diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 000000000..4f6427b93 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,20 @@ +--- +version: 2 + +updates: +- package-ecosystem: "npm" + directory: "/" + schedule: + interval: "weekly" + groups: + minor-npm-dependencies: + # NPM: Only group minor and patch updates (we want to carefully review major updates) + update-types: [minor, patch] +- package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" + groups: + minor-actions-dependencies: + # GitHub Actions: Only group minor and patch updates (we want to carefully review major updates) + update-types: [minor, patch] diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index d8c83acf4..cbd29917e 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -8,7 +8,7 @@ on: - releases/* -# Note that when you see patterns like "ref: test-data/v2/basic" within this workflow, +# Note that when you see patterns like "ref: test-data/v2/basic" within this workflow, # these refer to "test-data" branches on this actions/checkout repo. # (For example, test-data/v2/basic -> https://github.com/actions/checkout/tree/test-data/v2/basic) @@ -37,7 +37,7 @@ jobs: steps: # Clone this repo - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4.1.1 # Basic checkout - name: Checkout basic @@ -257,7 +257,7 @@ jobs: path: basic - name: Verify basic run: __test__/verify-basic.sh --archive - + test-git-container: runs-on: ubuntu-latest container: bitnami/git:latest diff --git a/.github/workflows/update-test-ubuntu-git.yml b/.github/workflows/update-test-ubuntu-git.yml index e2d57f316..ee7ce7bd9 100644 --- a/.github/workflows/update-test-ubuntu-git.yml +++ b/.github/workflows/update-test-ubuntu-git.yml 
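Review bot: Neither `updates` entry covers container images, so the base image of `images/test-ubuntu-git.Dockerfile` (the file built by `update-test-ubuntu-git.yml` in this same commit) would keep receiving no update PRs. If that Dockerfile pins a base image, a third entry for the `docker` ecosystem pointed at the `images` directory would close the gap. The Dockerfile itself is not visible here, so whether it has a pinned `FROM` line is an assumption to confirm. The indentation in the sketch below is illustrative, since the page does not preserve the file's own.

```yaml
# … unchanged: npm and github-actions entries …
- package-ecosystem: "docker"
  directory: "/images"
  schedule:
    interval: "weekly"
```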
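Review bot: `uses: actions/checkout@v4.1.1` in the "Checkout" step references the action by tag, and a tag can be moved to different code after it was reviewed. Pinning to the full commit SHA with the version in a trailing comment, `uses: actions/checkout@FULL_COMMIT_SHA # v4.1.1` (placeholder, not a real hash), makes the reference immutable, and the `github-actions` Dependabot entry added in this commit can still update SHA pins. The same applies to `docker/login-action@v3.1.0` and `docker/build-push-action@v5.3.0` in the `update-test-ubuntu-git.yml` hunks, where the login step receives registry credentials. The surrounding job definitions continue outside these hunks.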
@@ -31,7 +31,7 @@ jobs: # Use `docker/login-action` to log in to GHCR.io. # Once published, the packages are scoped to the account defined here. - name: Log in to the ghcr.io container registry - uses: docker/login-action@v3.0.0 + uses: docker/login-action@v3.1.0 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} @@ -48,7 +48,7 @@ jobs: # Use `docker/build-push-action` to build (and optionally publish) the image. - name: Build Docker Image (with optional Push) - uses: docker/build-push-action@v5.1.0 + uses: docker/build-push-action@v5.3.0 with: context: . file: images/test-ubuntu-git.Dockerfile diff --git a/CHANGELOG.md b/CHANGELOG.md index a35831b4b..a1a3a24aa 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,16 @@ # Changelog +## v4.1.4 +- Disable `extensions.worktreeConfig` when disabling `sparse-checkout` by @jww3 in https://github.com/actions/checkout/pull/1692 +- Add dependabot config by @cory-miller in https://github.com/actions/checkout/pull/1688 +- Bump the minor-actions-dependencies group with 2 updates by @dependabot in https://github.com/actions/checkout/pull/1693 +- Bump word-wrap from 1.2.3 to 1.2.5 by @dependabot in https://github.com/actions/checkout/pull/1643 + +## v4.1.3 +- Check git version before attempting to disable `sparse-checkout` by @jww3 in https://github.com/actions/checkout/pull/1656 +- Add SSH user parameter by @cory-miller in https://github.com/actions/checkout/pull/1685 +- Update `actions/checkout` version in `update-main-version.yml` by @jww3 in https://github.com/actions/checkout/pull/1650 + ## v4.1.2 - Fix: Disable sparse checkout whenever `sparse-checkout` option is not present @dscho in https://github.com/actions/checkout/pull/1598 diff --git a/__test__/verify-basic.sh b/__test__/verify-basic.sh index 5aaa309b8..d084617f0 100755 --- a/__test__/verify-basic.sh +++ b/__test__/verify-basic.sh 
@@ -18,6 +18,20 @@ else exit 1 fi + # Verify that sparse-checkout is disabled. + SPARSE_CHECKOUT_ENABLED=$(git -C ./basic config --local --get-all core.sparseCheckout) + if [ "$SPARSE_CHECKOUT_ENABLED" != "" ]; then + echo "Expected sparse-checkout to be disabled (discovered: $SPARSE_CHECKOUT_ENABLED)" + exit 1 + fi + + # Verify git configuration shows worktreeConfig is effectively disabled + WORKTREE_CONFIG_ENABLED=$(git -C ./basic config --local --get-all extensions.worktreeConfig) + if [[ "$WORKTREE_CONFIG_ENABLED" != "" ]]; then + echo "Expected extensions.worktreeConfig (boolean) to be disabled in git config. This could be an artifact of sparse checkout functionality." + exit 1 + fi + # Verify auth token cd basic git fetch --no-tags --depth=1 origin +refs/heads/main:refs/remotes/origin/main diff --git a/dist/index.js b/dist/index.js index b21024745..5ff87e42a 100644 --- a/dist/index.js +++ b/dist/index.js @@ -582,6 +582,8 @@ class GitCommandManager { disableSparseCheckout() { return __awaiter(this, void 0, void 0, function* () { yield this.execGit(['sparse-checkout', 'disable']); + // Disabling 'sparse-checkout` leaves behind an undesirable side-effect in config (even in a pristine environment). + yield this.tryConfigUnset('extensions.worktreeConfig', false); }); } sparseCheckout(sparseCheckout) { diff --git a/package-lock.json b/package-lock.json index f2c410044..d453f7c0f 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,12 +1,12 @@ { "name": "checkout", - "version": "4.1.3", + "version": "4.1.4", "lockfileVersion": 2, "requires": true, "packages": { "": { "name": "checkout", - "version": "4.1.3", + "version": "4.1.4", "license": "MIT", "dependencies": { "@actions/core": "^1.10.0", 
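Review bot: Both new checks pass `--local`, which reads `.git/config` only, so a `core.sparseCheckout` value that git stored in the per-worktree file `.git/config.worktree` would not be seen by the first check. I would note that above it, e.g. `# --local reads .git/config only; per-worktree settings live in .git/config.worktree`, or add an assertion on that file if it is expected to be absent. The two tests are also written differently: the first uses `[ ... ]` and prints the discovered value, while the second uses `[[ ... ]]` and does not, so I would change the second to `if [ "$WORKTREE_CONFIG_ENABLED" != "" ]; then` and append `(discovered: $WORKTREE_CONFIG_ENABLED)` to its message. The script's shebang and any `set -e` line are outside the hunk; if `set -e` is active, the non-zero exit of `git config --get-all` on a missing key would abort the script before either comparison runs.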
@@ -9129,9 +9129,9 @@ } }, "node_modules/word-wrap": { - "version": "1.2.3", - "resolved": "https://registry.npmjs.org/word-wrap/-/word-wrap-1.2.3.tgz", - "integrity": "sha512-Hz/mrNwitNRh/HUAtM/VT/5VH+ygD6DV7mYKZAtHOrbs8U7lvPS6xf7EJKMF0uW1KJCl0H701g3ZGus+muE5vQ==", + "version": "1.2.5", + "resolved": "https://registry.npmjs.org/word-wrap/-/word-wrap-1.2.5.tgz", + "integrity": "sha512-BN22B5eaMMI9UMtjrGd5g5eCYPpCPDUy0FJXbYsaT5zYxjFOckS53SQDE3pWkVoWpHXVb3BrYcEN4Twa55B5cA==", "dev": true, "engines": { "node": ">=0.10.0" @@ -16055,9 +16055,9 @@ } }, "word-wrap": { - "version": "1.2.3", - "resolved": "https://registry.npmjs.org/word-wrap/-/word-wrap-1.2.3.tgz", - "integrity": "sha512-Hz/mrNwitNRh/HUAtM/VT/5VH+ygD6DV7mYKZAtHOrbs8U7lvPS6xf7EJKMF0uW1KJCl0H701g3ZGus+muE5vQ==", + "version": "1.2.5", + "resolved": "https://registry.npmjs.org/word-wrap/-/word-wrap-1.2.5.tgz", + "integrity": "sha512-BN22B5eaMMI9UMtjrGd5g5eCYPpCPDUy0FJXbYsaT5zYxjFOckS53SQDE3pWkVoWpHXVb3BrYcEN4Twa55B5cA==", "dev": true }, "wrap-ansi": { diff --git a/package.json b/package.json index 4bed13710..238cdcf05 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "checkout", - "version": "4.1.3", + "version": "4.1.4", "description": "checkout action", "main": "lib/main.js", "scripts": { diff --git a/src/git-command-manager.ts b/src/git-command-manager.ts index fa50321f8..8e42a387f 100644 --- a/src/git-command-manager.ts +++ b/src/git-command-manager.ts @@ -178,6 +178,8 @@ class GitCommandManager { async disableSparseCheckout(): Promise { await this.execGit(['sparse-checkout', 'disable']) + // Disabling 'sparse-checkout` leaves behind an undesirable side-effect in config (even in a pristine environment). + await this.tryConfigUnset('extensions.worktreeConfig', false) } async sparseCheckout(sparseCheckout: string[]): Promise {
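Review bot: The comment added in `disableSparseCheckout` does not name the side effect or say why it is unwanted, and its quoting is mismatched (`'sparse-checkout` closed with a backtick). I would write `// 'git sparse-checkout disable' leaves extensions.worktreeConfig set in .git/config; unset it so the repository is left without the extension.` The unset is also unconditional and its result is discarded. On a reused workspace where the extension was enabled on purpose, settings in `.git/config.worktree` would presumably stop being read after this call, so the comment should state that this is intended. `tryConfigUnset` and the rest of `GitCommandManager` are outside the hunk, so the meaning of the `false` argument is not verifiable from here; the same two lines appear in the generated `dist/index.js` hunk.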