[Bug?] No longer valid Dependabot alerts are still open


In my following repository of the npm package, I have some Dependabot alerts.

However, those vulnerable packages are no longer installed as dependencies.
The Dependabot alerts say they are in yarn.lock, but I already deleted yarn.lock from the repository several months ago.

npm audit and yarn audit also say my project has no vulnerable packages.

$ git clone git@github.com:phanect/create.git
$ cd create/
$ npm install
$ npm audit
                       === npm audit security report ===                        
found 0 vulnerabilities
 in 836 scanned packages
$ yarn audit
yarn audit v1.22.5
info No lockfile found.
warning sao > micromatch > snapdragon > source-map-resolve > resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
warning sao > micromatch > snapdragon > source-map-resolve > urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
0 vulnerabilities found - Packages audited: 777
Done in 6.10s.

Is this a bug in Dependabot?

According to the docs you should be able to dismiss the alerts: https://docs.github.com/en/free-pro-team@latest/github/managing-security-vulnerabilities/viewing-and-updating-vulnerable-dependencies-in-your-repository#viewing-and-updating-vulnerable-dependencies

(See step 8 near the bottom of the page)

Hi kingthorin,

Thank you for your reply.

Yes, I know I can dismiss the alerts manually. It can be a workaround.

However, I want Dependabot to automatically close the alerts if they no longer exist in the repo.
I saw Dependabot automatically closed the alerts for the packages I updated several times. That's why I guessed this issue may be a bug.