I have a Java server application project that uses some Node-based tools (TypeScript and PostCSS) to build the web frontend. The project thus contains both Maven dependencies and NPM ones. Dependabot won’t stop pestering me about “vulnerable” NPM dependencies, with extremely severe life-threatening dangerous vulnerabilities like “that regex in this dependency three levels deep wasn’t optimal enough and could maybe possibly load your CPU a bit too much if you give it a 500-megabyte string”. Now, I couldn’t care less about the NPM dependencies because that part only ever runs on the build machine and only on input that I fully control.
I would like to disable Dependabot alerts for NPM, but keep them for Maven, because vulnerabilities there could indeed be important. Can I do that? If so, how do I do that?