package-lock files with version 3 are not handled correctly by Dependabot

[ferferga]

We recently upgraded to Node 16 and the lockfile version 3 of package-lock.json (the version without backwards-compatible features of the lockfile, see docs here, as we want to enforce always the most current features with the latest LTSs).

Lockfiles proposed by dependabot have massive changes, even when recreated or rebased

Package ecosystem npm Package manager version npm 8.1.0 Language version

• Node 16

Relevant PRs

• https://github.com/jellyfin/jellyfin-vue/pull/1585
• https://github.com/jellyfin/jellyfin-vue/pull/1584
• https://github.com/jellyfin/jellyfin-vue/pull/1583
• https://github.com/jellyfin/jellyfin-vue/pull/1582
• https://github.com/jellyfin/jellyfin-vue/pull/1581
• https://github.com/jellyfin/jellyfin-vue/pull/1580
• https://github.com/jellyfin/jellyfin-vue/pull/1579
• https://github.com/jellyfin/jellyfin-vue/pull/1578
• https://github.com/jellyfin/jellyfin-vue/pull/1577

[cedric-anne]

I confirm the issue. Same problem on this PR: https://github.com/glpi-project/glpi/pull/10035 .

[jeffwidman]

Closing, as I think this was fixed by the bump to NPM 8:

• https://github.com/dependabot/dependabot-core/pull/4763

Please comment if I'm misreading/misunderstanding something, and we can re-open.

[cedric-anne]

Indeed, it seems to be OK now.