dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.
https://docs.github.com/en/code-security/dependabot
MIT License

Dependabot to handle .nvmrc #4808

Open JimNero009 opened 2 years ago

JimNero009 commented 2 years ago

This is actually a duplicate of https://github.com/dependabot/dependabot-core/issues/1462, but it was closed off and I'd like to suggest we re-open the discussion.

One really nice feature of Dependabot is its ability to use pyenv to install correct versions of Python/pip in order to bump repos in a sensible way. We have recently started moving to Node 16 and it came to my attention that Dependabot does not have a similar mechanism for Node.

I found this quite surprising, as nvm as a tool for this is well established and simple to install and use. Since the npm version in Node 16 is npm 8, and this brings with it a change in lockfile format, and we are running Dependabot with Node 12/npm 6, each PR right now is rewriting the lockfile format to the old way. While I believe this not to be breaking at the moment, it is a source of toil for our users.

I could upgrade to Node 16, but then I will have the opposite problem of users still on Node 12 having their lockfiles rewritten.

Instead, it would be great if dependabot could, e.g., understand a .nvmrc file and run the commands it needs to run with the version specified there, installing it if needed, just like in Python. Is this something that is being considered on your roadmap?
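The lockfile rewrite described above (Dependabot's bundled npm 6 regenerating a repo's package-lock.json in the older format) can be caught in CI before the PR is merged. The following check is an added example, not code from dependabot-core or from the issue author; it assumes a repo pins Node with a plain version in .nvmrc and uses the known npm-to-lockfileVersion mapping (npm 6 writes lockfileVersion 1, npm 7/8 write 2), with the Node-major table being my own assumption rather than anything the issue states.

```python
import json
import re

# Assumed mapping: lockfileVersion produced by the npm that ships with each Node line.
# Node 12 and 14 bundle npm 6 (lockfileVersion 1); Node 16 bundles npm 7/8 (lockfileVersion 2).
NODE_MAJOR_TO_LOCKFILE_VERSION = {12: 1, 14: 1, 16: 2}


def nvmrc_node_major(nvmrc_text: str):
    """Return the Node major pinned in .nvmrc, or None for aliases such as lts/* or node."""
    lines = [ln.strip() for ln in nvmrc_text.splitlines() if ln.strip()]
    if not lines:
        return None
    match = re.fullmatch(r"v?(\d+)(?:\.\d+){0,2}", lines[0])
    return int(match.group(1)) if match else None


def lockfile_version(package_lock_text: str) -> int:
    """lockfileVersion from package-lock.json (npm 5/6 wrote 1; treat a missing key as 1)."""
    return int(json.loads(package_lock_text).get("lockfileVersion", 1))


def check_lockfile_matches_nvmrc(nvmrc_text: str, package_lock_text: str):
    """Return (verdict, message); verdict is True/False, or None when no expectation is known."""
    major = nvmrc_node_major(nvmrc_text)
    if major is None:
        return None, ".nvmrc uses an alias; cannot derive an expected lockfileVersion"
    expected = NODE_MAJOR_TO_LOCKFILE_VERSION.get(major)
    if expected is None:
        return None, f"no lockfileVersion expectation recorded for Node {major}"
    actual = lockfile_version(package_lock_text)
    if actual == expected:
        return True, f"lockfileVersion {actual} matches Node {major}"
    return False, (f"lockfileVersion {actual} but Node {major} expects {expected}: "
                   "lockfile was regenerated by a different npm than the repo pins")


# Constructed sample: a package-lock.json as npm 6 would write it (the Dependabot PR case),
# checked against a repo whose .nvmrc pins Node 16.
SAMPLE_PACKAGE_LOCK_NPM6 = json.dumps({
    "name": "example-app", "version": "1.0.0", "lockfileVersion": 1, "requires": True,
    "dependencies": {"left-pad": {"version": "1.3.0", "resolved": "https://registry.example/left-pad-1.3.0.tgz"}},
})
SAMPLE_NVMRC = "16\n"

if __name__ == "__main__":
    verdict, message = check_lockfile_matches_nvmrc(SAMPLE_NVMRC, SAMPLE_PACKAGE_LOCK_NPM6)
    print(("OK" if verdict else "MISMATCH"), message)
```

Run it as a CI step on the PR branch to fail Dependabot PRs that silently downgraded the lockfile format; the registry URL and package in the sample are placeholders.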

jeffwidman commented 1 year ago

👋 Sorry for the slow response.

Pretty sure this is a duplicate of:

deivid-rodriguez commented 1 year ago

@jeffwidman I think this one is not actually requesting to bump the nodejs version in .nvmrc but to actually respect it.

We have discussed this internally a bit since it's a recurrent issue across ecosystems, but we don't have a good solution yet. We do it for python, it's true, and I wish we could do it for other ecosystems, but it's not an easy thing to do. Ideally, package managers would support some mode that allows to generate a lockfile as-if you were running specific versions of the language. But this is also not a popular feature across package managers.

So, we don't have a good solution for this but I feel the pain this causes and I'd like us to keep thinking about this problem and improving the situation, so I'm going to reopen!

exalted commented 3 months ago

Throwing out an idea here:

For a .github/dependabot.yml that looks like

version: 2

updates:

  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"

It would've been nice to add:

    actions:
      - uses: actions/setup-node@v4
        with:
          node-version: 16

… to "complement" Dependabot Docker image with whatever else is "missing" or wanted to be changed, by leveraging existing GitHub Actions.

So the final .github/dependabot.yml would look like:

version: 2

updates:

  - package-ecosystem: "npm"
    actions:
      - uses: actions/setup-node@v4
        with:
          node-version: 16
    directory: "/"
    schedule:
      interval: "weekly"

What do you think?