Dependabot reporting on deleted files

[davidpustai]

1. I've committed a package.json with a library subdirectory included in my project (not using package manager for this project).
2. Dependabot reported a security alert.
3. I've deleted the package.json and thought that it would resolve it.

But I'm still getting the alert listed in my daily e-mail notification (and in the list of alerts on repository Security page). I've tried to dismiss the alert with "A fix has already been started", didn't change anything.

The alert page further shows a warning message "Dependabot cannot update this dependency" detailed as "Dependabot couldn't update this dependency to the required version as it doesn't support your dependency files.".

[sambdavidson]

+1 bump

[davidpustai]

Hm. Not sure if fixed and resolved, I've dismissed the alert before so cannot check now, but it is no longer reported in my weekly report.

[rob4629]

Similar situation. I was investigating a couple of libraries, but deleted them a few months ago... randomly started getting security alerts for them 🤷‍♂

[carlgunderson]

I have a repo that used to be an Angular project with a yarn.lock file. That file was deleted from the repo several months ago. But I continuously get security alerts from dependencies that were referenced in the yarn.lock.

The dependencies do not exist and that file does not exist.

Clicking the filename link does nothing.

[lopopolo]

I converted some repos from yarn.lock to package-lock.json and I only get Github Security Advisories for the long-since deleted yarn.lock file. It is unclear if the existing package-lock.json file is monitored.

[levenleven]

I have monorepo and deleted one of the packages. But still getting alerts once a while (until dismissed) for no longer existing package-lock.json

[christopherblaser]

Getting this as well from a long since deleted yarn.lock file.

[karlhorky]

I'm also being affected by this (I deleted a package-lock.json file a long time ago), but:

• not just about old security notifications (I am also getting new security notifications)
• not just notifications over email - they also show up in the GitHub notifications list

Here's an example (I've marked this as "This alert is inaccurate or incorrect"): https://github.com/karlhorky/talks/network/alert/packages/2017-11-01-react-open-source-the-effect-of-react-on-web-standards/package-lock.json/elliptic/closed

@davidpustai can you update the title and description to be more general regarding the points above? It's about Dependabot reporting on deleted files in all ways, which is a bug and shouldn't happen.

[WereDev]

I too am having this issue. The files it's reporting have been deleted for months. Even the folders that they used to be in are long gone.

[rlisowski]

The same for me. File and directory have been deleted a while ago but I still get new notifications about vulnerabilities.

[rande]

Did you have a branch with those deps still available ?

[WereDev]

Did you have a branch with those deps still available ?

In my case, no. There are only two branches and the files were completely removed from both. I haven't checked it in a while as all I was getting was false reports so I disabled the feature.

[liddellj]

I also recently experienced this - received an alert against a package.json file that had been deleted from the master branch weeks ago. Clicking the link to the package.json in the alert resulted in a 404. We do have stale branches that will still include that package, but my understanding was that dependabot should only pay attention to the default branch.