dependabot fails to update pnpm-lock.yaml #8186
Comments
Hitting this too. Possibly a problem with pnpm workspaces since the pnpm-lock isn't in the same package as the security issue? (it's one folder up, as per how workspaces work).
Thanks for letting us know. Can any of you share an example repository showing this problem?
Here's a minimal example.
I am encountering a similar issue. My lockfile is not at the top level of the repo (
Also running into this issue in our monorepo.
Same issue with also yarn.lock. Monorepo but no workspaces (one package.json, one yarn.lock, one node_modules - all in the root of the repo).
We're having the same issue with
Is there an existing issue for this?
Package ecosystem
pnpm
Package manager version
8.8.0
Language version
No response
Manifest location and content before the Dependabot update
No response
dependabot.yml content
No response
Updated dependency
No response
What you expected to see, versus what you actually saw
Expected
postCSS to be updated in pnpm-lock.yaml
Actual: received error message:
Dependabot cannot update postcss to a non-vulnerable version
However, running
pnpm audit --fix
successfully patches the dependency.
truncated logs:
Native package manager behavior
Images of the diff or a link to the PR, issue, or logs
No response
Smallest manifest that reproduces the issue
No response