Dependabot alert without pull request

I’ve got a handful of repos that do this. It seems there should be a PR for this alert, but there isn’t. It’s been days since this alert showed up. Any ideas why not?