Update actions/dependency-review-action action to v4.5.0

[renovate]

This PR contains the following updates:

Package	Type	Update	Change	OpenSSF
actions/dependency-review-action	action	minor	v4 -> v4.5.0

---

Release Notes

actions/dependency-review-action (actions/dependency-review-action)

v4.5.0

Compare Source

What's Changed

• Bump got from 14.4.2 to 14.4.3 by @​dependabot in https://github.com/actions/dependency-review-action/pull/844
• Bump nodemon from 3.1.0 to 3.1.7 by @​dependabot in https://github.com/actions/dependency-review-action/pull/847
• Bump @​vercel/ncc from 0.38.1 to 0.38.3 by @​dependabot in https://github.com/actions/dependency-review-action/pull/849
• Overriding the cross-spawn dependency to use a safe version by @​Ahmed3lmallah in https://github.com/actions/dependency-review-action/pull/850
• fix: add summary comment on failure when warn-only: true by @​ebickle in https://github.com/actions/dependency-review-action/pull/827
• Prepare for 4.5.0 release by @​Ahmed3lmallah in https://github.com/actions/dependency-review-action/pull/851

New Contributors

• @​ebickle made their first contribution in https://github.com/actions/dependency-review-action/pull/827

Full Changelog: actions/dependency-review-action@v4...v4.5.0

v4.4.0

Compare Source

What's Changed

• Fix for merge_group event bug by @​Ahmed3lmallah in https://github.com/actions/dependency-review-action/pull/846

Full Changelog: actions/dependency-review-action@v4.3.5...v4.4.0

v4.3.5

Compare Source

What's Changed

• fix: getRefs function to handle merge_group events by @​louis-bompart in https://github.com/actions/dependency-review-action/pull/766
• Create pull_request_template.md by @​jonjanego in https://github.com/actions/dependency-review-action/pull/794
• Update CONTRIBUTING.md by @​jonjanego in https://github.com/actions/dependency-review-action/pull/793
• Bump @​types/node from 20.11.28 to 20.16.0 by @​dependabot in https://github.com/actions/dependency-review-action/pull/815
• Upgrade transitive micromatch library by @​elireisman in https://github.com/actions/dependency-review-action/pull/829
• Do not list changed dependencies in summary by @​hmaurer in https://github.com/actions/dependency-review-action/pull/828
• Update stale.yaml by @​jonjanego in https://github.com/actions/dependency-review-action/pull/832
• Bump got from 14.4.1 to 14.4.2 by @​dependabot in https://github.com/actions/dependency-review-action/pull/822
• Bump eslint-plugin-jest and ts-jest by @​Ahmed3lmallah in https://github.com/actions/dependency-review-action/pull/840

New Contributors

• @​louis-bompart made their first contribution in https://github.com/actions/dependency-review-action/pull/766
• @​Ahmed3lmallah made their first contribution in https://github.com/actions/dependency-review-action/pull/840

Full Changelog: actions/dependency-review-action@v4.3.4...v4.3.5

v4.3.4

Compare Source

What's Changed

• Include all added dependencies in scorecard entries by @​elireisman in https://github.com/actions/dependency-review-action/pull/783
• Update SPDX Expression Parsing by @​febuiles in https://github.com/actions/dependency-review-action/pull/719
  • This PR is a significant refactor of SPDX expression parsing that may fix some bugs, but unfortunately there are several related known issues that remain unresolved as of this version.

Full Changelog: actions/dependency-review-action@v4.3.3...v4.3.4

v4.3.3: Notes for v4.3.3

Compare Source

What's Changed

• Allow slashes in purl package names by @​juxtin in https://github.com/actions/dependency-review-action/pull/765
• use the v3 version of the deps.dev API by @​josieang in https://github.com/actions/dependency-review-action/pull/741
• PR with suggestions - [Improvement]: Help streamline / simplify dependency review action README by @​am-stead in https://github.com/actions/dependency-review-action/pull/773
• fix show-openssf-scorecard-levels input by @​ramann in https://github.com/actions/dependency-review-action/pull/776
• Updates to the contribution guidelines by @​jonjanego in https://github.com/actions/dependency-review-action/pull/778
• Create issue templates by @​jonjanego in https://github.com/actions/dependency-review-action/pull/777
• Fix the max comment length issue by @​jhutchings1 and @​elireisman in https://github.com/actions/dependency-review-action/pull/767
• Bump project version to 4.3.3 in prep for a release by @​elireisman in https://github.com/actions/dependency-review-action/pull/781

New Contributors

• @​josieang made their first contribution in https://github.com/actions/dependency-review-action/pull/741
• @​am-stead made their first contribution in https://github.com/actions/dependency-review-action/pull/773
• @​ramann made their first contribution in https://github.com/actions/dependency-review-action/pull/776

Full Changelog: actions/dependency-review-action@v4.3.2...v4.3.3

v4.3.2

Compare Source

What's Changed

• Fix package-url parsing for allow-dependencies-licenses by @​juxtin in https://github.com/actions/dependency-review-action/pull/761

Full Changelog: actions/dependency-review-action@v4.3.1...v4.3.2

v4.3.1

Compare Source

What's Changed

This release fixes some bugs related to package-url parsing that were introduced in 4.3.0. See https://github.com/actions/dependency-review-action/pull/753.

