
Security fix version for vulnerable dependencies #2389

Closed
milind009 opened this issue Jul 30, 2020 · 1 comment
Labels
core 🍏 Relates to the dependabot-core library itself F: security-updates 🔐 Issues specific to security updates L: javascript:npm npm packages via npm L: javascript:yarn npm packages via yarn

Comments

@milind009
Contributor

milind009 commented Jul 30, 2020

Recently, I was going through how dependabot handles dependency updates in case of vulnerable dependencies for npm- and yarn-based repos. A few questions I had around that are:

  • For direct dependencies, it returns the lowest security fix version, but it does not check whether the version is resolvable or not (i.e. checking for peer dependency requirements and other checks, as is done while getting the latest resolvable version).

  • Currently for npm and yarn, dependabot handles security updates only for requirements_to_unlock = :own. Is it not applicable for :none and :all, or is there some other reason behind not implementing it for the other two values?

@feelepxyz Is there any implementation detail that makes these scenarios invalid? Can you take a look once?
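To make the two questions concrete, here is an added illustration (not dependabot-core's own code, and not something the reporter or maintainers posted) of the difference between "lowest security fix version" and "lowest *resolvable* security fix version", plus a simplified model of what `requirements_to_unlock = :none` versus `:own` means for the candidate. It uses `Gem::Version`/`Gem::Requirement` from the Ruby standard library as a stand-in for npm semver range matching; the package names, registry versions, advisory range and peer requirements are all constructed sample data, and `:all` is deliberately not modelled.

```ruby
# Hypothetical helper, not dependabot-core's own code. Gem::Requirement is
# used in place of npm semver ranges; all data below is constructed.
require "rubygems"

# Constructed sample: versions the registry offers for the vulnerable package.
AVAILABLE_VERSIONS = %w[4.17.15 4.17.16 4.17.19 4.17.20 4.17.21 5.0.0].freeze

# Constructed advisory: every version matched by this range is vulnerable.
VULNERABLE_RANGE = Gem::Requirement.new("< 4.17.19")

# Constructed peer requirements from packages already in the lockfile, e.g.
# a plugin declaring "peerDependencies": { "<pkg>": ">= 4.17.20 < 5" }.
PEER_REQUIREMENTS = {
  "some-plugin" => Gem::Requirement.new(">= 4.17.20", "< 5.0.0")
}.freeze

def sorted_versions(versions)
  versions.map { |v| Gem::Version.new(v) }.sort
end

# Naive selection from the first question: the lowest non-vulnerable
# version, with no check that the rest of the tree can resolve against it.
def lowest_security_fix_version(versions, vulnerable_range)
  sorted_versions(versions).find { |v| !vulnerable_range.satisfied_by?(v) }&.to_s
end

# Resolvable selection: the candidate must also satisfy every peer
# requirement. requirements_to_unlock models the second question in a
# simplified way: with :none the manifest is not edited, so the candidate
# must additionally satisfy the manifest's existing requirement; with :own
# the package's own manifest requirement may be rewritten, so it is ignored.
def lowest_resolvable_security_fix_version(versions, vulnerable_range, peer_requirements,
                                           manifest_requirement: nil,
                                           requirements_to_unlock: :own)
  sorted_versions(versions).find do |v|
    next false if vulnerable_range.satisfied_by?(v)
    next false unless peer_requirements.values.all? { |req| req.satisfied_by?(v) }
    next true unless requirements_to_unlock == :none && manifest_requirement

    manifest_requirement.satisfied_by?(v)
  end&.to_s
end

# Names the peers a candidate would conflict with; useful when explaining
# why the naive pick cannot be installed.
def conflicting_peers(version, peer_requirements)
  v = Gem::Version.new(version)
  peer_requirements.reject { |_, req| req.satisfied_by?(v) }.keys
end

if __FILE__ == $PROGRAM_NAME
  naive = lowest_security_fix_version(AVAILABLE_VERSIONS, VULNERABLE_RANGE)
  puts "lowest fix version:            #{naive}"
  puts "conflicts with peers:          #{conflicting_peers(naive, PEER_REQUIREMENTS).inspect}"

  resolvable = lowest_resolvable_security_fix_version(
    AVAILABLE_VERSIONS, VULNERABLE_RANGE, PEER_REQUIREMENTS
  )
  puts "lowest resolvable fix version: #{resolvable}"

  # With :none and a pinned manifest there may be no acceptable candidate at all.
  pinned = lowest_resolvable_security_fix_version(
    AVAILABLE_VERSIONS, VULNERABLE_RANGE, PEER_REQUIREMENTS,
    manifest_requirement: Gem::Requirement.new("= 4.17.15"),
    requirements_to_unlock: :none
  )
  puts "fix without unlocking pin:     #{pinned.inspect}"
end
```

The naive pick (4.17.19) is outside the constructed peer range and would fail to install, while the resolvable pick (4.17.20) is the lowest version that both clears the advisory and keeps the peers satisfied; with `:none` against a pinned manifest requirement no candidate qualifies, which is one reason a security update may only be possible once the package's own requirement is unlocked.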

@lseppala lseppala added F: security-updates 🔐 Issues specific to security updates L: javascript:npm npm packages via npm L: javascript:yarn npm packages via yarn core 🍏 Relates to the dependabot-core library itself labels Dec 7, 2021
@jeffwidman
Member

This code has changed a lot in the 2+ years since this issue was filed, and the behavior described above is likely no longer true... especially because we invested some effort into improving how we handle security updates for npm / yarn over the past year.

I'm going to close, but if you're still looking for an answer, please take a look at the current source to see which questions are still relevant and then comment and we can re-open, or perhaps it's easier to simply file a new ticket. To be clear, we are happy to answer questions, I just don't want to spend time digging in the source given that it's likely you're no longer interested in the answers to two-year-old questions.

@jeffwidman jeffwidman closed this as not planned Won't fix, can't repro, duplicate, stale Nov 24, 2022
3 participants