Dependency vulnerability scanning is now routed by your declared project stack, so the audit runs against the ecosystem you actually care about.
Sorted Out
Fixed an issue where projects containing multiple ecosystems could be scanned with the wrong tool because the check selected the first matching lockfile.
This matters most for mixed repositories, for example a Go service that also includes a JavaScript asset pipeline. With a Go stack declared, the scan now correctly runs govulncheck instead of defaulting to a JavaScript audit.
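The selection bug and its fix, sketched as an added example that is not the tool's own code. The scanner table, function names, and sample file list are assumptions for illustration, as is the fallback used when no stack is declared.

```python
from typing import List, Optional, Sequence, Tuple

# Assumed table for illustration: (ecosystem, marker file, audit command).
# JavaScript is probed first, which is what lets the old logic pick the
# wrong tool in a mixed repository.
SCANNERS: List[Tuple[str, str, List[str]]] = [
    ("javascript", "package-lock.json", ["npm", "audit"]),
    ("go", "go.mod", ["govulncheck", "./..."]),
    ("python", "requirements.txt", ["pip-audit", "-r", "requirements.txt"]),
]

# Constructed sample: a Go service with a JavaScript asset pipeline.
MIXED_REPO = ["go.mod", "go.sum", "main.go", "package.json", "package-lock.json"]


def select_first_lockfile(files: Sequence[str]) -> Optional[Tuple[str, List[str]]]:
    """Old behaviour: the first marker file found decides the scanner."""
    present = set(files)
    for ecosystem, marker, command in SCANNERS:
        if marker in present:
            return ecosystem, command
    return None


def select_by_declared_stack(
    files: Sequence[str], declared_stack: Optional[str]
) -> Optional[Tuple[str, List[str]]]:
    """Fixed behaviour: the declared stack decides the scanner."""
    if declared_stack is None:
        # Assumption: with nothing declared, fall back to lockfile probing.
        return select_first_lockfile(files)
    present = set(files)
    for ecosystem, marker, command in SCANNERS:
        if ecosystem == declared_stack.lower():
            if marker not in present:
                # Fail loudly instead of silently auditing another ecosystem.
                raise FileNotFoundError(f"{marker} not found for stack {ecosystem}")
            return ecosystem, command
    raise ValueError(f"no scanner registered for stack {declared_stack!r}")


if __name__ == "__main__":
    print("first lockfile:", select_first_lockfile(MIXED_REPO))
    print("declared go:   ", select_by_declared_stack(MIXED_REPO, "go"))
```

In the mixed repository the old selection returns the JavaScript audit and never examines the Go dependencies, so a clean result says nothing about the Go dependencies.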