Commit 61456e2

chore(deps): bump the github group across 1 directory with 4 updates (#5080)
Bumps the github group with 4 updates in the / directory: [actions/dependency-review-action](https://github.com/actions/dependency-review-action), [actions/setup-node](https://github.com/actions/setup-node), [actions/create-github-app-token](https://github.com/actions/create-github-app-token) and [actions/cache](https://github.com/actions/cache). Updates `actions/dependency-review-action` from 4.8.2 to 4.9.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/actions/dependency-review-action/releases">actions/dependency-review-action's releases</a>.</em></p> <blockquote> <h2>Dependency Review Action 4.9.0</h2> <p>This feature release contains a couple of notable changes:</p> <ul> <li>There is a new configuration option <code>show_patched_versions</code> which will add a column to the output, showing the fix version of each vulnerable dependency. Thanks <a href="https://github.com/felickz"><code>@​felickz</code></a>!</li> <li>Runs which do not display OpenSSF scorecards no longer fetch scorecard information; previously it was fetched regardless of whether or not it was displayed, causing unneccessary slowness. 
Great catch <a href="https://github.com/jantiebot"><code>@​jantiebot</code></a>!</li> <li>There are a couple of fixes to purl parsing which should improve match accuracy for <code>allow-package-dependency</code> lists, including case (in)sensitivity and url-encoded namespaces Thanks <a href="https://github.com/juxtin"><code>@​juxtin</code></a>!</li> </ul> <h2>What's Changed</h2> <ul> <li>Compare normalized purls to account for encoding quirks by <a href="https://github.com/juxtin"><code>@​juxtin</code></a> in <a href="https://redirect.github.com/actions/dependency-review-action/pull/1056">actions/dependency-review-action#1056</a></li> <li>Make purl comparisons case insensitive by <a href="https://github.com/juxtin"><code>@​juxtin</code></a> in <a href="https://redirect.github.com/actions/dependency-review-action/pull/1057">actions/dependency-review-action#1057</a></li> <li>Feat: Add <code>Patched Version</code> to <code>Vulnerabilities</code> summary by <a href="https://github.com/felickz"><code>@​felickz</code></a> in <a href="https://redirect.github.com/actions/dependency-review-action/pull/1045">actions/dependency-review-action#1045</a></li> <li>fix: only get scorecard levels if user wants to see the OpenSSF scorecard by <a href="https://github.com/jantiebot"><code>@​jantiebot</code></a> in <a href="https://redirect.github.com/actions/dependency-review-action/pull/1060">actions/dependency-review-action#1060</a></li> <li>Bump actions/stale from 10.1.0 to 10.2.0 by <a href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot] in <a href="https://redirect.github.com/actions/dependency-review-action/pull/1058">actions/dependency-review-action#1058</a></li> <li>Bump actions/checkout from 4 to 6 by <a href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot] in <a href="https://redirect.github.com/actions/dependency-review-action/pull/1021">actions/dependency-review-action#1021</a></li> <li>Updates for release 4.9.0 by <a 
href="https://github.com/ahpook"><code>@​ahpook</code></a> in <a href="https://redirect.github.com/actions/dependency-review-action/pull/1064">actions/dependency-review-action#1064</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/jantiebot"><code>@​jantiebot</code></a> made their first contribution in <a href="https://redirect.github.com/actions/dependency-review-action/pull/1060">actions/dependency-review-action#1060</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/dependency-review-action/compare/v4.8.3...v4.9.0">https://github.com/actions/dependency-review-action/compare/v4.8.3...v4.9.0</a></p> <h2>4.8.3</h2> <h2>Dependency Review Action v4.8.3</h2> <p>This is a bugfix release that updates a number of upstream dependencies and includes a fix for the earlier feature that detected oversized summaries and upload them as artifacts, which could occasionally crash the action.</p> <p>We have also updated the release process to use a long-lived <code>v4</code> <strong>branch</strong> for the action, instead of a force-pushed tag, which aligns better with git branching strategies; the change should be transparent to end users.</p> <h2>What's Changed</h2> <ul> <li>GitHub Actions can't push to our protected main by <a href="https://github.com/dangoor"><code>@​dangoor</code></a> in <a href="https://redirect.github.com/actions/dependency-review-action/pull/1017">actions/dependency-review-action#1017</a></li> <li>Bump actions/stale from 9.1.0 to 10.1.0 by <a href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot] in <a href="https://redirect.github.com/actions/dependency-review-action/pull/995">actions/dependency-review-action#995</a></li> <li>Bump github/codeql-action from 3 to 4 by <a href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot] in <a href="https://redirect.github.com/actions/dependency-review-action/pull/1003">actions/dependency-review-action#1003</a></li> <li>Bump 
actions/setup-node from 4 to 6 by <a href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot] in <a href="https://redirect.github.com/actions/dependency-review-action/pull/1005">actions/dependency-review-action#1005</a></li> <li>Upgrade glob to address a vulnerability by <a href="https://github.com/brrygrdn"><code>@​brrygrdn</code></a> in <a href="https://redirect.github.com/actions/dependency-review-action/pull/1024">actions/dependency-review-action#1024</a></li> <li>Bump js-yaml by <a href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot] in <a href="https://redirect.github.com/actions/dependency-review-action/pull/1020">actions/dependency-review-action#1020</a></li> <li>Addressing vulnerabilities by <a href="https://github.com/Ahmed3lmallah"><code>@​Ahmed3lmallah</code></a> in <a href="https://redirect.github.com/actions/dependency-review-action/pull/1036">actions/dependency-review-action#1036</a></li> <li>Bump fast-xml-parser from 5.3.3 to 5.3.5 by <a href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot] in <a href="https://redirect.github.com/actions/dependency-review-action/pull/1050">actions/dependency-review-action#1050</a></li> <li>Bump fast-xml-parser from 5.3.5 to 5.3.6 by <a href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot] in <a href="https://redirect.github.com/actions/dependency-review-action/pull/1053">actions/dependency-review-action#1053</a></li> <li>Properly truncate long summaries and catch errors by <a href="https://github.com/juxtin"><code>@​juxtin</code></a> in <a href="https://redirect.github.com/actions/dependency-review-action/pull/1052">actions/dependency-review-action#1052</a></li> <li>Bump spdx-expression-parse from 3.0.1 to 4.0.0 in the spdx-licenses group across 1 directory by <a href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot] in <a 
href="https://redirect.github.com/actions/dependency-review-action/pull/931">actions/dependency-review-action#931</a></li> <li>Changes for Release 4.8.3 by <a href="https://github.com/ahpook"><code>@​ahpook</code></a> in <a href="https://redirect.github.com/actions/dependency-review-action/pull/1054">actions/dependency-review-action#1054</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/dependency-review-action/compare/v4.8.2..v4.8.3">https://github.com/actions/dependency-review-action/compare/v4.8.2..v4.8.3</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/actions/dependency-review-action/commit/2031cfc080254a8a887f58cffee85186f0e49e48"><code>2031cfc</code></a> Merge pull request <a href="https://redirect.github.com/actions/dependency-review-action/issues/1064">#1064</a> from actions/ahpook/release-4.9.0</li> <li><a href="https://github.com/actions/dependency-review-action/commit/d02fa39f790d6e8a4ecafab5848251ff12c20df7"><code>d02fa39</code></a> Updates for release 4.9.0</li> <li><a href="https://github.com/actions/dependency-review-action/commit/4038a34c4b30f7c11a7d45dc8dbea40e2211aa27"><code>4038a34</code></a> Merge pull request <a href="https://redirect.github.com/actions/dependency-review-action/issues/1021">#1021</a> from actions/dependabot/github_actions/actions/check...</li> <li><a href="https://github.com/actions/dependency-review-action/commit/a632b8386b2cc2b1b99427606b513f7632d27e91"><code>a632b83</code></a> Merge pull request <a href="https://redirect.github.com/actions/dependency-review-action/issues/1058">#1058</a> from actions/dependabot/github_actions/actions/stale...</li> <li><a href="https://github.com/actions/dependency-review-action/commit/57a3d46a7be2c2e259fa3284ffc501296337f2ac"><code>57a3d46</code></a> Merge pull request <a href="https://redirect.github.com/actions/dependency-review-action/issues/1060">#1060</a> from jantiebot/main</li> <li><a 
href="https://github.com/actions/dependency-review-action/commit/5ecdc4b5781cdabdfe233d6e58ec18eac23e275d"><code>5ecdc4b</code></a> Merge pull request <a href="https://redirect.github.com/actions/dependency-review-action/issues/1045">#1045</a> from forks-felickz/main</li> <li><a href="https://github.com/actions/dependency-review-action/commit/e8c2f9a12c568d6f36f8d3a9935a6c71afc691f5"><code>e8c2f9a</code></a> fix: remove inferrable type annotation to pass eslint</li> <li><a href="https://github.com/actions/dependency-review-action/commit/0e129e113c878bfe7c1abf6c6d94b180cbf71086"><code>0e129e1</code></a> Prettier - Refactor summary table rendering for improved readability</li> <li><a href="https://github.com/actions/dependency-review-action/commit/aa60746a920d63ce55376f67d381e15edd3a714d"><code>aa60746</code></a> Add 'show-patched-versions' option to configuration and update summary handling</li> <li><a href="https://github.com/actions/dependency-review-action/commit/e4047984002250b82268ac37f613ab74366e1d85"><code>e404798</code></a> Merge upstream actions/dependency-review-action main</li> <li>Additional commits viewable in <a href="https://github.com/actions/dependency-review-action/compare/3c4e3dcb1aa7874d2c16be7d79418e9b7efd6261...2031cfc080254a8a887f58cffee85186f0e49e48">compare view</a></li> </ul> </details> <br /> Updates `actions/setup-node` from 6.2.0 to 6.3.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/actions/setup-node/releases">actions/setup-node's releases</a>.</em></p> <blockquote> <h2>v6.3.0</h2> <h2>What's Changed</h2> <h3>Enhancements:</h3> <ul> <li>Support parsing <code>devEngines</code> field by <a href="https://github.com/susnux"><code>@​susnux</code></a> in <a href="https://redirect.github.com/actions/setup-node/pull/1283">actions/setup-node#1283</a></li> </ul> <blockquote> <p>When using node-version-file: package.json, setup-node now prefers devEngines.runtime over engines.node.</p> </blockquote> 
<h3>Dependency updates:</h3> <ul> <li>Fix npm audit issues by <a href="https://github.com/gowridurgad"><code>@​gowridurgad</code></a> in <a href="https://redirect.github.com/actions/setup-node/pull/1491">actions/setup-node#1491</a></li> <li>Replace uuid with crypto.randomUUID() by <a href="https://github.com/trivikr"><code>@​trivikr</code></a> in <a href="https://redirect.github.com/actions/setup-node/pull/1378">actions/setup-node#1378</a></li> <li>Upgrade minimatch from 3.1.2 to 3.1.5 by <a href="https://github.com/dependabot"><code>@​dependabot</code></a> in <a href="https://redirect.github.com/actions/setup-node/pull/1498">actions/setup-node#1498</a></li> </ul> <h3>Bug fixes:</h3> <ul> <li>Remove hardcoded bearer for mirror-url <a href="https://github.com/marco-ippolito"><code>@​marco-ippolito</code></a> in <a href="https://redirect.github.com/actions/setup-node/pull/1467">actions/setup-node#1467</a></li> <li>Scope test lockfiles by package manager and update cache tests by <a href="https://github.com/gowridurgad"><code>@​gowridurgad</code></a> in <a href="https://redirect.github.com/actions/setup-node/pull/1495">actions/setup-node#1495</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/susnux"><code>@​susnux</code></a> made their first contribution in <a href="https://redirect.github.com/actions/setup-node/pull/1283">actions/setup-node#1283</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/setup-node/compare/v6...v6.3.0">https://github.com/actions/setup-node/compare/v6...v6.3.0</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/actions/setup-node/commit/53b83947a5a98c8d113130e565377fae1a50d02f"><code>53b8394</code></a> Bump minimatch from 3.1.2 to 3.1.5 (<a href="https://redirect.github.com/actions/setup-node/issues/1498">#1498</a>)</li> <li><a 
href="https://github.com/actions/setup-node/commit/54045abd5dcd3b0fee9ca02fa24c57545834c9cc"><code>54045ab</code></a> Scope test lockfiles by package manager and update cache tests (<a href="https://redirect.github.com/actions/setup-node/issues/1495">#1495</a>)</li> <li><a href="https://github.com/actions/setup-node/commit/c882bffdbd4df51ace6b940023952e8669c9932a"><code>c882bff</code></a> Replace uuid with crypto.randomUUID() (<a href="https://redirect.github.com/actions/setup-node/issues/1378">#1378</a>)</li> <li><a href="https://github.com/actions/setup-node/commit/774c1d62961e73038a114d59c8847023c003194d"><code>774c1d6</code></a> feat(node-version-file): support parsing <code>devEngines</code> field (<a href="https://redirect.github.com/actions/setup-node/issues/1283">#1283</a>)</li> <li><a href="https://github.com/actions/setup-node/commit/efcb663fc60e97218a2b2d6d827f7830f164739e"><code>efcb663</code></a> fix: remove hardcoded bearer (<a href="https://redirect.github.com/actions/setup-node/issues/1467">#1467</a>)</li> <li><a href="https://github.com/actions/setup-node/commit/d02c89dce7e1ba9ef629ce0680989b3a1cc72edb"><code>d02c89d</code></a> Fix npm audit issues (<a href="https://redirect.github.com/actions/setup-node/issues/1491">#1491</a>)</li> <li>See full diff in <a href="https://github.com/actions/setup-node/compare/6044e13b5dc448c55e2357c09f80417699197238...53b83947a5a98c8d113130e565377fae1a50d02f">compare view</a></li> </ul> </details> <br /> Updates `actions/create-github-app-token` from 2.2.1 to 3.0.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/actions/create-github-app-token/releases">actions/create-github-app-token's releases</a>.</em></p> <blockquote> <h2>v3.0.0</h2> <h1><a href="https://github.com/actions/create-github-app-token/compare/v2.2.2...v3.0.0">3.0.0</a> (2026-03-14)</h1> <ul> <li>feat!: node 24 support (<a href="https://redirect.github.com/actions/create-github-app-token/issues/275">#275</a>) 
(<a href="https://github.com/actions/create-github-app-token/commit/2e564a0bb8e7cc2b907b2401a2afe177882d4325">2e564a0</a>)</li> <li>fix!: require <code>NODE_USE_ENV_PROXY</code> for proxy support (<a href="https://redirect.github.com/actions/create-github-app-token/issues/342">#342</a>) (<a href="https://github.com/actions/create-github-app-token/commit/4451bcbc139f8124b0bf04f968ea2586b17df458">4451bcb</a>)</li> </ul> <h3>Bug Fixes</h3> <ul> <li>remove custom proxy handling (<a href="https://redirect.github.com/actions/create-github-app-token/issues/143">#143</a>) (<a href="https://github.com/actions/create-github-app-token/commit/dce0ab05f36f30b22fd14289fd36655c618e4e8e">dce0ab0</a>)</li> </ul> <h3>BREAKING CHANGES</h3> <ul> <li>Custom proxy handling has been removed. If you use HTTP_PROXY or HTTPS_PROXY, you must now also set NODE_USE_ENV_PROXY=1 on the action step.</li> <li>Requires <a href="https://github.com/actions/runner/releases/tag/v2.327.1">Actions Runner v2.327.1</a> or later if you are using a self-hosted runner.</li> </ul> <h2>v3.0.0-beta.6</h2> <h1><a href="https://github.com/actions/create-github-app-token/compare/v3.0.0-beta.5...v3.0.0-beta.6">3.0.0-beta.6</a> (2026-03-13)</h1> <h3>Bug Fixes</h3> <ul> <li><strong>deps:</strong> bump <code>@​actions/core</code> from 1.11.1 to 3.0.0 (<a href="https://redirect.github.com/actions/create-github-app-token/issues/337">#337</a>) (<a href="https://github.com/actions/create-github-app-token/commit/b04413352d4644ac2131b9a90c074f5e93ca18a1">b044133</a>)</li> <li><strong>deps:</strong> bump minimatch from 9.0.5 to 9.0.9 (<a href="https://redirect.github.com/actions/create-github-app-token/issues/335">#335</a>) (<a href="https://github.com/actions/create-github-app-token/commit/5cbc65624c9ddc4589492bda7c8b146223e8c3e4">5cbc656</a>)</li> <li><strong>deps:</strong> bump the production-dependencies group with 4 updates (<a href="https://redirect.github.com/actions/create-github-app-token/issues/336">#336</a>) (<a 
href="https://github.com/actions/create-github-app-token/commit/6bda5bc1410576b9a0879ce6076d53345485bba9">6bda5bc</a>)</li> <li><strong>deps:</strong> bump undici from 7.16.0 to 7.18.2 (<a href="https://redirect.github.com/actions/create-github-app-token/issues/323">#323</a>) (<a href="https://github.com/actions/create-github-app-token/commit/b4f638f48ee0dcdbb0bc646c48e4cb2a2de847fe">b4f638f</a>)</li> </ul> <h2>v3.0.0-beta.5</h2> <h1><a href="https://github.com/actions/create-github-app-token/compare/v3.0.0-beta.4...v3.0.0-beta.5">3.0.0-beta.5</a> (2026-03-13)</h1> <ul> <li>fix!: require <code>NODE_USE_ENV_PROXY</code> for proxy support (<a href="https://redirect.github.com/actions/create-github-app-token/issues/342">#342</a>) (<a href="https://github.com/actions/create-github-app-token/commit/d53a1cdfde844c958786293adcaf739ecb8b5eb9">d53a1cd</a>)</li> </ul> <h3>BREAKING CHANGES</h3> <ul> <li>Custom proxy handling has been removed. If you use HTTP_PROXY or HTTPS_PROXY, you must now also set NODE_USE_ENV_PROXY=1 on the action step.</li> </ul> <h2>v3.0.0-beta.4</h2> <h1><a href="https://github.com/actions/create-github-app-token/compare/v3.0.0-beta.3...v3.0.0-beta.4">3.0.0-beta.4</a> (2026-03-13)</h1> <h3>Bug Fixes</h3> <ul> <li><strong>deps:</strong> bump <code>@​octokit/auth-app</code> from 7.2.1 to 8.0.1 (<a href="https://redirect.github.com/actions/create-github-app-token/issues/257">#257</a>) (<a href="https://github.com/actions/create-github-app-token/commit/bef1eaf1c0ac2b148ee2a0a74c65fbe6db0631f1">bef1eaf</a>)</li> <li><strong>deps:</strong> bump <code>@​octokit/request</code> from 9.2.3 to 10.0.2 (<a href="https://redirect.github.com/actions/create-github-app-token/issues/256">#256</a>) (<a href="https://github.com/actions/create-github-app-token/commit/5d7307be63501c0070c634b0ae8fec74e8208130">5d7307b</a>)</li> <li><strong>deps:</strong> bump glob from 10.4.5 to 10.5.0 (<a 
href="https://redirect.github.com/actions/create-github-app-token/issues/305">#305</a>) (<a href="https://github.com/actions/create-github-app-token/commit/5480f4325a18c025ee16d7e081413854624e9edc">5480f43</a>)</li> <li><strong>deps:</strong> bump p-retry from 6.2.1 to 7.1.0 (<a href="https://redirect.github.com/actions/create-github-app-token/issues/294">#294</a>) (<a href="https://github.com/actions/create-github-app-token/commit/dce3be8b284f45e65caed11a610e2bef738d15b4">dce3be8</a>)</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/actions/create-github-app-token/commit/f8d387b68d61c58ab83c6c016672934102569859"><code>f8d387b</code></a> build(release): 3.0.0 [skip ci]</li> <li><a href="https://github.com/actions/create-github-app-token/commit/d2129bd463d4feb8723edeea9437baa7db58e41e"><code>d2129bd</code></a> style: remove extra blank line in release workflow</li> <li><a href="https://github.com/actions/create-github-app-token/commit/77b94efc3e5f99a45abdd163fe04a4ebb95e98d6"><code>77b94ef</code></a> build: refresh generated artifacts</li> <li><a href="https://github.com/actions/create-github-app-token/commit/3ab4c6689898955f913a485593b36b197c6dbbdc"><code>3ab4c66</code></a> chore: move undici to devDependencies</li> <li><a href="https://github.com/actions/create-github-app-token/commit/739cf66feb937a443e4b6b7626bedd98f9fef6df"><code>739cf66</code></a> docs: update README action versions</li> <li><a href="https://github.com/actions/create-github-app-token/commit/db40289976a36527816d4f6f45765fdee71f134b"><code>db40289</code></a> build(deps): bump actions versions in test.yml</li> <li><a href="https://github.com/actions/create-github-app-token/commit/496a7ac4eb472eeac44d67818d1ce7f5e9e5fc97"><code>496a7ac</code></a> test: migrate from AVA to Node.js native test runner (<a 
href="https://redirect.github.com/actions/create-github-app-token/issues/346">#346</a>)</li> <li><a href="https://github.com/actions/create-github-app-token/commit/3870dc3051e3f1fc3a2faa17bcbb00f31fe1dd6c"><code>3870dc3</code></a> Rename end-to-end proxy job in test workflow</li> <li><a href="https://github.com/actions/create-github-app-token/commit/4451bcbc139f8124b0bf04f968ea2586b17df458"><code>4451bcb</code></a> fix!: require <code>NODE_USE_ENV_PROXY</code> for proxy support (<a href="https://redirect.github.com/actions/create-github-app-token/issues/342">#342</a>)</li> <li><a href="https://github.com/actions/create-github-app-token/commit/dce0ab05f36f30b22fd14289fd36655c618e4e8e"><code>dce0ab0</code></a> fix: remove custom proxy handling (<a href="https://redirect.github.com/actions/create-github-app-token/issues/143">#143</a>)</li> <li>Additional commits viewable in <a href="https://github.com/actions/create-github-app-token/compare/29824e69f54612133e76f7eaac726eef6c875baf...f8d387b68d61c58ab83c6c016672934102569859">compare view</a></li> </ul> </details> <br /> Updates `actions/cache` from 5.0.3 to 5.0.4 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/actions/cache/releases">actions/cache's releases</a>.</em></p> <blockquote> <h2>v5.0.4</h2> <h2>What's Changed</h2> <ul> <li>Add release instructions and update maintainer docs by <a href="https://github.com/Link"><code>@​Link</code></a>- in <a href="https://redirect.github.com/actions/cache/pull/1696">actions/cache#1696</a></li> <li>Potential fix for code scanning alert no. 
52: Workflow does not contain permissions by <a href="https://github.com/Link"><code>@​Link</code></a>- in <a href="https://redirect.github.com/actions/cache/pull/1697">actions/cache#1697</a></li> <li>Fix workflow permissions and cleanup workflow names / formatting by <a href="https://github.com/Link"><code>@​Link</code></a>- in <a href="https://redirect.github.com/actions/cache/pull/1699">actions/cache#1699</a></li> <li>docs: Update examples to use the latest version by <a href="https://github.com/XZTDean"><code>@​XZTDean</code></a> in <a href="https://redirect.github.com/actions/cache/pull/1690">actions/cache#1690</a></li> <li>Fix proxy integration tests by <a href="https://github.com/Link"><code>@​Link</code></a>- in <a href="https://redirect.github.com/actions/cache/pull/1701">actions/cache#1701</a></li> <li>Fix cache key in examples.md for bun.lock by <a href="https://github.com/RyPeck"><code>@​RyPeck</code></a> in <a href="https://redirect.github.com/actions/cache/pull/1722">actions/cache#1722</a></li> <li>Update dependencies &amp; patch security vulnerabilities by <a href="https://github.com/Link"><code>@​Link</code></a>- in <a href="https://redirect.github.com/actions/cache/pull/1738">actions/cache#1738</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/XZTDean"><code>@​XZTDean</code></a> made their first contribution in <a href="https://redirect.github.com/actions/cache/pull/1690">actions/cache#1690</a></li> <li><a href="https://github.com/RyPeck"><code>@​RyPeck</code></a> made their first contribution in <a href="https://redirect.github.com/actions/cache/pull/1722">actions/cache#1722</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/cache/compare/v5...v5.0.4">https://github.com/actions/cache/compare/v5...v5.0.4</a></p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/actions/cache/blob/main/RELEASES.md">actions/cache's 
changelog</a>.</em></p> <blockquote> <h1>Releases</h1> <h2>How to prepare a release</h2> <blockquote> <p>[!NOTE]<br /> Relevant for maintainers with write access only.</p> </blockquote> <ol> <li>Switch to a new branch from <code>main</code>.</li> <li>Run <code>npm test</code> to ensure all tests are passing.</li> <li>Update the version in <a href="https://github.com/actions/cache/blob/main/package.json"><code>https://github.com/actions/cache/blob/main/package.json</code></a>.</li> <li>Run <code>npm run build</code> to update the compiled files.</li> <li>Update this <a href="https://github.com/actions/cache/blob/main/RELEASES.md"><code>https://github.com/actions/cache/blob/main/RELEASES.md</code></a> with the new version and changes in the <code>## Changelog</code> section.</li> <li>Run <code>licensed cache</code> to update the license report.</li> <li>Run <code>licensed status</code> and resolve any warnings by updating the <a href="https://github.com/actions/cache/blob/main/.licensed.yml"><code>https://github.com/actions/cache/blob/main/.licensed.yml</code></a> file with the exceptions.</li> <li>Commit your changes and push your branch upstream.</li> <li>Open a pull request against <code>main</code> and get it reviewed and merged.</li> <li>Draft a new release <a href="https://github.com/actions/cache/releases">https://github.com/actions/cache/releases</a> use the same version number used in <code>package.json</code> <ol> <li>Create a new tag with the version number.</li> <li>Auto generate release notes and update them to match the changes you made in <code>RELEASES.md</code>.</li> <li>Toggle the set as the latest release option.</li> <li>Publish the release.</li> </ol> </li> <li>Navigate to <a href="https://github.com/actions/cache/actions/workflows/release-new-action-version.yml">https://github.com/actions/cache/actions/workflows/release-new-action-version.yml</a> <ol> <li>There should be a workflow run queued with the same version number.</li> <li>Approve the 
run to publish the new version and update the major tags for this action.</li> </ol> </li> </ol> <h2>Changelog</h2> <h3>5.0.4</h3> <ul> <li>Bump <code>minimatch</code> to v3.1.5 (fixes ReDoS via globstar patterns)</li> <li>Bump <code>undici</code> to v6.24.1 (WebSocket decompression bomb protection, header validation fixes)</li> <li>Bump <code>fast-xml-parser</code> to v5.5.6</li> </ul> <h3>5.0.3</h3> <ul> <li>Bump <code>@actions/cache</code> to v5.0.5 (Resolves: <a href="https://github.com/actions/cache/security/dependabot/33">https://github.com/actions/cache/security/dependabot/33</a>)</li> <li>Bump <code>@actions/core</code> to v2.0.3</li> </ul> <h3>5.0.2</h3> <ul> <li>Bump <code>@actions/cache</code> to v5.0.3 <a href="https://redirect.github.com/actions/cache/pull/1692">#1692</a></li> </ul> <h3>5.0.1</h3> <ul> <li>Update <code>@azure/storage-blob</code> to <code>^12.29.1</code> via <code>@actions/cache@5.0.1</code> <a href="https://redirect.github.com/actions/cache/pull/1685">#1685</a></li> </ul> <h3>5.0.0</h3> <blockquote> <p>[!IMPORTANT] <code>actions/cache@v5</code> runs on the Node.js 24 runtime and requires a minimum Actions Runner version of <code>2.327.1</code>.</p> </blockquote> <!-- raw HTML omitted --> </blockquote> <p>... 
(truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/actions/cache/commit/668228422ae6a00e4ad889ee87cd7109ec5666a7"><code>6682284</code></a> Merge pull request <a href="https://redirect.github.com/actions/cache/issues/1738">#1738</a> from actions/prepare-v5.0.4</li> <li><a href="https://github.com/actions/cache/commit/e34039626f957d3e3e50843d15c1b20547fc90e2"><code>e340396</code></a> Update RELEASES</li> <li><a href="https://github.com/actions/cache/commit/8a671105293e81530f1af99863cdf94550aba1a6"><code>8a67110</code></a> Add licenses</li> <li><a href="https://github.com/actions/cache/commit/1865903e1b0cb750dda9bc5c58be03424cc62830"><code>1865903</code></a> Update dependencies &amp; patch security vulnerabilities</li> <li><a href="https://github.com/actions/cache/commit/565629816435f6c0b50676926c9b05c254113c0c"><code>5656298</code></a> Merge pull request <a href="https://redirect.github.com/actions/cache/issues/1722">#1722</a> from RyPeck/patch-1</li> <li><a href="https://github.com/actions/cache/commit/4e380d19e192ace8e86f23f32ca6fdec98a673c6"><code>4e380d1</code></a> Fix cache key in examples.md for bun.lock</li> <li><a href="https://github.com/actions/cache/commit/b7e8d49f17405cc70c1c120101943203c98d3a4b"><code>b7e8d49</code></a> Merge pull request <a href="https://redirect.github.com/actions/cache/issues/1701">#1701</a> from actions/Link-/fix-proxy-integration-tests</li> <li><a href="https://github.com/actions/cache/commit/984a21b1cb176a0936f4edafb42be88978f93ef1"><code>984a21b</code></a> Add traffic sanity check step</li> <li><a href="https://github.com/actions/cache/commit/acf2f1f76affe1ef80eee8e56dfddd3b3e5f0fba"><code>acf2f1f</code></a> Fix resolution</li> <li><a href="https://github.com/actions/cache/commit/95a07c51324af6001b4d6ab8dff29f4dfadc2531"><code>95a07c5</code></a> Add wait for proxy</li> <li>Additional commits viewable in <a 
href="https://github.com/actions/cache/compare/cdf6c1fa76f9f475f3d7449005a359c84ca0f306...668228422ae6a00e4ad889ee87cd7109ec5666a7">compare view</a></li> </ul> </details> <br /> Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
1 parent 25ec471 commit 61456e2

4 files changed: +7 -7 lines changed

.github/workflows/dependency-review.yml

Lines changed: 1 addition & 1 deletion
@@ -33,6 +33,6 @@ jobs:
3333
with:
3434
persist-credentials: false
3535
- name: 'Dependency Review'
36-
uses: actions/dependency-review-action@3c4e3dcb1aa7874d2c16be7d79418e9b7efd6261 # v4.8.2
36+
uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0
3737
with:
3838
comment-summary-in-pr: always
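Review bot: The purl matching change that comes with the new pin at line 36 needs a check against this workflow's configuration. The release notes in the commit message say purl comparisons are now normalized and case insensitive, and only `comment-summary-in-pr: always` is visible in this `with:` block, so if an allow list is configured below the shown context, confirm the looser matching does not exempt more packages than intended. The SHA 2031cfc080254a8a887f58cffee85186f0e49e48 matches the 4.9.0 release merge commit listed in the commit message, so the `# v4.9.0` comment is accurate.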

.github/workflows/release.yml

Lines changed: 2 additions & 2 deletions
@@ -28,7 +28,7 @@ jobs:
2828
with:
2929
egress-policy: audit
3030

31-
- uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
31+
- uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
3232
with:
3333
node-version: 24
3434
package-manager-cache: false
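Review bot: Line 31 is not affected by the one behaviour change in 6.3.0, and that is worth stating in the PR so nobody re-checks it later. The release notes say `devEngines.runtime` is now preferred over `engines.node` when `node-version-file: package.json` is used, while this step sets `node-version: 24` explicitly. The pinned SHA 53b83947a5a98c8d113130e565377fae1a50d02f is the head of the compare range quoted in the commit message.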
@@ -39,7 +39,7 @@ jobs:
3939
working-directory: lambdas
4040
run: yarn install --frozen-lockfile && yarn run test && yarn dist
4141
- name: Get installation token
42-
uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
42+
uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0
4343
id: token
4444
with:
4545
app-id: ${{ vars.RELEASER_APP_ID }}
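Review bot: Line 42 is a major-version bump (v2.2.1 to v3.0.0) of the step that mints the release token, and it arrives inside a grouped chore commit with no accompanying configuration change. The release notes list two breaking changes: custom proxy handling is removed, so a job that relies on HTTP_PROXY or HTTPS_PROXY must also set NODE_USE_ENV_PROXY=1 on this step, and self-hosted runners need Actions Runner v2.327.1 or later. No `env:` is visible on the step in this hunk, so confirm the release job neither runs behind a proxy nor on an older self-hosted runner, or add the variable here. Splitting major bumps out of the grouped update would make this kind of change easier to review.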

.github/workflows/terraform.yml

Lines changed: 3 additions & 3 deletions
@@ -57,7 +57,7 @@ jobs:
5757
run: apk add --no-cache tar
5858
continue-on-error: true
5959
- if: contains(matrix.terraform, '1.5.')
60-
uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
60+
uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
6161
name: Cache TFLint plugin dir
6262
with:
6363
path: ~/.tflint.d/plugins
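Review bot: The same pinned SHA at line 60 is repeated at lines 126 and 191 of this file and again in update-docs.yml, so every bump has to touch four places and a missed one would leave mixed versions. All four are updated to 668228422ae6a00e4ad889ee87cd7109ec5666a7 in this commit, which matches the v5.0.4 merge commit in the commit message. Consider moving the "Cache TFLint plugin dir" step into a shared composite action or reusable workflow so the pin lives in one place.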
@@ -123,7 +123,7 @@ jobs:
123123
run: apk add --no-cache tar
124124
continue-on-error: true
125125
- if: contains(matrix.terraform, '1.3.')
126-
uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
126+
uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
127127
name: Cache TFLint plugin dir
128128
with:
129129
path: ~/.tflint.d/plugins
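Review bot: The guard at line 125 tests `contains(matrix.terraform, '1.3.')`, while the otherwise identical cache steps at lines 59 and 190 test `'1.5.'`. This commit does not change the condition, but if the difference is not intentional the cache step here is skipped for the versions the other two jobs cache for. A short comment on the step stating which matrix entry it targets would settle it.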
@@ -188,7 +188,7 @@ jobs:
188188
run: apk add --no-cache tar
189189
continue-on-error: true
190190
- if: contains(matrix.terraform, '1.5.')
191-
uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
191+
uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
192192
name: Cache TFLint plugin dir
193193
with:
194194
path: ~/.tflint.d/plugins

.github/workflows/update-docs.yml

Lines changed: 1 addition & 1 deletion
@@ -87,7 +87,7 @@ jobs:
8787
with:
8888
python-version: 3.x
8989
- run: echo "cache_id=$(date --utc '+%V')" >> $GITHUB_ENV
90-
- uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
90+
- uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
9191
with:
9292
key: mkdocs-material-${{ env.cache_id }}
9393
path: .cache
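Review bot: The cache key at line 92 depends on `cache_id` from line 89, which is `date --utc '+%V'`, the ISO week number only, so the key `mkdocs-material-${{ env.cache_id }}` repeats every year. If that matters for this cache, use `'+%G-%V'` to include the ISO year. Line 89 also writes to an unquoted `$GITHUB_ENV`; quoting it as `"$GITHUB_ENV"` is the safer form. Neither is introduced by this bump, which only moves the pin to the v5.0.4 SHA.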
