fix(dependabot): restore root pnpm block; correct workspace-aware config#194
Merged
Conversation
PR #193's dependabot.yml redesign was wrong. Dropping the root `/` block left the per-directory npm blocks (/frontend, /backend/shared) with no authority over the workspace pnpm-lock.yaml — Dependabot edited only the member's package.json without updating the lockfile, so `pnpm install --frozen-lockfile` at Vercel deploy time failed with ERR_PNPM_OUTDATED_LOCKFILE on every PR. PR #180 was the first to fail (5-dep grouped frontend bump). The 4 frontend PRs that share the same shape (#180, #183, #185, #186, #188) all fail identically. Even the backend/functions PRs would fail Vercel because Vercel's `pnpm install` from /frontend traverses up to pnpm-workspace.yaml and reads ALL members' specifiers against the root lockfile.
The right config for this monorepo:
- Root `/` (npm/pnpm-aware) — coordinates pnpm-lock.yaml across all workspace members (frontend + backend/shared + root devDeps).
- /backend/functions (npm) — backend/functions ships via `npm ci` against its OWN package-lock.json (per repo contract with @pcpc/shared as file: dep). Distinct ecosystem from the pnpm workspace; needs its own block.
- /backend/functions (docker) — unchanged.
Drops the now-redundant /frontend and /backend/shared blocks (subsumed by root). Re-introduces duplicate-PR risk for shared deps (root + functions may both propose the same bump) — accepted as the price of supporting the dual-lockfile pattern. The previous decision (PR #193) had this trade-off inverted: avoiding duplicate PRs cost us deployability, which is worse.
Follow-up: after merge, run `@dependabot recreate` on each open Dependabot PR to regenerate them under the corrected config so they include lockfile updates.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 0c27d85650
Codex flagged on PR #194 that with backend/functions still in pnpm-workspace.yaml, the root pnpm Dependabot block can update backend deps in pnpm-lock.yaml without updating backend/functions/package-lock.json — recreating the stale-lockfile problem the separate /backend/functions npm block is meant to avoid. Looked at the options:
- Enumerating backend deps under `ignore:` only suppresses backend-only deps; shared deps (redis, @azure/cosmos, @azure/storage-blob, typescript, etc.) would still be touched by the root block AND the functions block.
- Removing backend/functions from pnpm-workspace.yaml is cleaner: backend ships via `npm ci` against its own package-lock.json (per repo contract, declaring @pcpc/shared as `file:../shared` not `workspace:*`), and there is no `pnpm --filter @pcpc/backend-functions` usage anywhere in the repo — the only filter targets are @pcpc/frontend.
backend/shared stays in the workspace because frontend imports it via `workspace:*` and needs the pnpm resolution. Lockfile delta: -1184 / +40 lines as backend deps drop out of pnpm-lock.yaml (they remain owned by backend/functions/package-lock.json). `pnpm install --frozen-lockfile` passes against the new lockfile. The companion dependabot.yml change in this PR is now correct: the root block sees only frontend + backend/shared, and the /backend/functions block owns its dual-lockfile package cleanly.
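The corrected shape that the PR description and the comment above describe, written out as an added example. This is not the repository's own dependabot.yml or pnpm-workspace.yaml: the block layout (root npm, /backend/functions npm, /backend/functions docker) and the workspace membership (frontend and backend/shared, with backend/functions removed) come from the PR text, while the schedule intervals and the `minor-and-patch` group definition are assumptions (only the group name appears on the page, in the PR #180 title). The security point it makes concrete is that every manifest edited by Dependabot must be paired with the lockfile that the deploy step verifies, otherwise `--frozen-lockfile` / `npm ci` fail closed and the update never ships.

```yaml
# .github/dependabot.yml (added example, not the repo's file; schedules and the
# group definition are assumptions, only the three-block layout is from the PR)
version: 2
updates:
  # Root pnpm workspace. The npm ecosystem handler understands pnpm-lock.yaml, so
  # this single block owns the workspace lockfile for frontend + backend/shared
  # + root devDeps. Per-member blocks (PR #193) edited each member's package.json
  # without the lockfile and broke `pnpm install --frozen-lockfile` on deploy.
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"           # assumed cadence
    groups:
      minor-and-patch:             # name from the PR #180 title; definition assumed
        update-types: ["minor", "patch"]

  # backend/functions is outside the pnpm workspace and deploys with `npm ci`
  # against its own package-lock.json, so it needs its own npm block. Shared deps
  # may now be proposed twice (here and at root); the PR accepts that trade-off.
  - package-ecosystem: "npm"
    directory: "/backend/functions"
    schedule:
      interval: "weekly"           # assumed cadence

  # Container base image for backend/functions: unchanged by the PR.
  - package-ecosystem: "docker"
    directory: "/backend/functions"
    schedule:
      interval: "weekly"           # assumed cadence
---
# pnpm-workspace.yaml after the PR (second YAML document, separate file).
# backend/functions is no longer a member, so the root Dependabot block can
# never touch deps that backend/functions/package-lock.json owns.
packages:
  - frontend
  - backend/shared
  # - backend/functions   # member before this PR; dropped, ships via npm ci with file:../shared
```

The two checks that gate this configuration are the ones the thread already names: `pnpm install --frozen-lockfile` at the repository root (fails with ERR_PNPM_OUTDATED_LOCKFILE when a workspace member's specifier is not in pnpm-lock.yaml) and `npm ci` inside backend/functions (fails when package.json and package-lock.json disagree). Any Dependabot PR that only touches a manifest will be caught by one of them before it can deploy.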
This was referenced May 18, 2026
Summary
PR #193 was wrong — it dropped the root `/` block, which broke every Dependabot PR's Vercel deploy (PR #180 was the first to fail with ERR_PNPM_OUTDATED_LOCKFILE). This PR restores the correct shape for a pnpm-workspace monorepo, and goes further per Codex feedback to align the workspace shape with the actual deploy contract.
Changes
.github/dependabot.yml
- Root `/` (npm/pnpm-aware) — coordinates pnpm-lock.yaml for frontend + backend/shared + root devDeps
- /backend/functions (npm) — backend/functions ships via `npm ci` against its own package-lock.json (per repo contract). Distinct ecosystem; needs its own block
- /backend/functions (docker) — unchanged
- Drops the /frontend and /backend/shared blocks (subsumed by root)
pnpm-workspace.yaml
- Removes backend/functions from the workspace
- `ignore:` patterns would only solve the backend-only case; shared deps (redis, @azure/cosmos, @azure/storage-blob, typescript, @types/node) live in both workspaces and would still get touched by both blocks
- No `pnpm --filter @pcpc/backend-functions` usage exists anywhere in the repo
- backend/shared stays in the workspace because frontend imports it via `workspace:*`
Test plan
- `pnpm install --frozen-lockfile` passes against the new lockfile (verified locally)
- After merge, run `@dependabot recreate` on each open Dependabot PR (chore(deps-dev): bump the minor-and-patch group across 1 directory with 5 updates #180 – chore(deps): bump redis from 4.7.1 to 5.12.1 in /backend/functions #189) so they regenerate under the corrected config
🤖 Generated with Claude Code