Renovate cannot read vulnerability alerts.

[va-lgtm]

I am trying to automate the creation of pull requests for vulnerabilities, but they are not being created.
If I am missing some settings or permissions, could you please let me know?

Refering this issue, I created a configuration that intentionally specifies the package that contains the vulnerability and only creates the pull request for the vulnerability.

https://github.com/va-lgtm/vulnerability-alerts-test/blob/fbe8ebef9ba7eeb165421f4b907fb55c4b8f720b/renovate.json
https://github.com/va-lgtm/vulnerability-alerts-test/blob/fbe8ebef9ba7eeb165421f4b907fb55c4b8f720b/package.json

node-forge@^0.9.1, as specified in the package.json of this repository, contains the following vulnerability.
https://www.npmjs.com/advisories/1561

However, the log in the renovate dashboard shows the following, and it appears that no pull request has been created for the vulnerability.

DEBUG: Cannot read vulnerability alerts
DEBUG: No vulnerability alerts found

If I am missing some settings or permissions, could you please let me know?

FYI: Full log of renovate is bellow.

logs

INFO: Repository started
{
  "renovateVersion": "24.99.0"
}
DEBUG: Using localDir: /mnt/renovate/gh/va-lgtm/vulnerability-alerts-test
DEBUG: Repository cache not found
{
  "cacheFileName": "/tmp/renovate-cache/renovate/repository/github/va-lgtm/vulnerability-alerts-test.json"
}
DEBUG: initRepo("va-lgtm/vulnerability-alerts-test")
DEBUG: Overriding default GitHub endpoint
{
  "endpoint": "https://api.github.com/"
}
DEBUG: No dangling containers to remove
DEBUG: va-lgtm/vulnerability-alerts-test default branch = main
DEBUG: Using app token for git init
DEBUG: resetMemCache()
DEBUG: checkOnboarding()
DEBUG: isOnboarded()
DEBUG: findFile(renovate.json)
DEBUG: Initializing git repository into /mnt/renovate/gh/va-lgtm/vulnerability-alerts-test
DEBUG: git clone completed
{
  "durationMs": 477
}
DEBUG: latest repository commit
{
  "latestCommit": {
    "hash": "fbe8ebef9ba7eeb165421f4b907fb55c4b8f720b",
    "date": "2021-04-04T20:15:13+09:00",
    "message": "add whole files",
    "refs": "HEAD -> main, origin/main, origin/HEAD",
    "body": "",
    "author_name": "va-lgtm",
    "author_email": "81907578+va-lgtm@users.noreply.github.com"
  }
}
DEBUG: Setting git author name
{
  "gitAuthorName": "Renovate Bot"
}
DEBUG: Setting git author email
{
  "gitAuthorEmail": "bot@renovateapp.com"
}
DEBUG: Config file exists
{
  "fileName": "renovate.json"
}
DEBUG: Retrieving issueList
DEBUG: Retrieved 0 issues
DEBUG: Repo is onboarded
DEBUG: Found renovate.json config file
DEBUG: Repository config
{
  "fileName": "renovate.json",
  "config": {
    "$schema": "https://docs.renovatebot.com/renovate-schema.json",
    "packageRules": [
      {
        "packagePatterns": [
          "*"
        ],
        "enabled": false
      }
    ],
    "vulnerabilityAlerts": {
      "enabled": true
    },
    "automerge": false
  }
}
DEBUG: migrateAndValidate()
DEBUG: Config migration necessary
{
  "oldConfig": {
    "$schema": "https://docs.renovatebot.com/renovate-schema.json",
    "packageRules": [
      {
        "packagePatterns": [
          "*"
        ],
        "enabled": false
      }
    ],
    "vulnerabilityAlerts": {
      "enabled": true
    },
    "automerge": false,
    "extends": [
      "github>whitesource/merge-confidence:beta"
    ]
  },
  "newConfig": {
    "$schema": "https://docs.renovatebot.com/renovate-schema.json",
    "packageRules": [
      {
        "enabled": false,
        "matchPackagePatterns": [
          "*"
        ]
      }
    ],
    "vulnerabilityAlerts": {
      "enabled": true
    },
    "automerge": false,
    "extends": [
      "github>whitesource/merge-confidence:beta"
    ]
  }
}
DEBUG: massaged config
{
  "config": {
    "$schema": "https://docs.renovatebot.com/renovate-schema.json",
    "packageRules": [
      {
        "enabled": false,
