OWASP Dependency-Track v5.0.1 Released
By SecBurg
OWASP Dependency-Track is an intelligent component analysis platform that helps organizations identify and reduce software supply chain risk. It ingests Software Bill of Materials (SBOM) data, monitors components for known vulnerabilities and policy violations, and integrates with existing security and development toolchains.
Version 5.0 marks a major milestone: essentially a ground-up rewrite of the platform. 5.0.1 landed today with a batch of bug fixes plus a few backported improvements to the v4 migration tooling.
What's new in v5:
* **Horizontal scaling** - active/active high availability via PostgreSQL coordination
* **Durable execution** - processing resumes after crashes with automatic retry logic
* **PostgreSQL only** - H2, MySQL, and SQL Server support dropped
* **Supply chain integrity** - flags components with mismatched hashes
* **CEL-based policies** - expression-based rules using Common Expression Language
* **Pluggable file storage** - shared volumes or S3-compatible backends
* **Separate container images** - API server and frontend shipped independently
* **Prometheus metrics** - dedicated management endpoint with Kubernetes probes
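The hash check behind the "supply chain integrity" item, as an added example that is not Dependency-Track code: compare the hashes an SBOM records for each component against the hashes the package repository publishes for the same package, and report MATCHED, MISMATCHED, or UNKNOWN. The artifact bytes, the registry lookup, and the CycloneDX-style SBOM are all constructed inline so the script runs offline; the assumption is that a real implementation would fetch the published hashes from the repository (npm registry metadata, Maven checksum sidecar files) instead. Note the edge cases a practitioner cares about: algorithm names and hex case are normalised before comparing, an algorithm the checker cannot compute is skipped rather than treated as a mismatch, and a package the repository does not know, or an SBOM entry with no hashes, is reported as UNKNOWN rather than silently passing or failing.

```python
"""Flag SBOM components whose recorded hashes disagree with repository-published hashes.

Added example (not Dependency-Track's own code).  All inputs are constructed.
"""
import hashlib
from typing import Dict, List, Optional

# Constructed bytes standing in for the tarballs/jars a registry publishes hashes for.
PUBLISHED_ARTIFACTS: Dict[str, bytes] = {
    "pkg:npm/left-pad@1.3.0": b"constructed: left-pad 1.3.0 tarball",
    "pkg:npm/lodash@4.17.21": b"constructed: lodash 4.17.21 tarball",
    "pkg:maven/org.example/lib@2.0.0": b"constructed: lib-2.0.0.jar",
}

# CycloneDX "alg" names we can recompute, mapped to hashlib constructor names.
ALGORITHMS: Dict[str, str] = {"SHA-1": "sha1", "SHA-256": "sha256", "SHA-512": "sha512"}


def normalize_alg(alg: str) -> Optional[str]:
    """Map 'sha256', 'SHA_256', 'Sha-256' etc. to the canonical CycloneDX name, or None."""
    key = alg.upper().replace("-", "").replace("_", "")
    for canonical in ALGORITHMS:
        if canonical.replace("-", "") == key:
            return canonical
    return None


def published_hashes(purl: str) -> Optional[Dict[str, str]]:
    """Stand-in for a repository metadata lookup (assumption: real code queries the registry).

    Returns None when the repository does not know the package, so callers can
    distinguish 'no reference data' from 'reference data disagrees'.
    """
    data = PUBLISHED_ARTIFACTS.get(purl)
    if data is None:
        return None
    return {name: hashlib.new(fn, data).hexdigest() for name, fn in ALGORITHMS.items()}


def check_component(component: dict) -> dict:
    """Return {'purl', 'status', 'detail'}; status is MATCHED, MISMATCHED or UNKNOWN."""
    purl = component.get("purl")
    expected = published_hashes(purl) if purl else None
    recorded = component.get("hashes") or []
    if expected is None:
        return {"purl": purl, "status": "UNKNOWN", "detail": "no repository metadata"}
    if not recorded:
        return {"purl": purl, "status": "UNKNOWN", "detail": "SBOM records no hashes"}
    compared, mismatched = 0, []
    for h in recorded:
        alg = normalize_alg(h.get("alg", ""))
        if alg is None:
            continue  # algorithm we cannot recompute: skip, do not count as mismatch
        compared += 1
        if h.get("content", "").strip().lower() != expected[alg]:
            mismatched.append(alg)
    if compared == 0:
        return {"purl": purl, "status": "UNKNOWN", "detail": "no comparable algorithm"}
    if mismatched:
        return {"purl": purl, "status": "MISMATCHED", "detail": "differs on " + ", ".join(mismatched)}
    return {"purl": purl, "status": "MATCHED", "detail": f"{compared} hash(es) verified"}


def check_sbom(sbom: dict) -> List[dict]:
    return [check_component(c) for c in sbom.get("components", [])]


def mismatched_purls(sbom: dict) -> List[str]:
    """The components an integrity policy would flag."""
    return [r["purl"] for r in check_sbom(sbom) if r["status"] == "MISMATCHED"]


def constructed_sbom() -> dict:
    """A CycloneDX-style SBOM (constructed, not a real project's) exercising each case."""
    ok = hashlib.sha256(PUBLISHED_ARTIFACTS["pkg:npm/left-pad@1.3.0"]).hexdigest().upper()
    tampered = hashlib.sha256(b"constructed: trojanised lodash tarball").hexdigest()
    jar512 = hashlib.sha512(PUBLISHED_ARTIFACTS["pkg:maven/org.example/lib@2.0.0"]).hexdigest()
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "components": [
            # uppercase hex and lowercase alg name: still a match after normalisation
            {"type": "library", "purl": "pkg:npm/left-pad@1.3.0",
             "hashes": [{"alg": "sha256", "content": ok}]},
            # SBOM hash is of a different artifact than the registry published
            {"type": "library", "purl": "pkg:npm/lodash@4.17.21",
             "hashes": [{"alg": "SHA-256", "content": tampered}]},
            # SHA-512 matches; BLAKE3 is skipped because we cannot recompute it
            {"type": "library", "purl": "pkg:maven/org.example/lib@2.0.0",
             "hashes": [{"alg": "SHA-512", "content": jar512}, {"alg": "BLAKE3", "content": "00"}]},
            # repository has never heard of this package
            {"type": "library", "purl": "pkg:npm/unknown-pkg@0.0.1",
             "hashes": [{"alg": "SHA-256", "content": "00" * 32}]},
            # known package, but the SBOM carries no hashes at all
            {"type": "library", "purl": "pkg:maven/org.example/lib@2.0.0"},
        ],
    }


if __name__ == "__main__":
    for result in check_sbom(constructed_sbom()):
        print(f"{result['status']:<10} {result['purl']}  ({result['detail']})")
```

UNKNOWN is deliberately kept separate from MISMATCHED: a policy that blocks on mismatches should surface unknowns for review but not fail a build because a private package has no public reference hash.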
Migration note: v5 requires an offline migration into a separate PostgreSQL cluster; in-place upgrades from v4 are not supported, and a v5 instance must not be pointed at the v4 database (as of 5.0.1 the bootstrap fails fast when it detects one, see #6361 below). The v4.14.x line receives security fixes for approximately six more months.
Changelog for v5.0.1:
## What's Changed
### Enhancements 🚀
* Backport: v4-migrator: Add TCP keepalive and optional socket timeout by @nscuro in https://github.com/DependencyTrack/dependency-track/pull/6348
* Backport: v4-migrator: Fail fast when detecting bootstrap being pointed at v4 database by @nscuro in https://github.com/DependencyTrack/dependency-track/pull/6361
* Backport: Allow out-of-order execution of Flyway migrations by @nscuro in https://github.com/DependencyTrack/dependency-track/pull/6366
### Bug Fixes 🐛
* Backport: Make REPOSITORY.AUTHENTICATIONREQUIRED non-nullable by @nscuro in https://github.com/DependencyTrack/dependency-track/pull/6349
* Backport: Apply stricter PURL normalization for NPM package metadata resolution by @nscuro in https://github.com/DependencyTrack/dependency-track/pull/6350
* Backport: Bypass outbox for notification rule tests by @nscuro in https://github.com/DependencyTrack/dependency-track/pull/6351
* Backport: Fix NO_PROXY being rejected as legacy Alpine property by @nscuro in https://github.com/DependencyTrack/dependency-track/pull/6352
* Backport: Reject parent objects with null UUID when creating/updating/patching projects by @nscuro in https://github.com/DependencyTrack/dependency-track/pull/6354
* Backport: v4-migrator: only run post-load actions when load phase completes successfully by @nscuro in https://github.com/DependencyTrack/dependency-track/pull/6353
* Backport: Fix NPE during LDAP auth when bind credentials are not configured by @nscuro in https://github.com/DependencyTrack/dependency-track/pull/6356
* Backport: Fix suppressed vulns being considered for policy evaluation by @nscuro in https://github.com/DependencyTrack/dependency-track/pull/6357
* Backport: Fix incomplete field coverage of /v1/finding/project/{uuid}'s searchText filter by @nscuro in https://github.com/DependencyTrack/dependency-track/pull/6358
* Backport: Fix OIDC UserInfo endpoint not being invoked when team sync is enabled and ID token contains no teams claim by @nscuro in https://github.com/DependencyTrack/dependency-track/pull/6359
* Backport: Fix URL-encoding of OSV ecosystem names by @nscuro in https://github.com/DependencyTrack/dependency-track/pull/6360
* Backport: Support non-UTC timezones for metrics operations by @nscuro in https://github.com/DependencyTrack/dependency-track/pull/6363
* Backport: Fix email notification publisher not populating the "From" header by @nscuro in https://github.com/DependencyTrack/dependency-track/pull/6362
* Backport: v4-migrator: Fix confusing debug log for missing tgt_permission table by @nscuro in https://github.com/DependencyTrack/dependency-track/pull/6364
* Backport: Fix URL-encoding of OSV ecosystem names when retrieving incremental advisories by @nscuro in https://github.com/DependencyTrack/dependency-track/pull/6375
* Backport: Handle PAC-inaccessible target projects more gracefully for BOM uploads with autoCreate=true by @nscuro in https://github.com/DependencyTrack/dependency-track/pull/6377
* Backport: Fix broken HTTP proxy basic auth by @nscuro in https://github.com/DependencyTrack/dependency-track/pull/6381
* Backport: Fix team of API key not being auto-assigned project access after project creation by @nscuro in https://github.com/DependencyTrack/dependency-track/pull/6389
Full Changelog: https://github.com/DependencyTrack/dependency-track/compare/5.0.0...5.0.1
Full release notes and migration guide: OWASP blog / GitHub releases