Previously, Dependabot couldn't generate a security update for a transitive dependency when its parent dependency required an incompatible specific version range. In this locked state, developers had to manually upgrade the parent and transitive dependencies.
Now, Dependabot will be able to create pull requests for npm projects that upgrade both the parent and child dependencies together.
For example, suppose a vulnerability in the transitive dependency `node-forge` triggers a Dependabot alert and a PR can be created.

Prior to this change, Dependabot would fail to create a security update for the transitive dependency 😕. But not anymore! 😀 Now, Dependabot will unlock the `node-forge` security update by bumping the parent `webpack-dev-server` version in addition to patching the `node-forge` dependency within the same pull request!
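A small audit script, added here as an illustration (it is not Dependabot's code and not part of this changelog), reproduces the "locked" condition described above: it reads a constructed `package-lock.json` fragment and reports which parent declares a range on `node-forge` that excludes an assumed patched version. Only plain `^x.y.z` ranges are handled, and every version number in it is made up for the example.

```javascript
// Constructed lockfile fragment (lockfileVersion 2/3 "packages" map), not a
// real project's lockfile. All versions here are made-up sample values.
const lock = {
  packages: {
    "node_modules/webpack-dev-server": {
      version: "3.11.2",
      dependencies: { "node-forge": "^0.9.0" },
    },
    "node_modules/node-forge": { version: "0.9.0" },
  },
};

function parse(v) { return v.split(".").map(Number); }

// Caret-range check for the common "^x.y.z" form only (assumption: no
// prerelease tags, no "||", no hyphen or "x" ranges). Returns true when
// `version` satisfies `range` under npm's caret semantics.
function satisfiesCaret(range, version) {
  if (!range.startsWith("^")) throw new Error("only ^x.y.z ranges supported");
  const lo = parse(range.slice(1));
  const v = parse(version);
  for (let i = 0; i < 3; i++) {           // lower bound: version >= lo
    if (v[i] > lo[i]) break;
    if (v[i] < lo[i]) return false;
  }
  // Upper bound: every component up to and including the first non-zero
  // component of lo must match (^1.2.3 -> <2.0.0, ^0.9.0 -> <0.10.0).
  const idx = lo.findIndex((n) => n !== 0);
  const fixedUpTo = idx === -1 ? 2 : idx;
  for (let i = 0; i <= fixedUpTo; i++) if (v[i] !== lo[i]) return false;
  return true;
}

// List every parent that declares a range on `name` and whether that range
// admits `fixedVersion`. A parent with admitsFix === false is what locks the
// transitive dependency: it has to be bumped in the same update.
function blockingParents(lockfile, name, fixedVersion) {
  const result = [];
  for (const [path, pkg] of Object.entries(lockfile.packages)) {
    const range = pkg.dependencies && pkg.dependencies[name];
    if (!range) continue;
    const parent = path.replace(/^node_modules\//, "");
    result.push({ parent, range, admitsFix: satisfiesCaret(range, fixedVersion) });
  }
  return result;
}

// Assumed (made-up) patched version of node-forge for the demonstration.
console.log(blockingParents(lock, "node-forge", "1.0.0"));
```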
This change will apply to pull requests generated by Dependabot that update vulnerable