        "matchPackagePatterns": [
          "*"
        ]
      }
    ],
    "vulnerabilityAlerts": {
      "enabled": true
    },
    "automerge": false,
    "extends": [
      "github>whitesource/merge-confidence:beta"
    ]
  }
}
DEBUG: migrated config
{
  "config": {
    "$schema": "https://docs.renovatebot.com/renovate-schema.json",
    "packageRules": [
      {
        "enabled": false,
        "matchPackagePatterns": [
          "*"
        ]
      }
    ],
    "vulnerabilityAlerts": {
      "enabled": true
    },
    "automerge": false,
    "extends": [
      "github>whitesource/merge-confidence:beta"
    ]
  }
}
DEBUG: Found repo ignorePaths
{
  "ignorePaths": [
    "**/node_modules/**",
    "**/bower_components/**"
  ]
}
DEBUG: detectSemanticCommits()
DEBUG: getCommitMessages
DEBUG: Semantic commits detection: unknown
DEBUG: No semantic commits detected
DEBUG: Setting branchPrefix: renovate/
DEBUG: Cannot read vulnerability alerts
DEBUG: No vulnerability alerts found
DEBUG: processRepo()
DEBUG: No baseBranches
DEBUG: extract()
DEBUG: Setting current branch to main
DEBUG: latest commit
{
  "branchName": "main",
  "latestCommitDate": "2021-04-04T20:15:13+09:00"
}
DEBUG: Using file match: (^|/)tasks/[^/]+\.ya?ml$ for manager ansible
DEBUG: Using file match: (^|/)requirements\.ya?ml$ for manager ansible-galaxy
DEBUG: Using file match: azure.*pipelines?.*\.ya?ml$ for manager azure-pipelines
DEBUG: Using file match: (^|/)batect(-bundle)?\.yml$ for manager batect
DEBUG: Using file match: (^|/)batect$ for manager batect-wrapper
DEBUG: Using file match: (^|/)WORKSPACE(|\.bazel)$ for manager bazel
DEBUG: Using file match: \.bzl$ for manager bazel
DEBUG: Using file match: buildkite\.ya?ml for manager buildkite
DEBUG: Using file match: \.buildkite/.+\.ya?ml$ for manager buildkite
DEBUG: Using file match: (^|/)Gemfile$ for manager bundler
DEBUG: Using file match: (^|/)Cargo.toml$ for manager cargo
DEBUG: Using file match: (^|/).circleci/config.yml$ for manager circleci
DEBUG: Using file match: (^|/)cloudbuild.ya?ml for manager cloudbuild
DEBUG: Using file match: (^|/)Podfile$ for manager cocoapods
DEBUG: Using file match: (^|/)([\w-]*)composer.json$ for manager composer
DEBUG: Using file match: (^|/)deps\.edn$ for manager deps-edn
DEBUG: Using file match: (^|/)docker-compose[^/]*\.ya?ml$ for manager docker-compose
DEBUG: Using file match: (^|/|\.)Dockerfile$ for manager dockerfile
DEBUG: Using file match: (^|/)Dockerfile\.[^/]*$ for manager dockerfile
DEBUG: Using file match: (^|/).drone.yml$ for manager droneci
DEBUG: Using file match: (^|/).gitmodules$ for manager git-submodules
DEBUG: Using file match: ^\.github\/workflows\/[^/]+\.ya?ml$ for manager github-actions
DEBUG: Using file match: \.gitlab-ci\.yml$ for manager gitlabci
DEBUG: Using file match: ^\.gitlab-ci\.yml$ for manager gitlabci-include
DEBUG: Using file match: (^|/)go.mod$ for manager gomod
DEBUG: Using file match: \.gradle(\.kts)?$ for manager gradle
DEBUG: Using file match: (^|/)gradle.properties$ for manager gradle
DEBUG: Using file match: (^|/)gradle.properties$ for manager gradle-lite
DEBUG: Using file match: \.gradle(\.kts)?$ for manager gradle-lite
DEBUG: Using file match: (^|/)gradle/wrapper/gradle-wrapper.properties$ for manager gradle-wrapper
DEBUG: Using file match: (^|/)requirements\.yaml$ for manager helm-requirements
DEBUG: Using file match: (^|/)values.yaml$ for manager helm-values
DEBUG: Using file match: (^|/)helmfile.yaml$ for manager helmfile
DEBUG: Using file match: (^|/)Chart.yaml$ for manager helmv3
DEBUG: Using file match: ^Formula/[^/]+[.]rb$ for manager homebrew
DEBUG: Using file match: \.html?$ for manager html
DEBUG: Using file match: (^|/)plugins\.(txt|ya?ml)$ for manager jenkins
DEBUG: Using file match: (^|/)kustomization\.yaml for manager kustomize
DEBUG: Using file match: (^|/)project\.clj$ for manager leiningen
DEBUG: Using file match: \.pom\.xml$ for manager maven