Full Changelog: actions/dependency-review-action@V4.3.0...v4.3.1

v4.3.0

Compare Source

New Features

• The deny-packages option can now be used without a version number to exclude all versions of a package.

What's Changed

• Fix action variable name for scorecard by @​lukehinds in https://github.com/actions/dependency-review-action/pull/735
• Fix extra https:// in summary by @​jhutchings1 in https://github.com/actions/dependency-review-action/pull/748
• Bump typescript from 5.3.3 to 5.4.5 by @​dependabot in https://github.com/actions/dependency-review-action/pull/744
• Bump eslint-plugin-github from 4.10.1 to 4.10.2 by @​dependabot in https://github.com/actions/dependency-review-action/pull/737
• Show denied packages with red X by @​juxtin in https://github.com/actions/dependency-review-action/pull/750
• deny-packages configuration option can deny specified version or all packages by @​febuiles and @​bteng22 in https://github.com/actions/dependency-review-action/pull/733

New Contributors

• @​bteng22 made their first contribution in https://github.com/actions/dependency-review-action/pull/733
• @​lukehinds made their first contribution in https://github.com/actions/dependency-review-action/pull/735

Full Changelog: actions/dependency-review-action@v4.2.5...V4.3.0

v4.2.5: 4.2.5

Compare Source

What's Changed

• Fixed a bug where some configuration options in external files were not being properly picked up -- https://github.com/actions/dependency-review-action/pull/722
• Bump eslint from 8.56.0 to 8.57.0

Full Changelog: actions/dependency-review-action@v4.2.4...v4.2.5

v4.2.4

Compare Source

What's Changed

Fixed a bug in the output of OpenSSF cards for GitHub Actions.

New Contributors

• @​sporkmonger made their first contribution in https://github.com/actions/dependency-review-action/pull/721

Full Changelog: actions/dependency-review-action@v4.2.3...v4.2.4

v4.2.3: 4.2.3

Compare Source

What's Changed

• Set comment as output by @​jsoref in https://github.com/actions/dependency-review-action/pull/698
• Add support for calculating OpenSSF Scorecards by @​jhutchings1 in https://github.com/actions/dependency-review-action/pull/709
• Add outputs for the changes data by @​laughedelic in https://github.com/actions/dependency-review-action/pull/707

New Contributors

• @​jhutchings1 made their first contribution in https://github.com/actions/dependency-review-action/pull/709
• @​laughedelic made their first contribution in https://github.com/actions/dependency-review-action/pull/707

Full Changelog: actions/dependency-review-action@v4.1.3...v4.2.3

v4.1.3: 4.1.3

Compare Source

Fixes a bug in 4.1.2 that would introduce comments in every pull request, regardless of the user's configuration (see https://github.com/actions/dependency-review-action/issues/697).

Full Changelog: actions/dependency-review-action@v4.1.2...v4.1.3

v4.1.2: 4.1.2

Compare Source

What's Changed

• Expose dependency comment content by @​jsoref in https://github.com/actions/dependency-review-action/pull/696

Full Changelog: actions/dependency-review-action@v4.1.1...v4.1.2

v4.1.1: 4.1.1

Compare Source

What's Changed

• Bump undici to fix GHSA-wqq4-5wpv-mx2g
• Bump @​types/node from 20.11.17 to 20.11.19 by @​dependabot in https://github.com/actions/dependency-review-action/pull/693

Full Changelog: actions/dependency-review-action@v4.1.0...v4.1.1

v4.1.0: 4.1.0

Compare Source

What's Changed

• Add warn-only by @​tgrall in https://github.com/actions/dependency-review-action/pull/432

Added a new configuration option (warn-only, boolean) that makes the action always succeed while still displaying found vulnerabilities in the log.

• Create stale.yaml by @​jonjanego in https://github.com/actions/dependency-review-action/pull/671
• Use manual codeql config by @​juxtin in https://github.com/actions/dependency-review-action/pull/678
• Multiple dependency updates (see the changelog below for more information)

New Contributors

• @​jonjanego made their first contribution in https://github.com/actions/dependency-review-action/pull/671
• @​tgrall made their first contribution in https://github.com/actions/dependency-review-action/pull/432

Full Changelog: actions/dependency-review-action@v4...v4.1.0

---

Configuration

📅 Schedule: Branch creation - "* 0-3 * * 1" in timezone Europe/Berlin, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (v4.5.0). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.