Missing Dependabot Alerts and Security updates


After testing out this workflow, I see that it uploads the dependency graph, but I am not receiving Dependabot alerts, as [mentioned](https://github.com/erlef/mix-dependency-submission#:~:text=%F0%9F%94%90%20Stay%20secure%20%E2%80%93%20Receive%20Dependabot%20alerts%20and%20security%20updates%20for%20known%20vulnerabilities%20in%20your%20direct%20and%20transitive%20dependencies.) in the Readme.

I've set up an [example project](https://github.com/zidik/elixir_security_example) with two vulnerabilities:
* (Critical) [CVE-2017-20166](https://github.com/advisories/GHSA-4r2f-6fm9-2qgh) Ecto lacks a protection mechanism, version 2.2.0
* (Low) [CVE-2025-1211](https://github.com/advisories/GHSA-vq52-99r9-h5pw) Server-side Request Forgery (SSRF) in hackney, versions before 1.21.1.

Thanks to this workflow, Github has the [full dependency tree](https://github.com/zidik/elixir_security_example/network/dependencies). It recognizes both depencencies (Ecto 2.0.0 and Hackney 1.17). Both of them are in GitHub Security Advisory Database (see links above), but [no alerts](https://github.com/zidik/elixir_security_example/security) are generated from Dependabot.

<img width="460" height="96" alt="Dependabot security alerts enabled" src="https://github.com/user-attachments/assets/70651f7d-7f9d-4b0b-859e-d7f35a63fe50" />

Am I missing something?


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Missing Dependabot Alerts and Security updates #189

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Uh oh!

Missing Dependabot Alerts and Security updates #189

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions