Dependabot not bumping dependencies in npm workspaces / monorepo structure #5226

Closed
dreamorosi opened this issue Jun 3, 2022 · 2 comments
Labels
L: javascript:npm npm packages via npm T: bug 🐞 Something isn't working

Comments

@dreamorosi

Package ecosystem
npm
Package manager version
npm 8.5.5
Language version
node v16.15.0
Manifest location and content before the Dependabot update

Monorepo structure:

dependabot.yml content

version: 2
updates:

  # Maintain dependencies for npm
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "friday"
      time: "05:00"
      timezone: "Europe/Amsterdam"
    open-pull-requests-limit: 20

https://github.com/dreamorosi/test-dependabot-issue/blob/main/.github/dependabot.yml#L25-L32
Updated dependency

https://github.com/dreamorosi/test-dependabot-issue/pull/1
https://github.com/dreamorosi/test-dependabot-issue/pull/2
https://github.com/dreamorosi/test-dependabot-issue/pull/3
https://github.com/dreamorosi/test-dependabot-issue/pull/4
https://github.com/dreamorosi/test-dependabot-issue/pull/5
https://github.com/dreamorosi/test-dependabot-issue/pull/6

What you expected to see, versus what you actually saw

Dependencies being bumped as they should instead of dependabot not updating anything.

Native package manager behavior

N/A

But these dependencies were added by npm i [package-name] -w packages/a using npm workspaces commands.

Images of the diff or a link to the PR, issue, or logs

See links above

🕹 Bonus points: Smallest manifest that reproduces the issue

This is a minimal reproduction repo that shows the issue. There's no actual code, only the .github/dependabot.yml, folder structure, and respective package.json & package-lock.json files:
https://github.com/dreamorosi/test-dependabot-issue

@WIStudent

I was undecided if I should set up my monorepo using lerna bootstrap or npm workspaces, and dependabot support is an important factor for me, so I took a look at this.

I think setting versioning-strategy: increase should produce the results you are looking for. I forked your demo project and set versioning-strategy to increase. The pull requests now update both the root package-lock.json and the workspace package.json file.
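
The change suggested in the comment above, applied to the dependabot.yml from the report. This is an added example, not part of the thread and not copied from the fork; it assumes the rest of the reporter's file stays unchanged, and only the versioning-strategy line is new.

```yaml
# Added example: the reporter's dependabot.yml plus the one-line change
# suggested in the thread. Everything except versioning-strategy is as posted.
version: 2
updates:

  # Maintain dependencies for npm
  - package-ecosystem: "npm"
    # Repository root, where the root package-lock.json lives
    directory: "/"
    # Set explicitly. With this line absent the reporter saw no bumps;
    # with it, the fork's pull requests updated both the root
    # package-lock.json and the workspace package.json.
    versioning-strategy: increase
    schedule:
      interval: "weekly"
      day: "friday"
      time: "05:00"
      timezone: "Europe/Amsterdam"
    open-pull-requests-limit: 20
```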

@dreamorosi
Author

@WIStudent wow thanks a lot for looking into this and providing a forked sample.

At the end we ended up disabling Dependabot for our repo because it was generating way too much noise, but this actually solves the issue and I really appreciate it.

I'll be closing the issue.

hjpotter92 added a commit to livepeer/studio that referenced this issue Sep 22, 2022
freakyfelt added a commit to freakyfelt/yet-another-json-rpc that referenced this issue Jun 8, 2023
Use root package and set versioning to increase to make npm workspaces work dependabot/dependabot-core#5226
VoyTechnology added a commit to SaferPlace/saferplace that referenced this issue Aug 17, 2023
Based on comments in dependabot/dependabot-core#5226 this might be the way to resolve this issue.
lemald added a commit to mbta/skate that referenced this issue Dec 11, 2023
* fix(dependabot): set explicit versioning-strategy for NPM ecosystem

dependabot/dependabot-core#5226

* chore(dependabot): remove no-longer-relevant ignore blocks
anthonyshew added a commit to vercel/turborepo that referenced this issue Jan 5, 2024
### Description

Dependabot wasn't making pull requests so trying to get it configured
right. Wish I could test and/or validate it somehow but I couldn't find
any way. (Found plenty of people asking how, though!)

Looking at dependabot/dependabot-core#2178 and
dependabot/dependabot-core#5226, I *think*
this is the right configuration.

Very unfortunate that we can't globmatch (2178).
Zertsov pushed a commit to vercel/turborepo that referenced this issue Jan 10, 2024
ethanmills added a commit to govuk-one-login/onboarding-self-service-experience that referenced this issue Jun 6, 2024