An alert can be reopened after being acknowledged, but closing an alert is irreversible.
We generally close an alert in one of these two cases:
- the alert doesn't apply to the project and never did; the exploit relies on a particular setting or a particular feature that's not used in the project
- a workaround has been implemented or a patch has been deployed; the project still depends on a vulnerable version of its dependency but it's not at risk anymore
Once the alert is closed, the dependency doesn't have the red color anymore.
Users may acknowledge an alert if it's legitimate but causes too much noise, in which case we want to turn the notifications off for this particular alert. The dependency affected by the alert keeps its red color.