Issues when updating git dependencies in PNPM #7258

Open
1 task done
deivid-rodriguez opened this issue May 8, 2023 · 14 comments
Labels
L: javascript:pnpm npm packages via pnpm T: bug 🐞 Something isn't working

Comments

@deivid-rodriguez
Contributor

Is there an existing issue for this?

  • I have searched the existing issues

Package ecosystem

npm

Package manager version

PNPM

Language version

No response

Manifest location and content before the Dependabot update

I don't have a repro for this yet, but we're seeing issues in private repositories related to upgrading dependencies coming from git sources.

dependabot.yml content

No response

Updated dependency

No response

What you expected to see, versus what you actually saw

Updates should happen correctly without errors.

In particular, we see errors like the following:

 ERROR  Command failed with exit code 128: git ls-remote git+ssh://git@github.com/<repo>.git HEAD
error: cannot run ssh: No such file or directory
fatal: unable to fork

This error happened while installing the dependencies of <name>@<version>

pnpm: Command failed with exit code 128: git ls-remote git+ssh://git@github.com/<repo>.git HEAD
error: cannot run ssh: No such file or directory
fatal: unable to fork
    at makeError (/home/dependabot/.cache/node/corepack/pnpm/8.3.1/dist/pnpm.cjs:24230:17)
    at handlePromise (/home/dependabot/.cache/node/corepack/pnpm/8.3.1/dist/pnpm.cjs:24801:33)
    at runMicrotasks (<anonymous>)
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
    at async getRepoRefs (/home/dependabot/.cache/node/corepack/pnpm/8.3.1/dist/pnpm.cjs:110651:23)
    at async resolveRef (/home/dependabot/.cache/node/corepack/pnpm/8.3.1/dist/pnpm.cjs:110663:20)
    at async resolveGit (/home/dependabot/.cache/node/corepack/pnpm/8.3.1/dist/pnpm.cjs:110614:24)
    at async Object.resolve (/home/dependabot/.cache/node/corepack/pnpm/8.3.1/dist/pnpm.cjs:113185:173)
    at async run (/home/dependabot/.cache/node/corepack/pnpm/8.3.1/dist/pnpm.cjs:124970:23)
/home/dependabot/common/lib/dependabot/shared_helpers.rb:329:in `run_shell_command'
/home/dependabot/npm_and_yarn/lib/dependabot/npm_and_yarn/file_updater/pnpm_lockfile_updater.rb:58:in `run_pnpm_updater'
/home/dependabot/npm_and_yarn/lib/dependabot/npm_and_yarn/file_updater/pnpm_lockfile_updater.rb:42:in `block (2 levels) in run_pnpm_update'
/home/dependabot/common/lib/dependabot/shared_helpers.rb:181:in `with_git_configured'
/home/dependabot/npm_and_yarn/lib/dependabot/npm_and_yarn/file_updater/pnpm_lockfile_updater.rb:41:in `block in run_pnpm_update'
/home/dependabot/common/lib/dependabot/shared_helpers.rb:36:in `block in in_a_temporary_repo_directory'
/home/dependabot/common/lib/dependabot/shared_helpers.rb:36:in `chdir'
/home/dependabot/common/lib/dependabot/shared_helpers.rb:36:in `in_a_temporary_repo_directory'
/home/dependabot/npm_and_yarn/lib/dependabot/npm_and_yarn/file_updater/pnpm_lockfile_updater.rb:40:in `run_pnpm_update'
/home/dependabot/npm_and_yarn/lib/dependabot/npm_and_yarn/file_updater/pnpm_lockfile_updater.rb:25:in `updated_pnpm_lock_content'
/home/dependabot/npm_and_yarn/lib/dependabot/npm_and_yarn/file_updater.rb:245:in `updated_pnpm_lock_content'
/home/dependabot/npm_and_yarn/lib/dependabot/npm_and_yarn/file_updater.rb:174:in `pnpm_lock_changed?'
/home/dependabot/npm_and_yarn/lib/dependabot/npm_and_yarn/file_updater.rb:207:in `block in updated_lockfiles'
/home/dependabot/npm_and_yarn/lib/dependabot/npm_and_yarn/file_updater.rb:206:in `each'
/home/dependabot/npm_and_yarn/lib/dependabot/npm_and_yarn/file_updater.rb:206:in `updated_lockfiles'
/home/dependabot/npm_and_yarn/lib/dependabot/npm_and_yarn/file_updater.rb:42:in `updated_dependency_files'
/home/dependabot/dependabot-updater/lib/dependabot/dependency_change_builder.rb:85:in `generate_dependency_files'
/home/dependabot/dependabot-updater/lib/dependabot/dependency_change_builder.rb:36:in `run'
/home/dependabot/dependabot-updater/lib/dependabot/dependency_change_builder.rb:25:in `create_from'
/home/dependabot/dependabot-updater/lib/dependabot/updater/operations/update_all_versions.rb:122:in `check_and_create_pull_request'
/home/dependabot/dependabot-updater/lib/dependabot/updater/operations/update_all_versions.rb:59:in `check_and_create_pr_with_error_handling'
/home/dependabot/dependabot-updater/lib/dependabot/updater/operations/update_all_versions.rb:34:in `block in perform'
/home/dependabot/dependabot-updater/lib/dependabot/updater/operations/update_all_versions.rb:34:in `each'
/home/dependabot/dependabot-updater/lib/dependabot/updater/operations/update_all_versions.rb:34:in `perform'
/home/dependabot/dependabot-updater/lib/dependabot/updater.rb:72:in `run'
/home/dependabot/dependabot-updater/lib/dependabot/update_files_command.rb:38:in `perform_job'
/home/dependabot/dependabot-updater/lib/dependabot/base_command.rb:52:in `run'
bin/update_files.rb:23:in `<main>'

I have not been able to reproduce this locally. Every time I specify git+ssh on a package.json file, pnpm ignores it and uses https. However, that's not happening in these repositories for some reason.

Yarn & NPM have specific code to replace git+ssh with https in package.json before trying to update a lockfile, and then replacing back the updated https references with git+ssh again. So I guess this is a common problem in other package managers, so I will try to "blindly" fix it by applying the same fix.

Some preparatory work for that is at #7245.

In general, we should also review how updates behave with git dependencies, since I have not done any explicit testing with that.

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

No response

Smallest manifest that reproduces the issue

No response

@deivid-rodriguez deivid-rodriguez added T: bug 🐞 Something isn't working L: javascript:pnpm npm packages via pnpm labels May 8, 2023
@TonyRL

TonyRL commented May 8, 2023

Same situation here.

Dependabot Update logs
updater | 2023/05/08 21:05:15 INFO <job_659665566> Sending event ebfebc63e7474a61bf8fd59e9369a3eb to Sentry
  proxy | 2023/05/08 21:05:16 [546] POST https://sentry.io:443/api/1451818/store/
  proxy | 2023/05/08 21:05:16 [546] 200 https://sentry.io:443/api/1451818/store/
updater | 2023/05/08 21:05:16 ERROR <job_659665566> Error processing eslint-plugin-yml (Dependabot::SharedHelpers::HelperSubprocessFailed)
updater | 2023/05/08 21:05:16 ERROR <job_659665566> ╭─────────────────────────────────────────────────────────────────╮
updater |    │                                                                 │
updater |    │                Update available! 8.3.1 → 8.4.0.                 │
updater |    │   Changelog: https://github.com/pnpm/pnpm/releases/tag/v8.4.0   │
updater |    │     Run "corepack prepare pnpm@8.4.0 --activate" to update.     │
updater |    │                                                                 │
updater |    │     Follow @pnpmjs for updates: https://twitter.com/pnpmjs      │
updater |    │                                                                 │
updater |    ╰─────────────────────────────────────────────────────────────────╯
updater | 
updater | Progress: resolved 1, reused 0, downloaded 0, added 0
updater | Progress: resolved 51, reused 50, downloaded 0, added 0
updater | Progress: resolved 91, reused 91, downloaded 0, added 0
updater | Progress: resolved 92, reused 91, downloaded 0, added 0
updater | Progress: resolved 122, reused 112, downloaded 2, added 0
updater | Progress: resolved 145, reused 114, downloaded 21, added 0
updater |  ERROR  Command failed with exit code 128: git ls-remote git+ssh://git@github.com/postlight/difflib.js.git HEAD
updater | error: cannot run ssh: No such file or directory
updater | fatal: unable to fork
updater | 
updater | This error happened while installing the dependencies of @postlight/parser@2.2.3
updater | 
updater | pnpm: Command failed with exit code 128: git ls-remote git+ssh://git@github.com/postlight/difflib.js.git HEAD
updater | error: cannot run ssh: No such file or directory
updater | fatal: unable to fork
updater |     at makeError (/home/dependabot/.cache/node/corepack/pnpm/8.3.1/dist/pnpm.cjs:24230:17)
updater |     at handlePromise (/home/dependabot/.cache/node/corepack/pnpm/8.3.1/dist/pnpm.cjs:24801:33)
updater |     at runMicrotasks (<anonymous>)
updater |     at processTicksAndRejections (node:internal/process/task_queues:96:5)
updater |     at async getRepoRefs (/home/dependabot/.cache/node/corepack/pnpm/8.3.1/dist/pnpm.cjs:110651:23)
updater |     at async resolveRef (/home/dependabot/.cache/node/corepack/pnpm/8.3.1/dist/pnpm.cjs:110663:20)
updater |     at async resolveGit (/home/dependabot/.cache/node/corepack/pnpm/8.3.1/dist/pnpm.cjs:110614:24)
updater |     at async Object.resolve (/home/dependabot/.cache/node/corepack/pnpm/8.3.1/dist/pnpm.cjs:113185:173)
updater |     at async run (/home/dependabot/.cache/node/corepack/pnpm/8.3.1/dist/pnpm.cjs:124970:23)
updater | 2023/05/08 21:05:16 ERROR <job_659665566> /home/dependabot/common/lib/dependabot/shared_helpers.rb:329:in `run_shell_command'
updater | 2023/05/08 21:05:16 ERROR <job_659665566> /home/dependabot/npm_and_yarn/lib/dependabot/npm_and_yarn/file_updater/pnpm_lockfile_updater.rb:58:in `run_pnpm_updater'
updater | 2023/05/08 21:05:16 ERROR <job_659665566> /home/dependabot/npm_and_yarn/lib/dependabot/npm_and_yarn/file_updater/pnpm_lockfile_updater.rb:42:in `block (2 levels) in run_pnpm_update'
updater | 2023/05/08 21:05:16 ERROR <job_659665566> /home/dependabot/common/lib/dependabot/shared_helpers.rb:181:in `with_git_configured'
updater | 2023/05/08 21:05:16 ERROR <job_659665566> /home/dependabot/npm_and_yarn/lib/dependabot/npm_and_yarn/file_updater/pnpm_lockfile_updater.rb:41:in `block in run_pnpm_update'
updater | 2023/05/08 21:05:16 ERROR <job_659665566> /home/dependabot/common/lib/dependabot/shared_helpers.rb:36:in `block in in_a_temporary_repo_directory'
updater | 2023/05/08 21:05:16 ERROR <job_659665566> /home/dependabot/common/lib/dependabot/shared_helpers.rb:36:in `chdir'
updater | 2023/05/08 21:05:16 ERROR <job_659665566> /home/dependabot/common/lib/dependabot/shared_helpers.rb:36:in `in_a_temporary_repo_directory'
updater | 2023/05/08 21:05:16 ERROR <job_659665566> /home/dependabot/npm_and_yarn/lib/dependabot/npm_and_yarn/file_updater/pnpm_lockfile_updater.rb:40:in `run_pnpm_update'
updater | 2023/05/08 21:05:16 ERROR <job_659665566> /home/dependabot/npm_and_yarn/lib/dependabot/npm_and_yarn/file_updater/pnpm_lockfile_updater.rb:25:in `updated_pnpm_lock_content'
updater | 2023/05/08 21:05:16 ERROR <job_659665566> /home/dependabot/npm_and_yarn/lib/dependabot/npm_and_yarn/file_updater.rb:245:in `updated_pnpm_lock_content'
updater | 2023/05/08 21:05:16 ERROR <job_659665566> /home/dependabot/npm_and_yarn/lib/dependabot/npm_and_yarn/file_updater.rb:174:in `pnpm_lock_changed?'
updater | 2023/05/08 21:05:16 ERROR <job_659665566> /home/dependabot/npm_and_yarn/lib/dependabot/npm_and_yarn/file_updater.rb:207:in `block in updated_lockfiles'
updater | 2023/05/08 21:05:16 ERROR <job_659665566> /home/dependabot/npm_and_yarn/lib/dependabot/npm_and_yarn/file_updater.rb:206:in `each'
updater | 2023/05/08 21:05:16 ERROR <job_659665566> /home/dependabot/npm_and_yarn/lib/dependabot/npm_and_yarn/file_updater.rb:206:in `updated_lockfiles'
updater | 2023/05/08 21:05:16 ERROR <job_659665566> /home/dependabot/npm_and_yarn/lib/dependabot/npm_and_yarn/file_updater.rb:42:in `updated_dependency_files'
updater | 2023/05/08 21:05:16 ERROR <job_659665566> /home/dependabot/dependabot-updater/lib/dependabot/dependency_change_builder.rb:85:in `generate_dependency_files'
updater | 2023/05/08 21:05:16 ERROR <job_659665566> /home/dependabot/dependabot-updater/lib/dependabot/dependency_change_builder.rb:36:in `run'
updater | 2023/05/08 21:05:16 ERROR <job_659665566> /home/dependabot/dependabot-updater/lib/dependabot/dependency_change_builder.rb:25:in `create_from'
updater | 2023/05/08 21:05:16 ERROR <job_659665566> /home/dependabot/dependabot-updater/lib/dependabot/updater/operations/update_all_versions.rb:122:in `check_and_create_pull_request'
updater | 2023/05/08 21:05:16 ERROR <job_659665566> /home/dependabot/dependabot-updater/lib/dependabot/updater/operations/update_all_versions.rb:59:in `check_and_create_pr_with_error_handling'
updater | 2023/05/08 21:05:16 ERROR <job_659665566> /home/dependabot/dependabot-updater/lib/dependabot/updater/operations/update_all_versions.rb:34:in `block in perform'
updater | 2023/05/08 21:05:16 ERROR <job_659665566> /home/dependabot/dependabot-updater/lib/dependabot/updater/operations/update_all_versions.rb:34:in `each'
updater | 2023/05/08 21:05:16 ERROR <job_659665566> /home/dependabot/dependabot-updater/lib/dependabot/updater/operations/update_all_versions.rb:34:in `perform'
updater | 2023/05/08 21:05:16 ERROR <job_659665566> /home/dependabot/dependabot-updater/lib/dependabot/updater.rb:72:in `run'
updater | 2023/05/08 21:05:16 ERROR <job_659665566> /home/dependabot/dependabot-updater/lib/dependabot/update_files_command.rb:38:in `perform_job'
updater | 2023/05/08 21:05:16 ERROR <job_659665566> /home/dependabot/dependabot-updater/lib/dependabot/base_command.rb:52:in `run'
updater | 2023/05/08 21:05:16 ERROR <job_659665566> bin/update_files.rb:23:in `<main>'

Here is a live repo for repro.
The dependency that causes the same issue here is @postlight/parser

https://github.com/postlight/parser/blob/e8ba7ece291efa4d915d50dd4deeec17d54359f2/package.json#L116-L134

"difflib": "github:postlight/difflib.js",

@deivid-rodriguez
Contributor Author

Thanks for that example, will make this much easier to fix confidently!

@jakecoffman
Member

@deivid-rodriguez We might be able to fix it with a small change to the Git shim. It's currently restricted to which commands to run here, and the protocols to rewrite here.

@deivid-rodriguez
Contributor Author

Yep, I was just looking at that!

@deivid-rodriguez
Contributor Author

deivid-rodriguez commented May 9, 2023

We'd need to allow ls-remote command and git+ssh protocol, right?

@jakecoffman
Member

@deivid-rodriguez Yep, I think that would do it!

@deivid-rodriguez
Contributor Author

Awesome, I'll look into it. This is reproducible with the CLI only, so I'll add a smoke test since I'm at it!

@deivid-rodriguez
Contributor Author

I wasn't lucky with the git-shim changes, but this other tweak seems to do the trick!

diff --git a/common/lib/dependabot/shared_helpers.rb b/common/lib/dependabot/shared_helpers.rb
index 80294552d..9870c1ac9 100644
--- a/common/lib/dependabot/shared_helpers.rb
+++ b/common/lib/dependabot/shared_helpers.rb
@@ -274,6 +274,10 @@ module Dependabot
         "git config --global --add url.https://#{host}/." \
         "insteadOf git://#{host}/"
       )
+      run_shell_command(
+        "git config --global --add url.https://#{host}/." \
+        "insteadOf git+ssh://git@#{host}/"
+      )
     end
 
     def self.reset_git_repo(path)
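
Review bot: The added `insteadOf git+ssh://git@#{host}/` rule only matches URLs that carry the literal `git@` user, so a `git+ssh://#{host}/` URL without a user, or with a different one, would still be handed to ssh and fail the same way; if those forms can occur, add a rule for them, otherwise note why `git@` is the only case. A short comment above the new `run_shell_command` call naming the tool that emits `git+ssh://` URLs would make the rule easier to maintain. The diff also carries no test; a spec that asserts the resulting global git config would keep this rewrite from regressing.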

@jakecoffman
Member

@deivid-rodriguez probably still worth updating the pnpm smoke test to include this case?

@deivid-rodriguez
Contributor Author

There's no pnpm smoke test yet 😳, I'll be adding one though to test this case, yeah.

@deivid-rodriguez
Contributor Author

Just to post today's debugging of this issue, I found the culprit is here:

https://github.com/pnpm/pnpm/blob/1de07a4af3941b01fac991fae51be8b0d994c8ef/resolving/git-resolver/src/parsePref.ts#L64-L120

In that method PNPM tries to do a manual HEAD request to https://github.com/postlight/difflib.js, but since that does not succeed, it assumes it's a private repo and uses git+ssh://git@github.com/postlight/difflib.js.git instead.

Some debugging prints on the failing HEAD request show this error:

FetchError: request to https://github.com/postlight/difflib.js failed, reason: getaddrinfo EAI_AGAIN github.com
    at ClientRequest.<anonymous> (/home/dependabot/.cache/node/corepack/pnpm/8.3.1/dist/pnpm.cjs:61067:18)
    at ClientRequest.emit (node:events:513:28)
    at TLSSocket.socketErrorListener (node:_http_client:494:9)
    at TLSSocket.emit (node:events:513:28)
    at emitErrorNT (node:internal/streams/destroy:157:8)
    at emitErrorCloseNT (node:internal/streams/destroy:122:3)
    at processTicksAndRejections (node:internal/process/task_queues:83:21) {
  type: 'system',
  errno: 'EAI_AGAIN',
  code: 'EAI_AGAIN',
  erroredSysCall: 'getaddrinfo'
}

It seems like some DNS issue/misconfiguration specific to our CLI/production environment 😬.

One potential solution would be to change PNPM to use git ls-remotes with GIT_TERMINAL_PROMPT like I'm doing at #7241, instead of a manual request, but I think it'd be best to figure out how to make this request succeed in our environment so that this works consistently across PNPM versions.
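
The fallback described in the comment above, as an added example that is not part of the thread and is not pnpm's code: it contrasts "any failed probe means private repo" with a variant that only draws that conclusion from an HTTP answer. The function names, the probe-outcome shape and the list of error codes are assumptions made for this sketch.

```javascript
// Added illustration, not pnpm's code; all names here are hypothetical.
// A probe outcome is { status: <HTTP status> } or { error: { code: <errno> } }.

// Error codes meaning the probe never reached the host, so it says nothing
// about whether the repository is public or private (assumed list).
const TRANSPORT_ERRORS = new Set([
  'EAI_AGAIN', 'ENOTFOUND', 'ECONNREFUSED', 'ECONNRESET', 'ETIMEDOUT',
]);

function httpsUrl(host, repo) { return `https://${host}/${repo}.git`; }
function sshUrl(host, repo) { return `git+ssh://git@${host}/${repo}.git`; }

// Behaviour as described in the thread: a probe that does not succeed is
// taken to mean "private repository", and the SSH URL is used.
function naiveChoice(host, repo, outcome) {
  const ok = !outcome.error && outcome.status >= 200 && outcome.status < 300;
  return ok ? httpsUrl(host, repo) : sshUrl(host, repo);
}

// Stricter variant: only an HTTP answer from the host can justify the
// "private" conclusion; a transport failure is surfaced instead of
// silently switching protocol and credential path.
function strictChoice(host, repo, outcome) {
  if (outcome.error) {
    const code = outcome.error.code;
    const kind = TRANSPORT_ERRORS.has(code) ? 'network' : 'unknown';
    return { url: null, reason: `${kind} failure (${code}); visibility not determined` };
  }
  if (outcome.status >= 200 && outcome.status < 300) {
    return { url: httpsUrl(host, repo), reason: 'reachable over https' };
  }
  if ([401, 403, 404].includes(outcome.status)) {
    return { url: sshUrl(host, repo), reason: `host answered ${outcome.status}; likely private` };
  }
  return { url: null, reason: `unexpected status ${outcome.status}` };
}

// Constructed input modelled on the EAI_AGAIN failure quoted in the thread.
function demo() {
  const dnsFailure = { error: { code: 'EAI_AGAIN' } };
  return {
    naive: naiveChoice('github.com', 'postlight/difflib.js', dnsFailure),
    strict: strictChoice('github.com', 'postlight/difflib.js', dnsFailure),
  };
}

console.log(demo());
```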

@deivid-rodriguez
Contributor Author

I think I figured it out! node-fetch, used by PNPM here, does not respect proxy environment variables. I'm working on a patch for PNPM.

@jakecoffman
Member

@deivid-rodriguez That makes sense. Since the Updater container is on a network where only HTTP(S) is allowed to the proxy, if it were to ignore the proxy setting the first thing it would do is make a DNS request, which will fail. When using the proxy the DNS request happens on the Proxy container.

@deivid-rodriguez
Contributor Author

I opened an issue and a raw patch to PNPM!
