Dependabot opening Pull-Requests for logrocket referencing npm/security-holder #149619
Replies: 2 comments 1 reply
-
I think instead of trying to link to a GitHub repo where one does not exist, Dependabot should link to the NPM package on the NPM registry (https://www.npmjs.com/package/logrocket in this case).
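The fallback the reply above proposes, as an added example (not code from this discussion, from Dependabot, or from LogRocket): given a package's registry metadata, use the declared repository when there is one and otherwise link to the package's page on npmjs.com. How Dependabot itself resolves its link is not described in the thread, so the function names, the sample metadata, and the assumption that the "logrocket" record carries no repository field are all mine.

```javascript
// Added example, not code from this discussion, from Dependabot or from
// LogRocket: the fallback rule the reply proposes, implemented stand-alone.
// Given a package's registry metadata, use its declared repository when
// there is one and otherwise link to the package's page on npmjs.com.
// How Dependabot itself chooses the link is not described in the thread;
// function names and sample metadata below are assumptions.

const NPM_PACKAGE_PAGE = "https://www.npmjs.com/package/";

// Normalise the shapes a package.json "repository" field can take
// (object with "url", "git+https://...", "git@host:owner/repo.git",
// "github:owner/repo", bare "owner/repo") to one https URL.
// Returns null when no usable repository is declared.
function repositoryUrl(repository) {
  if (!repository) return null;
  let url = typeof repository === "string" ? repository : repository.url;
  if (typeof url !== "string" || url.trim() === "") return null;
  url = url.trim().replace(/^git\+/, "");

  // shorthand: "github:owner/repo" or "owner/repo"
  const short = url.match(/^(?:github:)?([\w.-]+)\/([\w.-]+)$/);
  if (short) return `https://github.com/${short[1]}/${short[2]}`;

  // scp-style or ssh:// remotes: git@github.com:owner/repo.git
  const ssh = url.match(/^(?:ssh:\/\/)?git@([^:/]+)[:/](.+?)(?:\.git)?\/?$/);
  if (ssh) return `https://${ssh[1]}/${ssh[2]}`;

  // git://, http:// or https:// remotes
  const web = url.match(/^(?:git|https?):\/\/([^/]+)\/(.+?)(?:\.git)?\/?$/);
  if (web) return `https://${web[1]}/${web[2]}`;

  return null; // unrecognised form: treat as undeclared rather than guess
}

// The link a dependency-update PR could show for this package:
// the normalised repository, or the registry page when none is declared.
function sourceLink(packument) {
  return repositoryUrl(packument.repository) ?? `${NPM_PACKAGE_PAGE}${packument.name}`;
}

// Constructed sample metadata (not the real registry records for these names).
const SAMPLE_PACKUMENTS = [
  { name: "acme-widget", repository: { type: "git", url: "git+https://github.com/acme/widget.git" } },
  { name: "acme-gadget", repository: "github:acme/gadget" },
  { name: "acme-sprocket", repository: { type: "git", url: "git@github.com:acme/sprocket.git" } },
  { name: "logrocket" }, // assumed: no repository field, modelling the case in the thread
];

// Map package name -> link for a batch of packuments.
function sourceLinks(packuments) {
  return Object.fromEntries(packuments.map((p) => [p.name, sourceLink(p)]));
}

for (const [name, link] of Object.entries(sourceLinks(SAMPLE_PACKUMENTS))) {
  console.log(`${name} -> ${link}`);
}
```

Unrecognised repository values fall through to the registry page rather than to a guessed GitHub URL, which is the point of the reply: a link that exists beats a link that merely looks right.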
-
🕒 Discussion Activity Reminder 🕒
This Discussion has been labeled as dormant by an automated system for having no activity in the last 60 days. Please consider one of the following actions:
1️⃣ Close as Out of Date: If the topic is no longer relevant, close the Discussion as
2️⃣ Provide More Information: Share additional details or context — or let the community know if you've found a solution on your own.
3️⃣ Mark a Reply as Answer: If your question has been answered by a reply, mark the most helpful reply as the solution.
Note: This dormant notification will only apply to Discussions with the
Thank you for helping bring this Discussion to a resolution! 💬
-
Topic Area: Question
Hello,
I'm using the LogRocket NPM package in a private project. When Dependabot creates a pull request updating LogRocket, it doesn't include a changelog or commit list in the PR description and links to the npm/security-holder NPM package. Is this expected behavior?
Upon further research, I noticed that this also happens on public repositories -> lbkulinski/cta4j-front-end#127
For a moment I was afraid that logrocket might have been compromised. Thankfully, I have no problems downloading and using the package with npm.