Confusing security reports

[mcandre]

Dependabot shows conflicting information on the basic status of vulnerabilities.

I'm getting email alerts AND open security alert tickets, YET when I investigate, dependabot remarks that the vulnerability is already patched. How am I supposed to interpret that? Which part of the system is correct? Screenshot:

If the security issue is fixed, then please go ahead and automatically close (resolve) the ticket. Don't bug me with email reports for things that are already resolved, either.

Just to add further confusion, dependabot doesn't always behave the same way in the security tickets. Sometimes it doesn't even recognize that the version has been updated in the project:

At least two things appear to be broken in dependabot:

• Gaps in triggers for automatically closing resolved security tickets once the version is identified as no longer affected.
• Inconsistent dependency version identification, that fails to align with the version resolution semantics of popular package managers like Bundler.