Dependency-Track v5 is the next major version of the project, previously developed under the codename Hyades. For what is actually new in v5, including architecture, schema, configuration, and API surface, see About changes in v5.
This document covers the GA cutover itself. It describes what changes for operators, contributors, and downstream consumers as v5 moves to GA, and what your options are for staying on v4.
Important
Please read this document end-to-end before updating any image pin, Helm value, or CI reference.
The image name changes, and the :latest and :snapshot tag policies are deliberately conservative
to avoid moving consumers across a major version without an explicit decision.
- Phases
- What is moving
- Tag policy
- Pin recommendations
- Action items by audience
- Historical artifacts
- What is not changing
The cutover proceeds in ordered phases. Timing is best-effort and community-driven. Each phase advances only when its preconditions are met. Do not plan around fixed dates.
Important
v4 will receive bugfixes and security patches for at least ~6 months past v5 GA. This minimum is committed, regardless of how cutover-day timing shifts.
| Phase | Precondition | What happens |
|---|---|---|
| Announcement | Maintainers agree the cutover is imminent | Public notice. v4 master enters freeze on a date named in the notice. |
| Cutover | v5 5.0.0-rc.1 ready to publish |
v4 master (both repos) renamed to v4-master-archived. v5 imported as main. RC published. hyades-* repos archived. |
| GA | RC soak completes with no blockers | v5 5.0.0 GA published. |
| v4 EOL | At least ~6 months elapsed since v5 GA | v4 patches stop. :snapshot discontinued. :latest flips to v5. |
Each phase is announced ahead of time on the
GitHub Discussions,
and #dependency-track channel in the OWASP Slack.
| Before (v4 / pre-GA v5) | After (v5 GA onwards) |
|---|---|
DependencyTrack/dependency-track (v4) |
DependencyTrack/dependency-track:4.14.x (v4) |
DependencyTrack/dependency-track:master |
Renamed to :v4-master-archived (frozen, no merges accepted) |
DependencyTrack/frontend (v4) |
DependencyTrack/frontend:4.14.x (v4) |
DependencyTrack/frontend:master |
Renamed to :v4-master-archived (frozen, no merges accepted) |
DependencyTrack/hyades-apiserver (v5 dev) |
DependencyTrack/dependency-track:main (v5) |
DependencyTrack/hyades-frontend (v5 dev) |
DependencyTrack/frontend:main (v5) |
hyades-apiserver and hyades-frontend are archived at cutover. They remain readable.
No new pushes, no new issues, no new PRs.
| Before | After |
|---|---|
dependencytrack/hyades-apiserver:<tag> |
dependencytrack/apiserver:<tag> |
ghcr.io/dependencytrack/hyades-apiserver |
ghcr.io/dependencytrack/apiserver |
dependencytrack/hyades-frontend:<tag> |
dependencytrack/frontend:<tag> |
ghcr.io/dependencytrack/hyades-frontend |
ghcr.io/dependencytrack/frontend |
v4 images (dependencytrack/apiserver, dependencytrack/frontend, dependencytrack/bundled)
do not change name. v4 has always published to these names. Only the pre-GA v5 (hyades-*) images are renamed.
Note
dependencytrack/bundled is v4-only. There is no v5 equivalent. It follows the v4 lifecycle and stops receiving
updates at v4 EOL along with the other v4 images.
:latest and :snapshot deliberately do not flip on the GA date.
This is to prevent unpinned v4 deployments from silently jumping to v5 on the next docker pull and breaking.
| Period | Resolves to |
|---|---|
| Today through v4 EOL | Latest v4 release |
| After v4 EOL | Latest v5 release |
If you run :latest in production today, pin to an explicit version before v4 EOL.
After v4 EOL, :latest advances across the major boundary in one pull.
| Tag | Period | Resolves to |
|---|---|---|
:snapshot |
Today through v4 EOL | v4 nightly |
:snapshot |
After v4 EOL | Discontinued |
:4-snapshot |
From cutover onwards | v4 nightly (frozen at EOL) |
:5-snapshot |
From v5 GA onwards | v5 nightly |
:snapshot is not flipped to v5 at v4 EOL. Migrate to :4-snapshot or :5-snapshot explicitly.
| Tag | Resolves to |
|---|---|
:5.x.y |
Exact v5 release. Immutable. |
:5.x.y-rc.N |
Exact RC. Immutable. |
:5-snapshot |
v5 main nightly |
:latest |
See :latest. |
No floating major (:5) or minor (:5.0) tags are published. This matches v4's tagging surface and steers operators
toward digest or exact-version pins (see Pin recommendations).
For production, in order of preference:
- Digest pin (
@sha256:...). Strongest guarantee. Survives tag mutation, repo deletion, and registry mirroring. - Exact version (
:4.14.3or:5.0.0). Survives the cutover unchanged.
Use Renovate, Dependabot, or equivalent to bump exact pins on a schedule you control.
Do not use :latest or :snapshot in production. Both move under you without notice.
None, if you pin image tags by an exact version or digest. v4 keeps shipping on its existing image names and tags until v4 EOL (~6 months post-v5 GA).
If you currently pull :latest or :snapshot, switch before v4 EOL:
| Today | Pin to |
|---|---|
dependencytrack/apiserver:latest |
An exact version (e.g. :4.14.3) or a digest |
dependencytrack/apiserver:snapshot |
:4-snapshot or a digest |
dependencytrack/frontend:latest |
An exact version (e.g. :4.14.3) or a digest |
dependencytrack/frontend:snapshot |
:4-snapshot or a digest |
:4-snapshot becomes available at cutover. Until then, pin to a digest to escape :snapshot.
