dependency review ( Github advanced security) not able to detect security vulnerability in golang library

[babluEltropy]

I'm evaluating dependency review ( Github advanced security) to detect security vulnerability in golang libraries.

I tried one of the library which has security vulnerability as mentioned
library -> https://github.com/dgrijalva/jwt-go
vulnerability details -> GHSA-w73w-5m7g-f7qc

I tried evaluating this library using dependency review here
https://github.com/bkrockx/advanced-security-go-test/actions/workflows/dependency-review.yml

related GitHub action file ->
https://github.com/bkrockx/advanced-security-go-test/blob/main/.github/workflows/dependency-review.yml

But it was not able to detect security vulnerability in this library.

Can someone please suggest why this vulnerability is not getting detected ?

[jhutchings1]

The dependency graph doesn't show that you depend on jwt-go in your go.mod or go.sum files. You didn't change either of those in the PR, so there is no change to the set of dependencies we're tracking. https://github.com/bkrockx/advanced-security-go-test/network/dependencies

[babluEltropy]

Thank you jhutchings1,
After checking in go.mod and go.sum files, security vulnerability was detected in dependency review.