DEBUG: Using file match: (^|/)pom\.xml$ for manager maven
DEBUG: Using file match: (^|/)package.js$ for manager meteor
DEBUG: Using file match: (^|/)mix\.exs$ for manager mix
DEBUG: Using file match: ^.node-version$ for manager nodenv
DEBUG: Using file match: (^|/)package.json$ for manager npm
DEBUG: Using file match: \.(?:cs|fs|vb)proj$ for manager nuget
DEBUG: Using file match: \.(?:props|targets)$ for manager nuget
DEBUG: Using file match: \.config\/dotnet-tools\.json$ for manager nuget
DEBUG: Using file match: (^|/)\.nvmrc$ for manager nvm
DEBUG: Using file match: (^|/)([\w-]*)requirements.(txt|pip)$ for manager pip_requirements
DEBUG: Using file match: (^|/)setup.py$ for manager pip_setup
DEBUG: Using file match: (^|/)Pipfile$ for manager pipenv
DEBUG: Using file match: (^|/)pyproject\.toml$ for manager poetry
DEBUG: Using file match: (^|/)\.pre-commit-config\.yaml$ for manager pre-commit
DEBUG: Using file match: (^|/)pubspec\.ya?ml$ for manager pub
DEBUG: Using file match: (^|/)\.ruby-version$ for manager ruby-version
DEBUG: Using file match: \.sbt$ for manager sbt
DEBUG: Using file match: project/[^/]*.scala$ for manager sbt
DEBUG: Using file match: (^|/)setup\.cfg$ for manager setup-cfg
DEBUG: Using file match: (^|/)Package\.swift for manager swift
DEBUG: Using file match: \.tf$ for manager terraform
DEBUG: Using file match: (^|/)\.terraform-version$ for manager terraform-version
DEBUG: Using file match: (^|/)terragrunt\.hcl$ for manager terragrunt
DEBUG: Using file match: (^|/)\.terragrunt-version$ for manager terragrunt-version
DEBUG: Using file match: ^.travis.yml$ for manager travis
DEBUG: Matched 1 file(s) for manager npm: package.json
DEBUG: npm file package.json has name "vulnerabilityAlertsTest"
DEBUG: Detecting Lerna and Yarn Workspaces
DEBUG: Finding locked versions
DEBUG: Found package-lock.json for package.json
DEBUG: Found npm package files
DEBUG: Found 1 package file(s)
INFO: Dependency extraction complete
{
  "baseBranch": "main",
  "stats": {
    "managers": {
      "npm": {
        "fileCount": 1,
        "depCount": 1
      }
    },
    "total": {
      "fileCount": 1,
      "depCount": 1
    }
  }
}
DEBUG: Dependency is disabled (node-forge)(dependency="node-forge")
DEBUG: Package releases lookups complete
{
  "baseBranch": "main"
}
DEBUG: branchifyUpgrades
DEBUG: 0 flattened updates found:
DEBUG: Returning 0 branch(es)
DEBUG: config.repoIsOnboarded=true
DEBUG: packageFiles with updates
{
  "config": {
    "npm": [
      {
        "packageFile": "package.json",
        "deps": [
          {
            "depType": "devDependencies",
            "depName": "node-forge",
            "currentValue": "^0.9.1",
            "datasource": "npm",
            "prettyDepType": "devDependency",
            "lockedVersion": "0.9.2",
            "depIndex": 0,
            "updates": [],
            "skipReason": "disabled"
          }
        ],
        "packageJsonName": "vulnerabilityAlertsTest",
        "packageFileVersion": "1.0.0",
        "packageJsonType": "app",
        "npmLock": "package-lock.json",
        "managerData": {},
        "skipInstalls": true,
        "constraints": {},
        "lockFiles": [
          "package-lock.json"
        ]
      }
    ]
  }
}
DEBUG: processRepo()
DEBUG: Processing 0 branches:
DEBUG: Calculated maximum PRs remaining this run
{
  "prsRemaining": 99
}
DEBUG: PullRequests limit = 99
DEBUG: Calculated maximum branches remaining this run
{
  "branchesRemaining": 99
}
DEBUG: Branches limit = 99
DEBUG: Removing any stale branches
DEBUG: config.repoIsOnboarded=true
DEBUG: No renovate branches found
DEBUG: Repository timing splits (milliseconds)
{
  "splits": {
    "init": 2252,
    "extract": 963,
    "lookup": 7,
    "update": 13
  },
  "total": 3243
}
DEBUG: http statistics
{
  "hostStats": [
    "api.github.com, 4 requests, 171ms request average, 0ms queue average"
  ],
  "totalRequests": 4
}
INFO: Repository finished
{
  "durationMs": 3243
}

