Dependabot-core: Wrong dependency version detected in package-lock.json, resulting in false-positive alert

Created on 6 Sep 2020 · 7 comments · Source: dependabot/dependabot-core

Package manager/ecosystem
javascript

Manifest contents prior to update
https://github.com/AlCalzone/node-zwave-js/blob/42a8a329396d950085424537aecf618a798c4874/package-lock.json

Updated dependency
https://github.com/AlCalzone/node-zwave-js/network/alert/package-lock.json/handlebars/closed
The only occurrence of handlebars is ^4.7.6, however dependabot tries to update it to version 4.5.3 or later and fails with "one or more other dependencies require a version that is incompatible with this update".

What you expected to see, versus what you actually saw
I expected no update or alert at all, since the used version is already higher than necessary.

Images of the diff or a link to the PR, issue or logs
https://github.com/AlCalzone/node-zwave-js/network/alert/package-lock.json/handlebars/closed/update-errors/48749721

bug 🐞

All 7 comments

Hi @AlCalzone, did you receive only an alert or also a pull request?

Only an alert (or rather three to be exact), which includes an error that dependabot could not update:

This is the description under "view details about this error":

Thanks, I don't work on those alerts myself, but I'll route this to the right team, thanks @AlCalzone!

We've had those wrong reports 3 times in a row over the last 3 days. On the first report, the dependency wasn't even present in our package-lock.json. The reports yesterday and today were the same as the issue from the author: the version that's being requested to install is already installed.

This is the package-lock.json and this the report:


I'm now also getting the false positive for yargs-parser:

The lowest version in my package-lock.json is the recommended 18.1.1. Dependabot is unable to create an update (which is expected I guess).

I've experienced this, as well, and I have a hypothesis on why. In my case, dependabot reports the vulnerability in yargs-parser <= 5.0.0. The recommended remediation is: "Upgrade yargs-parser to version 5.0.0-security.0 or later". However, when I run npm ls yargs-parser on the main branch of my repo, I only see the patched version 5.0.0-security.0 listed. I manually checked my package-lock.json, as well.
I'm guessing this is maybe caused by the following:

  • the parent dependency of the yargs-parser is [email protected].
  • the package.json of yargs version 7.x lists yargs-parser "^5.0.0"
  • dependabot only sees the yargs-parser version in the yargs package.json, NOT my project's package-lock.json, therefore sending an alert

Would this be at all accurate? If so, is this the expected behaviour? I might be misunderstanding the internals of dependabot.
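To check the hypothesis above against a real repository, the following added example (not Dependabot's code and not the issue author's file) lists every copy of a package that package-lock.json actually resolved, alongside the ranges its parents declare, and tells whether all resolved copies are at or above an advisory's first patched version. The lock data embedded at the bottom is constructed for illustration; `cmpVersion` ignores prerelease tags, so treat its result for tags like `5.0.0-security.0` with care.

```javascript
// Compare major.minor.patch numerically; prerelease tags are ignored here.
function cmpVersion(a, b) {
  const [pa, pb] = [a, b].map((v) => v.split("-")[0].split(".").map(Number));
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Return {copies: [{path, version}], ranges: [range]} for `name`, walking a
// lockfileVersion 1 tree (nested "dependencies", parent "requires") or a
// lockfileVersion 2/3 "packages" map (parent "dependencies").
function inspectLock(lock, name) {
  const copies = [], ranges = [];
  if (lock.packages) {
    for (const [key, pkg] of Object.entries(lock.packages)) {
      if (key.split("node_modules/").pop() === name) copies.push({ path: key, version: pkg.version });
      if (pkg.dependencies && pkg.dependencies[name]) ranges.push(pkg.dependencies[name]);
    }
    return { copies, ranges };
  }
  const walk = (deps, prefix) => {
    for (const [dep, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${dep}`;
      if (dep === name) copies.push({ path, version: meta.version });
      if (meta.requires && meta.requires[name]) ranges.push(meta.requires[name]);
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return { copies, ranges };
}

// True when every resolved copy is at or above the advisory's first patched
// version: an alert derived only from a parent's declared range is then a false positive.
function allPatched(lock, name, firstPatched) {
  const { copies } = inspectLock(lock, name);
  return copies.length > 0 && copies.every((c) => cmpVersion(c.version, firstPatched) >= 0);
}

// Constructed sample lock for this added example (not the issue author's file or
// Dependabot's code): the parent declares "^4.5.0" for handlebars, but the lock
// resolved 4.7.6, which is above the 4.5.3 fix named in the issue.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    "some-build-tool": { version: "1.0.0", requires: { handlebars: "^4.5.0" },
                         dependencies: { handlebars: { version: "4.7.6" } } },
  },
};

console.log(inspectLock(sampleLock, "handlebars"), allPatched(sampleLock, "handlebars", "4.5.3"));
```

Point `inspectLock` at `JSON.parse(fs.readFileSync("package-lock.json"))` to run it on a real lock file; if `ranges` contains a range that still admits vulnerable versions while `copies` are all patched, the lock, not the declared range, is what is actually installed.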