Renovate not creating PRs to update npm security vulnerabilities by Dependabot

[pbas-bs]

What would you like help with?

I would like help with my configuration

How are you running Renovate?

Mend Renovate hosted app on github.com

If you're self-hosting Renovate, tell us which platform (GitHub, GitLab, etc) and which version of Renovate.

No response

Please tell us more about your question or problem

I am trying to have Renovate open a PR when Dependabot alerts a security vulnerability.
I created a minimal example here: https://github.com/pbas-bs/renovate-npm-test

I have a security vulnerability reported:

My renovate configuration enables security vulnerabilities and transitive remediation:

{
  $schema: "https://docs.renovatebot.com/renovate-schema.json",
  extends: [
    "config:base",
    "schedule:weekly",
    ":autodetectPinVersions",
    ":enableVulnerabilityAlerts",
    ":labels(dependencies)",
    ":preserveSemverRanges",
    ":prImmediately",
    ":rebaseStalePrs",
    ":semanticCommits",
    ":semanticPrefixChore",
    ":separateMajorReleases",
    ":timezone(Europe/Rome)",
  ],
  packageRules: [
    {
      groupName: "node minor + patch dependencies",
      matchManagers: ["npm"],
      matchUpdateTypes: ["minor", "patch"],
    },
  ],
  draftPR: true,
  reviewersFromCodeOwners: false,
  reviewersSampleSize: 1,
  stabilityDays: 2,
  vulnerabilityAlerts: {
    enabled: true,
    draftPR: false,
    reviewersFromCodeOwners: true,
  },
  prConcurrentLimit: 3,
  prHourlyLimit: 2,
  enabledManagers: ["npm"],
  transitiveRemediation: true,
}

From the logs it appears as Renovate finds the two allerts.
Full logs: https://gist.github.com/pbas-bs/3e49d8f885d19a04ac9a930425788724

Logs (if relevant)

Logs

DEBUG: alert package rules
{
  "alertPackageRules": [
    {
      "matchDatasources": [
        "npm"
      ],
      "matchPackageNames": [
        "nth-check"
      ],
      "matchCurrentVersion": "= 1.0.2",
      "matchFileNames": [
        "package-lock.json"
      ]
    },
    {
      "matchDatasources": [
        "npm"
      ],
      "matchPackageNames": [
        "postcss"
      ],
      "matchCurrentVersion": "= 7.0.39",
      "matchFileNames": [
        "package-lock.json"
      ]
    }
  ]
}
...
DEBUG: 2 flattened updates found: nth-check, postcss
DEBUG: Returning 2 branch(es)
DEBUG: config.repoIsOnboarded=true

[viceice]

check packageFiles with updates message. renovate can't update transitive npm dependencies

[SchroederSteffen]

Thanks for the clarification. Got it.
Then, I would suggest to rewrite it as follows:

It's possible to get lockfile-only remediations when the affected direct dependency is not pinned in your package.json

Right, we also don't pin our libraries' non-dev dependencies. All others are pinned, though, leading to a reduced scope/usefulness of the current implementation.

[SchroederSteffen]

All others are pinned, though, leading to a reduced scope/usefulness of the current implementation.

Well, since the mentioned case is only about vulnerable direct dependencies, it's already quite limited anyways.
I was actually looking for transitive remediations, since most vulnerabilities are reported for transient dependencies.

[HonkingGoose]

I was confused by the documentation:

I'm improving the docs with this PR:

• docs(config options): rewrite transitiveRemediation #28732

[SchroederSteffen]

Many thanks for your effort @HonkingGoose, even if it was in vain. 👍

[HonkingGoose]

Thank you for the kind words! ❤️

We're dropping the feature soon, so we don't need the docs improvement either. 🙃