dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.
https://docs.github.com/en/code-security/dependabot
MIT License
4.65k stars 1k forks

NPM alpha/prerelease dependencies don't update as expected #10458

Open blimmer opened 1 month ago

blimmer commented 1 month ago

Is there an existing issue for this?

Package ecosystem

Yarn

Package manager version

yarn 4.4.0

Language version

No response

Manifest location and content before the Dependabot update

https://github.com/blimmer/dependabot-bug-report/blob/main/package.json

{
  "name": "dependabot-bug-report",
  "version": "0.1.0",
  "bin": "bin/dependabot-bug-report.js",
  "scripts": {
    "build": "tsc",
    "watch": "tsc -w",
    "test": "jest",
    "cdk": "cdk"
  },
  "devDependencies": {
    "@aws-cdk/aws-scheduler-alpha": "2.149.0-alpha.0",
    "@aws-cdk/aws-scheduler-targets-alpha": "2.149.0-alpha.0",
    "@types/jest": "^29.5.12",
    "@types/node": "20.14.9",
    "aws-cdk": "2.149.0",
    "jest": "^29.7.0",
    "ts-jest": "^29.1.5",
    "ts-node": "^10.9.2",
    "typescript": "~5.5.3"
  },
  "dependencies": {
    "aws-cdk-lib": "2.149.0",
    "constructs": "^10.0.0",
    "source-map-support": "^0.5.21"
  },
  "packageManager": "yarn@4.4.0"
}

https://github.com/blimmer/dependabot-bug-report/blob/main/yarn.lock

dependabot.yml content

https://github.com/blimmer/dependabot-bug-report/blob/main/.github/dependabot.yml

version: 2
updates:
  - package-ecosystem: 'npm'
    directory: '/'
    schedule:
      interval: 'daily'
    commit-message:
      prefix: 'chore(deps): '
    groups:
      cdk-updates:
        applies-to: version-updates
        patterns:
          - '@aws-cdk/*'
          - 'aws-cdk'
          - 'aws-cdk-lib'
        update-types:
          - patch
          - minor
          - major
      security-updates:
        applies-to: security-updates
        update-types:
          - patch
          - minor
          - major
      safe-updates:
        applies-to: version-updates
        update-types:
          - patch
          - minor
        exclude-patterns:
          - '@types/node'
      major-updates:
        applies-to: version-updates
        exclude-patterns:
          - '@types/node'
        update-types:
          - major

Updated dependency

This should update the following:

aws-cdk from 2.149.0 -> 2.152.0
aws-cdk-lib from 2.149.0 -> 2.152.0
@aws-cdk/aws-scheduler-alpha from 2.149.0-alpha.0 -> 2.152.0-alpha.0
@aws-cdk/aws-scheduler-targets-alpha from 2.149.0-alpha.0 -> 2.152.0-alpha.0

What you expected to see, versus what you actually saw

Dependabot successfully figures out the aws-cdk and aws-cdk-lib updates, but not the alpha packages.

GitHub Actions run: https://github.com/blimmer/dependabot-bug-report/actions/runs/10427035923/job/28881042089

Log archive: 3_Run Dependabot.txt

Relevant part of logs:

updater | 2024/08/16 22:28:25 INFO <job_870468449> Checking if @aws-cdk/aws-scheduler-alpha 2.149.0-alpha.0 needs updating
  proxy | 2024/08/16 22:28:25 [120] GET https://registry.npmjs.org:443/@aws-cdk%2Faws-scheduler-alpha
2024/08/16 22:28:25 [120] 200 https://registry.npmjs.org:443/@aws-cdk%2Faws-scheduler-alpha
  proxy | 2024/08/16 22:28:25 [122] HEAD https://registry.npmjs.org:443/@aws-cdk/aws-scheduler-alpha/-/aws-scheduler-alpha-2.149.0-alpha.0.tgz
2024/08/16 22:28:25 [122] 200 https://registry.npmjs.org:443/@aws-cdk/aws-scheduler-alpha/-/aws-scheduler-alpha-2.149.0-alpha.0.tgz
updater | 2024/08/16 22:28:25 INFO <job_870468449> Latest version is 2.149.0-alpha.0
updater | 2024/08/16 22:28:25 INFO <job_870468449> Checking if @aws-cdk/aws-scheduler-targets-alpha 2.149.0-alpha.0 needs updating
  proxy | 2024/08/16 22:28:25 [124] GET https://registry.npmjs.org:443/@aws-cdk%2Faws-scheduler-targets-alpha
2024/08/16 22:28:25 [124] 200 https://registry.npmjs.org:443/@aws-cdk%2Faws-scheduler-targets-alpha
  proxy | 2024/08/16 22:28:26 [126] HEAD https://registry.npmjs.org:443/@aws-cdk/aws-scheduler-targets-alpha/-/aws-scheduler-targets-alpha-2.149.0-alpha.0.tgz
2024/08/16 22:28:26 [126] 200 https://registry.npmjs.org:443/@aws-cdk/aws-scheduler-targets-alpha/-/aws-scheduler-targets-alpha-2.149.0-alpha.0.tgz
updater | 2024/08/16 22:28:26 INFO <job_870468449> Latest version is 2.149.0-alpha.0

Native package manager behavior

> yarn upgrade-interactive
 Press <up>/<down> to select packages.            Press <enter> to install.
 Press <left>/<right> to select versions.         Press <ctrl+c> to abort.

? Pick the packages you want to upgrade.          Current          Range            Latest

   @aws-cdk/aws-scheduler-alpha ---------------- ◯ 2.149.0-alpha…                  ◉ 2.152.0 ------
   @aws-cdk/aws-scheduler-targets-alpha -------- ◯ 2.149.0-alpha…                  ◉ 2.152.0 ------
   @types/node --------------------------------- ◉ 20.14.9 ------ ◯ 20.15.0 ------ ◯ 22.4.0 -------
   aws-cdk-lib --------------------------------- ◯ 2.149.0 ------ ◉ 2.152.0 ------
 > aws-cdk ------------------------------------- ◯ 2.149.0 ------ ◉ 2.152.0 ------
   constructs ---------------------------------- ◉ ^10.0.0 ------ ◯ ^10.3.0 ------
   ts-jest ------------------------------------- ◉ ^29.1.5 ------ ◯ ^29.2.4 ------
   typescript ---------------------------------- ◉ ~5.5.3 ------- ◯ ~5.5.4 -------
➤ YN0000: · Yarn 4.4.0
➤ YN0000: ┌ Resolution step
➤ YN0085: │ + @aws-cdk/aws-scheduler-alpha@npm:2.152.0-alpha.0, @aws-cdk/aws-scheduler-targets-alpha@npm:2.152.0-alpha.0, aws-cdk-lib@npm:2.152.0, aws-cdk@npm:2.152.0
➤ YN0085: │ - @aws-cdk/aws-scheduler-alpha@npm:2.149.0-alpha.0, @aws-cdk/aws-scheduler-targets-alpha@npm:2.149.0-alpha.0, aws-cdk-lib@npm:2.149.0, aws-cdk@npm:2.149.0
➤ YN0000: └ Completed
➤ YN0000: ┌ Fetch step
➤ YN0000: └ Completed in 0s 294ms
➤ YN0000: ┌ Link step
➤ YN0000: └ Completed in 1s 914ms
➤ YN0000: · Done in 2s 324ms

yarn upgrade-interactive allows the upgrade.

Images of the diff or a link to the PR, issue, or logs

See above.

Smallest manifest that reproduces the issue

I have a simple repro repository here: https://github.com/blimmer/dependabot-bug-report

dreamorosi commented 6 days ago

We are seeing the same issue with dependencies of the same kind.

This is our Dependabot config:

version: 2
updates:
  - package-ecosystem: npm
    directories:
      - "/"
    labels: [ ]
    schedule:
      interval: daily
    versioning-strategy: increase
    ignore:
      - dependency-name: "@middy/core"
        update-types: [ "version-update:semver-major" ]
    groups:
      aws-sdk-v3:
        patterns:
        - "@aws-sdk/*"
        - "@smithy/*"
        - "aws-sdk-client-mock"
        - "aws-sdk-client-mock-jest"
      aws-cdk:
        patterns:
        - "@aws-cdk/cli-lib-alpha"
        - "aws-cdk-lib"
        - "aws-cdk"
      typedoc:
        patterns:
        - "typedoc"
        - "typedoc-plugin-*"

Which doesn't pick up the pre-release packages. Here are the Dependabot logs:

image

In all cases the @aws-cdk/cli-lib-alpha package is always left behind.

I am not familiar with the codebase at all, but looking at the tests, there seems to be one that says that this should not be happening and that tests pre-release updates explicitly: https://github.com/dependabot/dependabot-core/blob/ddb9722dd9ed00daf54b5115ccfe033c6bb910b7/npm_and_yarn/spec/dependabot/npm_and_yarn/update_checker/requirements_updater_spec.rb#L320-L342
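
Added example, not part of the issue thread and not Dependabot's code: a stand-alone check that lists exact prerelease pins for which a higher version on the same prerelease channel is published, using SemVer 2.0.0 precedence. Until the updater proposes these bumps, such pins stay behind silently, so a check like this can run beside Dependabot. The function names and the `PUBLISHED` map (a constructed stand-in for registry metadata, holding only versions named in the report) are assumptions.

```javascript
// SemVer 2.0.0 precedence written out by hand so the check runs offline.
function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v);
  if (!m) return null; // ranges such as ^29.5.12 are not exact pins
  return { core: [+m[1], +m[2], +m[3]], pre: m[4] ? m[4].split('.') : [] };
}

// Returns -1, 0 or 1. Both arguments must be exact versions.
function compare(a, b) {
  const x = parse(a), y = parse(b);
  for (let i = 0; i < 3; i++) if (x.core[i] !== y.core[i]) return x.core[i] < y.core[i] ? -1 : 1;
  // With equal cores, a release outranks any prerelease.
  if (!x.pre.length || !y.pre.length) return Math.sign(y.pre.length - x.pre.length);
  for (let i = 0; ; i++) {
    const p = x.pre[i], q = y.pre[i];
    // The shorter identifier list ranks lower; both exhausted means equal.
    if (p === undefined || q === undefined) return (p !== undefined) - (q !== undefined);
    const pn = /^\d+$/.test(p), qn = /^\d+$/.test(q);
    if (pn && qn && +p !== +q) return +p < +q ? -1 : 1; // numeric identifiers compare as numbers
    if (pn !== qn) return pn ? -1 : 1; // numeric ranks below alphanumeric
    if (!pn && p !== q) return p < q ? -1 : 1; // alphanumeric compares in ASCII order
  }
}

// For each exact prerelease pin, find the highest published version on the same
// channel (first prerelease identifier, e.g. "alpha") that outranks the pin.
function stalePrereleasePins(deps, published) {
  const stale = [];
  for (const [name, pin] of Object.entries(deps)) {
    const cur = parse(pin);
    if (!cur || !cur.pre.length) continue; // skip ranges and plain releases
    const best = (published[name] || [])
      .filter((v) => (parse(v) || { pre: [] }).pre[0] === cur.pre[0])
      .sort(compare).pop();
    if (best && compare(best, pin) > 0) stale.push({ name, current: pin, available: best });
  }
  return stale;
}

// Pins copied from the report's package.json (subset).
const DEPS = {
  '@aws-cdk/aws-scheduler-alpha': '2.149.0-alpha.0',
  '@aws-cdk/aws-scheduler-targets-alpha': '2.149.0-alpha.0',
  '@types/jest': '^29.5.12',
  'aws-cdk': '2.149.0',
};
// Constructed registry data: only the versions named in the report.
const PUBLISHED = {
  '@aws-cdk/aws-scheduler-alpha': ['2.152.0-alpha.0', '2.149.0-alpha.0'],
  '@aws-cdk/aws-scheduler-targets-alpha': ['2.149.0-alpha.0', '2.152.0-alpha.0'],
};
console.log(stalePrereleasePins(DEPS, PUBLISHED));
```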