[viceice]

You've disabled all managers, so no updates at all.

Package rule is applied after global config, so you need s package rule to re-enable those security updates

[va-lgtm]

Thank you very much for your quick comment. 🙇

I created the configuration referring to the comment below.
renovatebot/config-help#138 (comment)

This is the comment from the author of renovate, so it probably works with this configuration.
Has there been any specification updates to renovate since this comment was posted?

[va-lgtm]

As you have pointed out, by enabling packageRules, a pull request like the following is created.
va-lgtm/vulnerability-alerts-test#1

However, I think this pull request is for updating the package, not for resolving vulnerabilities.

I would like to configure the settings so that only pull requests for vulnerability resolution are created.
Is it possible to do such a thing?

[va-lgtm]

FYI, I share the renovate log when this pull request was created.
It still contains the following messages.

DEBUG: Cannot read vulnerability alerts
DEBUG: No vulnerability alerts found

The entire log is below.

logs

INFO: Repository started
{
  "renovateVersion": "24.99.0"
}
DEBUG: Using localDir: /mnt/renovate/gh/va-lgtm/vulnerability-alerts-test
DEBUG: Repository cache is valid
DEBUG: initRepo("va-lgtm/vulnerability-alerts-test")
DEBUG: Overriding default GitHub endpoint
{
  "endpoint": "https://api.github.com/"
}
DEBUG: No dangling containers to remove
DEBUG: va-lgtm/vulnerability-alerts-test default branch = main
DEBUG: Using app token for git init
DEBUG: resetMemCache()
DEBUG: checkOnboarding()
DEBUG: isOnboarded()
DEBUG: findFile(renovate.json)
DEBUG: Initializing git repository into /mnt/renovate/gh/va-lgtm/vulnerability-alerts-test
DEBUG: git clone completed
{
  "durationMs": 492
}
DEBUG: latest repository commit
{
  "latestCommit": {
    "hash": "7455ff60c362de9ea8557ebed45d49093e904de9",
    "date": "2021-04-04T21:18:53+09:00",
    "message": "enabling packageRules",
    "refs": "HEAD -> main, origin/main, origin/HEAD",
    "body": "",
    "author_name": "va-lgtm",
    "author_email": "81907578+va-lgtm@users.noreply.github.com"
  }
}
DEBUG: Setting git author name
{
  "gitAuthorName": "Renovate Bot"
}
DEBUG: Setting git author email
{
  "gitAuthorEmail": "bot@renovateapp.com"
}
DEBUG: Config file exists
{
  "fileName": "renovate.json"
}
DEBUG: Retrieving issueList
DEBUG: Retrieved 0 issues
DEBUG: Repo is onboarded
DEBUG: Found renovate.json config file
DEBUG: Repository config
{
  "fileName": "renovate.json",
  "config": {
    "$schema": "https://docs.renovatebot.com/renovate-schema.json",
    "vulnerabilityAlerts": {
      "enabled": true
    },
    "automerge": false
  }
}
DEBUG: migrateAndValidate()
DEBUG: No config migration necessary
DEBUG: massaged config
{
  "config": {
    "$schema": "https://docs.renovatebot.com/renovate-schema.json",
    "vulnerabilityAlerts": {
      "enabled": true
    },
    "automerge": false,
    "extends": [
      "github>whitesource/merge-confidence:beta"
    ]
  }
}
DEBUG: migrated config
{
  "config": {
    "$schema": "https://docs.renovatebot.com/renovate-schema.json",
    "vulnerabilityAlerts": {
      "enabled": true
    },
    "automerge": false,
    "extends": [
      "github>whitesource/merge-confidence:beta"
    ]
  }
}
DEBUG: Found repo ignorePaths
{
  "ignorePaths": [
    "**/node_modules/**",
    "**/bower_components/**"
  ]
}
DEBUG: detectSemanticCommits()
DEBUG: getCommitMessages
DEBUG: Semantic commits detection: unknown
DEBUG: No semantic commits detected
DEBUG: Setting branchPrefix: renovate/
DEBUG: Cannot read vulnerability alerts
DEBUG: No vulnerability alerts found
DEBUG: processRepo()
DEBUG: No baseBranches
DEBUG: extract()
DEBUG: Setting current branch to main
DEBUG: latest commit
{
  "branchName": "main",
  "latestCommitDate": "2021-04-04T21:18:53+09:00"
}
DEBUG: Using file match: (^|/)tasks/[^/]+\.ya?ml$ for manager ansible
DEBUG: Using file match: (^|/)requirements\.ya?ml$ for manager ansible-galaxy
DEBUG: Using file match: azure.*pipelines?.*\.ya?ml$ for manager azure-pipelines
DEBUG: Using file match: (^|/)batect(-bundle)?\.yml$ for manager batect
DEBUG: Using file match: (^|/)batect$ for manager batect-wrapper
DEBUG: Using file match: (^|/)WORKSPACE(|\.bazel)$ for manager bazel
DEBUG: Using file match: \.bzl$ for manager bazel
DEBUG: Using file match: buildkite\.ya?ml for manager buildkite
DEBUG: Using file match: \.buildkite/.+\.ya?ml$ for manager buildkite
DEBUG: Using file match: (^|/)Gemfile$ for manager bundler
DEBUG: Using file match: (^|/)Cargo.toml$ for manager cargo
DEBUG: Using file match: (^|/).circleci/config.yml$ for manager circleci
