Dependabot shows conflicting information on the basic status of vulnerabilities.
I'm getting email alerts AND open security alert tickets, YET when I investigate, dependabot remarks that the vulnerability is already patched. How am I supposed to interpret that? Which part of the system is correct? Screenshot:
If the security issue is fixed, then please go ahead and automatically close (resolve) the ticket. Don't bug me with email reports for things that are already resolved, either.
Just to add further confusion, dependabot doesn't always behave the same way in the security tickets. Sometimes it doesn't even recognize that the version has been updated in the project:
At least two things appear to be broken in dependabot:
Gaps in triggers for automatically closing resolved security tickets once the version is identified as no longer affected.
Inconsistent dependency version identification that fails to align with the version resolution semantics of popular package managers like Bundler.
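The second point above, version identification that matches Bundler's semantics, is something a maintainer can check locally before deciding whether an alert is stale. The following is an added example, not code from the original post or from Dependabot: it reads a constructed Gemfile.lock fragment, takes the locked version of each gem, and evaluates it against constructed advisory ranges using the same Gem::Version and Gem::Requirement classes that Bundler uses, so the result reflects RubyGems ordering (prerelease versions, four-segment versions, numeric rather than lexical comparison). The gem names, versions and vulnerable ranges are sample data chosen for illustration, not real advisories.

```ruby
require 'rubygems' # Gem::Version / Gem::Requirement; Bundler resolves with these same classes

# Constructed Gemfile.lock fragment (sample data, not taken from any real project).
LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.13.6)
        racc (~> 1.4)
      racc (1.6.0)
      rails-html-sanitizer (1.4.3)

  PLATFORMS
    ruby

  DEPENDENCIES
    nokogiri
    rails-html-sanitizer
LOCK

# Constructed advisories: vulnerable range in RubyGems requirement syntax plus
# the first patched release. Purely illustrative values.
ADVISORIES = [
  { gem: 'nokogiri',             vulnerable: ['< 1.13.6'],              patched: '1.13.6' },
  { gem: 'rails-html-sanitizer', vulnerable: ['>= 1.0.3', '< 1.4.4'],   patched: '1.4.4'  },
  { gem: 'loofah',               vulnerable: ['< 2.19.1'],              patched: '2.19.1' },
].freeze

# Parse the "specs:" block of a Gemfile.lock into { gem name => Gem::Version }.
# Top-level specs are indented exactly four spaces; deeper lines are their
# dependency constraints, which are not locked versions and are skipped.
def locked_versions(lockfile)
  versions = {}
  in_specs = false
  lockfile.each_line do |line|
    if line.strip == 'specs:'
      in_specs = true
      next
    end
    # A blank line or an upper-case section header (PLATFORMS, DEPENDENCIES) ends the block.
    in_specs = false if line.strip.empty? || line =~ /\A[A-Z]/
    next unless in_specs
    if (m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/))
      versions[m[1]] = Gem::Version.new(m[2])
    end
  end
  versions
end

# Decide what an alert for one advisory should say given the locked versions:
# :open if the locked version is inside the vulnerable range, :resolved if it
# is outside it, :not_present if the gem is not in the lockfile at all.
def alert_status(versions, advisory)
  version = versions[advisory[:gem]]
  return :not_present if version.nil?
  vulnerable = Gem::Requirement.new(*advisory[:vulnerable])
  vulnerable.satisfied_by?(version) ? :open : :resolved
end

# Evaluate every advisory against a lockfile.
def triage(lockfile, advisories)
  versions = locked_versions(lockfile)
  advisories.map { |adv| [adv[:gem], alert_status(versions, adv)] }.to_h
end

# Cases where RubyGems ordering differs from naive string or float comparison;
# a checker that ignores these semantics will mis-state an alert's status.
def semantics_checks
  v = ->(s) { Gem::Version.new(s) }
  {
    prerelease_still_vulnerable: Gem::Requirement.new('< 1.13.6').satisfied_by?(v['1.13.6.rc1']),
    four_segment_is_patched:     Gem::Requirement.new('>= 1.13.6').satisfied_by?(v['1.13.6.1']),
    numeric_not_lexical:         v['1.13.10'] > v['1.13.9'],
  }
end

if $PROGRAM_NAME == __FILE__
  triage(LOCKFILE, ADVISORIES).each { |gem, status| puts "#{gem}: #{status}" }
  semantics_checks.each { |name, ok| puts "#{name}: #{ok}" }
end
```

Running this against a real Gemfile.lock and an advisory's stated range gives a local answer to "is this already patched?" that uses the package manager's own comparison rules; if an alert disagrees with it, the alert is the thing to question.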