If you’re using pnpm as a package manager and Dependabot for security alerts, be aware: if you’re running pnpm v9, Dependabot will no longer flag updates for components with known vulnerabilities, because it does not support the v9 lock file format (`lockfileVersion: '9.0'` in `pnpm-lock.yaml`).
It’s a known issue internally at GitHub, but it caught us out after we upgraded from v8 to v9 – we only noticed a few weeks later that alerts had stopped, as Dependabot doesn’t actually tell you that it’s no longer able to provide these updates.
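The failure mode here is that the alerts stop silently. A small guard in CI makes the gap visible instead. The following POSIX shell script is an added example, not code from the original post or from Dependabot: it reads `lockfileVersion` from `pnpm-lock.yaml` (pnpm 9 writes `lockfileVersion: '9.0'`, pnpm 8 writes `'6.0'`, older versions an unquoted `5.x`) and fails the step when the version is one Dependabot cannot parse. The list of unsupported versions (`9.0`) is taken from the post and is an assumption to revisit as Dependabot's support changes; the `pnpm audit` fallback it points to is a suggested workaround, not something the post describes.

```shell
#!/bin/sh
# Hypothetical CI guard (added example, not from the original post).
# Assumes pnpm-lock.yaml begins with a line such as
#   lockfileVersion: '9.0'   (pnpm 9)
#   lockfileVersion: '6.0'   (pnpm 8)
#   lockfileVersion: 5.4     (pnpm 7 and earlier)
# DEPENDABOT_UNSUPPORTED is an assumption based on the post; update it as
# Dependabot gains support for newer lockfile versions.
DEPENDABOT_UNSUPPORTED="9.0"

# Print the lockfileVersion value of the given pnpm-lock.yaml, quotes stripped.
# Prints nothing if the key is absent.
lockfile_version() {
  sed -n "s/^lockfileVersion: *'\{0,1\}\([0-9.]*\)'\{0,1\}.*/\1/p" "$1" | head -n 1
}

# Return 0 if Dependabot can parse this lockfile version, 1 if it is listed
# as unsupported.
dependabot_supports() {
  for v in $DEPENDABOT_UNSUPPORTED; do
    [ "$1" = "$v" ] && return 1
  done
  return 0
}

# CI entry point: exit 0 when alerts are expected to work, 1 when Dependabot
# would silently skip this lockfile, 2 when the file has no version line.
check_lockfile() {
  ver=$(lockfile_version "$1")
  if [ -z "$ver" ]; then
    echo "no lockfileVersion found in $1" >&2
    return 2
  fi
  if dependabot_supports "$ver"; then
    echo "pnpm lockfileVersion $ver: Dependabot alerts expected to work"
    return 0
  fi
  echo "pnpm lockfileVersion $ver: Dependabot cannot parse this lockfile," >&2
  echo "so no vulnerability alerts will be raised for it." >&2
  echo "Run 'pnpm audit --audit-level=high' in this pipeline as a fallback." >&2
  return 1
}
```

Invoke it as `check_lockfile pnpm-lock.yaml` from a CI step; a non-zero exit turns the silent loss of alerts into a visible red build, which is the property the post says Dependabot itself does not give you.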