chore(deps): bump actions/upload-artifact from 4 to 5

[dependabot]

Bumps actions/upload-artifact from 4 to 5.

Release notes

Sourced from actions/upload-artifact's releases.

v5.0.0

What's Changed

BREAKING CHANGE: this update supports Node v24.x. This is not a breaking change per-se but we're treating it as such.

• Update README.md by @​GhadimiR in actions/upload-artifact#681
• Update README.md by @​nebuk89 in actions/upload-artifact#712
• Readme: spell out the first use of GHES by @​danwkennedy in actions/upload-artifact#727
• Update GHES guidance to include reference to Node 20 version by @​patrikpolyak in actions/upload-artifact#725
• Bump @actions/artifact to v4.0.0
• Prepare v5.0.0 by @​danwkennedy in actions/upload-artifact#734

New Contributors

• @​GhadimiR made their first contribution in actions/upload-artifact#681
• @​nebuk89 made their first contribution in actions/upload-artifact#712
• @​danwkennedy made their first contribution in actions/upload-artifact#727
• @​patrikpolyak made their first contribution in actions/upload-artifact#725

Full Changelog: actions/upload-artifact@v4...v5.0.0

v4.6.2

What's Changed

• Update to use artifact 2.3.2 package & prepare for new upload-artifact release by @​salmanmkc in actions/upload-artifact#685

New Contributors

• @​salmanmkc made their first contribution in actions/upload-artifact#685

Full Changelog: actions/upload-artifact@v4...v4.6.2

v4.6.1

What's Changed

• Update to use artifact 2.2.2 package by @​yacaovsnc in actions/upload-artifact#673

Full Changelog: actions/upload-artifact@v4...v4.6.1

v4.6.0

What's Changed

• Expose env vars to control concurrency and timeout by @​yacaovsnc in actions/upload-artifact#662

Full Changelog: actions/upload-artifact@v4...v4.6.0

v4.5.0

What's Changed

• fix: deprecated Node.js version in action by @​hamirmahal in actions/upload-artifact#578
• Add new artifact-digest output by @​bdehamer in actions/upload-artifact#656

New Contributors

• @​hamirmahal made their first contribution in actions/upload-artifact#578

... (truncated)

Commits

• 330a01c Merge pull request #734 from actions/danwkennedy/prepare-5.0.0
• 03f2824 Update github.dep.yml
• 905a1ec Prepare v5.0.0
• 2d9f9cd Merge pull request #725 from patrikpolyak/patch-1
• 9687587 Merge branch 'main' into patch-1
• 2848b2c Merge pull request #727 from danwkennedy/patch-1
• 9b51177 Spell out the first use of GHES
• cd231ca Update GHES guidance to include reference to Node 20 version
• de65e23 Merge pull request #712 from actions/nebuk89-patch-1
• 8747d8c Update README.md
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package	Version	Score	Details
actions/actions/upload-artifact	5.*.*	🟢 4.8	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained ⚠️ 1 2 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 1 Packaging ⚠️ -1 packaging workflow not detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed Pinned-Dependencies ⚠️ 1 dependency not pinned by hash detected -- score normalized to 1 License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST 🟢 9 SAST tool detected but not run on all commits Vulnerabilities ⚠️ 1 9 existing vulnerabilities detected

Scanned Files

• .github/workflows/dependency-audit.yml

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[github-actions]

🟠 Dependency Security Audit

🟠 3 high severity vulnerabilities found

Severity	Count
🔴 Critical	0
🟠 High	3
🟡 Moderate	4
🟢 Low	4

⚠️ Recommended: High severity vulnerabilities should be addressed.

View full audit report

├─ lodash.pick: �[38;5;37m4.4.0�[39m
│  ├─ ID: �[38;5;220m1106907�[39m
│  ├─ Issue: Prototype Pollution in lodash
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-p6mc-m468-83gw�[39m
│  ├─ Severity: high
│  ├─ Vulnerable Versions: �[38;5;37m>=4.0.0 <=4.4.0�[39m
│  ├─ Patched Versions: �[38;5;37m<0.0.0�[39m
│  ├─ Via: open-graph
│  └─ Recommendation: None
│
├─ lodash.template: �[38;5;37m4.5.0�[39m
│  ├─ ID: �[38;5;220m1106902�[39m
│  ├─ Issue: Command Injection in lodash
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-35jh-r3h4-6jhm�[39m
│  ├─ Severity: high
│  ├─ Vulnerable Versions: �[38;5;37m<=4.5.0�[39m
│  ├─ Patched Versions: �[38;5;37m<0.0.0�[39m
│  ├─ Via: electron-winstaller
│  └─ Recommendation: None
│
├─ nth-check: �[38;5;37m1.0.2�[39m
│  ├─ ID: �[38;5;220m1095141�[39m
│  ├─ Issue: Inefficient Regular Expression Complexity in nth-check
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-rp65-9cf3-cjxr�[39m
│  ├─ Severity: high
│  ├─ Vulnerable Versions: �[38;5;37m<2.0.1�[39m
│  ├─ Patched Versions: �[38;5;37m>=2.0.1�[39m
│  ├─ Via: open-graph
│  └─ Recommendation: Upgrade to version 2.0.1 or later
│
├─ request: �[38;5;37m2.88.2�[39m
│  ├─ ID: �[38;5;220m1096727�[39m
│  ├─ Issue: Server-Side Request Forgery in Request
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-p8p7-x288-28g6�[39m
│  ├─ Severity: moderate
│  ├─ Vulnerable Versions: �[38;5;37m<=2.88.2�[39m
│  ├─ Patched Versions: �[38;5;37m<0.0.0�[39m
│  ├─ Via: open-graph
│  └─ Recommendation: None
│
├─ serialize-javascript: �[38;5;37m6.0.0�[39m
│  ├─ ID: �[38;5;220m1105261�[39m
│  ├─ Issue: Cross-site Scripting (XSS) in serialize-javascript
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-76p7-773f-r4q5�[39m
│  ├─ Severity: moderate
│  ├─ Vulnerable Versions: �[38;5;37m>=6.0.0 <6.0.2�[39m
│  ├─ Patched Versions: �[38;5;37m>=6.0.2�[39m
│  ├─ Via: mocha, webpack, babel-loader
│  └─ Recommendation: Upgrade to version 6.0.2 or later
│
└─ tmp: �[38;5;37m0.1.0�[39m
   ├─ ID: �[38;5;220m1106849�[39m
   ├─ Issue: tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter
   ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-52f5-9888-hmc6�[39m
   ├─ Severity: low
   ├─ Vulnerable Versions: �[38;5;37m<=0.2.3�[39m
   ├─ Patched Versions: �[38;5;37m>=0.2.4�[39m
   ├─ Via: @wireapp/protocol-messaging, electron-winstaller, electron-builder
   └─ Recommendation: Upgrade to version 0.2.4 or later