OWASP Dependency-Track 5.0 Is Now Generally Available


Tuesday, June 9, 2026

The largest redesign in the project’s history brings horizontal scaling, fault tolerance, and software supply chain integrity verification to the widely used open source platform.

[Wilmington, DE], June 3, 2026. OWASP Dependency-Track, the open source platform that organizations use to identify and reduce risk in the software supply chain, today announced the general availability of version 5.0. Developed under the codename Hyades, v5 is the most extensive redesign since the platform’s inception. It rebuilds how Dependency-Track scales, survives failure, and reasons about risk, while keeping the workflows teams already rely on.

Version 4 ran as a single API server that held its work queue in memory and its search index on local disk. That shape served smaller deployments well, but it limited any team that needed high availability, predictable resource usage, or clean recovery after a crash. Version 5 targets those limits directly. The platform now scales out, keeps working when individual instances fail, and standardizes on a single mature database engine. Smaller deployments gain the same guarantees with no added complexity.

Those guarantees already hold up in the field. Early adopters running the v5 alphas have ingested upwards of 20,000 SBOMs per hour, and some organizations now operate single v5 instances holding more than 250,000 SBOMs representing tens of millions of software components. Throughput and portfolio sizes at that level put Dependency-Track firmly in enterprise territory.

🛍️ Highlights of Dependency-Track 5.0

Horizontal scaling and active/active high availability. Stateless API server instances coordinate through PostgreSQL alone, with no message broker and no peer-to-peer networking, so a cluster can span availability zones and scale up or down without reconfiguration.

Processing that survives crashes. An embedded durable execution engine resumes bill of materials processing, vulnerability analysis, and notification delivery from the exact step they reached, and retries failed steps automatically with backoff instead of waiting for someone to trigger them again.

Software supply chain integrity verification. Dependency-Track now flags components whose published hashes do not match what the upstream package registry served, catching typosquatting and registry-side tampering, a class of attack that v4 left to tools further down the pipeline.
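The check described above, as an added illustration that is not Dependency-Track's own code: the hashes an SBOM declares for a component (CycloneDX-style `alg`/`content` entries are assumed) are compared against the digest of the bytes the registry actually served, and any mismatch is surfaced as a finding. The package URL and artifact bytes are constructed sample data.

```python
import hashlib

# Map CycloneDX hash algorithm names to hashlib constructors.
CDX_ALGS = {"MD5": "md5", "SHA-1": "sha1", "SHA-256": "sha256", "SHA-512": "sha512"}


def verify_component(component: dict, served_bytes: bytes) -> dict:
    """Compare the hashes an SBOM declares for a component with the digest
    of the artifact the registry served.

    Returns "verified" when every supported declared hash matches,
    "mismatch" when any supported hash differs (the tampering/typosquat
    signal), and "unverifiable" when no supported hash was declared, so the
    absence of evidence is not silently treated as a pass.
    """
    checks = []
    for entry in component.get("hashes", []):
        alg = entry.get("alg", "")
        hashlib_name = CDX_ALGS.get(alg)
        if hashlib_name is None:
            checks.append({"alg": alg, "result": "unsupported"})
            continue
        served = hashlib.new(hashlib_name, served_bytes).hexdigest()
        declared = (entry.get("content") or "").lower()
        checks.append({"alg": alg, "declared": declared, "served": served,
                       "result": "match" if served == declared else "mismatch"})
    results = [c["result"] for c in checks]
    if "mismatch" in results:
        status = "mismatch"
    elif "match" in results:
        status = "verified"
    else:
        status = "unverifiable"
    return {"purl": component.get("purl"), "status": status, "checks": checks}


# Constructed sample data: the artifact as published, and an altered copy
# standing in for what a tampered registry might serve.
PUBLISHED = b"module.exports = () => 'hello';\n"
TAMPERED = PUBLISHED + b"// altered after publication\n"

COMPONENT = {
    "purl": "pkg:npm/example-lib@1.2.3",  # hypothetical package
    "hashes": [
        {"alg": "SHA-256", "content": hashlib.sha256(PUBLISHED).hexdigest()},
        {"alg": "BLAKE3", "content": "not-handled-by-this-example"},
    ],
}

if __name__ == "__main__":
    for label, served in (("published", PUBLISHED), ("tampered", TAMPERED)):
        print(label, verify_component(COMPONENT, served)["status"])
```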

Smarter, expression-based policies. A new policy engine built on Common Expression Language (CEL) powers component policies, vulnerability policies that can automatically audit or suppress findings before they reach analysts, and notification filters that can match on any field of an event, such as firing only at or above a chosen severity.

One database, fewer failure modes. v5 standardizes on PostgreSQL and moves search, caching, and metrics into the database. The local search index disappears, along with the index corruption and disk space failures that came with it, and metrics become a proper time series with bounded retention.

Built for operations. A dedicated management endpoint exposes Prometheus metrics and Kubernetes-style liveness and readiness probes on their own port, integration secrets are centralized behind a pluggable provider for easier rotation and audit, and pluggable file storage supports shared volumes or S3-compatible object storage.

Governance and data lifecycle. Portfolio access control graduates out of beta with bounded overhead at scale, and configurable retention keeps inactive project versions and time series metrics from growing without bound.

What it means for security leaders

For security leaders, v5 turns Dependency-Track into infrastructure they can depend on at enterprise scale. The strategic value is less about any single feature than about what a platform at this scale makes possible.

Regulation is turning software inventory from good practice into legal obligation. Under the EU Cyber Resilience Act, manufacturers of products with digital elements must produce and maintain a machine-readable SBOM, with core obligations phasing in through December 2027 and vulnerability reporting duties arriving sooner. Satisfying that across a real product portfolio means keeping a complete and continuously updated inventory, not a periodic sample. v5 is built to hold exactly that, at the scale where compliance has to operate.

The same foundation reaches well beyond software. A platform that already tracks millions of components is the natural place to inventory everything else an...
