
Confusing message in dependabot vul. alerts when package-lock.json contain multiple versions of the same dependency #6288

Closed
nt-gt opened this issue Dec 9, 2022 · 8 comments
Labels
L: javascript:npm (npm packages via npm), T: bug 🐞 (Something isn't working)

Comments

@nt-gt

nt-gt commented Dec 9, 2022

Is there an existing issue for this?

  • I have searched the existing issues

Package ecosystem

npm

Package manager version

npm

Language version

node.js

Manifest location and content before the Dependabot update

No response

dependabot.yml content

No response

Updated dependency

Project was using loader-utils/1.4.2 (as the latest possible version of Dependabot)

Dependabot wanted to upgrade to 2.0.3 due to a vulnerability in 2.0.0

What you expected to see, versus what you actually saw

I got this warning about a vulnerability (see screenshot)

[screenshot of the Dependabot vulnerability alert]

As I read the vulnerability, my project is unaffected and cannot be affected, because it is using a "too old" version to be affected. Therefore, I expected not to get a security vulnerability alert for this issue at this time.

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

No response

Smallest manifest that reproduces the issue

No response

@nt-gt nt-gt added the T: bug 🐞 Something isn't working label Dec 9, 2022
@jeffwidman jeffwidman added the L: javascript:npm npm packages via npm label Dec 9, 2022
@jamestran201

Hi @nt-gt, we have a couple questions to further investigate this issue:

  • What is the name of the repository and its owner on GitHub?
  • Is the repository hosted on GHES? If so, which version of GHES is being used?
  • Could you send us the package.json and package-lock.json files for this repo?

@nt-gt
Author

nt-gt commented Jan 4, 2023

Hi,

The repo is hosted on github but it is private, so I am not sure it helps.

Do you have a non-public way I can transmit the actual details to you? We do have some unresolved and presumably real dependabot security issues next to this false report. As I understand it, the requested files would expose those details along with the project that contains them.

@jamestran201

In that case, you can open a ticket through support.github.com and include the info about your repository, your manifest files, and that you're using github.com. Our support team will help you investigate the issue.

@nt-gt
Author

nt-gt commented Jan 4, 2023

Thanks, I have created a ticket now (#1951187). :)

@nt-gt
Author

nt-gt commented Jan 6, 2023

As clarified in the support ticket, I have two versions of loader-utils in my .lock file. The line saying "The latest possible version of loader-utils that can be installed is ..." was making me believe otherwise.

I think the root cause of this issue is that the dependabot security is providing confusing information when this case happens.

I think having a "There are multiple versions of this dependency in the .lock file of this project and at least one of these versions is in the range of affected versions" would have prevented me from thinking this was a false positive. Alternatively, removing the "The latest possible version of X that can be installed is ..." when there are multiple versions of the dependency would probably have worked as well in this case (where it is a transitive dependency).
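The situation described in this thread (a lockfile that installs one copy of loader-utils at 1.4.2 for the top-level project and a second, nested copy at 2.0.0 under a transitive dependency, where only the nested copy is in the affected range) can be checked without trusting the alert text at all. The script below is an added example, not code from Dependabot or from the reporter: it enumerates every installed copy of a package from a package-lock.json (both the lockfileVersion 2/3 "packages" map and the older lockfileVersion 1 nested "dependencies" tree), then tests each copy against an affected range. The lockfile contents, the package name `some-loader` and the range `>=2.0.0 <2.0.3` are constructed for illustration and are not taken from the advisory; only plain `major.minor.patch` versions and simple comparator ranges are supported.

```javascript
// Added example (not part of this issue or of Dependabot): list every copy of a
// package that a package-lock.json installs and test each copy against an
// affected version range. This is why "latest installable version is 1.4.2"
// can coexist with a real alert: a nested copy at 2.0.0 is also installed.

// Constructed sample in the lockfileVersion 2/3 layout ("packages" keyed by
// install path). Not the reporter's real lockfile.
const SAMPLE_LOCK_V3 = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { 'some-loader': '^1.0.0' } },
    'node_modules/loader-utils': { version: '1.4.2' },
    'node_modules/some-loader': { version: '1.0.0', dependencies: { 'loader-utils': '^2.0.0' } },
    'node_modules/some-loader/node_modules/loader-utils': { version: '2.0.0' },
  },
};

// The same constructed install tree in the lockfileVersion 1 layout (nested
// "dependencies" objects), so both formats can be checked.
const SAMPLE_LOCK_V1 = {
  name: 'example-app',
  lockfileVersion: 1,
  dependencies: {
    'loader-utils': { version: '1.4.2' },
    'some-loader': {
      version: '1.0.0',
      dependencies: { 'loader-utils': { version: '2.0.0' } },
    },
  },
};

// Parse "major.minor.patch"; pre-release/build suffixes are ignored (assumption:
// the lockfile only carries plain numeric versions).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Range syntax: space-separated comparators, e.g. ">=2.0.0 <2.0.3" (all must hold).
function inRange(version, range) {
  const ops = { '>=': c => c >= 0, '>': c => c > 0, '<=': c => c <= 0, '<': c => c < 0, '=': c => c === 0 };
  return range.trim().split(/\s+/).every(tok => {
    const m = /^(>=|<=|>|<|=?)(\d.*)$/.exec(tok);
    if (!m) throw new Error(`unsupported comparator: ${tok}`);
    return ops[m[1] || '='](compareVersions(version, m[2]));
  });
}

// Package name from an install path: everything after the last "node_modules/",
// which keeps a scope prefix such as "@scope/pkg". Root entry ('') yields null.
function nameFromPath(p) {
  const idx = p.lastIndexOf('node_modules/');
  return idx === -1 ? null : p.slice(idx + 'node_modules/'.length);
}

function record(out, name, path, version) {
  if (!out.has(name)) out.set(name, []);
  out.get(name).push({ path, version });
}

// lockfileVersion 1: walk the nested dependency tree, building install paths.
function walkV1(deps, prefix, out) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const p = `${prefix}node_modules/${name}`;
    if (entry.version) record(out, name, p, entry.version);
    walkV1(entry.dependencies, `${p}/`, out);
  }
}

// Map of package name -> [{ path, version }] for every installed copy.
function installedVersions(lock) {
  const out = new Map();
  if (lock.packages) {
    for (const [p, entry] of Object.entries(lock.packages)) {
      const name = nameFromPath(p);
      if (name && entry.version) record(out, name, p, entry.version);
    }
  } else {
    walkV1(lock.dependencies, '', out);
  }
  return out;
}

// Every installed copy of `name` whose version falls inside `affectedRange`.
function findAffected(lock, name, affectedRange) {
  return (installedVersions(lock).get(name) || []).filter(c => inRange(c.version, affectedRange));
}

// Usage on a real file: node check-lock.js ./package-lock.json
if (typeof require !== 'undefined' && require.main === module) {
  const lockPath = process.argv[2];
  const lock = lockPath ? JSON.parse(require('fs').readFileSync(lockPath, 'utf8')) : SAMPLE_LOCK_V3;
  for (const hit of findAffected(lock, 'loader-utils', '>=2.0.0 <2.0.3')) {
    console.log(`affected copy: ${hit.path} (${hit.version})`);
  }
}
```

Run against the constructed sample, the top-level copy at 1.4.2 is correctly reported as not affected while the nested copy under `node_modules/some-loader` at 2.0.0 is, which is exactly the case the alert's "latest possible version that can be installed" line hides. The fix for the nested copy is wherever that copy is pinned (the transitive dependency's own range), so the top-level version is not what needs to change.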

@nt-gt nt-gt changed the title False positive vulnerability alert: Dependabot ignores lower bound on affected versions for vulnerabilities Confusing message in dependabot vul. alerts when package-lock.json contain multiple versions of the same dependency Jan 6, 2023
@jamestran201

@nt-gt Thank you for your feedback 🙇 . We'll make a note of this for future improvements. cc: @jeffwidman

@jeffwidman
Member

Thanks @jamestran201 for chiming in here.

@nt-gt sorry about this, completely agree it's painful, I know it's on our radar as we do get regular bug reports of this issue/confusion. I should have realized right away that was the underlying issue here, sorry about that.

@jeffwidman jeffwidman closed this as not planned Jan 9, 2023