[Stimulus] Dependabot NPM updates fail due to local file paths in package.json / package-lock.json

[ToshY]

For a while I've noticed that Dependabot no longer updates my dependencies in my package.json, and now after a bit of trial-and-error, I've found that Dependabot fails to run due to Stimulus (and other UX packages) having references to local file paths. The error in logging that dependabot shows is as follows:

2024-09-26T20:12:55.5383203Z updater | 2024/09/26 20:12:55 ERROR <job_891655384> Error during file fetching; aborting: The following path based dependencies could not be retrieved: @symfony/stimulus-bundle
2024-09-26T20:12:55.6591948Z   proxy | 2024/09/26 20:12:55 [008] POST /update_jobs/891655384/record_update_job_error
2024-09-26T20:12:55.7579478Z   proxy | 2024/09/26 20:12:55 [008] 204 /update_jobs/891655384/record_update_job_error
2024-09-26T20:12:55.8079080Z   proxy | 2024/09/26 20:12:55 [010] PATCH /update_jobs/891655384/mark_as_processed
2024-09-26T20:12:55.8718565Z   proxy | 2024/09/26 20:12:55 [010] 204 /update_jobs/891655384/mark_as_processed
2024-09-26T20:12:55.8748757Z updater | 2024/09/26 20:12:55 INFO <job_891655384> Finished job processing
2024-09-26T20:12:55.8774655Z updater | 2024/09/26 20:12:55 INFO Results:
2024-09-26T20:12:55.8779603Z Dependabot encountered '1' error(s) during execution, please check the logs for more details.
2024-09-26T20:12:55.8784340Z +---------------------------------+
2024-09-26T20:12:55.8787953Z |             Errors              |
2024-09-26T20:12:55.8790659Z +---------------------------------+
2024-09-26T20:12:55.8795300Z | path_dependencies_not_reachable |
2024-09-26T20:12:55.8796169Z +---------------------------------+
2024-09-26T20:12:56.0448570Z Failure running container f4dc4b7d8d61497057cd9e3c0ec13ac8464e6587d6a9745cd9c067bebef1e20d
2024-09-26T20:12:56.1228791Z Cleaned up container f4dc4b7d8d61497057cd9e3c0ec13ac8464e6587d6a9745cd9c067bebef1e20d
2024-09-26T20:12:56.1381106Z   proxy | 2024/09/26 20:12:56 0/5 calls cached (0%)
2024-09-26T20:12:56.1386530Z   proxy | 2024/09/26 20:12:56 Posting metrics to remote API endpoint
2024-09-26T20:12:56.5379023Z ##[error]Dependabot encountered an error performing the update

Error: The updater encountered one or more errors.

The following package.json and package-lock.json are in my project.

package.json

  "devDependencies": {
    "@symfony/stimulus-bridge": "^3.2.2",
    "@symfony/stimulus-bundle": "file:vendor/symfony/stimulus-bundle/assets",
    "@symfony/ux-autocomplete": "file:vendor/symfony/ux-autocomplete/assets",
    "@symfony/ux-lazy-image": "file:vendor/symfony/ux-lazy-image/assets",

package-lock.json

    "node_modules/@symfony/stimulus-bundle": {
      "resolved": "vendor/symfony/stimulus-bundle/assets",
      "link": true
    },
    "node_modules/@symfony/ux-autocomplete": {
      "resolved": "vendor/symfony/ux-autocomplete/assets",
      "link": true
    },
    "node_modules/@symfony/ux-lazy-image": {
      "resolved": "vendor/symfony/ux-lazy-image/assets",
      "link": true
    },

My .github/dependabot.yml is as follows:

version: 2
updates:
  - package-ecosystem: "composer"
    directory: "/"
    target-branch: "master"
    schedule:
      interval: "weekly"
      day: "sunday"

  - package-ecosystem: "npm"
    directory: "/"
    target-branch: "master"
    schedule:
      interval: "weekly"
      day: "sunday"

So I think the problem is that the the Symfony Stimulus/UX packages add a section to the package.json that points to assets in the vendor directory, but the Dependabot NPM updater knows nothing about this vendor directory as there's none.

My question: does anyone have an idea how I can make Dependabot "work" again to update NPM packages?

---

Sidenotes:

I've already tried adding ignore key to the NPM section in dependabot.yml

version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    target-branch: "master"
    schedule:
      interval: "weekly"
      day: "sunday"
    ignore:
      - dependency-name: "@symfony/stimulus-bundle"
      - dependency-name: "@symfony/ux-autocomplete"
      - dependency-name: "@symfony/ux-lazy-image"

It picks up these settings in the job definition when checking the logging:

"ignore-conditions":[{"dependency-name":"@symfony/stimulus-bundle","version-requirement":">= 0","update-types":null,"source":".github/dependabot.yml","updated-at":"2024-09-26T20:12:08.000Z"},{"dependency-name":"@symfony/ux-autocomplete","version-requirement":">= 0","update-types":null,"source":".github/dependabot.yml","updated-at":"2024-09-26T20:12:08.000Z"},{"dependency-name":"@symfony/ux-lazy-image","version-requirement":">= 0","update-types":null,"source":".github/dependabot.yml","updated-at":"2024-09-26T20:12:08.000Z"}

But it still fails with the same error (probably tries to fetch files before trying to ignore).

[ToshY]

🦗

Isn't there someone else that has this issue using Symfony Stimulus/UX bundles? Hardly believe that I would be the only one that has Dependabot setup for NPM updates on a Symfony repo using these bundles 🙁

[Santorinie]

I've been having the same problem for weeks now. I haven't seemed to find any solutions yet.

[ToshY]

Okay, good to see I'm not the only one experiencing this problem.

As it seems there isn't much traction on this question, I will create an issue if no possible workaround/solution will be presented.

Edit

Created #58678