renovatebot / app-support

Discussion/support issues for the hosted Renovate App

npm audit fix #82

Closed broksonic21 closed 4 years ago

broksonic21 commented 4 years ago

With npm turned on, we see our package.json get bumped, but that often still leaves npm audit warnings in the package-lock.json.

Is there a way to get the equivalent of npm audit fix to automatically run?

Or is that because we don't have package-lock.json listed here in includePaths?

"automerge": true,
"rangeStrategy": "bump",
"enabledManagers": ["npm"],
"includePaths": ["package.json"],

rarkins commented 4 years ago

Sorry, that's not functionality we support, although if running on GitHub then we do attempt to reuse their vulnerability alerts. Adding package-lock.json won't work, and actually your includePaths isn't necessary either.