Guidelines  ·  2026-06-15

OWASP Dependency-Track 5.0 Generally Available — Enterprise-Scale SBOM Platform with AI/ML Model Inventory and Supply Chain Integrity Verification

Guidelines · High impact · Global
OWASP released Dependency-Track 5.0 as generally available on June 9, 2026 (announced June 3; GA confirmed June 9). Described as the largest redesign in the project's history (codename Hyades), v5.0 introduces: horizontal scaling with active/active high availability via stateless PostgreSQL coordination; durable execution engine that survives crashes and resumes BOM processing from exact failure points; software supply chain integrity verification that flags components with mismatched package-registry hashes (detecting typosquatting and registry tampering); CEL-based policy engine for automated vulnerability suppression and notification; standardisation on PostgreSQL only (H2/MySQL/SQL Server dropped); and built-in Prometheus/Kubernetes operations support. Early adopters have ingested 20,000+ SBOMs per hour with single instances holding 250,000+ SBOMs.
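The integrity-verification idea in the summary above (flag a component whose hash in the SBOM disagrees with what the package registry reports for that exact name and version) can be illustrated with a small offline check over a CycloneDX document. The code below is an added example written for this page; it is not Dependency-Track's implementation, and its SBOM, package names and "registry" hash table are all constructed inline (hypothetical values, not real packages' hashes). It uses only the standard CycloneDX JSON fields (`components[].purl`, `components[].hashes[].alg/content`).

```python
"""Illustrative registry-hash integrity check over a CycloneDX SBOM.

Added example, not Dependency-Track's code. For each component that has a
Package URL, compare the SHA-256 recorded in the SBOM with the SHA-256 the
registry reports for that purl, and classify the result. The SBOM and the
registry lookup table are constructed here so the script runs offline; in a
real deployment the registry side would come from the registry's API.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed "registry" view: purl -> SHA-256 of the published artifact.
# These digests are derived from placeholder bytes, not from real packages.
REGISTRY_SHA256: Dict[str, str] = {
    "pkg:pypi/example-lib@1.2.0": hashlib.sha256(b"example-lib-1.2.0.tar.gz").hexdigest(),
    "pkg:pypi/other-lib@0.9.1": hashlib.sha256(b"other-lib-0.9.1.tar.gz").hexdigest(),
}

# Constructed CycloneDX 1.5 SBOM with one clean component, one whose hash
# disagrees with the registry, one with no hash, and one the registry
# does not know about.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "example-lib", "version": "1.2.0",
         "purl": "pkg:pypi/example-lib@1.2.0",
         "hashes": [{"alg": "SHA-256",
                     "content": REGISTRY_SHA256["pkg:pypi/example-lib@1.2.0"]}]},
        {"type": "library", "name": "other-lib", "version": "0.9.1",
         "purl": "pkg:pypi/other-lib@0.9.1",
         "hashes": [{"alg": "SHA-256",
                     "content": hashlib.sha256(b"different-bytes").hexdigest()}]},
        {"type": "library", "name": "no-hash-lib", "version": "2.0.0",
         "purl": "pkg:pypi/no-hash-lib@2.0.0",
         "hashes": []},
        {"type": "library", "name": "unlisted-lib", "version": "1.0.0",
         "purl": "pkg:pypi/unlisted-lib@1.0.0",
         "hashes": [{"alg": "SHA-256", "content": "ab" * 32}]},
    ],
})


@dataclass(frozen=True)
class Finding:
    purl: str
    status: str  # "match" | "mismatch" | "no-sbom-hash" | "not-in-registry"
    sbom_sha256: Optional[str]
    registry_sha256: Optional[str]


def _sbom_sha256(component: dict) -> Optional[str]:
    """Return the component's SHA-256 from the CycloneDX hashes list, if any."""
    for h in component.get("hashes", []):
        if h.get("alg") == "SHA-256" and h.get("content"):
            return h["content"].lower()
    return None


def verify_sbom_hashes(sbom_json: str, registry: Dict[str, str]) -> List[Finding]:
    """Classify every purl-bearing component against the registry digests."""
    bom = json.loads(sbom_json)
    findings: List[Finding] = []
    for comp in bom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue  # nothing to look up without a package identity
        sbom_hash = _sbom_sha256(comp)
        reg_hash = registry.get(purl)
        if sbom_hash is None:
            status = "no-sbom-hash"        # cannot verify; policy may require a hash
        elif reg_hash is None:
            status = "not-in-registry"     # registry has no artifact for this purl
        elif hmac.compare_digest(sbom_hash, reg_hash.lower()):
            status = "match"
        else:
            # Disagreement: registry-side tampering, a rebuilt/replaced artifact,
            # or an SBOM generated from a different distribution (e.g. wheel vs
            # sdist). Surface it for review rather than guessing the cause.
            status = "mismatch"
        findings.append(Finding(purl, status, sbom_hash, reg_hash))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per status, e.g. for a dashboard or alert threshold."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.status] = counts.get(f.status, 0) + 1
    return counts


if __name__ == "__main__":
    for f in verify_sbom_hashes(SAMPLE_SBOM, REGISTRY_SHA256):
        print(f"{f.status:15} {f.purl}")
    print(summarize(verify_sbom_hashes(SAMPLE_SBOM, REGISTRY_SHA256)))
```

The four statuses are deliberately kept apart: a missing SBOM hash and an unknown purl are data-quality gaps to fix in the SBOM generator or the lookup, while only a true mismatch points at the artifact itself and deserves the tampering investigation the release summary describes.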
Dependency-Track is the de facto open-source SBOM analysis platform used by enterprises and government agencies for software supply chain risk management. v5.0's supply chain integrity verification directly addresses the registry-tampering and typosquatting attacks seen against AI/ML package ecosystems (e.g., the LiteLLM/PyPI backdoor incident). The project explicitly frames v5 as the inventory foundation for AI and ML model tracking alongside software components — directly relevant as EU Cyber Resilience Act SBOM obligations phase in through December 2027. This is a platform-level capability upgrade, not an incremental release.
Plan migration from Dependency-Track v4.x to v5.0 (offline migration to PostgreSQL required; v4.14.x receives security fixes for ~6 more months). Enable supply chain integrity verification to detect registry-side tampering of AI/ML dependencies. Evaluate v5's AI/ML model inventory capabilities for EU CRA SBOM compliance programmes.
Sources
OWASP Blog — Dependency-Track 5.0 GA, June 9, 2026
Dependency-Track Official Site — v5.0 Release Notes
OWASP Blog — Dependency-Track 5.0 Is Now Generally Available (2026-06-09)