Dependabot - Poetry problem with security alerts

I’m integrating Dependabot on repositories that have Python apps with Poetry as the dependency manager. Even using the dependabot.yml configuration file, security alerts weren’t displayed.

In a public test repository, I added Django@2.2.10, which has a critical SQL Injection vulnerability. Dependabot opened a PR to update it, but no vulnerability alert was triggered.

Repository: GitHub - pdf13/poetry-test

The same version of Django was alerted as vulnerable in a private repository that uses PIP and requirements.txt instead of Poetry.

Can someone please help me figure out whether I’m doing something wrong? In this test repository, I’m getting PRs to update dependencies, but I can’t tell which ones have security issues.

Thanks in advance :blush:

4 Likes