diff --git a/.github/dependency-review-config.yml b/.github/dependency-review-config.yml
new file mode 100644
index 0000000..fcb5551
--- /dev/null
+++ b/.github/dependency-review-config.yml
@@ -0,0 +1,8 @@
+fail_on_severity: "low"
+allow_licenses:
+  - "MIT"
+  - "ISC"
+  - "MPL-2.0"
+  - "BSD-2-Clause"
+  - "BSD-3-Clause"
+  - "Apache-2.0"
diff --git a/.github/workflows/pkg.yml b/.github/workflows/pkg.yml
deleted file mode 100644
index 25411ce..0000000
--- a/.github/workflows/pkg.yml
+++ /dev/null
@@ -1,10 +0,0 @@
-name: pkg
-
-on:
-  push:
-    tags:
-      - v*
-
-jobs:
-  run:
-    uses: go-faster/x/.github/workflows/release.yml@main
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
new file mode 100644
index 0000000..c48c37b
--- /dev/null
+++ b/.github/workflows/pr.yml
@@ -0,0 +1,19 @@
+name: "Dependency Review"
+on: [pull_request]
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: "Checkout Repository"
+        uses: actions/checkout@v3
+
+      # Their stupid action rely on PR event metadata, so
+      # there is no much sense to setup a re-usable workflow.
+      - name: "Dependency Review"
+        uses: actions/dependency-review-action@v3
+        with:
+          config-file: "./.github/dependency-review-config.yml"
diff --git a/.github/workflows/x.yml b/.github/workflows/x.yml
index 01263ea..6473419 100644
--- a/.github/workflows/x.yml
+++ b/.github/workflows/x.yml
@@ -17,7 +17,5 @@ jobs:
     uses: go-faster/x/.github/workflows/lint.yml@main
   commit:
     uses: go-faster/x/.github/workflows/commit.yml@main
-  nancy:
-    uses: go-faster/x/.github/workflows/nancy.yml@main
   codeql:
     uses: go-faster/x/.github/workflows/codeql.yml@main
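Review bot: `allow_licenses` is an allow-list, so any dependency whose detected license is outside these six SPDX identifiers fails the review, and presumably so does one whose license the action cannot determine — worth confirming against the action's docs before a PR is blocked on a false positive. The file should state that intent, e.g. `# Allow-list: a dependency with any other (or undetectable) license blocks the PR.` above `allow_licenses:`, since a reader may otherwise assume unlisted licenses merely warn. The action treats `allow_licenses` and `deny_licenses` as mutually exclusive, so a one-line comment noting that this file deliberately uses the allow-list form saves the next editor from adding a deny list that is rejected at run time. With `fail_on_severity: "low"` every known advisory fails the check and no `allow_ghsas` exception list is configured, which is fine as a default but should be said explicitly in a comment so it is not loosened by accident.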
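Review bot: Both steps are pinned to mutable major tags (`uses: actions/checkout@v3` and `uses: actions/dependency-review-action@v3`), which for a workflow whose purpose is to gate third-party code is the weakest pin available — a compromised or retargeted tag changes what runs on every PR; pin to a full commit SHA with the version in a trailing comment, e.g. `uses: actions/dependency-review-action@<full-commit-sha> # v3`, and likewise for checkout. The `permissions: contents: read` block is the right least-privilege default for this job. Because the trigger is `on: [pull_request]`, only dependencies changed by a PR are reviewed, so advisories published later against dependencies already in the tree are not covered by this workflow; that scope limit belongs in the step comment, which also reads better as `# The action relies on pull_request event metadata, so a reusable workflow makes little sense here.`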