GHSA-269g-pwp5-87pp says it affects any version prior to 4.13.1 which is not true as rules didn't exist before 4.7. So the proper range would be 4.7 up to 4.13.

This is probably not terribly important but it caused dependabot to cry wolf on projects that are (deliberately) still using older versions - like extensions for JUnit 3 that happen to be still maintained. The same is/will soon be true for a bunch of other static code analyzers checking oldish code bases.