No Dependabot alert for CVE-2020-8184

I wondering why my repos haven’t gotten any Dependabot alerts (and automated security updates for CVE-2020-8184 found in rack:

Is it because the CVE isn’t in any of the sources GitHub uses? How is that possible when the issue even was found and fixed by GitHub Staff?

Also, dependabot-preview managed to pick up the security issue:

This is really confusing to me.

Hi dentarg,

I’ve just moved this question over to How to use Git and GitHub since I think you’re more likely to get the right :eyes: on it there.

Hi dentarg,

CVE-2020-8184 was not added to the GitHub advisory database until 2020-06-24
You can use the GitHub advisory database to check if a vulnerability is tracked by GitHub, though GitHub’s security features do not claim to catch all vulnerabilities.