VulnerabilityAlerts why are no PRs created #27493
-
We are seeing the same behavior, except on GitHub Enterprise Cloud and Renovate GitHub App (not self-hosted). Seeing the same thing in logs as well.
-
Hi there,

This issue or discussion is missing some logs, making it difficult or impossible to help you. Depending on which situation applies follow one, some or all of these instructions.

No logs at all
If you haven't posted any log yet, we need you to find and copy/paste the log into the issue template.

Finding logs on hosted app
If you use the Mend Renovate app (GitHub):

Finding logs when self-hosting
If you're running self-hosted, run with

Insufficient logs
If you already gave us a log, and the Renovate team said it's not enough, then follow the instructions from the No logs at all section.

Formatting your logs
Please put your logs in a

If you feel the logs are too large to paste here, please use a service like GitHub Gist and paste the link here.

Good luck,
The Renovate team
-
Hi there,

Get your discussion fixed faster by creating a minimal reproduction. This means a repository dedicated to reproducing this issue with the minimal dependencies and config possible. Before we start working on your issue we need to know exactly what's causing the current behavior. A minimal reproduction helps us with this. Discussions without reproductions are less likely to be converted to Issues. To get started, please read our guide on creating a minimal reproduction.

Good luck,
The Renovate team
-
Dear Renovate Team, this discussion always contained logs filled out in the template provided by you. I adjusted them, though, to the format requested in the answer. There are no more logs than the ones I provided on debug. I tried trace, which is impossible to provide, because the config is logged so often that you cannot see anything. Besides that, GitHub Actions crashed because of too-large log files, and the largest file I could still export before the crash reached ~1GB. But as said, I tried to extract more information, but this is not possible. So these are all the logs I can provide. Regarding the reproducer: as mentioned, it is the default config. I posted this config in the first comment as well. There is nothing special about it. GitHub Enterprise Server is the only special information I can provide.
-
Hi @RahulGautamSingh,
-
How are you running Renovate?
Self-hosted
If you're self-hosting Renovate, tell us what version of Renovate you run.
37.203.2
If you're self-hosting Renovate, select which platform you are using.
GitHub Enterprise Server
What is your question?
In one of our projects Dependabot alerts shows 35 vulnerability alerts. Some of them are because of asyncapi and the usage of very old dependencies (@babel/traverse@7.20.5). For testing purposes I also added one (@babel/traverse@7.10.5) directly into the package.json and installed it via yarn, so that the yarn.lock file is also updated.
Dependabot, which is disabled because we like Renovate more, is eager to create PRs for 30 of the 35 alerts. But we never get a PR from Renovate for the transitive dependencies. I get one for the @babel/traverse, which I added manually for testing purposes.
Config snippet:
Am I missing something? Are my expectations wrong? Sadly I see no logs which indicate why Renovate ignores the vulnerabilityAlerts. I enabled trace logs and started looking into the code, but the trace logs are very large and repeat the config very often, which makes searching very difficult, and in the code I could only see that the alertPackageRules are basically just added to the packageRules. I could not find the location where the information is used.
Logs (if relevant)
Most of them are listed multiple times because of our project structure; that is why the list does not contain 35 entries.
And then I see:
I removed a lot of entries, though.