Dependabot alert without pull request

I’ve got a handful of repos that do this. It seems there should be a PR for this alert, but there isn’t. It’s been days since this alert showed up. Any ideas why not?

Hi @YellowstoneApps,

Thanks for bringing up this question! Please check for more details about each specific alert by clicking the name of the dependency in the alert section.
There may be a warning about why “Dependabot cannot update to the required version”.

[Screenshot omitted: Screen Shot 2020-09-28 at 6.00.44 PM]

Click the View details about this error link for more information.
A common reason for not creating the pull request is that Dependabot cannot create a pull request as one or more other dependencies require a version that is incompatible with this update.

Yes. I clicked through the alerts that exist and I see those messages. I guess that isn’t really my expectation of dependabot. Dependabot is supposed to open PRs for me, so that CI can run, and then all I have to do is quickly review and merge. These types of PR-less security alerts seem to be the most common. I gather maybe a PR wasn’t opened because these things are dependencies of dependencies, so figuring out what needs to be upgraded isn’t straightforward. I honestly can’t think of a single security alert in recent memory that actually opened a PR for me.

In fact, Ruby on Rails just dropped v6.0.3.4 which is a security release and I have neither a security alert for it nor a PR. So what I’m left with are:

  1. Alerts for some random dependency of a dependency that I have to manually go handle myself
  2. Missing, actually super important, alerts and PRs for primary dependencies.

These aren’t things that boost my confidence in the tool or truly solve a problem. The only reason I know about the rails security update is because I’m on their mailing list because it is the foremost dependency in my application. What about the other ~50 gems? I have zero confidence that dependabot is properly alerting me of their status. Given that, dependabot has completely failed me.
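When an alert names a transitive gem and no PR is opened, the manual work is finding which direct dependency pins that gem and whether its version requirement is what blocks the fixed version. The Ruby script below is an added example written for this thread, not code from the discussion or from Dependabot or GitHub. It parses a Gemfile.lock with only the standard library, walks the dependency graph upward from the alerted gem to the entries in the `DEPENDENCIES` section, and checks each dependent's requirement against a target version using `Gem::Requirement`. The lockfile embedded in `SAMPLE_LOCK`, with its gem names and versions, is constructed for illustration; in real use you would read your own Gemfile.lock and take the gem name and fixed version from the alert page.

```ruby
# Added example (not from the thread, Dependabot or GitHub): find which
# direct dependencies pin a transitive gem and whether their requirements
# block a target version. Standard library only.
require 'rubygems'

# Constructed sample Gemfile.lock (names/versions are illustrative only).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (6.0.3.3)
        rack (~> 2.0, >= 2.0.8)
        rack-test (>= 0.6.3)
      rack (2.2.3)
      rack-test (1.1.0)
        rack (>= 1.0, < 3)
      rails (6.0.3.3)
        actionpack (= 6.0.3.3)
      puma (4.3.5)
        nio4r (~> 2.0)
      nio4r (2.5.2)

  PLATFORMS
    ruby

  DEPENDENCIES
    puma (~> 4.1)
    rails (~> 6.0.3)
LOCK

# Parse the "specs:" block into { name => { version:, deps: { dep => requirement } } }.
# Spec lines are indented 4 spaces, their dependencies 6 spaces.
def parse_lock(text)
  specs = {}
  current = nil
  in_specs = false
  text.each_line do |raw|
    line = raw.rstrip
    if line == '  specs:'
      in_specs = true
      next
    end
    in_specs = false if line.empty? || line =~ /\A[A-Z]/   # next section starts
    next unless in_specs
    if line =~ /\A    (\S+) \(([^)]+)\)\z/
      current = $1
      specs[current] = { version: $2, deps: {} }
    elsif current && line =~ /\A      (\S+)(?: \(([^)]+)\))?\z/
      specs[current][:deps][$1] = $2 || '>= 0'   # bare dep means any version
    end
  end
  specs
end

# Names listed under DEPENDENCIES, i.e. the gems declared in the Gemfile itself.
def parse_direct(text)
  direct = []
  in_deps = false
  text.each_line do |raw|
    line = raw.rstrip
    if line == 'DEPENDENCIES'
      in_deps = true
      next
    end
    in_deps = false if line.empty? || line =~ /\A[A-Z]/
    next unless in_deps
    direct << $1 if line =~ /\A  (\S+)/
  end
  direct
end

# Does a lockfile requirement string such as "~> 2.0, >= 2.0.8" admit version?
def requirement_allows?(req_string, version)
  Gem::Requirement.new(req_string.split(', ')).satisfied_by?(Gem::Version.new(version))
end

# Walk upward from gem_name until a direct dependency is reached; each path
# element after the first is "parent [requirement parent places on child]".
def blocking_paths(specs, direct, gem_name, path = [gem_name], seen = {})
  return [path] if direct.include?(gem_name)
  parents = specs.select { |_, s| s[:deps].key?(gem_name) }
  return [path + ['(no dependent found)']] if parents.empty?
  parents.flat_map do |parent, s|
    next [] if seen[parent]   # guard against cycles in the graph
    blocking_paths(specs, direct, parent,
                   path + ["#{parent} [#{s[:deps][gem_name]}]"], seen.merge(parent => true))
  end
end

# Summarise why updating gem_name to target_version may be blocked.
def report(text, gem_name, target_version)
  specs = parse_lock(text)
  direct = parse_direct(text)
  blockers = specs.select { |_, s| s[:deps].key?(gem_name) }
                  .reject { |_, s| requirement_allows?(s[:deps][gem_name], target_version) }
                  .map { |name, s| "#{name} #{s[:version]} requires #{gem_name} #{s[:deps][gem_name]}" }
  { paths: blocking_paths(specs, direct, gem_name), blockers: blockers }
end

if __FILE__ == $0
  result = report(SAMPLE_LOCK, 'rack', '3.0.0')
  puts 'Paths to direct dependencies:'
  result[:paths].each { |p| puts '  ' + p.join(' <- ') }
  puts 'Requirements that block the target version:'
  result[:blockers].each { |b| puts '  ' + b }
end
```

Run it as `ruby lockcheck.rb` (file name is yours to choose) to see, for the sample, that `rack` reaches the direct dependency `rails` through `actionpack` and through `rack-test`, and that both of those gems carry a requirement that excludes `3.0.0`; with a target inside the allowed range, such as `2.2.4`, the blockers list is empty, which is the case where a plain version bump should succeed.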

@ernest-phillips any update?

Hi @YellowstoneApps

I can understand your frustration here. While we try to help developers catch as many alerts as possible, it is not the aim of Dependabot to replace human review.

Please refer to this note in our documentation:

GitHub’s security features do not claim to catch all vulnerabilities. Though we are always trying to update our vulnerability database and alert you with our most up-to-date information, we will not be able to catch everything or alert you to known vulnerabilities within a guaranteed time frame. These features are not substitutes for human review of each dependency for potential vulnerabilities or any other issues, and we recommend consulting with a security service or conducting a thorough vulnerability review when necessary.

@ernest-phillips that’s a grade school cop out run through corporate lawyers. Why don’t you stand up and own something?

This isn’t a run of the mill dependency that your tool is missing. This is a major web framework that your company was built on and a huge percentage of your users use.

Swing and a miss.