DEBUG: Using file match: (^|/)cloudbuild.ya?ml for manager cloudbuild
DEBUG: Using file match: (^|/)Podfile$ for manager cocoapods
DEBUG: Using file match: (^|/)([\w-]*)composer.json$ for manager composer
DEBUG: Using file match: (^|/)deps\.edn$ for manager deps-edn
DEBUG: Using file match: (^|/)docker-compose[^/]*\.ya?ml$ for manager docker-compose
DEBUG: Using file match: (^|/|\.)Dockerfile$ for manager dockerfile
DEBUG: Using file match: (^|/)Dockerfile\.[^/]*$ for manager dockerfile
DEBUG: Using file match: (^|/).drone.yml$ for manager droneci
DEBUG: Using file match: (^|/).gitmodules$ for manager git-submodules
DEBUG: Using file match: ^\.github\/workflows\/[^/]+\.ya?ml$ for manager github-actions
DEBUG: Using file match: \.gitlab-ci\.yml$ for manager gitlabci
DEBUG: Using file match: ^\.gitlab-ci\.yml$ for manager gitlabci-include
DEBUG: Using file match: (^|/)go.mod$ for manager gomod
DEBUG: Using file match: \.gradle(\.kts)?$ for manager gradle
DEBUG: Using file match: (^|/)gradle.properties$ for manager gradle
DEBUG: Using file match: (^|/)gradle.properties$ for manager gradle-lite
DEBUG: Using file match: \.gradle(\.kts)?$ for manager gradle-lite
DEBUG: Using file match: (^|/)gradle/wrapper/gradle-wrapper.properties$ for manager gradle-wrapper
DEBUG: Using file match: (^|/)requirements\.yaml$ for manager helm-requirements
DEBUG: Using file match: (^|/)values.yaml$ for manager helm-values
DEBUG: Using file match: (^|/)helmfile.yaml$ for manager helmfile
DEBUG: Using file match: (^|/)Chart.yaml$ for manager helmv3
DEBUG: Using file match: ^Formula/[^/]+[.]rb$ for manager homebrew
DEBUG: Using file match: \.html?$ for manager html
DEBUG: Using file match: (^|/)plugins\.(txt|ya?ml)$ for manager jenkins
DEBUG: Using file match: (^|/)kustomization\.yaml for manager kustomize
DEBUG: Using file match: (^|/)project\.clj$ for manager leiningen
DEBUG: Using file match: \.pom\.xml$ for manager maven
DEBUG: Using file match: (^|/)pom\.xml$ for manager maven
DEBUG: Using file match: (^|/)package.js$ for manager meteor
DEBUG: Using file match: (^|/)mix\.exs$ for manager mix
DEBUG: Using file match: ^.node-version$ for manager nodenv
DEBUG: Using file match: (^|/)package.json$ for manager npm
DEBUG: Using file match: \.(?:cs|fs|vb)proj$ for manager nuget
DEBUG: Using file match: \.(?:props|targets)$ for manager nuget
DEBUG: Using file match: \.config\/dotnet-tools\.json$ for manager nuget
DEBUG: Using file match: (^|/)\.nvmrc$ for manager nvm
DEBUG: Using file match: (^|/)([\w-]*)requirements.(txt|pip)$ for manager pip_requirements
DEBUG: Using file match: (^|/)setup.py$ for manager pip_setup
DEBUG: Using file match: (^|/)Pipfile$ for manager pipenv
DEBUG: Using file match: (^|/)pyproject\.toml$ for manager poetry
DEBUG: Using file match: (^|/)\.pre-commit-config\.yaml$ for manager pre-commit
DEBUG: Using file match: (^|/)pubspec\.ya?ml$ for manager pub
DEBUG: Using file match: (^|/)\.ruby-version$ for manager ruby-version
DEBUG: Using file match: \.sbt$ for manager sbt
DEBUG: Using file match: project/[^/]*.scala$ for manager sbt
DEBUG: Using file match: (^|/)setup\.cfg$ for manager setup-cfg
DEBUG: Using file match: (^|/)Package\.swift for manager swift
DEBUG: Using file match: \.tf$ for manager terraform
DEBUG: Using file match: (^|/)\.terraform-version$ for manager terraform-version
DEBUG: Using file match: (^|/)terragrunt\.hcl$ for manager terragrunt
DEBUG: Using file match: (^|/)\.terragrunt-version$ for manager terragrunt-version
DEBUG: Using file match: ^.travis.yml$ for manager travis
DEBUG: Matched 1 file(s) for manager npm: package.json
DEBUG: npm file package.json has name "vulnerabilityAlertsTest"
DEBUG: Detecting Lerna and Yarn Workspaces
DEBUG: Finding locked versions
DEBUG: Found package-lock.json for package.json
DEBUG: Found npm package files
DEBUG: Found 1 package file(s)
INFO: Dependency extraction complete
{
  "baseBranch": "main",
  "stats": {
    "managers": {
      "npm": {
        "fileCount": 1,
        "depCount": 1
      }
    },
    "total": {
      "fileCount": 1,
      "depCount": 1
    }
  }
}
DEBUG: Package releases lookups complete
{
  "baseBranch": "main"
}
DEBUG: branchifyUpgrades
DEBUG: 1 flattened updates found: node-forge
DEBUG: Returning 1 branch(es)
DEBUG: Fetching changelog: https://github.com/digitalbazaar/forge (0.9.2 -> 0.10.0)
DEBUG: config.repoIsOnboarded=true
DEBUG: packageFiles with updates
{
  "config": {
    "npm": [
      {
        "packageFile": "package.json",
        "deps": [
          {
            "depType": "devDependencies",
            "depName": "node-forge",
            "currentValue": "^0.9.1",
            "datasource": "npm",
            "prettyDepType": "devDependency",
