Dependabot "No security update is needed as ansi-regex is no longer vulnerable"
Dependabot first reported and then retracted a security problem in a package. The basis of the retraction isn't given, just that the package "is no longer vulnerable." That makes no sense. The original CVE is still out there and the affected code is still referenced.


On investigation I find that the given package is in yarn.lock twice, once in a version that contains the vulnerability and later in a version that contains the patch:

    ansi-regex@^2.0.0:
      version "2.1.1"
    ansi-regex@^5.0.0:
      version "5.0.0"

I'd be grateful for any way to make sense of this.
Actable answered 5/11, 2021 at 20:44 Comment(2)
This may be a Dependabot bug: github.com/dependabot/dependabot-core/issues/4222 (Actable)
Perhaps try running `yarn list ansi-regex` to see why you appear to have multiple ansi-regex versions installed? (Sixtyfourmo)
If you landed on this question due to your own "no longer vulnerable" error in a different package: you may still be vulnerable.

According to one of the Dependabot maintainers, the (suspected) most common cause of "no longer vulnerable" is when you are using multiple versions of the same dependency, and one of them is vulnerable, but not the lowest version. The maintainer's post says, in part:

Here's my current understanding:

  1. The alerts are triggered by manifest parsing code that is a separate code path from dependabot-core's parsing code. So if the alert manifest parsing code thinks the repo is still vulnerable, the alert will persist.
  2. npm allows multiple versions of a dependency in the dep tree... and these are used in the code at runtime... the newest is not superseding the old one. So if those exist, you're still vulnerable.
  3. dependabot-core has a known bug where it only updates the lowest version of a dependency... so Dependabot may try to create a PR, then report that npm is no longer vulnerable, when in fact a later version of the dependency is vulnerable and is still in the tree. That's tracked in "npm erroneously reports no longer vulnerable with multiple versions of dependency" (#5741).
  4. The alerts are generated based on information in the GitHub advisory database. So if that database lists all versions > 0.16.5 as vulnerable, but the maintainer just pushed v0.17.0 which fixes the issue, then the alert will not disappear until the advisory database is updated. Thankfully, you can submit a PR to the advisory DB to fix an incorrect version specifier.

So I suspect that the majority of these cases are symptoms of #5741.

Dependabot issue #5741 says:

when there is a vulnerability that affects some versions of the dependency but not the lowest version. In this case Dependabot incorrectly reports that no security update is needed.

Hurless answered 10/10, 2022 at 18:55 Comment(0)
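The multiple-versions failure mode described in this answer, as an added example that is not part of the original thread and not Dependabot's own code: a small Node.js script that parses a yarn.lock v1 fragment, lists every resolved version of a package, and checks each one against an affected-version list. The lockfile text and the affected ranges are constructed for illustration (the ranges are chosen to agree with what the page reports for 3.0.0, 4.1.0 and 2.1.1, not copied from the advisory database), and all function names are hypothetical. It contrasts the lowest-version-only verdict with a verdict over every installed copy.

```javascript
// Added example: not from the original post and not dependabot-core's code.
// Parses a yarn.lock v1 file, collects every resolved version of a package,
// and checks each against an affected-version list. Shows why looking only
// at the lowest resolved version can say "no longer vulnerable" while a
// vulnerable copy is still installed and used at runtime.

// Constructed yarn.lock v1 fragment: three specifier ranges of ansi-regex
// resolve to three different versions, all of which live in node_modules.
const SAMPLE_YARN_LOCK = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


ansi-regex@^2.0.0:
  version "2.1.1"
  resolved "https://registry.yarnpkg.com/ansi-regex/-/ansi-regex-2.1.1.tgz"

ansi-regex@^3.0.0:
  version "3.0.0"
  resolved "https://registry.yarnpkg.com/ansi-regex/-/ansi-regex-3.0.0.tgz"

"ansi-regex@^4.0.0", "ansi-regex@^4.1.0":
  version "4.1.0"
  resolved "https://registry.yarnpkg.com/ansi-regex/-/ansi-regex-4.1.0.tgz"

strip-ansi@^3.0.0:
  version "3.0.1"
  resolved "https://registry.yarnpkg.com/strip-ansi/-/strip-ansi-3.0.1.tgz"
  dependencies:
    ansi-regex "^2.0.0"
`;

// Hypothetical affected ranges, constructed so that 3.0.0 and 4.1.0 are
// affected and 2.1.1 is not (as the page reports). NOT the advisory DB's data.
// Each entry is [inclusive lower bound, exclusive upper bound].
const AFFECTED_RANGES = {
  'ansi-regex': [
    ['3.0.0', '3.0.1'],
    ['4.0.0', '4.1.1'],
  ],
};

// Minimal yarn.lock v1 parser: an unindented line ending in ':' opens an
// entry and carries one or more quoted/unquoted "name@range" specifiers;
// the indented `version "x.y.z"` line below it is the resolved version.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const line of text.split(/\r?\n/)) {
    if (line.startsWith('#') || line.trim() === '') continue;
    if (!line.startsWith(' ')) {
      const specs = line.replace(/:\s*$/, '').split(',')
        .map(s => s.trim().replace(/^"|"$/g, ''));
      current = { specs, version: null };
      entries.push(current);
    } else if (current) {
      const m = /^\s+version\s+"([^"]+)"/.exec(line);
      if (m) current.version = m[1];
    }
  }
  return entries;
}

// "@scope/name@^1.0.0" or "name@^2.0.0" -> package name (split on last '@').
function packageName(spec) {
  const i = spec.lastIndexOf('@');
  return i > 0 ? spec.slice(0, i) : spec;
}

function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Every distinct version of `name` the lockfile resolves to, lowest first.
function resolvedVersions(lockText, name) {
  const versions = new Set();
  for (const e of parseYarnLock(lockText)) {
    if (e.version && e.specs.some(s => packageName(s) === name)) versions.add(e.version);
  }
  return [...versions].sort(compareSemver);
}

function isAffected(name, version, ranges = AFFECTED_RANGES) {
  return (ranges[name] || []).some(([lo, hi]) =>
    compareSemver(version, lo) >= 0 && compareSemver(version, hi) < 0);
}

// Verdict as the bug is described: only the lowest resolved version is checked.
function lowestOnlyVerdict(lockText, name, ranges = AFFECTED_RANGES) {
  const versions = resolvedVersions(lockText, name);
  return versions.length > 0 && isAffected(name, versions[0], ranges);
}

// Verdict over every installed copy: returns the versions still affected.
function anyVersionVerdict(lockText, name, ranges = AFFECTED_RANGES) {
  return resolvedVersions(lockText, name).filter(v => isAffected(name, v, ranges));
}

console.log('resolved:', resolvedVersions(SAMPLE_YARN_LOCK, 'ansi-regex'));
console.log('lowest-only says vulnerable:', lowestOnlyVerdict(SAMPLE_YARN_LOCK, 'ansi-regex'));
console.log('still-affected copies:', anyVersionVerdict(SAMPLE_YARN_LOCK, 'ansi-regex'));
```

Run it with `node`; for a real project, read the lockfile from disk instead of `SAMPLE_YARN_LOCK`. Once a higher copy shows up as affected, `yarn why ansi-regex` (Yarn classic) tells you which dependents pull in each copy, which is what you need to decide whether to bump the dependent or add a `resolutions` override.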
If this source is accurate, it's because the two ansi-regex versions you've listed do not contain the vulnerability:

Confirmed 4.1.0 and 3.0.0 as affected testing using the provided reproducer. 2.1.1 does not reproduce the issue.

3.0.0 is the first affected, as that's the first version that includes 69bebf6, which adds the problematic part of the regex.

Sixtyfourmo answered 22/11, 2021 at 12:25 Comment(0)
Thanks to answerers for your expertise.

I think the most likely diagnosis is a Dependabot bug. Generally it is wishful thinking to blame your tools but in this case it is the simplest answer by far.

Actable answered 23/11, 2021 at 19:32 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.