Incorrect dependabot alerts when version in package-lock.json is outside affected range
#9528
Closed
Labels
L: git:submodules
Git submodules
L: go:modules
Golang modules
L: javascript
L: ruby:bundler
RubyGems via bundler
T: bug 🐞
Something isn't working
Is there an existing issue for this?
Package ecosystem
npm
Package manager version
npm@10
Language version
node 20
Manifest location and content before the Dependabot update
https://github.com/go-gitea/gitea/blob/main/package-lock.json
dependabot.yml content
No response
Updated dependency
No response
What you expected to see, versus what you actually saw
No dependabot alert raised, but it raised multiples for GHSA-35jh-r3h4-6jhm, like for example https://github.com/go-gitea/gitea/security/dependabot/64. lodash@4.17.21 does not match the affected version range <= 4.5.0 and npm ls lodash also confirms there is no affected version in the file:
Native package manager behavior
No response
Images of the diff or a link to the PR, issue, or logs
No response
Smallest manifest that reproduces the issue
No response
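An added check, not code from the issue or from Dependabot, that walks a package-lock.json and compares every locked copy of a package (hoisted and nested) against a GHSA-style affected range; it generalizes the single "<= 4.5.0" clause to comma-separated conjunctions, and the lockfile contents below are constructed rather than taken from the gitea repository.

```python
import json
import re
# Constructed sample lockfile (lockfileVersion 3 layout, not the gitea one):
# one hoisted lodash plus an older copy nested under another package.
SAMPLE_LOCK = json.dumps({
    "name": "sample", "lockfileVersion": 3,
    "packages": {
        "": {"name": "sample"},
        "node_modules/lodash": {"version": "4.17.21"},
        "node_modules/some-tool": {"version": "1.2.3"},
        "node_modules/some-tool/node_modules/lodash": {"version": "4.17.15"},
    },
})

_OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
        ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
        "=": lambda a, b: a == b}

def parse_version(v):
    """Numeric (major, minor, patch) of a semver string; tags are ignored."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"not a semver version: {v!r}")
    return tuple(int(x) for x in m.groups())

def in_range(version, advisory_range):
    """True when `version` satisfies every comma-separated clause of a
    GHSA-style range such as '<= 4.5.0' or '>= 4.0.0, < 4.17.21'."""
    ver = parse_version(version)
    for clause in advisory_range.split(","):
        m = re.fullmatch(r"\s*(<=|>=|<|>|=)\s*(\S+)\s*", clause)
        if not m:
            raise ValueError(f"bad range clause: {clause!r}")
        if not _OPS[m.group(1)](ver, parse_version(m.group(2))):
            return False
    return True

def locked_versions(lock_json, name):
    """Every install path of `name` in a v2/v3 lockfile, mapped to its version.
    Nested copies live under 'node_modules/<parent>/node_modules/<name>'."""
    lock = json.loads(lock_json)
    return {path: meta["version"]
            for path, meta in lock.get("packages", {}).items()
            if path.split("node_modules/")[-1] == name and "version" in meta}

def affected_installs(lock_json, name, advisory_range):
    """Install paths whose locked version falls inside the advisory range."""
    return sorted(p for p, v in locked_versions(lock_json, name).items()
                  if in_range(v, advisory_range))
```

For the reporter's case, `affected_installs(SAMPLE_LOCK, "lodash", "<= 4.5.0")` returns an empty list, while a range that does cover the nested 4.17.15 copy reports only that path.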