vulnerabilityAlerts are being detected but no PRs are being created, am I missing something?

[gregoryduckworth]

I've enabled vulnerabilityAlerts along with the associated Github dependency alerts but no PRs are getting created.

When enabling the debug logging on Renovate I can see:

"alertPackageRules": [
 {
   "datasources": ["npm"],
   "packageNames": ["node-notifier"],
   "matchCurrentVersion": "= 8.0.0",
   "allowedVersions": "8.0.1",
   "prBodyNotes": [
     "### GitHub Vulnerability Alerts",
     "#### [CVE-2020-7789](https://nvd.nist.gov/vuln/detail/CVE-2020-7789)\n\nThis affects the package node-notifier before 8.0.1. It allows an attacker to run arbitrary commands on Linux machines due to the options params not being sanitised when being passed an array."
   ],
   "force": {
     "enabled": true,
     "labels": ["security"],
     "vulnerabilityAlert": true,
     "branchTopic": "npm-node-notifier-vulnerability",
     "prCreation": "immediate"
   }
 }
]

However there is no associated PR.

My config for the alerts is:

"vulnerabilityAlerts": {
    "assignees": [
      "team:search-and-navigation-admins"
    ],
    "labels": [
      "security"
    ]
  }

Is there something missing or additionally I need to do to get the PRs created?

[rarkins]

Is the dependency a direct one (in package.json) or indirect (in a lock file only)? Renovate does not support the latter yet.

[slapierre]

I am encountering a similar issue when experimenting with prConcurrentLimit: I want to confirm that Renovate will open a vulnerability PR right away even when the max number of concurrent PR is already reached.

Similar to @gregoryduckworth, I have a direct dependency listed in package.json -- it's an older version of axios (0.20.0) I put there to trigger an alert.

I enabled the dependencyDashboard and I see that the bot has been intending to open a PR for a while to update the dependency, however it does not flag it as a vulnerability, I enabled Dependabot for comparison and it raised a vulnerability issue (CVE-2020-28168).

I have a basic renovate.json configuration:

{
  "reviewers": [
    "..."
  ],
  "baseBranches": [
    "main"
  ],
  "dependencyDashboard": true,
  "extends": [
    "config:base"
  ],
  "labels": [
    "dependencies"
  ],
  "prConcurrentLimit": 2,
  "prHourlyLimit": 0,
  "semanticCommits": "enabled",
  "vulnerabilityAlerts": {
    "enabled": true,
    "labels": [
      "security"
    ]
  }
}

[rarkins]

Please create minimal reproduction repo if you'd like us to take a look.

[slapierre]

Hi @rarkins,

I created this repository:

• https://github.com/slapierre/renovate-8297

We see from the Configure Renovate PR that the bot intends to create a branch with the -vulnerability suffix, unfortunately that PR is not on the top the stack:

[rarkins]

This problem was unrelated to the original post in this thread, but resolved in https://github.com/renovatebot/renovate/releases/tag/24.27.3

[slapierre]

Hi everyone,

I deleted the GitHub repository that I created to reproduce the issue now that the expected behavior has been implemented by the renovate team.

Here is the content of my renovate.json to open a vulnerability PR right away when an alert is detected.

{
  "baseBranches": ["main"],
  "dependencyDashboard": true,
  "extends": ["config:base"],
  "labels": ["dependencies"],
  "prConcurrentLimit": 2,
  "prHourlyLimit": 0,
  "reviewers": ["@slapierre"],
  "semanticCommits": "enabled",
  "vulnerabilityAlerts": {
    "enabled": true,
    "labels": ["security"]
  }
}