- v4 continues to receive
4.14.xpatch releases. There will be no further v4 minor releases (no4.15.0). - Patch cadence is best-effort and community-driven, focused on security and high-severity fixes.
- File v4 bugs against
DependencyTrack/dependency-trackwith thev4label.
- No further patches, including for CVEs in v4 itself or its dependencies.
- New issues that apply only to v4 are closed with a pointer to v5. Existing
v4-labeled issues remain as-is and readable for reference.
Warning
There is no in-place upgrade. v5 runs on its own PostgreSQL cluster and ingests v4 data via an offline, one-shot migrator. Plan downtime accordingly.
- About changes in v5 for the architectural, schema, and configuration deltas.
- Migrating from v4 to v5 for the step-by-step migrator procedure, prerequisites, and post-migration audit checklist.
- Rehearsing the v4 migration to dry-run against a production copy before scheduling the cutover.
- Running v4 and v5 in parallel for parallel-validation strategies.
The official chart updates together with v5 GA. See helm-charts.
Diff your values file against the v5 chart defaults before bumping.
Important
v4 master is frozen ahead of cutover and renamed at cutover. Open PRs follow the rename but cannot be merged.
See If you have an open PR for what to do.
Re-target your PR before cutover. If you do not, the PR survives but ends up against v4-master-archived,
which accepts no merges. You will have to re-target it yourself afterwards.
Against dependency-track:master (pre-cutover v4 repo):
- v4 patch: re-target the base branch to
4.14.x(see re-targeting below). - v5-bound: close and re-open against
hyades-apiserver:main(pre-cutover) ordependency-track:main(post-cutover). Link the original PR in the new description.
Against hyades-apiserver:main or hyades-frontend:main:
- Pre-cutover: business as usual. Land before cutover if you can.
- At cutover: the repo is archived. Existing PRs are not auto-migrated and cannot be merged.
Re-open against
dependency-track:main(orfrontend:main) once v5 GA is published.
GitHub UI: open the PR, click Edit next to the title, pick the new base branch. Works only if the new base lives
in the same repo. For cross-repo moves (hyades-apiserver -> dependency-track), open a new PR.
After cutover, point your fork and clone at dependency-track. The archived hyades-apiserver remote still works
read-only but will not accept pushes.
# 1. Rename your fork on GitHub: Settings -> Repository name -> "dependency-track"
# (GitHub keeps redirects, but update the remote anyway.)
# 2. Update the upstream remote
git remote set-url upstream https://github.com/DependencyTrack/dependency-track.git
# 3. Update your fork remote
git remote set-url origin git@github.com:<you>/dependency-track.git
# 4. Fetch the new default branch and rebase your work
git fetch upstream
git rebase upstream/main
# 5. Push and open the PR against dependency-track:main
git push -u origin <your-branch>Note
After the rename, upstream/master resolves to upstream/v4-master-archived.
That branch is frozen and accepts no merges. Rebase v5-bound work onto
upstream/main and v4-patch work onto upstream/4.14.x.
GitHub does not auto-rename or auto-archive forks.
- Your fork still exists under its old name and still tracks the archived repo.
- Rename it via Settings -> Repository name to keep PRs tidy.
- Branches you pushed before cutover are preserved.
| Concern | Location |
|---|---|
| v5 apiserver code, issues, PRs | DependencyTrack/dependency-track (branch main) |
| v5 frontend code, issues, PRs | DependencyTrack/frontend (branch main) |
| v4 maintenance patches | DependencyTrack/dependency-track (branch 4.14.x) |
CONTRIBUTING.md, SECURITY.md |
DependencyTrack/dependency-track:main (root) |
| ADRs | DependencyTrack/dependency-track:main under docs/adr/ |
| Helm charts | DependencyTrack/helm-charts (unaffected) |
| User docs | DependencyTrack/docs (unaffected) |
- Both repos are archived at cutover. Existing issues and discussions stay readable but become read-only.
- Open issues are not auto-migrated. Maintainers will move the ones they judge relevant for v5 to
DependencyTrack/dependency-trackat their own discretion. No guarantees on which or when. - If your issue is not moved, and you believe it should be, you have two options:
- Ask a maintainer to move it via OWASP Slack
#dependency-trackor GitHub Discussions, linking the original. - Re-file on
DependencyTrack/dependency-trackand link the old issue.
- Ask a maintainer to move it via OWASP Slack
- v4 bug reports go on
DependencyTrack/dependency-trackwith thev4label.
v5 introduces Architecture Decision Records. Substantial changes now require an ADR that reaches Accepted
before the implementation PR merges. v4 had no such requirement. See
CONTRIBUTING.md#architecture-decision-records for trigger criteria.
Warning
The 5.0.0 tag exists in two places with different content. The archived hyades-apiserver repo published
release tags 5.0.0 through 5.6.0 (and 5.7.0-alpha.X) during pre-GA development. This was a mistake in hindsight.
v5 GA restarts numbering at 5.0.0 on dependency-track:main. The two are not the same artifact. Disambiguate
by repo and registry path:
| Tag | Source | Meaning |
|---|---|---|
5.0.0 |
DependencyTrack/hyades-apiserver (archived) |
Pre-GA, frozen |
5.0.0 |
DependencyTrack/dependency-track (and apiserver images) |
v5 GA |
Pre-GA images and source remain pullable from the archived repo for reference. Do not consume them as v5 GA.
To keep expectations grounded:
- The Helm chart repository (
DependencyTrack/helm-charts) is not renamed or archived. - The documentation repository (
DependencyTrack/docs) is not renamed. - The project website (
dependencytrack.org) does not change URL. - The OWASP project page does not change URL.