Should I close or acknowledge a security alert?

Users may acknowledge an alert if they don't want to be notified about it anymore. If the alert doesn't apply to the project, they simply close it.

An alert can be reopen after being acknowledged but closing an alert is irreversible.

We generally close an alert in one of these two cases:

- the alert doesn't apply to the project and never did; the exploit relies on a particular setting or a particular feature that's not used in the project
- a workaround has been implemented or a patch has been deployed; the project still depends on a vulnerable version of its dependency but it's not at risk anymore

Once the alert is closed, the dependency doesn't have the red color anymore.

Users may acknowledge an alert if it's legitimate but causes too much noise, in which case we want to turn the notifications off for this particular alert. The dependency affected by the alert keeps its red color.

Feedback and Knowledge Base