The dependency vulnerability gap that CI/CD can’t fix

1d ago · 3 min read · Every project I’ve worked on has the same setup: osv-scanner or Dependabot wired into CI, which fails the build if a known CVE is found. It feels complete. It isn't. Here’s the gap: CI runs at push ti