I've just started to use Dependabot and encountered an issue with one of its alerts. I was looking for an answer on how to handle such vulnerabilities, but didn't find any proper resource. What I can see is that it is a dependency of my dependencies, so it affects the package-lock file.
Here is what Dependabot provided:
Dependabot cannot update glob-parent to a non-vulnerable version
The latest possible version that can be installed is 3.1.0 because of the following conflicting dependencies:
eslint@8.8.0 requires glob-parent@^6.0.1
postcss-mixins@6.2.3 requires glob-parent@^3.1.0 via a transitive dependency on fast-glob@2.2.7
The earliest fixed version is 5.1.2.
I don't have glob-parent in my package.json file - it is just a dependency of my other dependencies. What is the right approach to handling such alerts? Should I dismiss it? As far as I know, manually changing package-lock is not the way to go.
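For reference, here is an added example (not part of the question above) of the npm `overrides` field, which lets a package.json force the version of a transitive dependency without hand-editing package-lock.json; npm has supported `overrides` since version 8.3. The package name `example-app` is constructed; the `eslint`, `postcss-mixins` and `fast-glob` versions and the fixed `glob-parent` version are the ones quoted in the Dependabot message. The override is nested under `postcss-mixins` and `fast-glob` so that only the copy Dependabot could not update is affected, while the `glob-parent@^6.0.1` that eslint requires is left alone (a top-level `"glob-parent": "^5.1.2"` would also be applied to eslint's copy and would not satisfy its `^6.0.1` range). It assumes that glob-parent 5.1.2 is compatible with how fast-glob 2.2.7 uses it; since 3.x to 5.x is a major-version jump the fast-glob authors did not declare, that assumption has to be checked by running the project's build and tests.

```json
{
  "name": "example-app",
  "version": "1.0.0",
  "dependencies": {
    "eslint": "8.8.0",
    "postcss-mixins": "6.2.3"
  },
  "overrides": {
    "postcss-mixins": {
      "fast-glob": {
        "glob-parent": "^5.1.2"
      }
    }
  }
}
```

After adding the field, run `npm install` so that npm regenerates package-lock.json itself, then `npm ls glob-parent` to confirm which version each dependent now resolves to and `npm audit` to confirm the advisory no longer matches. If the build or tests break under the override, the remaining options are to wait for the upstream package to update its own dependency range, or to dismiss the alert with a recorded reason if the vulnerable code path is not reachable in the project.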