
How to verify a Dependabot-suggested “Alert Workaround” was successful?


How do you proceed if Dependabot is not able to create a PR for an alert but just outlines a "Workaround"?

I did what the workaround suggested, merged my changes and was expecting Dependabot to run its checks again and preferably close the alert itself if the vulnerability was dealt with. However, the only option I see is to "Dismiss the alert – A fix has already been started". Is that all I can do and hope I did everything right?

In a GitHub project under "Security" –> "Vulnerability alerts" –> "Dependabot" I have an open alert: "Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code". In contrast to some other alerts, for this one no automatic pull request was created to fix the issue. Only some "Workarounds" were outlined in the details of the alert. I followed one of them (deleting one dependency from your package manager’s lockfile and re-installing the dependencies) and merged my changes into main. However, the alert is still showing up in the list of open Dependabot alerts.

I closed the alert by clicking "Dismiss alert" and selecting "A fix has already been started" as the reason to dismiss. However, I’m not 100% sure whether the workaround actually worked and the vulnerability was properly dealt with. I would expect Dependabot to check my code again after the merge and close the alert automatically if it verified that it’s fixed.

What is the right way to close the alert?

Thank you very much!

felix
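Dependabot judges an alert from what the lockfile on the default branch resolves, so the practical check after a "delete it from the lockfile and reinstall" workaround is to look at the lockfile itself and confirm that no copy of the affected package, including nested copies pulled in by other dependencies, is still below the patched version. The script below is an added example and not part of the question or of any GitHub tooling; the `package-lock.json` excerpt is constructed for illustration, and `PACKAGE` and `FIXED_VERSION` are placeholders, since the post names only "Babel" and no specific package or version (take the real values from the advisory text in the alert).

```python
"""List every resolved copy of a package in package-lock.json and flag the ones
still below a minimum fixed version.

Added example, not from the original post. PACKAGE and FIXED_VERSION are
placeholders; SAMPLE_LOCKFILE is a constructed lockfile excerpt.
"""
import json
import re
from typing import Dict, Tuple

# Constructed lockfile (lockfileVersion 2/3 layout: "packages" keyed by install path).
# The top-level copy is patched, but a plugin still carries its own nested copy
# below the fixed version; that is the situation a lockfile-only workaround can miss.
SAMPLE_LOCKFILE = json.dumps({
    "name": "demo",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo", "dependencies": {"@example/compiler": "^1.2.0"}},
        "node_modules/@example/compiler": {"version": "1.2.5"},
        "node_modules/some-plugin": {"version": "0.9.0"},
        "node_modules/some-plugin/node_modules/@example/compiler": {"version": "1.1.9"},
    },
})

PACKAGE = "@example/compiler"  # placeholder: the package named in the alert
FIXED_VERSION = "1.2.0"        # placeholder: the first patched version from the advisory


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.2.5' (a pre-release suffix such as '-beta.1' is ignored) into a comparable tuple."""
    core = version.split("-", 1)[0]
    return tuple(int(part) for part in re.findall(r"\d+", core)[:3])


def _walk_v1(deps: dict, package: str, prefix: str, out: Dict[str, str]) -> None:
    """lockfileVersion 1 nests a 'dependencies' tree instead of a flat 'packages' map."""
    for name, meta in deps.items():
        path = f"{prefix}node_modules/{name}"
        if name == package:
            out[path] = meta["version"]
        _walk_v1(meta.get("dependencies", {}), package, path + "/", out)


def installed_copies(lock_text: str, package: str) -> Dict[str, str]:
    """Return {install_path: version} for every copy of `package`, nested ones included."""
    lock = json.loads(lock_text)
    copies: Dict[str, str] = {}
    for path, meta in lock.get("packages", {}).items():
        # A copy lives either at the top level or under some other package's node_modules.
        if path == f"node_modules/{package}" or path.endswith(f"/node_modules/{package}"):
            copies[path] = meta["version"]
    if not copies and "dependencies" in lock:
        _walk_v1(lock["dependencies"], package, "", copies)
    return copies


def vulnerable_copies(lock_text: str, package: str, fixed_version: str) -> Dict[str, str]:
    """Subset of installed_copies() whose version is still older than `fixed_version`."""
    fixed = parse_version(fixed_version)
    return {
        path: version
        for path, version in installed_copies(lock_text, package).items()
        if parse_version(version) < fixed
    }


if __name__ == "__main__":
    # Replace SAMPLE_LOCKFILE with open("package-lock.json").read() for a real repository.
    found = installed_copies(SAMPLE_LOCKFILE, PACKAGE)
    bad = vulnerable_copies(SAMPLE_LOCKFILE, PACKAGE, FIXED_VERSION)
    for path, version in found.items():
        status = "STILL VULNERABLE" if path in bad else "ok"
        print(f"{status:16} {version:10} {path}")
    print("workaround effective" if not bad else f"{len(bad)} vulnerable copy(ies) remain")
```

Run it against the repository's real `package-lock.json` after the merge; any path it reports as still vulnerable is a copy that the reinstall did not move to a patched version, usually because another dependency pins the old one, and that copy is what keeps the alert open. `npm ls <package>` and `npm audit` give npm's own view of the same tree and are a useful cross-check. Dismissing the alert records a reason but does not re-evaluate anything; the alert resolves on its own once the default branch's lockfile no longer resolves a vulnerable version.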


