No Dependabot alert for CVE-2020-8184

GitHub Help How to use Git and GitHub
#1

I wondering why my repos haven’t gotten any Dependabot alerts (and automated security updates for CVE-2020-8184 found in rack: https://github.com/rack/rack/commit/1f5763de6a9fe515ff84992b343d63c88104654c

Is it because the CVE isn’t in any of the sources GitHub uses? How is that possible when the issue even was found and fixed by GitHub Staff?

Also, dependabot-preview managed to pick up the security issue: https://github.com/Starkast/wikimum/pull/174

This is really confusing to me.

#2

Hi dentarg,

I’ve just moved this question over to How to use Git and GitHub since I think you’re more likely to get the right :eyes: on it there.

#3

Hi dentarg,

CVE-2020-8184 was not added to the GitHub advisory database until 2020-06-24
You can use the GitHub advisory database to check if a vulnerability is tracked by GitHub, though GitHub’s security features do not claim to catch all vulnerabilities.