chore(deps): bump actions/dependency-review-action from 4.9.0 to 5.0.0

[dependabot]

Bumps actions/dependency-review-action from 4.9.0 to 5.0.0.

Release notes

Sourced from actions/dependency-review-action's releases.

5.0.0

This is a new major version of the Dependency Review Action which updates the runtime to node24. This requires a minimum Actions Runner version v2.327.1 to run.

What's Changed

• Add .github/copilot-instructions.md for Copilot coding agent by @​ahpook in actions/dependency-review-action#1067
• Update Node.js runtime from 20 to 24 by @​scottschreckengaust in actions/dependency-review-action#1084
• Bump spdx-license-ids from 3.0.20 to 3.0.23 by @​mongolyy in actions/dependency-review-action#1091
• docs: bump actions/checkout from v4 to v6 in workflow examples by @​Marukome0743 in actions/dependency-review-action#1077
• fix: patched version display for advisories with non-strict semver ranges (e.g. Maven beta versions) by @​tspascoal in actions/dependency-review-action#1076
• Resolve security findings by @​AshelyTC in actions/dependency-review-action#1094
• v5.0.0 release branch by @​ahpook in actions/dependency-review-action#1098

New Contributors

• @​scottschreckengaust made their first contribution in actions/dependency-review-action#1084
• @​mongolyy made their first contribution in actions/dependency-review-action#1091
• @​Marukome0743 made their first contribution in actions/dependency-review-action#1077

Full Changelog: actions/dependency-review-action@v4.9.0...v5.0.0

Commits

• a1d282b Merge pull request #1098 from actions/ahpook/v5-release
• eb6c199 update examples to show @​v5
• 3943c2c v5.0.0 release branch
• 454943c Merge pull request #1094 from actions/ashelytc/security-findings
• 6d92a12 revert @​typescript-eslint/parser update
• a8e5a7e Merge pull request #1076 from tspascoal/fix-version-matching-for-non-string-s...
• b6b7079 update @​typescript-eslint/parser to 8.40.0
• 821a21d update more dependencies
• 05aaaae run npm audit fix
• 55d3e75 Merge pull request #1077 from Marukome0743/docs/checkout
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Summary by CodeRabbit

• Chores
  • Updated dependency review workflow configuration.

---

Note: This release contains only internal maintenance updates with no changes to user-facing functionality.

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR updates the pinned commit SHA for the actions/dependency-review-action GitHub Action in the workflow file. The action version tag remains v4, and all surrounding configuration including vulnerability and license gating settings are unchanged. This is a dependency maintenance update to use a newer revision of the GitHub Action.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: upgrading a GitHub Action from version 4.9.0 to 5.0.0, which aligns with the changeset that updates the pinned commit for actions/dependency-review-action.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch dependabot/github_actions/actions/dependency-review-action-5.0.0

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/dependency-review.yml:
- Line 24: Update the inline comment on the GitHub Actions step that pins the
dependency-review-action to the commit SHA
a1d282b36b6f3519aa1f3fc636f609c47dddb294 so the comment matches the actual
resolved release; change the trailing comment from "# v4" to "# v5.0.0" in the
line containing "uses:
actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294".

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 778fdfd1-78a6-4168-aadc-305ee9e32aba

📥 Commits

Reviewing files that changed from the base of the PR and between 1f92d45 and c3e26fe.

📒 Files selected for processing (1)

• .github/workflows/dependency-review.yml

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

PINNED_SHA="a1d282b36b6f3519aa1f3fc636f609c47dddb294"
REPO="actions/dependency-review-action"

echo "Pinned SHA: $PINNED_SHA"
echo

echo "Resolve tag commit SHAs (commit objects) for v4 and v5:"
gh api "/repos/${REPO}/tags?per_page=100" \
  --jq '.[] | select(.name=="v4" or .name=="v5" or .name=="v5.0.0" or .name=="v4.9.0") | {name: .name, commit: .commit.sha}'

echo
echo "Check if pinned SHA matches one of those commits:"
gh api "/repos/${REPO}/tags?per_page=100" \
  --jq --arg pin "$PINNED_SHA" '.[] | select(.commit.sha==$pin) | {matched_tag: .name, commit: .commit.sha}'

Repository: Sentriscloud/sentrix-grpc-wasm

Length of output: 422

---

Update the inline annotation to reflect the actual pinned version.

The pinned SHA a1d282b36b6f3519aa1f3fc636f609c47dddb294 correctly resolves to v5.0.0 (not v4), but the inline comment still reads # v4. This should be updated to # v5.0.0 to align with the actual commit.

Suggested fix

      - uses: actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 # v5.0.0

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/dependency-review.yml at line 24, Update the inline
comment on the GitHub Actions step that pins the dependency-review-action to the
commit SHA a1d282b36b6f3519aa1f3fc636f609c47dddb294 so the comment matches the
actual resolved release; change the trailing comment from "# v4" to "# v5.0.0"
in the line containing "uses:
actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294".