Dependabot not updating some deps due to thinking they're already updated in the logs

[melink14]

Package ecosystem
npm
Package manager version
8.13.2
Language version

Node 16.15.1
Manifest location and content before the Dependabot update

https://github.com/melink14/rikaikun/blob/main/package.json
dependabot.yml content

https://github.com/melink14/rikaikun/blob/main/.github/dependabot.yml
Updated dependency

@web/test-runner-chrome currently ^0.10.0 -> ^0.10.7
@web/test-runner-commands ^0.6.2 -> ^0.6.3
What you expected to see, versus what you actually saw

These packages have been updatable for awhile but when Dependabot checks it thinks they're already up to date. It should send a pull request which updates these deps in package.json.

My guess is that since I have several packages installed from the @web mono-repo and they also usually have dependencies on each other that even though package.json is not updated, the version being installed is the correct version (due to ^ pinning).

Even so it'd be nice if package.json also was updated such that dependended on version didn't depend on transitive dependencies. It would also be nice if we got a clean output from package manager update list.

Native package manager behavior

Using npm-check-updates finds and updates these deps.
Images of the diff or a link to the PR, issue, or logs

Example log where it shows different version than what's in package.json

updater | INFO <job_411891167> Checking if @web/test-runner-chrome 0.10.7 needs updating
  proxy | 2022/07/06 00:23:58 [210] GET https://registry.npmjs.org:443/@web%2Ftest-runner-chrome
  proxy | 2022/07/06 00:23:59 [210] 200 https://registry.npmjs.org:443/@web%2Ftest-runner-chrome
  proxy | 2022/07/06 00:23:59 [212] GET https://registry.npmjs.org:443/@web%2Ftest-runner-chrome/0.10.7
  proxy | 2022/07/06 00:23:59 [212] 200 https://registry.npmjs.org:443/@web%2Ftest-runner-chrome/0.10.7
updater | INFO <job_411891167> Latest version is 0.10.7

[jeffwidman]

I think there's some confusion here. The pins that already exist in package.json are already sufficient to install the latest versions. And so any fresh install will grab the latest versions. That's why Dependabot doesn't bump these pins.

If instead you had a pin whose range didn't allow installing the latest available version, then Dependabot would open PR's to bump those top-end pins.

You may also want to checkout the versioning-strategy config docs, as that gives a few more knobs for controlling these.

[melink14]

I think you're saying that as long as the lockfile and package.json are compatible then dependabot won't update package.json?

I guess the usability problem I see is that since dependabot usually does update packge.json even when it doesn't need to, it's surprising that it leaves them out of sync. Since developers primarily use package.json as the source of truth most won't guess that dependabot primarily uses package-lock.json when deciding if a dependency is out of date.

For example, in melink14/rikaikun#1250 the title is that version 0.10.7 is bumped to 0.11.0 even though the diff is 0.10.0 -> 0.11.0.

That said, I think in simple common cases this won't ever come up and the total time wasted being confused should be small!

Thanks for answering!

[deivid-rodriguez]

I think you're saying that as long as the lockfile and package.json are compatible then dependabot won't update package.json?

Yes, I think this is the default behavior for libraries. But you can tweak it with the docs referenced by @jeffwidman.

Since developers primarily use package.json as the source of truth most won't guess that dependabot primarily uses package-lock.json when deciding if a dependency is out of date.

Unless you pin all dependencies to exact versions in your package.json file, package-lock.json is the only way to know the exact versions of dependencies you are actually using, so Dependabot needs to use that if it wants to detect whether your packages are out of date or not.

[melink14]

Thanks @deivid-rodriguez!

I didn't understand it before but it seems the behavior I want is encapsulated by increase version strategy. (Judging by the table in #4979)

The odd thing is that that version strategy is supposed to be the default according to the docs for apps (which my repo should be due to being private and not published on NPM (code ref:

dependabot-core/npm_and_yarn/lib/dependabot/npm_and_yarn/update_checker/library_detector.rb

Line 25 in a2143f6

def package_json_may_be_for_library?

))

I'll investigate more but there may be a bug (either doc or impl) in the default behavior.

[deivid-rodriguez]

@melink14 No problem.

From looking at the PRs in your repo, the package.json requirement seems to always be increased as expected. In the example you gave in the original post of this issue, no strategy will do anything since you were already using the latest version. But the next time a new version is released for those dependencies, the requirement should be synchronized again with the locked version.