.0

@hoffmang9
Member

Close and reopen for CI run

@hoffmang9 hoffmang9 closed this May 13, 2026

dependabot Bot commented on behalf of github May 13, 2026

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@hoffmang9 hoffmang9 reopened this May 13, 2026
@github-actions

🤖 Cursor Dependency Analysis

Supply-Chain Malware Review

Checking how the action is referenced in repository workflows (excluding Dependabot artifact files).

Verdict: benign

Evidence

  • Publisher / typosquatting: Ref points at GitHub’s own repo actions/dependency-review-action, not a look-alike name or fork masquerading as the action.

  • Repo change surface: Only .github/workflows/dependency-review.yml is touched in the usual Dependabot pattern—pinning uses: actions/dependency-review-action@v4.9.0 with existing with: blocks (license allow/deny); nothing suggests injected steps, secrets exfiltration, or hostile scripts.

      - name: "Dependency Review"
        uses: actions/dependency-review-action@v4.9.0
        with:
          allow-dependencies-licenses: pkg:pypi/pyinstaller
          deny-licenses: AGPL-1.0-only, AGPL-1.0-or-later, AGPL-1.0-or-later, AGPL-3.0-or-later, GPL-1.0-only, GPL-1.0-or-later, GPL-2.0-only, GPL-2.0-or-later, GPL-3.0-only, GPL-3.0-or-later
  • Scanner vs interpretation: The report’s Unicode / confusable / IOC counts are zero. The two heuristic hits (version_jump_anomaly, maintainer_drift for 4->4.9.0) conflict with normal semver/GitHub Actions semantics: Dependabot’s “from 4” is the v4 ref, not release 4.0.0, so “many minors skipped” is a labeling artifact; maintainer-drift patterns aimed at npm publishers don’t meaningfully apply to the actions/ org. Treat those as false positives, not compromise signals.

Practical note: Merge is reasonable after CI passes; optional hardening is pinning by commit SHA plus Dependabot SHA bumps if your policy requires immutable refs beyond @v4.9.0.

Compatibility Analysis

Searching the repo for dependency-review-action usage and reviewing workflow inputs for compatibility.

1) Where it’s used

Only in .github/workflows/dependency-review.yml, one step (uses: actions/dependency-review-action@…). The job named dependency-review in .github/workflows/dependency-cursor-review.yml is unrelated—it does not call this action.

      - name: "Dependency Review"
        uses: actions/dependency-review-action@v4.9.0
        with:
          allow-dependencies-licenses: pkg:pypi/pyinstaller
          deny-licenses: AGPL-1.0-only, AGPL-1.0-or-later, AGPL-1.0-or-later, AGPL-3.0-or-later, GPL-1.0-only, GPL-1.0-or-later, GPL-2.0-only, GPL-2.0-or-later, GPL-3.0-only, GPL-3.0-or-later

2) Overlap with likely changes (4 → 4.9.0)

  • show_patched_versions, scorecard fetching, and allow-package-dependency purl tweaks are documented as additive or internal optimizations; nothing in those notes implies removal/rename of allow-dependencies-licenses or deny-licenses.
  • The workflow’s pkg:pypi/pyinstaller entry is purl-shaped; normalized/case-insensitive purl matching might slightly change whether that allowlist hits as intended—in practice this is aligned with fixing false mismatches, not a stated breaking change.

No production app code paths involved.

3) Risks / unknowns

  • Low, CI-only: different dependency-review outcomes on edge-case manifests or allowlist matching (unlikely for this simple YAML).
  • Pinning @v4.9.0: sharper than @v4, so you intentionally trade auto-updates on the floating ref for a fixed snapshot—operations choice, not a compatibility failure.
  • deny-licenses list duplication in YAML is harmless pre-existing noise, not introduced by this bump.

4) Recommendation

Merge. Optional sanity check after merge: confirm the next 🚨 Dependency Review run still passes on a typical PR; only revisit if license allow/deny behaves unexpectedly around pkg:pypi/pyinstaller.


Malware Scan Summary

  • Status: warn
  • Warn only mode: true
  • Changed upstream files scanned: 0
  • Resolution strategy: to_version_single_commit
  • Changed node/vendor paths: 0
  • Changed lockfiles: 0
  • Resolved refs: from=n/a to=2031cfc080254a8a887f58cffee85186f0e49e48
  • Unicode findings (post-allowlist): 0
  • Confusable findings (post-allowlist): 0
  • IOC findings (post-allowlist): 0
  • Heuristic findings (post-allowlist): 2

Top findings

  • actions/dependency-review-action:0 version_jump_anomaly :: 4->4.9.0
  • actions/dependency-review-action:0 maintainer_drift :: 4->4.9.0
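Both bot reviews above turn on how a GitHub Actions `uses:` ref is pinned (a floating major ref such as v4, an exact tag such as v4.9.0, or a commit SHA) and on why the scanner's version_jump_anomaly for 4->4.9.0 is a misfire. The Python below is an added example, not part of this PR or of any tool mentioned in it: it classifies each `uses:` ref in a constructed workflow excerpt and applies a jump check that treats a floating ref as a movable pointer into its release line. The some-org action names and the 40-hex SHA in the sample are constructed, not real.

```python
import re

# Constructed sample: steps in the shape of the one quoted in the PR, plus a
# constructed (not real) 40-hex SHA and a branch ref to cover the other cases.
SAMPLE_WORKFLOW = """\
    steps:
      - uses: actions/checkout@v4
      - name: "Dependency Review"
        uses: actions/dependency-review-action@v4.9.0
      - uses: some-org/some-action@0123456789abcdef0123456789abcdef01234567
      - uses: some-org/other-action@main
"""

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*(?P<repo>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(?P<ref>\S+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
VERSION_RE = re.compile(r"^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?$")


def version_tuple(ref):
    """(4,) for v4, (4, 9, 0) for v4.9.0, None for SHAs and branch names."""
    m = VERSION_RE.match(ref)
    return tuple(int(p) for p in m.groups() if p is not None) if m else None


def classify_ref(ref):
    """Pin strength: sha > exact-tag > floating-minor > floating-major > branch."""
    if SHA_RE.match(ref):
        return "sha"
    v = version_tuple(ref)
    if v is None:
        return "branch"
    return {1: "floating-major", 2: "floating-minor", 3: "exact-tag"}[len(v)]


def is_anomalous_jump(old_ref, new_ref):
    """A version jump is only worth flagging when the old ref was a release tag
    that the new one leaves behind. A floating ref like v4 already resolved to
    some release in the 4.x line, so v4 -> v4.9.0 is a pin, not a skip."""
    old, new = version_tuple(old_ref), version_tuple(new_ref)
    if old is None or new is None:
        return False  # SHA or branch refs carry no semver to compare
    if len(old) < 3 and new[: len(old)] == old:
        return False  # floating ref narrowed to a release on its own line
    return old[0] != new[0]  # only a change of major counts as a real jump


def audit_workflow(text):
    """Return (repo, ref, kind) for every `uses:` step so floating refs stand out."""
    return [(m["repo"], m["ref"], classify_ref(m["ref"]))
            for m in map(USES_RE.match, text.splitlines()) if m]
```

Running audit_workflow over a repository's workflow files lists the floating refs that a SHA-pinning policy, like the optional hardening mentioned above, would still need to address.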

@hoffmang9 hoffmang9 merged commit e2ff1b8 into main May 13, 2026
125 of 130 checks passed
@hoffmang9 hoffmang9 deleted the dependabot/github_actions/actions/dependency-review-action-4.9.0 branch May 13, 2026 01:06