            "lockedVersion": "0.9.2",
            "depIndex": 0,
            "updates": [
              {
                "currentVersion": "0.9.2",
                "newVersion": "0.10.0",
                "newValue": "^0.10.0",
                "bucket": "non-major",
                "newMajor": 0,
                "newMinor": 10,
                "updateType": "minor",
                "isSingleVersion": false,
                "isRange": true,
                "releaseTimestamp": "2020-09-02T02:06:56.960Z",
                "branchName": "renovate/node-forge-0.x"
              }
            ],
            "warnings": [],
            "sourceUrl": "https://github.com/digitalbazaar/forge",
            "fixedVersion": "0.9.2"
          }
        ],
        "packageJsonName": "vulnerabilityAlertsTest",
        "packageFileVersion": "1.0.0",
        "packageJsonType": "app",
        "npmLock": "package-lock.json",
        "managerData": {},
        "skipInstalls": true,
        "constraints": {},
        "lockFiles": [
          "package-lock.json"
        ]
      }
    ]
  }
}
DEBUG: processRepo()
DEBUG: Processing 1 branch: renovate/node-forge-0.x
DEBUG: Calculated maximum PRs remaining this run
{
  "prsRemaining": 99
}
DEBUG: PullRequests limit = 99
DEBUG: Calculated maximum branches remaining this run
{
  "branchesRemaining": 99
}
DEBUG: Branches limit = 99
DEBUG: processBranch with 1 upgrades(branch="renovate/node-forge-0.x")
DEBUG: Setting current branch to main(branch="renovate/node-forge-0.x")
DEBUG: latest commit(branch="renovate/node-forge-0.x")
{
  "branchName": "main",
  "latestCommitDate": "2021-04-04T21:18:53+09:00"
}
DEBUG: getBranchPr(renovate/node-forge-0.x)(branch="renovate/node-forge-0.x")
DEBUG: findPr(renovate/node-forge-0.x, undefined, open)(branch="renovate/node-forge-0.x")
DEBUG: Retrieving PR list(branch="renovate/node-forge-0.x")
DEBUG: Retrieved 0 Pull Requests(branch="renovate/node-forge-0.x")
DEBUG: findPr(renovate/node-forge-0.x, undefined, closed)(branch="renovate/node-forge-0.x")
DEBUG: branchExists=false(branch="renovate/node-forge-0.x")
DEBUG: Branch has 1 upgrade(s)(branch="renovate/node-forge-0.x")
DEBUG: recreateClosed is false(branch="renovate/node-forge-0.x")
DEBUG: findPr(renovate/node-forge-0.x, Update dependency node-forge to ^0.10.0, !open)(branch="renovate/node-forge-0.x")
DEBUG: prAlreadyExisted=false(branch="renovate/node-forge-0.x")
DEBUG: Checking schedule(at any time, null)(branch="renovate/node-forge-0.x")
DEBUG: No schedule defined(branch="renovate/node-forge-0.x")
DEBUG: Branch needs creating(branch="renovate/node-forge-0.x")
DEBUG: Using reuseExistingBranch: false(branch="renovate/node-forge-0.x")
DEBUG: manager.getUpdatedPackageFiles() reuseExistinbranch=false(branch="renovate/node-forge-0.x")
DEBUG: npm.updateDependency(): devDependencies.node-forge = ^0.10.0(branch="renovate/node-forge-0.x")
DEBUG: Updating node-forge in package.json(branch="renovate/node-forge-0.x")
DEBUG: Updated 1 package files(branch="renovate/node-forge-0.x")
DEBUG: Getting updated lock files(branch="renovate/node-forge-0.x")
DEBUG: Writing package.json files(branch="renovate/node-forge-0.x")
{
  "packageFiles": [
    "package.json"
  ]
}
DEBUG: Writing package-lock.json(branch="renovate/node-forge-0.x")
DEBUG: Writing any updated package files(branch="renovate/node-forge-0.x")
DEBUG: Writing package.json(branch="renovate/node-forge-0.x")
DEBUG: No npmrc file found in repository(branch="renovate/node-forge-0.x")
DEBUG: Writing updated .npmrc file to /mnt/renovate/gh/va-lgtm/vulnerability-alerts-test/.npmrc(branch="renovate/node-forge-0.x")
DEBUG: Generating package-lock.json for .(branch="renovate/node-forge-0.x")
DEBUG: Spawning npm install to create /mnt/renovate/gh/va-lgtm/vulnerability-alerts-test/package-lock.json(branch="renovate/node-forge-0.x")
DEBUG: No npm compatibility range found - installing npm latest(branch="renovate/node-forge-0.x")
DEBUG: Updating lock file only(branch="renovate/node-forge-0.x")
DEBUG: No node constraint found - using latest(branch="renovate/node-forge-0.x")
DEBUG: Using docker to execute(branch="renovate/node-forge-0.x")
DEBUG: No tag or tagConstraint specified(branch="renovate/node-forge-0.x")
{
  "image": "docker.io/renovate/node"
}
DEBUG: Fetching Docker image: docker.io/renovate/node(branch="renovate/node-forge-0.x")
DEBUG: Finished fetching Docker image(branch="renovate/node-forge-0.x")
DEBUG: Executing command(branch="renovate/node-forge-0.x")
{
  "command": "docker run --rm --name=renovate_node --label=renovate_child -v \"/mnt/renovate/gh/va-lgtm/vulnerability-alerts-test\":\"/mnt/renovate/gh/va-lgtm/vulnerability-alerts-test\" -v \"/tmp/renovate-cache\":\"/tmp/renovate-cache\" -e NPM_CONFIG_CACHE -e npm_config_store -w \"/mnt/renovate/gh/va-lgtm/vulnerability-alerts-test\" docker.io/renovate/node bash -l -c \"npm i -g npm && hash -d npm && npm install --package-lock-only --ignore-scripts --no-audit\""
