Dependabot shows an alert which it says is no longer vulnerable. #4222

Closed
root-lib opened this issue Sep 14, 2021 · 9 comments
Labels
F: security-updates 🔐 Issues specific to security updates L: javascript:yarn npm packages via yarn T: bug 🐞 Something isn't working

Comments

@root-lib

There are a couple of alerts, e.g. "No security update is needed as browserslist is no longer vulnerable", where the patched version is 4.16.5; however, the app updated the dependency to 4.17.0, so technically the issue should go away.

So what we are observing is that the alert is still present; however, on the details page it says "alert is no longer vulnerable".

Looking into the vulnerability itself, it says nothing about versions greater than 4.16.5, so maybe that's why the alert persists (this is my guess). I believe this is a bug, as the alert should be removed.

package manager -> npm
package -> browserslist
CVE -> CVE-2021-23364
language -> JavaScript
package lock file -> ui/yarn.lock

dependabot.yml:

```yaml
version: 2
updates:
  - package-ecosystem: npm
    directory: "/"
    target-branch: "dependabot-updates"
    schedule:
      interval: monthly
  - package-ecosystem: npm
    directory: "/ui"
    target-branch: "dependabot-updates"
    schedule:
      interval: monthly
```
@root-lib root-lib added the T: bug 🐞 Something isn't working label Sep 14, 2021
@jeffwidman
Member

jeffwidman commented Aug 25, 2022

👋 Hey there! Sorry for the glacially slow response... we've been a bit buried the past few years, and only just now starting to dig through some of our backlog.

This issue is pretty old, and we've pushed a lot of bugfixes since then... is this still a valid / reproducible issue?

Also, let's limit the discussion in this issue to browserslist, as the root cause for the problem can vary depending on the package it's referring to...

I broke the comment about the lock file with two versions of a pkg into a separate issue in #5584 so that we don't lose track of it.

@G-Rath

G-Rath commented Aug 25, 2022

@jeffwidman we have this a lot on our repos, though not specifically with browserslist - what's the best way to report these to you if you want them individually?

@halo

halo commented Aug 25, 2022

Hi, no need to say sorry :) In 2021 I had outdated warnings for ruby gems. Those have since disappeared, so I consider that part fixed.

@jeffwidman
Member

@G-Rath Good question... I'm not sure, but I've asked internally and will circle back.

@jeffwidman jeffwidman added the L: javascript:yarn npm packages via yarn label Aug 31, 2022
@jeffwidman jeffwidman moved this to In Progress in Dependabot Aug 31, 2022
@jeffwidman jeffwidman added the F: security-updates 🔐 Issues specific to security updates label Aug 31, 2022
@jeffwidman jeffwidman removed the status in Dependabot Aug 31, 2022
@G-Rath

G-Rath commented Aug 31, 2022

@jeffwidman cheers, I've got at least three to report :)

@lucasgonze

> This issue is pretty old, and we've pushed a lot of bugfixes since then... is this still a valid / reproducible issue?

This particular item is gone now, for the moment, I assume.

@jeffwidman
Member

jeffwidman commented Sep 17, 2022

So I learned a little more from teammates about npm (an ecosystem that I've never worked with directly myself). Here's my current understanding:

  1. The alerts are triggered by manifest parsing code that is a separate code path from dependabot-core's parsing code. So if the alert manifest parsing code thinks the repo is still vulnerable, the alert will persist.
  2. npm allows multiple versions of a dependency in the dep tree... and these are used in the code at runtime... the newest is not superseding the old one. So if those exist, you're still vulnerable.
  3. dependabot-core has a known bug where it only updates the lowest version of a dependency... so Dependabot may try to create a PR, then report that npm is no longer vulnerable, when in fact a later version of the dependency is vulnerable and is still in the tree. That's tracked in "npm erroneously reports no longer vulnerable with multiple versions of dependency" (#5741).
  4. The alerts are generated based on information in the GitHub advisory database. So if that database lists all versions > 0.16.5 as vulnerable, but the maintainer just pushed v0.17.0 which fixes the issue, then the alert will not disappear until the advisory database is updated. Thankfully, you can submit a PR to the advisory DB to fix an incorrect version specifier.

So I suspect that the majority of these cases are symptoms of #5741.

As far as reporting additional cases, first take a look at your manifests to see if it matches the behavior of #5741. If it's something different, then file a new issue.

If at all possible, please include a link to a public repo that can reproduce the problem. That should generally be possible, but if for some reason it's not you can file a support ticket instead with a link to your private repo.

And to be clear, we don't mind more issues, as long as you've done your homework to ensure they're valid.

In the meantime, I'm going to close this issue as the original browserslist issue is resolved, and if we leave it open it'll continue to be a "catch-all" ticket... Unfortunately catch-all issues aren't really helpful because while the symptoms may be similar, the root cause may be entirely different.
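As an added example (not code from this thread or from Dependabot), the script below does the lockfile check jeffwidman asks reporters to do first: it lists every version of a package resolved in a yarn.lock v1 file, so a second, older copy of browserslist still sitting in the tree next to the updated one is visible. The sample lockfile and its registry URLs are constructed; the patched version 4.16.5 is the one from the original report.

```python
import re

# Constructed sample yarn.lock (v1 format): two resolved versions of
# browserslist coexist, which is the situation the thread describes.
SAMPLE_YARN_LOCK = """\
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"@babel/core@^7.12.0":
  version "7.15.5"
  resolved "https://registry.yarnpkg.com/@babel/core/-/core-7.15.5.tgz"

browserslist@^4.16.3, browserslist@^4.16.4:
  version "4.16.4"
  resolved "https://registry.yarnpkg.com/browserslist/-/browserslist-4.16.4.tgz"

browserslist@^4.17.0:
  version "4.17.0"
  resolved "https://registry.yarnpkg.com/browserslist/-/browserslist-4.17.0.tgz"
"""

_ENTRY = re.compile(r'^(\S.*):$')            # unindented "name@range, ...:" header
_VERSION = re.compile(r'^\s+version\s+"([^"]+)"')


def semver_key(version):
    """Numeric tuple for comparing plain x.y.z versions (pre-release tag dropped)."""
    return tuple(int(p) for p in version.split("-")[0].split("."))


def resolved_versions(lock_text):
    """Map package name -> sorted list of every version resolved in the lockfile."""
    versions, names = {}, []
    for line in lock_text.splitlines():
        m = _ENTRY.match(line)
        if m:
            # One header can list several ranges; scoped names start with '@',
            # so split on the last '@' to separate name from range.
            names = [s.strip().strip('"').rsplit("@", 1)[0]
                     for s in m.group(1).split(",")]
            continue
        m = _VERSION.match(line)
        if m and names:
            for name in names:
                versions.setdefault(name, set()).add(m.group(1))
            names = []
    return {n: sorted(v, key=semver_key) for n, v in versions.items()}


def vulnerable_versions(lock_text, package, patched):
    """Every resolved version of `package` that is still below `patched`."""
    return [v for v in resolved_versions(lock_text).get(package, [])
            if semver_key(v) < semver_key(patched)]
```

Run it against your own ui/yarn.lock; a non-empty result means the lockfile still resolves a vulnerable copy even though a newer one was added.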


6 participants