Fails to recognize when ALL third party dependencies have been removed #16015
Unanswered
mcandre asked this question in Code Security
Replies: 0 comments
In the case that the user removes the third party dependency tree entirely, such as by removing the package.json or other such configuration file from version control, then Dependabot should follow suit and stop complaining about CVEs that are no longer present in the project.

Currently, Dependabot gets easily confused. It should respect the user's wishes and treat the removal of package management configuration files as a signal that the CVEs are no longer present; in fact the entire programming language may no longer be present. For example, when `package.json` files were initially used to manage JS CLI tools in non-JavaScript projects, and then the projects later have no need for those CLI tools.
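An added example (not part of mcandre's post and not Dependabot's own code) of how a maintainer could triage the situation described above: it separates open alerts whose manifest file is still tracked in git from those whose manifest has been deleted from version control. The alert records are constructed samples shaped after the `dependency.manifest_path`, `security_advisory.cve_id` and `state` fields of the Dependabot alerts API, the CVE ids are placeholders, and the `git ls-files` output is simulated.

```python
import subprocess
from collections import defaultdict

# Constructed sample: paths still tracked in version control, as `git ls-files`
# would print them. package.json has been removed from the repository.
TRACKED_FILES = """\
README.md
src/main.go
go.mod
go.sum
"""

# Constructed sample alerts, shaped like Dependabot alert records
# (dependency.manifest_path, security_advisory.cve_id, state).
# The CVE ids are placeholders, not real advisories.
ALERTS = [
    {"number": 1, "state": "open",
     "dependency": {"package": {"ecosystem": "npm", "name": "example-pkg"},
                    "manifest_path": "package.json"},
     "security_advisory": {"cve_id": "CVE-0000-00001"}},
    {"number": 2, "state": "open",
     "dependency": {"package": {"ecosystem": "go", "name": "example.com/mod"},
                    "manifest_path": "go.mod"},
     "security_advisory": {"cve_id": "CVE-0000-00002"}},
    {"number": 3, "state": "dismissed",
     "dependency": {"package": {"ecosystem": "npm", "name": "other-pkg"},
                    "manifest_path": "package.json"},
     "security_advisory": {"cve_id": "CVE-0000-00003"}},
]


def tracked_paths(ls_files_output: str) -> set[str]:
    """Parse `git ls-files` output into a set of tracked paths."""
    return {line.strip() for line in ls_files_output.splitlines() if line.strip()}


def git_tracked_paths(repo_dir: str = ".") -> set[str]:
    """Collect tracked paths from a real checkout (not used by the sample run)."""
    out = subprocess.run(["git", "ls-files"], cwd=repo_dir, capture_output=True,
                         text=True, check=True).stdout
    return tracked_paths(out)


def stale_alerts(alerts, tracked):
    """Return open alerts whose manifest is no longer tracked, keyed by manifest.

    An open alert pointing at a tracked manifest is a live finding; one whose
    manifest was deleted from version control is stale and should be closed or
    re-verified rather than left sitting in the alert queue.
    """
    stale = defaultdict(list)
    for alert in alerts:
        if alert["state"] != "open":
            continue
        manifest = alert["dependency"]["manifest_path"]
        if manifest not in tracked:
            stale[manifest].append(alert["security_advisory"]["cve_id"])
    return dict(stale)
```

Running `stale_alerts(ALERTS, tracked_paths(TRACKED_FILES))` on the sample reports only the npm alert tied to the deleted `package.json`; the `go.mod` alert stays live and the dismissed alert is ignored.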