Package manager/ecosystem: JavaScript
Manifest contents prior to update: yarn.lock, package.json
Description
One of our packages, hellojs, is flagged with a vulnerability in the WhiteSource Vulnerability Database; all versions below 1.18.6 are affected. However, dependabot won't recognise this vulnerability. Go to the WhiteSource Vulnerability Database and search for CVE-2020-7741.
I have created a repo where I can reproduce the issue. I have added hellojs and jquery at a version that has a vulnerability. We can see that dependabot finds the jquery vulnerability and creates a PR, but not for hellojs.
Is this a bug or have I missed something?
/C
Your package.json has hellojs as ^1.17.1 (minor updates), so it will update to the latest, which is 1.18.6 (since it's a minor update). If you check your yarn.lock you can see that it is indeed at 1.18.6. So this is working as intended, as the dependency is at the latest version.
For more information on versioning, check: https://docs.npmjs.com/about-semantic-versioning/ and to see what updates can be accepted with the version in package.json you can refer to this: https://semver.npmjs.com/
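An added example, not code from this issue or from dependabot, showing why the range in package.json and the version resolved in yarn.lock have to be read separately: the caret range ^1.17.1 admits 1.18.6, so only the lockfile version tells you whether the installed copy is below the fixed release. The versions and the fixed version (1.18.6, as stated in the first post) are taken from the thread; handling only caret and exact ranges is an assumption of this example.

```javascript
// Added example, not code from this issue or from dependabot: compares the
// package.json range with the version actually resolved in yarn.lock.
// Assumes plain x.y.z versions and only caret ('^') or exact ranges.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// ^x.y.z allows anything >= x.y.z below the next major (x > 0), so
// ^1.17.1 admits 1.18.6; for 0.y.z only the leftmost non-zero part is fixed.
function caretUpperBound(base) {
  if (base[0] > 0) return [base[0] + 1, 0, 0];
  if (base[1] > 0) return [0, base[1] + 1, 0];
  return [0, 0, base[2] + 1];
}

function satisfies(version, range) {
  const v = parseVersion(version);
  if (range.startsWith('^')) {
    const base = parseVersion(range.slice(1));
    return compare(v, base) >= 0 && compare(v, caretUpperBound(base)) < 0;
  }
  return compare(v, parseVersion(range)) === 0;
}

// What an alert has to look at is the resolved (lockfile) version, not the
// range; the range only tells you whether the fix can be pulled in.
function assess({ range, resolved, fixedIn }) {
  const vulnerable = compare(parseVersion(resolved), parseVersion(fixedIn)) < 0;
  return { vulnerable, fixAllowedByRange: satisfies(fixedIn, range) };
}

// Constructed inputs mirroring the thread: lockfile at 1.18.6, then at 1.18.4,
// with 1.18.6 as the fixed version given in the first post.
const latestLock = assess({ range: '^1.17.1', resolved: '1.18.6', fixedIn: '1.18.6' });
const pinnedLock = assess({ range: '^1.17.1', resolved: '1.18.4', fixedIn: '1.18.6' });
console.log(latestLock, pinnedLock);
```

With the lockfile at 1.18.6 the installed copy is not vulnerable, which is why no alert appeared in the first state of the repo; with it pinned at 1.18.4 it is, and the caret range still permits the fix.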
Ohh, sorry about the noise, I thought I had pushed the correct commit... I really need the upcoming Christmas break :)
But I have pushed the right commit now and I can't see the hellojs vulnerability over at
Thanks for the quick response!
/C
Hello and Happy new year! I realise I made some mistakes when I created this issue. I have now put my repo in a state where I think dependabot should find the vulnerability.
So I have updated the repo so that hellojs is installed @1.18.4, but there are still no dependabot alerts or pull requests in regards to hellojs.
If you go to the WhiteSource Vulnerability Database and search for CVE-2020-7741 you will see the vulnerability, and all versions below 1.18.5 should be affected.
@WalshyDev
We are still not seeing any vulnerability alerts from dependabot in regards to hellojs. Could we re-open this issue to get someone to take a closer look at it?