Dependabot not updating some deps due to thinking they're already updated in the logs #5346
Comments
I think there's some confusion here. The pins that already exist in If instead you had a pin whose range didn't allow installing the latest available version, then Dependabot would open PRs to bump those top-end pins. You may also want to checkout the
I think you're saying that as long as the lockfile and package.json are compatible then dependabot won't update package.json? I guess the usability problem I see is that since dependabot usually does update package.json even when it doesn't need to, it's surprising that it leaves them out of sync. Since developers primarily use package.json as the source of truth, most won't guess that dependabot primarily uses package-lock.json when deciding if a dependency is out of date. For example, in melink14/rikaikun#1250 the title says that version 0.10.7 is bumped to 0.11.0 even though the diff is 0.10.0 -> 0.11.0. That said, I think in simple common cases this won't ever come up and the total time wasted being confused should be small! Thanks for answering!
Yes, I think this is the default behavior for libraries. But you can tweak it with the docs referenced by @jeffwidman.
Unless you pin all dependencies to exact versions in your
Thanks @deivid-rodriguez! I didn't understand it before but it seems the behavior I want is encapsulated by The odd thing is that that version strategy is supposed to be the default according to the docs for apps (which my repo should be due to being private and not published on NPM (code ref: dependabot-core/npm_and_yarn/lib/dependabot/npm_and_yarn/update_checker/library_detector.rb Line 25 in a2143f6
I'll investigate more but there may be a bug (either doc or impl) in the default behavior.
@melink14 No problem. From looking at the PRs in your repo, the
Package ecosystem
npm
Package manager version
8.13.2
Language version
Node 16.15.1
Manifest location and content before the Dependabot update
https://github.com/melink14/rikaikun/blob/main/package.json
dependabot.yml content
https://github.com/melink14/rikaikun/blob/main/.github/dependabot.yml
Updated dependency
@web/test-runner-chrome currently ^0.10.0 -> ^0.10.7
@web/test-runner-commands ^0.6.2 -> ^0.6.3
What you expected to see, versus what you actually saw
These packages have been updatable for a while, but when Dependabot checks it thinks they're already up to date. It should send a pull request which updates these deps in package.json.
My guess is that since I have several packages installed from the @web mono-repo and they also usually have dependencies on each other that even though package.json is not updated, the version being installed is the correct version (due to ^ pinning).
Even so, it'd be nice if package.json were also updated, so that the depended-on version didn't depend on transitive dependencies. It would also be nice if we got a clean output from the package manager's update list.
Native package manager behavior
Using npm-check-updates finds and updates these deps.
Images of the diff or a link to the PR, issue, or logs
Example log where it shows different version than what's in package.json
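To make the lockfile-versus-manifest distinction in this thread concrete, here is an added Python model (not Dependabot's or npm-check-updates' own code) of how an npm caret range such as ^0.10.0 admits 0.10.7 but not 0.11.0, and why a lockfile-driven check reports the first case as already up to date while a manifest-driven tool still proposes ^0.10.7. The decision rules in `lockfile_first_decision` are a simplified assumption drawn from the comments above, not Dependabot's actual algorithm.

```python
import re
from typing import Tuple

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Parse a plain x.y.z version (pre-release tags are out of scope here)."""
    match = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"unsupported version string: {text!r}")
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def caret_bounds(spec: str) -> Tuple[Version, Version]:
    """Inclusive lower and exclusive upper bound of an npm caret range.
    npm treats the first non-zero component as the breaking one:
    ^1.2.3 -> [1.2.3, 2.0.0), ^0.10.0 -> [0.10.0, 0.11.0), ^0.0.3 -> [0.0.3, 0.0.4)."""
    if not spec.startswith("^"):
        raise ValueError("only caret ranges are modelled in this example")
    low = parse_version(spec[1:])
    major, minor, patch = low
    if major > 0:
        high: Version = (major + 1, 0, 0)
    elif minor > 0:
        high = (0, minor + 1, 0)
    else:
        high = (0, 0, patch + 1)
    return low, high


def satisfies(spec: str, version: str) -> bool:
    """True when `version` falls inside the caret range `spec`."""
    low, high = caret_bounds(spec)
    return low <= parse_version(version) < high


def lockfile_first_decision(spec: str, locked: str, latest: str) -> str:
    """Simplified model of the behaviour described in the thread (assumption, not
    Dependabot's code): the lockfile drives the decision, and the package.json
    range is only bumped when it excludes the latest release."""
    if not satisfies(spec, latest):
        return "bump package.json range"
    if parse_version(locked) < parse_version(latest):
        return "update lockfile only"
    return "already up to date"


def manifest_first_suggestion(spec: str, latest: str) -> str:
    """What a manifest-driven tool such as npm-check-updates proposes: a range whose base is `latest`."""
    return spec if parse_version(spec[1:]) == parse_version(latest) else f"^{latest}"
```

With the values from this issue, `lockfile_first_decision("^0.10.0", "0.10.7", "0.10.7")` returns "already up to date" while `manifest_first_suggestion("^0.10.0", "0.10.7")` returns "^0.10.7"; once 0.11.0 exists, the range no longer admits it and the model bumps package.json, matching the PR #1250 case.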