diff --git a/.github/workflows/reuse.yml b/.github/workflows/reuse.yml
index e0098ad2..031e80a8 100644
--- a/.github/workflows/reuse.yml
+++ b/.github/workflows/reuse.yml
@@ -9,7 +9,7 @@
 
 name: REUSE Compliance Check
 
-on: pull_request
+on: [pull_request]
 
 jobs:
   reuse-compliance-check:
@@ -19,4 +19,4 @@ jobs:
       uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
     - name: REUSE Compliance Check
-      uses: fsfe/reuse-action@a46482ca367aef4454a87620aa37c2be4b2f8106 # v3.0.0
+      uses: fsfe/reuse-action@3ae3c6bdf1257ab19397fab11fd3312144692083 # v4.0.0
diff --git a/.reuse/dep5 b/.reuse/dep5
deleted file mode 100644
index 4d01ca07..00000000
--- a/.reuse/dep5
+++ /dev/null
@@ -1,16 +0,0 @@
-Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
-Upstream-Name: Nextcloud Password Confirmation library
-Upstream-Contact: Nextcloud GmbH <https://nextcloud.com/impressum/>
-Source: https://github.com/nextcloud-libraries/nextcloud-password-confirmation
-
-Files: package.json package-lock.json .github/pull_request_template.md
-Copyright: Nextcloud GmbH and Nextcloud contributors
-License: MIT
-
-Files: l10n/*.pot
-Copyright: 2020-2024 Nextcloud translators
-License: MIT
-
-Files: tsconfig.json tsconfig.node.json
-Copyright: 2022-2024 Nextcloud GmbH and Nextcloud contributors
-License: CC0-1.0
diff --git a/REUSE.toml b/REUSE.toml
new file mode 100644
index 00000000..5fb67b7a
--- /dev/null
+++ b/REUSE.toml
@@ -0,0 +1,24 @@
+# SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors
+# SPDX-License-Identifier: MIT
+version = 1
+SPDX-PackageName = "Nextcloud Password Confirmation library"
+SPDX-PackageSupplier = "Nextcloud GmbH <https://nextcloud.com/impressum/>"
+SPDX-PackageDownloadLocation = "https://github.com/nextcloud-libraries/nextcloud-password-confirmation"
+
+[[annotations]]
+path = ["package.json", "package-lock.json", ".github/pull_request_template.md"]
+precedence = "aggregate"
+SPDX-FileCopyrightText = "Nextcloud GmbH and Nextcloud contributors"
+SPDX-License-Identifier = "MIT"
+
+[[annotations]]
+path = "l10n/**.pot"
+precedence = "aggregate"
+SPDX-FileCopyrightText = "2020-2024 Nextcloud translators"
+SPDX-License-Identifier = "MIT"
+
+[[annotations]]
+path = ["tsconfig.json", "tsconfig.node.json"]
+precedence = "aggregate"
+SPDX-FileCopyrightText = "2022-2024 Nextcloud GmbH and Nextcloud contributors"
+SPDX-License-Identifier = "CC0-1.0"