Dependabot-core: Dependabot reporting on deleted files

+1 bump

Hm. Not sure if fixed and resolved, I've dismissed the alert before so cannot check now, but it is no longer reported in my weekly report.

Similar situation. I was investigating a couple of libraries, but deleted them a few months ago... randomly started getting security alerts for them 🤷‍♂

I have a repo that used to be an Angular project with a yarn.lock file. That file was deleted from the repo several months ago. But I continuously get security alerts from dependencies that were referenced in the yarn.lock.

The dependencies do not exist and that file does not exist.

Clicking the filename link does nothing.

I converted some repos from yarn.lock to package-lock.json and I only get Github Security Advisories for the long-since deleted yarn.lock file. It is unclear if the existing package-lock.json file is monitored.

I have monorepo and deleted one of the packages. But still getting alerts once a while (until dismissed) for no longer existing package-lock.json

Getting this as well from a long since deleted yarn.lock file.

I'm also being affected by this (I deleted a package-lock.json file a long time ago), but:

• not just about old security notifications (I am also getting new security notifications)
• not just notifications over email - they also show up in the GitHub notifications list

Here's an example (I've marked this as "This alert is inaccurate or incorrect"): https://github.com/karlhorky/talks/network/alert/packages/2017-11-01-react-open-source-the-effect-of-react-on-web-standards/package-lock.json/elliptic/closed

@davidpustai can you update the title and description to be more general regarding the points above? It's about Dependabot reporting on deleted files in all ways, which is a bug and shouldn't happen.

I too am having this issue. The files it's reporting have been deleted for months. Even the folders that they used to be in are long gone.

The same for me. File and directory have been deleted a while ago but I still get new notifications about vulnerabilities.

Did you have a branch with those deps still available ?

What would fix this?

Did you have a branch with those deps still available ?

In my case, no. There are only two branches and the files were completely removed from both. I haven't checked it in a while as all I was getting was false reports so I disabled the feature.

I also recently experienced this - received an alert against a package.json file that had been deleted from the master branch weeks ago. Clicking the link to the package.json in the alert resulted in a 404. We _do_ have stale branches that will still include that package, but my understanding was that dependabot should only pay attention to the default branch.

We had this issue today (GitHub Enterprise 2.22.4).

A workaround -

1. Replace the deleted package.json file with one that has zero dependencies. Commit it.
2. Delete the package.json file. Commit it.

The result of this is the zeroing out of the Dependency Graph for that file, but the file remains mentioned in the dependency graph view. You shouldn't get any more security warnings for those outdated dependencies.

I know the Dependency Graph team is aware of this, I'll link them to this thread