}
DEBUG: exec completed(branch="renovate/node-forge-0.x")
{
  "cmd": "docker run --rm --name=renovate_node --label=renovate_child -v \"/mnt/renovate/gh/va-lgtm/vulnerability-alerts-test\":\"/mnt/renovate/gh/va-lgtm/vulnerability-alerts-test\" -v \"/tmp/renovate-cache\":\"/tmp/renovate-cache\" -e NPM_CONFIG_CACHE -e npm_config_store -w \"/mnt/renovate/gh/va-lgtm/vulnerability-alerts-test\" docker.io/renovate/node bash -l -c \"npm i -g npm && hash -d npm && npm install --package-lock-only --ignore-scripts --no-audit\"",
  "durationMs": 19893,
  "stdout": "/home/ubuntu/.npm-global/bin/npm -> /home/ubuntu/.npm-global/lib/node_modules/npm/bin/npm-cli.js\n/home/ubuntu/.npm-global/bin/npx -> /home/ubuntu/.npm-global/lib/node_modules/npm/bin/npx-cli.js\n+ npm@7.8.0\nadded 252 packages from 909 contributors in 15.332s\n\nup to date in 942ms\n",
  "stderr": ""
}
DEBUG: package-lock.json needs updating(branch="renovate/node-forge-0.x")
DEBUG: Updated 1 lock files(branch="renovate/node-forge-0.x")
{
  "updatedArtifacts": [
    "package-lock.json"
  ]
}
DEBUG: 2 file(s) to commit(branch="renovate/node-forge-0.x")
DEBUG: Committing files to branch renovate/node-forge-0.x(branch="renovate/node-forge-0.x")
DEBUG: git commit(branch="renovate/node-forge-0.x")
{
  "result": {
    "author": null,
    "branch": "renovate/node-forge-0.x",
    "commit": "8cc7aa8",
    "root": false,
    "summary": {
      "changes": 2,
      "insertions": 9,
      "deletions": 0
    }
  }
}
DEBUG: git push(branch="renovate/node-forge-0.x")
{
  "result": {
    "pushed": [
      {
        "deleted": false,
        "tag": false,
        "branch": true,
        "new": true,
        "alreadyUpdated": false,
        "local": "refs/heads/renovate/node-forge-0.x",
        "remote": "refs/heads/renovate/node-forge-0.x"
      }
    ],
    "branch": {
      "local": "renovate/node-forge-0.x",
      "remote": "renovate/node-forge-0.x",
      "remoteName": "origin"
    },
    "remoteMessages": {
      "all": [
        "Create a pull request for 'renovate/node-forge-0.x' on GitHub by visiting:",
        "https://github.com/va-lgtm/vulnerability-alerts-test/pull/new/renovate/node-forge-0.x"
      ],
      "pullRequestUrl": "https://github.com/va-lgtm/vulnerability-alerts-test/pull/new/renovate/node-forge-0.x"
    }
  }
}
INFO: Branch created(branch="renovate/node-forge-0.x")
{
  "commitSha": "8cc7aa8"
}
DEBUG: Ensuring PR(branch="renovate/node-forge-0.x")
DEBUG: There are 0 errors and 0 warnings(branch="renovate/node-forge-0.x")
DEBUG: getBranchPr(renovate/node-forge-0.x)(branch="renovate/node-forge-0.x")
DEBUG: findPr(renovate/node-forge-0.x, undefined, open)(branch="renovate/node-forge-0.x")
DEBUG: findPr(renovate/node-forge-0.x, undefined, closed)(branch="renovate/node-forge-0.x")
DEBUG: Creating PR(branch="renovate/node-forge-0.x")
{
  "prTitle": "Update dependency node-forge to ^0.10.0"
}
DEBUG: Creating PR(branch="renovate/node-forge-0.x")
{
  "title": "Update dependency node-forge to ^0.10.0",
  "head": "va-lgtm:renovate/node-forge-0.x",
  "base": "main",
  "draft": false
}
DEBUG: PR created(branch="renovate/node-forge-0.x")
{
  "pr": 1,
  "draft": false
}
DEBUG: Adding labels '' to #1(branch="renovate/node-forge-0.x")
INFO: PR created(branch="renovate/node-forge-0.x")
{
  "pr": 1,
  "prTitle": "Update dependency node-forge to ^0.10.0"
}
DEBUG: Created Pull Request #1(branch="renovate/node-forge-0.x")
DEBUG: Checking #1 for automerge(branch="renovate/node-forge-0.x")
{
  "automerge": false,
  "automergeType": "pr",
  "automergeComment": "automergeComment"
}
DEBUG: No automerge(branch="renovate/node-forge-0.x")
DEBUG: getBranchPr(renovate/node-forge-0.x)
DEBUG: findPr(renovate/node-forge-0.x, undefined, open)
DEBUG: Found PR #1
DEBUG: Returning from graphql open PR list
DEBUG: Removing any stale branches
DEBUG: config.repoIsOnboarded=true
DEBUG: Branch lists
{
  "branchList": [
    "renovate/node-forge-0.x"
  ],
  "renovateBranches": [
    "renovate/node-forge-0.x"
  ]
}
DEBUG: remainingBranches=
DEBUG: No branches to clean up
DEBUG: Repository timing splits (milliseconds)
{
  "splits": {
    "init": 2593,
    "extract": 1106,
    "lookup": 191,
    "update": 26553
  },
  "total": 30821
}
DEBUG: http statistics
{
  "hostStats": [
    "api.github.com, 7 requests, 406ms request average, 0ms queue average",
    "registry.npmjs.org, 1 request, 68ms request average, 0ms queue average"
  ],
  "totalRequests": 8
}
INFO: Repository finished
{
  "durationMs": 30821
}

