Jeremy Long

Thanks @mysmlz - however, this change is not complete - as you cannot collapse the `Published Vulnerabilities` section after the update. This is because line 40 needs to be updated...

Simple enough request - a log message when a rule is not used will be included in the next release.

Pretty sure this will be fixed in 6.5.0 which was slightly delayed but should be released this weekend.

We would need a sample DLL that causes the exception and/or the log file (i.e. `depcheck.log` from your example above).

Did you include the `regex="true"` attribute? ```xml ^cpe:/a:\*:Grpc.Core.Api:__GRPC_NUGET_VERSION__.*$ ```

Sorry - just circling back through old questions. If this is still a problem can you provide the Package URL from the HTML report?

I've never really analyzed what the recommended system requirements would be.

Do you have a sample project that can demonstrate this?

That is likely the issue - you are scanning the project deployment not the build. Dependency-check is really designed to, for most supported technology stacks, to scan the build files....

Does `npm audit` identify the vulnerable component?