kuma-website
Dependabot seems to be unable to create PRs for vulnerable dependencies
Issue edited (original content below)
What happened?
Our GH dependabot seems to be unable to open PRs to fix vulnerable dependencies: https://github.com/kumahq/kuma-website/security/dependabot
This might be due to dependencies having exact version requirement.
Need to investigate and fix this.
~~Our GH security advisories / dependabot updates seem not to be working.~~
~~When going to https://github.com/kumahq/kuma-website/security/advisories we don't see any security advisories listed, but running yarn audit shows vulnerabilities:~~
yarn audit
...
99 vulnerabilities found - Packages audited: 1544
Severity: 2 Low | 33 Moderate | 56 High | 8 Critical
~~We need to fix this and have an automatic update mechanism just like in Kuma.~~
https://github.com/kumahq/kuma-website/security/dependabot
Security advisories are things that are manually written and released by us.
I don't have access (404 not found). Even if it's listed there, there should be a dependabot update PR for each of these, right?
Potentially, but dependabot can't update every dependency if it's not compatible with the constraints we have.
Buggy behavior from dependabot here? Looking at https://github.com/kumahq/kuma-website/security/dependabot/47 we see that 4.1.0 is vulnerable, which is in yarn.lock. But we see "No security update is needed as ansi-regex is no longer vulnerable." However, in the logs:
updater | INFO <job_433101476> Checking if ansi-regex 2.1.1 needs updating
proxy | 2022/08/03 10:03:37 [016] GET https://registry.npmjs.org:443/ansi-regex
proxy | 2022/08/03 10:03:38 [016] 200 https://registry.npmjs.org:443/ansi-regex
proxy | 2022/08/03 10:03:38 [018] GET https://registry.npmjs.org:443/ansi-regex/6.0.1
proxy | 2022/08/03 10:03:38 [018] 200 https://registry.npmjs.org:443/ansi-regex/6.0.1
updater | INFO <job_433101476> Latest version is 6.0.1
updater | INFO <job_433101476> no security update needed as ansi-regex is no longer vulnerable
updater | INFO <job_433101476> Finished job processing
updater | INFO Results:
updater | Dependabot encountered '1' error(s) during execution, please check the logs for more details.
updater | time="2022-08-03T10:03:38Z" level=info msg="task complete" container_id=job-433101476-updater exit_code=0
But we're apparently nevertheless using 4.1.0 and not using 6.0.1 at all, so this doesn't seem right.
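A check for the situation described above, as an added example that is not from this thread or the kuma-website repo: it parses a yarn.lock (v1) to enumerate every resolved version of a package, instead of trusting the single copy the updater checked, and flags the ones inside a given vulnerable range. The sample lockfile and the ansi-regex ranges are assumptions constructed for the example.

```python
# Enumerate every resolved copy of a package in a yarn.lock (v1 format) and
# flag those inside a vulnerable version range. Added example; the lockfile
# and the ranges below are constructed for illustration, not taken from the repo.
import re

def parse_version(v):
    """'4.1.0' -> (4, 1, 0); assumes plain x.y.z versions without prerelease tags."""
    return tuple(int(p) for p in v.split("."))

def resolved_versions(lock_text):
    """Map package name -> set of versions present in the lockfile. One name can
    resolve to several versions, which is exactly the case in the thread above."""
    found, names = {}, []
    for line in lock_text.splitlines():
        if line and not line.startswith((" ", "#")) and line.rstrip().endswith(":"):
            names = []  # entry header: "name@range, name@range:"
            for spec in line.rstrip()[:-1].split(","):
                spec = spec.strip().strip('"')
                names.append(spec[:spec.rfind("@")])  # keeps a "@scope/" prefix
        elif names:
            m = re.match(r'\s+version\s+"([^"]+)"', line)
            if m:
                for n in names:
                    found.setdefault(n, set()).add(m.group(1))
    return found

def vulnerable_versions(lock_text, package, ranges):
    """Sorted resolved versions of `package` inside any [lo, hi) range."""
    hits = []
    for v in resolved_versions(lock_text).get(package, ()):
        pv = parse_version(v)
        if any(parse_version(lo) <= pv < parse_version(hi) for lo, hi in ranges):
            hits.append(v)
    return sorted(hits, key=parse_version)

# Constructed lockfile: two copies of ansi-regex, as in the kuma-website case.
SAMPLE_LOCK = '''\
# yarn lockfile v1
"@scope/pkg@^1.0.0":
  version "1.2.3"

ansi-regex@^2.0.0:
  version "2.1.1"

ansi-regex@^4.0.0, ansi-regex@^4.1.0:
  version "4.1.0"
'''
# Assumed vulnerable ranges for ansi-regex ([lo, hi) pairs); verify against the advisory.
ANSI_REGEX_RANGES = [("3.0.0", "3.0.1"), ("4.0.0", "4.1.1"),
                     ("5.0.0", "5.0.1"), ("6.0.0", "6.0.1")]
```

Running `vulnerable_versions(SAMPLE_LOCK, "ansi-regex", ANSI_REGEX_RANGES)` reports only the 4.1.0 copy, while the 2.1.1 copy that the updater log above checked is outside every range.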
Triage: there is a problem with dependabot configuration (https://github.com/kumahq/kuma-website/network/updates). We think that current dependabot PRs are security updates from Github.
This issue was inactive for 90 days. It will be reviewed in the next triage meeting and might be closed. If you think this issue is still relevant, please comment on it or attend the next triage meeting.
Should we use our security update github action for this repo as well? I'm putting this back to triage to discuss with the team.
Triage: still the case. Let's try this with dependabot. Our security update tool may not work with Ruby.
This issue was inactive for 90 days. It will be reviewed in the next triage meeting and might be closed. If you think this issue is still relevant, please comment on it or attend the next triage meeting.