Does GitHub's dependency graph use the lock file or the manifest file for vulnerability alerts? #188992
Replies: 2 comments
We made the decision to disable the ability to earn Achievements in our Community in order to discourage users from participating in coordinated or inauthentic activity like rapid questions and answers in order to earn badges. You can learn more about this decision in our announcement post, "Achievements will no longer be available in the Community". Note that GitHub's Acceptable Use Policies prohibit coordinated or inauthentic activity like rapid questions and answers. As a result, we'll be unmarking the answer and locking this post. Any future violations may result in a temporary or indefinite block from the Community. Thanks for understanding.
I'm trying to understand exactly what Dependabot is scanning when it surfaces vulnerability alerts. My project has both a package.json and a package-lock.json, and the resolved versions in the lock file don't always match the semver ranges declared in the manifest.
Is Dependabot alerting based on what's declared (manifest) or what's actually installed (lock file)? And does this behavior differ between Dependabot alerts vs Dependabot security updates that open PRs?
I ask because I'm seeing an alert for a transitive dependency that technically satisfies the range in package.json but resolves to a vulnerable version in the lock file, so I'm not sure if this is expected behavior or a gap in the scanning.
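The situation the question describes (a direct dependency whose declared range is satisfied, while a transitive package that the manifest never names is pinned by the lock file to a version inside an advisory's vulnerable range) can be reproduced locally. The script below is an added example; it is not part of the original discussion, is not GitHub's or Dependabot's code, and does not say what Dependabot itself reads. It only shows what a manifest-only view and a lock-file view can each reveal. The package.json, the lockfileVersion 3 package-lock.json, the package names (left-widget, nested-lib) and the advisory entry are all constructed for illustration, and the range parser supports only the common npm operators (^, ~, >=, >, <=, <, =), not hyphen or || ranges.

```python
"""Compare what package.json declares with what package-lock.json pins, and
check the pinned versions against a constructed advisory list.
Added example: sample files, package names and the advisory are all made up."""
import json
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Constructed manifest: declares only one direct dependency, as a caret range.
PACKAGE_JSON = json.loads('{"name": "sample-app", "dependencies": {"left-widget": "^1.2.0"}}')

# Constructed lockfileVersion 3 file. left-widget pulls in nested-lib, which the
# lock file pins to 2.3.1 even though the manifest never names nested-lib.
PACKAGE_LOCK = json.loads("""{
  "name": "sample-app", "lockfileVersion": 3,
  "packages": {
    "": {"dependencies": {"left-widget": "^1.2.0"}},
    "node_modules/left-widget": {"version": "1.4.0", "dependencies": {"nested-lib": "^2.0.0"}},
    "node_modules/nested-lib": {"version": "2.3.1"}
  }
}""")

# Constructed advisory entries: (package, vulnerable range, first patched version).
ADVISORIES = [("nested-lib", "<2.4.0", "2.4.0")]


def parse_version(v: str) -> Version:
    """'1.4.0' -> (1, 4, 0); a leading 'v' and any pre-release/build suffix are dropped."""
    core = v.lstrip("v").split("-")[0].split("+")[0]
    parts = [int(p) for p in core.split(".")]
    return tuple((parts + [0, 0, 0])[:3])


_TOKEN = re.compile(r"^(\^|~|>=|<=|>|<|=)?v?(\d+(?:\.\d+){0,2}(?:[-+][\w.]+)?)$")
_OPS = {
    "=": lambda a, b: a == b, ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
}


def _bounds(token: str) -> List[Tuple[str, Version]]:
    """Expand one range token into explicit comparators (npm's ^ and ~ rules)."""
    m = _TOKEN.match(token)
    if not m:
        raise ValueError(f"unsupported range token: {token!r}")
    op, ver = m.group(1) or "=", parse_version(m.group(2))
    major, minor, patch = ver
    if op == "^":  # ^ allows changes that do not touch the left-most non-zero digit
        upper = (major + 1, 0, 0) if major else (0, minor + 1, 0) if minor else (0, 0, patch + 1)
        return [(">=", ver), ("<", upper)]
    if op == "~":  # ~ allows patch-level changes only
        return [(">=", ver), ("<", (major, minor + 1, 0))]
    return [(op, ver)]


def satisfies(version: str, range_str: str) -> bool:
    """True if version meets every space-separated comparator in range_str."""
    v = parse_version(version)
    return all(_OPS[op](v, bound) for tok in range_str.split() for op, bound in _bounds(tok))


def resolved_versions(lock: dict) -> Dict[str, List[str]]:
    """Package name -> every version the lock file actually pins (v2/v3 'packages' layout)."""
    pinned: Dict[str, List[str]] = {}
    for path, entry in lock.get("packages", {}).items():
        if not path:  # "" is the root project itself, not a dependency
            continue
        name = path.rsplit("node_modules/", 1)[-1]  # handles nested and @scoped paths
        pinned.setdefault(name, []).append(entry["version"])
    return pinned


def report(manifest: dict, lock: dict, advisories) -> dict:
    """Three views: direct pins outside their declared range, pinned versions inside an
    advisory's vulnerable range, and vulnerable packages a manifest-only scan cannot name."""
    pinned = resolved_versions(lock)
    declared = manifest.get("dependencies", {})
    direct_mismatches = [(n, rng, v) for n, rng in declared.items()
                         for v in pinned.get(n, []) if not satisfies(v, rng)]
    vulnerable = [(n, v, bad, fix) for n, bad, fix in advisories
                  for v in pinned.get(n, []) if satisfies(v, bad)]
    not_in_manifest = sorted({n for n, *_ in vulnerable if n not in declared})
    return {"direct_mismatches": direct_mismatches, "vulnerable": vulnerable,
            "not_in_manifest": not_in_manifest}


if __name__ == "__main__":
    for key, rows in report(PACKAGE_JSON, PACKAGE_LOCK, ADVISORIES).items():
        print(f"{key}: {rows}")
```

Run against the constructed files, the report shows no direct mismatch (1.4.0 satisfies ^1.2.0), one vulnerable pin (nested-lib 2.3.1 inside <2.4.0), and that nested-lib does not appear in the manifest at all; a scan that reads only declared ranges has nothing to match the advisory against, while a scan of the resolved tree does. To use it on a real project, replace the two constructed JSON objects with `json.load(open("package.json"))` and `json.load(open("package-lock.json"))` and feed in advisory ranges from the source you trust.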