Snyk just looks at security issues, not all available updates. I see Dependabot (personally I use Renovate bot, as Dependabot has a broken security mode regarding forks: you can't disable Dependabot on a fork) as proactively upgrading dependencies, so the older dependency with a security issue is then not being used when the vulnerability gets announced, as you have already upgraded.
John

On Wed, 29 Dec 2021 at 14:48, sebb <seb...@gmail.com> wrote:
> Genuine question: has Dependabot alerted us to any security issues?
>
> If so which ones, and was it the only alert mechanism for that issue?
>
> Sebb