Dependabot is reporting a vulnerability on my repository despite using @v2 as shown in the README and the security advisor. The team works with Dependabot to ensure no false positives are reported on v2. If Dependabot is unwilling to fix its false positive report, then there should be a mention that Dependabot is wrong somewhere in the documentation or simply release v3 based on v2.4.2.
Thanks Daniel. This is a limitation with Dependabot, and I raised an issue here https://github.com/orgs/community/discussions/54553. At this stage, there's no way to use v2 and avoid the security warning: you just need to "ignore" the warning in your repository.
I've been reluctant to bump to a new major version just to avoid a bug in Dependabot, but I will certainly consider accelerating the timeframe to release version 3.x.
A PR to update the readme would be appreciated :).