Dependabot won't resolve alert despite updated dependency

[doerfli]

hi there!
my repository https://github.com/doerfli/shelly-temp shows active dependabot alerts (https://github.com/doerfli/shelly-temp/security/dependabot) for the nokogiri gem which should be updated to version >= 1.13.4. To the best of my knowledge i have dont that (https://github.com/doerfli/shelly-temp/blob/main/Gemfile.lock#L139), but the alerts won't vanish. Is this a bug?
And yes, i am aware that i could just silence them with a click, but if its a bug i tought i'd better report that.
Thanks, Marc

[jhutchings1]

Thanks for letting us know, I will flag this for our team to have a look.

[doerfli]

Thanks for looking into this.
Could it be that it has something to do with the gem version being listed platform dependent nokogiri (1.13.4-x86_64-darwin) - i have no clue how this is really called, but i mean the -x86_64-darwin suffix of the version.

[zokaibr]

@jhutchings1 any updates on this? I'm facing the same issue, I have a Gemfile.lock with Nokogiri version 1.13.6-x86_64-darwin and Dependabot still alerting about update Nokigiri to version >= 1.13.6.

[jhutchings1]

@dfmoreto Are you on cloud, or server? The team implemented a fix on cloud that should've closed the alert.

[jhutchings1]

The team has confirmed that there may have been some delay in data processing, but this should be working now. If you're still having issues, please contact Support so we can take a closer look. Thank you!

[adalric]

We are also seeing this on one of our projects, we don't have the suffix tho

[ianterrell]

I've been seeing this on our projects, too. We're also on Macs with suffixes of -x86_64-darwin.

It's amusing/annoying to get a Dependabot notification when the latest commit to the lock file has already updated to the latest version.

[ChaosCypher]

I've seen a similar scenario with codeql and alerts not resolving, it all stemmed from the configuration file, I wonder if dependabot has the same issue.

TLDR; codeql.yaml becomes the key for a repositories security alerts, if you change codeql.yaml to codeql.yml then github creates a new key and the alerts then get created under that key, but the previous codeql.yaml key remains in place. Meaning resolving alerts under one does not resolve the other, this means the alerts don't go away.

If you have a dependabot.yaml file and it was renamed to dependabot.yml or some other name I wonder if it experiences the same issues as codeql. Maybe worth taking a look?