Is it possible to comment on dependabot alerts? #32674
Replies: 5 comments
-
In the same line of thought, an option to forward the dependabot alerts to the security team for review
-
Great feedback, thank you! Unfortunately, my understanding is that folks can currently only comment for dismissals.
-
What I end up doing is literally to 'dismiss the alert --> provide rally/jira ticket as a comment' and then re-open the ticket again :-) That way the comment shows up on the ticket.
-
Another vote for this - it would be really useful for alerts where the investigation has been done and you're just waiting for a new release of a dependency or the like
-
Bumping this one. I'm on a mission to resolve dependabot alerts across many legacy internal repos at my company and it's making me feel like Loki (s2 spoilers) with all the dependency trees I'm having to weave together. Being able to comment on or even assign an alert for other contributors to see would be amazing for transparency and collaboration. |
-
I started looking into a dependabot alert, and it will require upgrading a core dependency. Upgrading will be time consuming and will require careful coordination. I am not able to perform the upgrade now, but I would like to comment on the dependabot alert with my research findings and ideas. I would also like to block the dependabot alert on an issue dedicated to upgrading that core dependency (the upgrade may itself have blockers, and there will be several PRs and discussions related to the upgrade).
Is it possible to comment on dependabot alerts? Another possible way to handle this would be to 'create an issue from a dependabot alert'. The dependabot alert could provide a link to the issue for later discovery, and the newly created issue would be created from a template linking to the dependabot alert. Then all the comments, discussion, PRs, blockers, etc. could go into that newly created issue.