How to clear Dependabot alerts

[jeffvc]

Select Topic Area

Question

Body

Once the defect in the code has been resolved, will Dependabot automatically clear the alert, or is this something that needs to be done manually by the coder?

[GigaSmurf]

Dependabot checks your code for outdated or insecure libraries. If it finds any, it sends you an alert and may also create a "fix" for you in the form of a pull request. You review the pull request, make sure it doesn't break anything, and then merge it into your code. Once the pull request is merged, Dependabot notices that the problem is fixed and the alert goes away by itself.

You don't need to manually clear the alerts if Dependabot's automated fix is merged. If you fix the issue yourself in another way, the alert should also clear on its own once you've pushed the changes. You can also close it manually when you go to the Security tab in your repository.

[jeffvc]

Thanks, info much appreciated!!

[github-actions[bot]]

🕒 Discussion Activity Reminder 🕒

This Discussion has been labeled as dormant by an automated system for having no activity in the last 60 days. Please consider one the following actions:

1️⃣ Close as Out of Date: If the topic is no longer relevant, close the Discussion as out of date at the bottom of the page.

2️⃣ Provide More Information: Share additional details or context — or let the community know if you've found a solution on your own.

3️⃣ Mark a Reply as Answer: If your question has been answered by a reply, mark the most helpful reply as the solution.

Note: This dormant notification will only apply to Discussions with the Question label. To learn more, see our recent announcement.

Thank you for helping bring this Discussion to a resolution! 💬

[penguineer]

This is not entirely true for me. I have 18 Dependabot warnings in https://github.com/penguineer/cleanURI-extractor, which I solved but upgrading the underlying framework to the most recent version.

However, now I am getting reports like this in the already open warnings:

I still have to close the warning manually.

I would expect that Dependabot closes any warnings that cannot be re-created for the most recent version of the code base, as it is non-existent now and therefore can be considered resolved.