
Using pnpm & dependabot? Security alerts silently cease when you upgrade to v9

If you’re using pnpm as a package manager and Dependabot for security alerts, be aware: once you are on pnpm v9, Dependabot no longer flags required updates for components with known vulnerabilities, because it does not support the v9 lock file format (pnpm-lock.yaml). The alerts simply stop; there is no error or warning.

It’s a known issue internally at GitHub, but it caught us out after we upgraded from v8 to v9. We only noticed a few weeks later that alerts had stopped, as Dependabot doesn’t actually tell you that it’s no longer able to provide these updates.

The GitHub issue is logged here.
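The practical fix for a silent failure like this is to make it loud: a CI check that fails the build when the lock file is in a format Dependabot will not process. The following is an added example, not code from the original post or from GitHub or pnpm. It assumes pnpm 9 writes `lockfileVersion: '9.0'` to pnpm-lock.yaml and pnpm 8 writes `lockfileVersion: '6.0'`; the `UNSUPPORTED` set encodes what the post reports (v9 lock files are skipped) and should be emptied once GitHub ships v9 support. The sample lock files are constructed inline so the check runs offline.

```python
"""CI guard: fail loudly when pnpm-lock.yaml is in a lock file format that
Dependabot does not process, instead of letting security alerts silently stop.

Added example, not from the original post. Assumes pnpm 9 writes
`lockfileVersion: '9.0'` and pnpm 8 writes `lockfileVersion: '6.0'`.
"""
import re
import sys
from pathlib import Path
from typing import Optional

# Lock file versions Dependabot could not parse at the time of the post
# (assumption based on the post: pnpm 9 lock files are skipped silently).
# Empty this set once the GitHub issue is resolved.
UNSUPPORTED = {"9.0"}

# Matches the top-level `lockfileVersion:` key. pnpm 7 wrote it unquoted
# (5.4), pnpm 8/9 quote it ('6.0', '9.0'); the regex accepts both forms.
_VERSION_RE = re.compile(r"^lockfileVersion:\s*['\"]?([0-9.]+)['\"]?\s*$", re.MULTILINE)


def lockfile_version(text: str) -> Optional[str]:
    """Return the lockfileVersion string, or None if the key is absent."""
    m = _VERSION_RE.search(text)
    return m.group(1) if m else None


def dependabot_supported(text: str) -> bool:
    """True if Dependabot is expected to parse this lock file.

    An unparsable or versionless file is treated as unsupported: the whole
    point of the guard is to never pass silently on something it cannot read.
    """
    version = lockfile_version(text)
    if version is None:
        return False
    return version not in UNSUPPORTED


def check_lockfile(path: Path) -> int:
    """Exit-code style result: 0 if supported, 1 if Dependabot would skip it."""
    if not path.is_file():
        print(f"{path}: no lock file found", file=sys.stderr)
        return 1
    text = path.read_text(encoding="utf-8")
    version = lockfile_version(text)
    if dependabot_supported(text):
        print(f"{path}: lockfileVersion {version} is processed by Dependabot")
        return 0
    print(
        f"{path}: lockfileVersion {version!r} is NOT processed by Dependabot; "
        "security alerts for this project are silently disabled",
        file=sys.stderr,
    )
    return 1


# Constructed sample lock file headers (not real project data).
SAMPLE_V9 = "lockfileVersion: '9.0'\n\nsettings:\n  autoInstallPeers: true\n\nimporters:\n  .:\n    dependencies: {}\n"
SAMPLE_V8 = "lockfileVersion: '6.0'\n\nsettings:\n  autoInstallPeers: true\n\ndependencies: {}\n"
SAMPLE_V7 = "lockfileVersion: 5.4\n\nspecifiers: {}\n"


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else Path("pnpm-lock.yaml")
    sys.exit(check_lockfile(target))
```

Run it as a step in the same workflow that installs dependencies (`python check_lockfile.py pnpm-lock.yaml`); a red build the day the lock file format changes is far cheaper than discovering weeks later that no alerts were ever raised. While the gap exists, `pnpm audit` run in CI against the same lock file gives an independent vulnerability check that does not depend on Dependabot parsing it.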
