Dependency Scanning jobs should run even when dependency files don't change, otherwise they can't report new vulnerabilities affecting existing dependencies.