[rarkins]

I'm not looking at the config at all yet, because the log DEBUG: Cannot read vulnerability alerts usually indicates a permissions problem [Update: no it doesn't, it just means there are zero alerts] so I want to check that first. Please got to https://github.com/apps/renovate, Configure it for the applicable account, and then you should get to a URL like https://github.com/settings/installations/12345678. Scroll down and see what it says in this section:

[rarkins]

There's currently no PR created because Renovate's npm vulnerability remediation doesn't support v2 lockfiles (i.e. npm@7). This should be fixed in the app soon, here's a demo of it working locally with my fork: renovate-tests/va_test2#1

[va-lgtm]

Thank you for your kind help.

I confirmed that a pull request with the security label was created in my repository as well.
va-lgtm/va_test2#2

I'm thinking of changing the configuration a bit to see how it works, and finally using the docker command to see if it works.

If something comes up that I don't understand at that time, I will ask you again.
So, I would appreciate it if you could give me some time to check how it works.

[rarkins]

FYI I needed to roll back the npm@7 remediation support due to a bug, so please use npm@6 in the meantime if you need this

[rarkins]

Also please create a new discussion if you have future questions. This one is already quite long and changed topic.

[va-lgtm]

FYI I needed to roll back the npm@7 remediation support due to a bug, so please use npm@6 in the meantime if you need this

I understand.
Thank you for your warning.

Also please create a new discussion if you have future questions. This one is already quite long and changed topic.

I understand.
If another question comes up, I will create another discussion.
You are welcome to close this discussion.

Thank you very much for your kind help.