
Dependabot not updating some deps due to thinking they're already updated in the logs #5346

Closed
melink14 opened this issue Jul 6, 2022 · 5 comments
Labels
L: javascript:npm npm packages via npm T: bug 🐞 Something isn't working

Comments

@melink14

melink14 commented Jul 6, 2022

Package ecosystem
npm
Package manager version
8.13.2
Language version

Node 16.15.1
Manifest location and content before the Dependabot update

https://github.com/melink14/rikaikun/blob/main/package.json
dependabot.yml content

https://github.com/melink14/rikaikun/blob/main/.github/dependabot.yml
Updated dependency

@web/test-runner-chrome currently ^0.10.0 -> ^0.10.7
@web/test-runner-commands ^0.6.2 -> ^0.6.3
What you expected to see, versus what you actually saw

These packages have been updatable for a while but when Dependabot checks it thinks they're already up to date. It should send a pull request which updates these deps in package.json.

My guess is that since I have several packages installed from the @web mono-repo and they also usually have dependencies on each other that even though package.json is not updated, the version being installed is the correct version (due to ^ pinning).

Even so it'd be nice if package.json also was updated such that the depended-on version didn't depend on transitive dependencies. It would also be nice if we got a clean output from the package manager update list.

Native package manager behavior

Using npm-check-updates finds and updates these deps.
Images of the diff or a link to the PR, issue, or logs

Example log where it shows different version than what's in package.json

updater | INFO <job_411891167> Checking if @web/test-runner-chrome 0.10.7 needs updating
  proxy | 2022/07/06 00:23:58 [210] GET https://registry.npmjs.org:443/@web%2Ftest-runner-chrome
  proxy | 2022/07/06 00:23:59 [210] 200 https://registry.npmjs.org:443/@web%2Ftest-runner-chrome
  proxy | 2022/07/06 00:23:59 [212] GET https://registry.npmjs.org:443/@web%2Ftest-runner-chrome/0.10.7
  proxy | 2022/07/06 00:23:59 [212] 200 https://registry.npmjs.org:443/@web%2Ftest-runner-chrome/0.10.7
updater | INFO <job_411891167> Latest version is 0.10.7
@melink14 melink14 added the T: bug 🐞 Something isn't working label Jul 6, 2022
@jeffwidman jeffwidman added the L: javascript:npm npm packages via npm label Feb 4, 2023
@jeffwidman
Member

I think there's some confusion here. The pins that already exist in package.json are already sufficient to install the latest versions. And so any fresh install will grab the latest versions. That's why Dependabot doesn't bump these pins.

If instead you had a pin whose range didn't allow installing the latest available version, then Dependabot would open PRs to bump those top-end pins.

You may also want to check out the versioning-strategy config docs, as that gives a few more knobs for controlling these.
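The reasoning in the comment above, as an added example that is not code from the issue or from Dependabot itself: for each dependency it checks whether the caret range in package.json still admits the latest release, and so whether only the lockfile is stale or the requirement itself has to move. It assumes plain `^x.y.z` ranges only; the first two sample rows use the versions quoted in the issue and `example-lib` is a constructed, hypothetical entry.

```javascript
// Added example: classify npm dependencies by comparing the package.json caret
// range, the version recorded in package-lock.json and the latest registry
// version. Not Dependabot's code; only "^x.y.z" ranges are handled.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`not a plain x.y.z version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Exclusive upper bound of "^x.y.z": the leftmost non-zero component is frozen,
// so ^0.10.0 allows 0.10.7 but not 0.11.0, while ^1.2.3 allows 1.9.0.
function caretUpperBound([major, minor, patch]) {
  if (major > 0) return [major + 1, 0, 0];
  if (minor > 0) return [0, minor + 1, 0];
  return [0, 0, patch + 1];
}

function satisfiesCaret(range, version) {
  if (!range.startsWith('^')) throw new Error(`unsupported range: ${range}`);
  const floor = parseVersion(range.slice(1));
  const v = parseVersion(version);
  return compareVersions(v, floor) >= 0 && compareVersions(v, caretUpperBound(floor)) < 0;
}

// Outcome per dependency: "up to date" (lock already has latest, the case in
// the issue), "lockfile update" (range admits latest, only the lock is stale)
// or "requirement bump" (range excludes latest, so package.json must change).
function classify(deps) {
  const out = {};
  for (const [name, { range, locked, latest }] of Object.entries(deps)) {
    if (compareVersions(parseVersion(locked), parseVersion(latest)) === 0) out[name] = 'up to date';
    else if (satisfiesCaret(range, latest)) out[name] = 'lockfile update';
    else out[name] = 'requirement bump';
  }
  return out;
}

// Constructed sample: first two rows use versions quoted in the issue, the
// third is hypothetical and models a release outside the caret range.
const SAMPLE_DEPS = {
  '@web/test-runner-chrome': { range: '^0.10.0', locked: '0.10.7', latest: '0.10.7' },
  '@web/test-runner-commands': { range: '^0.6.2', locked: '0.6.2', latest: '0.6.3' },
  'example-lib': { range: '^0.10.0', locked: '0.10.7', latest: '0.11.0' },
};

console.log(classify(SAMPLE_DEPS));
```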

@melink14
Author

melink14 commented Feb 6, 2023

I think you're saying that as long as the lockfile and package.json are compatible then dependabot won't update package.json?

I guess the usability problem I see is that since dependabot usually does update package.json even when it doesn't need to, it's surprising that it leaves them out of sync. Since developers primarily use package.json as the source of truth most won't guess that dependabot primarily uses package-lock.json when deciding if a dependency is out of date.

For example, in melink14/rikaikun#1250 the title is that version 0.10.7 is bumped to 0.11.0 even though the diff is 0.10.0 -> 0.11.0.

That said, I think in simple common cases this won't ever come up and the total time wasted being confused should be small!

Thanks for answering!

@deivid-rodriguez
Contributor

I think you're saying that as long as the lockfile and package.json are compatible then dependabot won't update package.json?

Yes, I think this is the default behavior for libraries. But you can tweak it with the docs referenced by @jeffwidman.

Since developers primarily use package.json as the source of truth most won't guess that dependabot primarily uses package-lock.json when deciding if a dependency is out of date.

Unless you pin all dependencies to exact versions in your package.json file, package-lock.json is the only way to know the exact versions of dependencies you are actually using, so Dependabot needs to use that if it wants to detect whether your packages are out of date or not.

@melink14
Author

melink14 commented Feb 8, 2023

Thanks @deivid-rodriguez!

I didn't understand it before but it seems the behavior I want is encapsulated by increase version strategy. (Judging by the table in #4979)

The odd thing is that that version strategy is supposed to be the default according to the docs for apps (which my repo should be due to being private and not published on NPM (code ref:

))

I'll investigate more but there may be a bug (either doc or impl) in the default behavior.

@deivid-rodriguez
Contributor

@melink14 No problem.

From looking at the PRs in your repo, the package.json requirement seems to always be increased as expected. In the example you gave in the original post of this issue, no strategy will do anything since you were already using the latest version. But the next time a new version is released for those dependencies, the requirement should be synchronized again with the locked version.
