In the following repository of my npm package, I have some Dependabot alerts.
However, those vulnerable packages are no longer installed as dependencies.
Dependabot alerts say they are in yarn.lock, but I already deleted yarn.lock from the repository several months ago.
npm audit and yarn audit also say my project has no vulnerable packages.
$ git clone firstname.lastname@example.org:phanect/create.git
$ cd create/
$ npm install
$ npm audit

=== npm audit security report ===

found 0 vulnerabilities
 in 836 scanned packages

$ yarn audit
yarn audit v1.22.5
info No lockfile found.
warning sao > micromatch > snapdragon > source-map-resolve > email@example.com: https://github.com/lydell/resolve-url#deprecated
warning sao > micromatch > snapdragon > source-map-resolve > firstname.lastname@example.org: Please see https://github.com/lydell/urix#deprecated
0 vulnerabilities found - Packages audited: 777
Done in 6.10s.
Is this a bug in Dependabot?
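One check worth running before filing a bug: a lockfile removed from the default branch can still exist on another branch or tag, and an alert may be anchored to such a ref. The helper below (an added example, not part of the original post; the function name `refs_with_file` and the repository-path argument are my own choices) lists every local branch and tag whose tree still contains yarn.lock.

```shell
#!/bin/sh
# Added example: list every local branch and tag whose tree still contains a
# given path (default: yarn.lock). Usage: refs_with_file /path/to/repo [path]
refs_with_file() {
  repo="$1"
  path="${2:-yarn.lock}"
  # Enumerate branches and tags; for each, ask git for the tree entry at $path.
  # ls-tree prints nothing when the path is absent from that ref's tree.
  git -C "$repo" for-each-ref --format='%(refname:short)' refs/heads refs/tags |
  while read -r ref; do
    if [ -n "$(git -C "$repo" ls-tree --name-only "$ref" "$path")" ]; then
      printf '%s\n' "$ref"
    fi
  done
}
```

Run it after `git fetch --all` so remote branches are represented locally; an empty result means no ref in the clone still carries the lockfile.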