Feature request: support the pnpm package manager
#1736
Comments
|
Now that Microsoft own both GitHub and npm, the odds of them supporting pnpm are slim at best. |
My interpretation is that this wouldn't necessarily be political with yarn being supported and all. It's likely due to the smaller adoption of |
|
Would absolutely love this, currently pretty awkward being forced into alternatives like renovate, which are defenitely fine, but nowhere near as satisfying. |
|
Just found this 😢 |
See dependabot/dependabot-core#1736 Signed-off-by: Will Soto <willsoto@users.noreply.github.com>
|
@feelepxyz Are contributions welcome for this? I see the following work items for this
Let me know if I overlooked some work above. I can take this up if dependabot team thinks it's a good idea. |
|
@GiriB we're actually thinking of splitting the npm and yarn package manager into separate ones for npm and yarn because handling multiple package managers in one has resulted in a lot of maintenance overhead making upgrades and testing harder. We're also keen to re-think some of the architecture around package managers to make it easier to add new ones so keen to hold off on adding any new ones until we have some clarity around that 😕 |
|
@feelepxyz Thanks for the response! I agree that keeping all package managers together is not the best design. I was thinking of I haven't tried the idea above yet, and pulling it off may not be clean code at all. If I get it in a good shape, maybe I'll raise a PR. Otherwise, I'll wait for the refactor to happen where we split |
|
@GiriB nice one! No timeline yet, probably at least six months out unfortunately. |
|
This would be great! |
|
+1. Though you can use dependabot to update pnpm, the lock file isn't updated—only the |
|
Please add support for |
|
Node's 16.9.0 release comes with With pnpm becoming more popular, I hope dependabot supports it soon too. |
|
Not ideal but while we don't have a support from dependabot, renovate seems supporting |
jurre
added
T: feature-request
Pls let me know when freeze is uplifted we would like to trial some private repo's |
|
Hey everyone! pnpm support is officially available everywhere - you can refer to our documentation on getting this configured: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates#supported-repositories-and-ecosystems If you encounter any problems with this, please feel free to open a new issue in this repo. |
|
HUGE milestone! Thank you so much for all the effort on this across the board! One question, is there a pathway to enabling this in Azure DevOps? Or perhaps support planned sometime in the future? Today out team uses a 3rd party Azure DevOps plugin to enable Dependabot, but we're not sure when this feature will propagate to their build. |
|
Note: To those who are getting the "
|
|
@carogalvin amazing news, thank you! from the docs:
what is the blocker for security updates? this is our use case of renovate, so we still cannot switch to dependabot. is there a timeline or a different issue we can track to understand when support for pnpm security updates will be available? |
|
Thanks everyone for your patience! Since basic support has now landed, let me close this issue and let's track bug reports and additional feature requests in separate tickets. @AndrewCraswell I don't think additional changes are needed, but best to ask at https://github.com/tinglesoftware/dependabot-azure-devops. @alexef I will open a new issue to track security update support. There's some changes needed in this library to support that, but also some changes internal to GitHub. |
|
@alexef we are hoping to have security updates ready for PNPM within a quarter or so. Please track the issue that @deivid-rodriguez creates for updates. |
|
I opened a ticket for security update support here: #7434. |
|
@deivid-rodriguez when will this be available or enterprise, please? |
|
It will be available in GHES version 3.10. |
|
As I understand at this time pnpm is supported for version updates but not security updates. Are Dependabot alerts supported in pnpm? |
See #1736 (comment) |
|
@KidkArolis we are on track to have support for alerts and security updates at the end of July (on track for July 31). |
|
Thanks for clarifying!
For what it's worth. I did see that comment, but reading through the issues and through the docs it was not clear if what you call Security updates is the same as Dependabot alerts. In particular, we're not using and not necessarily interested in version updates or security updates (e.g. renovate is more configurable). But we are interested in Security alerts specifically. But I couldn't work out the relationship between all those, only the Version updates has the table in the docs, and it wasn't if security updates == security alerts in this case. In any case, good to hear it's coming soon! |
|
Pnpm introduced a new lockfile format in v9. The lockfile version was bumped from v6 to v9. Dependabot runs now give for projects that use |
|
Thanks @vluoto ; can you please file a new issue? |
|
I filed an issue here: #9522 |
and others
pnpmis an alternative to npm and yarn that has been around a fairly long time. It has its own lockfile in yaml and should be relatively straightforward to support. Would PRs/other types of help be accepted or are adding more pr's a "can of worms"?[Edit] April 2022 - since the thread is growing: there is still no update on when this will be implemented. If you need this now, your best bet is to use renovatebot: https://docs.renovatebot.com/javascript/
[Edit] November 2022 - for now, github staff suggests using a workaround using the dependency submission api
The text was updated successfully, but these errors were encountered: