Feedback: Dependabot alerts for an issue that is not relevant to my framework version

I received an email that suggested fixing the problem.

On Thu, 22 Apr 2021 at 5:30 am, dependabot[bot] wrote:

This automated pull request fixes a security vulnerability (high severity).

Learn more about Dependabot security updates.

Bumps System.Net.Http from 4.1.0 to 4.3.4.

According to the description link, .NET Core Information Disclosure · CVE-2018-8292 · GitHub Advisory Database · GitHub:

This affects .NET Core 2.1, .NET Core 1.0, .NET Core 1.1, PowerShell Core 6.0.

However, my project is using .NET Framework 4.6, which can be determined from the .csproj and packages.config.

Our private repositories received similar false alarms.

It would be nice if Dependabot were smarter and could understand whether the issue is applicable to the project or not, and avoid false alarms.
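For triaging an alert like this one, the check the poster describes (read the target framework from the .csproj and the package version from packages.config, then compare against the advisory's affected-product list) can be scripted. This is an added example, not part of the original post or of the MNF/CommonDotNetHelpers repository; the two XML files below are constructed samples, not the repository's real files.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, Optional

# Constructed sample inputs (not the files from the poster's repository).
SAMPLE_CSPROJ = """<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup>
    <TargetFrameworkVersion>v4.6</TargetFrameworkVersion>
  </PropertyGroup>
</Project>
"""
SAMPLE_PACKAGES_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<packages>
  <package id="Newtonsoft.Json" version="12.0.3" targetFramework="net46" />
  <package id="System.Net.Http" version="4.1.0" targetFramework="net46" />
</packages>
"""

MSBUILD_NS = "{http://schemas.microsoft.com/developer/msbuild/2003}"


def target_framework(csproj_xml: str) -> Optional[str]:
    """Return TargetFrameworkVersion (old-style csproj, namespaced) or TargetFramework (SDK-style)."""
    root = ET.fromstring(csproj_xml)
    for tag in ("TargetFrameworkVersion", "TargetFramework"):
        for el in root.iter():
            if el.tag in (tag, MSBUILD_NS + tag) and el.text:
                return el.text.strip()
    return None


def framework_family(tfm: Optional[str]) -> str:
    """Classify a target framework moniker: 'v4.6'/'net46' are .NET Framework, 'netcoreapp2.1'/'net5.0' are .NET Core/.NET."""
    if tfm is None:
        return "unknown"
    if tfm.startswith("v") or re.fullmatch(r"net4\d+", tfm):
        return ".NET Framework"
    if tfm.startswith("netcoreapp") or re.fullmatch(r"net\d+\.\d+", tfm):
        return ".NET Core / .NET"
    if tfm.startswith("netstandard"):
        return ".NET Standard"
    return "unknown"


def package_versions(packages_config_xml: str) -> Dict[str, str]:
    """Map package id -> version from a packages.config file."""
    root = ET.fromstring(packages_config_xml)
    return {p.get("id"): p.get("version") for p in root.iter("package")}


def triage(csproj_xml: str, packages_config_xml: str, package_id: str) -> Dict[str, Optional[str]]:
    """Pair the flagged package version with what the project actually targets, for comparison with the advisory."""
    tfm = target_framework(csproj_xml)
    return {"package": package_id, "version": package_versions(packages_config_xml).get(package_id),
            "target_framework": tfm, "family": framework_family(tfm)}
```

Run `triage(SAMPLE_CSPROJ, SAMPLE_PACKAGES_CONFIG, "System.Net.Http")` to get the package version next to the project's framework family; the advisory's affected list (here .NET Core 1.0/1.1/2.1 and PowerShell Core 6.0) is then compared by the reader, since the script does not decide applicability itself.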


I had a look and it looks as if it’s picking up the version from here: CommonDotNetHelpers/packages.config at 015ac57a8b2850d4af9a4c30d3d0ef8b9327e6f6 · MNF/CommonDotNetHelpers · GitHub

You can see all the dependencies listed on your repository insights: