I’ve enabled “dependabot-preview” for security fixes only on my private repo.
However, it detects only some vulnerable packages, compared to the Security Alerts tab. Also, I can trigger the Automated security fixes (aka “dependabot”), which creates PRs for issues missed by “dependabot-preview”.
Is it possible that dependabot-preview does not detect issues detected by Security Alerts (dependabot)? What is the recommended way to handle a security audit? I would like to use dependabot-preview because of the configuration options via config.yaml (PR customization), but it does not seem to be reliable.