Dependabot modifying dependency URLs causes Git clone error after upgrading to PNPM 9.4.0

[CaoMeiYouRen]

Hi ,
I noticed that after upgrading to PNPM 9.4.0, Dependabot is modifying the dependency URLs from https://codeload.github.com/ to git+https://git@github.com, which is causing the following error:

ERROR  Command failed with exit code 128: /usr/bin/git clone git@github.com:CaoMeiYouRen/rss-parser.git /home/runner/setup-pnpm/node_modules/.bin/store/v3/tmp/_tmp_1835_81cad7a39cafa01315f02c3d60683486

CaoMeiYouRen/rss-impact-server/pull/178

This seems to be related to the way PNPM handles Git dependencies.
I would like to know if it is related to this change

Originally posted by @CaoMeiYouRen in #10073 (comment)

[deivid-rodriguez]

Seems related to #7851, or #7258. I did have an upstream patch to propose but I was not able to finish it and did not get much attention from upstream maintainers.

[deivid-rodriguez]

I think pnpm/pnpm#8005 may have fixed this? If that's the case, #10058 just merged a few hours ago should've done the trick (assuming it's deployed already). Can you verify?

[CaoMeiYouRen]

I think pnpm/pnpm#8005 may have fixed this? If that's the case, #10058 just merged a few hours ago should've done the trick (assuming it's deployed already). Can you verify?

I don't think so, dependabot continues to open incorrect pull requests. e.g.
https://github.com/CaoMeiYouRen/rss-impact-server/pull/191/files

[abdulapopoola]

@CaoMeiYouRen is this still happening? I see successful Dependabot PRs in that repo

[n3dst4]

Looks like they got rid of their git dependencies instead: CaoMeiYouRen/rss-impact-server@b50fd76

[abdulapopoola]

@n3dst4 ; yes, you're right. Thanks for the pointer

[matteo-cristino]

I bumped in the same issue, is there any update?

[ghost]

Looks like they got rid of their git dependencies instead: CaoMeiYouRen/rss-impact-server@b50fd76

[eikowagenknecht]

Same problem for me. I opened an issue with pnpm before finding this one here: pnpm/pnpm#8343 Not sure if Dependabot or pnpm needs to fix this.

[GabrielGil]

I believe PNPM is not doing a good job with this as it also mixes my dependencies to use git instead of https://codeload.github.com every time the lockfile is updated, breaking the build because due a SHH error. I will need to downgrade to v8 in my project, until a clear solution is achieved :)

The same error of pnpm/pnpm#8343 I am experiencing.

Thanks for the great work of Dependabot and PNPM's teams 🙌 🙏

[gilest]

Posted a workaround in pnpm/pnpm#8343 (comment)