The `dependabot-preview` product isn't related to the vulnerability alerts system. It's used specifically to keep dependencies up-to-date, whether for security reasons or not. Since it isn't hooked in to GitHub's vulnerability alerts system, you are correct that it won't catch some things that the vulnerability alerts system will.
As for what's recommended for a security audit, GitHub's security features, such as security alerts, do not claim to catch all vulnerabilities. Though we are always trying to update our vulnerability database and alert you with our most up-to-date information, we will not be able to catch everything or alert you to known vulnerabilities within a guaranteed time frame. These features are not substitutes for human review of each dependency for potential vulnerabilities or any other issues, and we recommend consulting with a security service or conducting a thorough vulnerability review when necessary.
I hope that helps! Let us know if you have more questions.