Open sjlehn opened 2 years ago
👋 apologies, I'm not super familiar with the `npm` ecosystem.
How does native `npm` realize that `ts-jest` is associated with `jest`/`@types/jest`? Where is that mapping specified? Is it in the `package.json` of one of the underlying packages?
I'm not super familiar with the intricacies of `npm`, but from what I can tell, `ts-jest` specifies a peer dependency on jest in its package.json
Right, so that makes sense that if updating `ts-jest` that Dependabot needs to also bump `jest`/`@types/jest`...
But if bumping only `jest`/`@types/jest`, unless they specify `ts-jest` as a peer dependency, then how would `npm` (and thereby Dependabot) realize it needs to bump `ts-jest`? I guess if we're running `npm` against the whole thing and not individual packages, then it should complain when it realizes `ts-jest` is no longer compatible with the proposed bump...
So what did running native `npm` do here when trying to bump only `jest`/`@types/jest`? Did it also bump `ts-jest`, or complain, or let the update proceed w/o bumping `ts-jest`?
I'll ask a colleague who knows more about `npm` to take a peek at this...
> Also, what did running native `npm` do here when trying to bump only `jest`/`@types/jest`? Did it also bump `ts-jest`, or complain, or let the update proceed w/o bumping `ts-jest`?

I don't recall exactly, I'd have to recreate the environment and play with it a bit. Updating `jest` without `ts-jest` didn't cause `npm` to fail (it may have emitted a warning), as we ended up getting the errors farther on when we actually tried to use `jest`. I can try to refresh my memory on this on Monday if somebody hasn't already figured it out.
We added the capability to automatically update the corresponding `@types/` package when updating a dependency last year. AFAIK this doesn't extend to peerDependencies. Still, even though `jest` is a peerDependency of `ts-jest`, the reverse is not true.
> even though jest is a peerDependency of ts-jest, the reverse is not true.

which would imply that there's no good way to pick up this sort of error?
I just tried the following:
`npm install` (using node 16)
`jest`; got the following warnings:

```
npm WARN ERESOLVE overriding peer dependency
npm WARN While resolving: api@0.0.0
npm WARN Found: jest@26.6.3
npm WARN node_modules/jest
npm WARN peer jest@">=26 <27" from ts-jest@26.5.6
npm WARN node_modules/ts-jest
npm WARN dev ts-jest@"^26.5.6" from the root project
npm WARN 1 more (the root project)
npm WARN
npm WARN Could not resolve dependency:
npm WARN peer jest@">=26 <27" from ts-jest@26.5.6
npm WARN node_modules/ts-jest
npm WARN dev ts-jest@"^26.5.6" from the root project

added 130 packages, removed 226 packages, changed 60 packages, and audited 848 packages in 5s

71 packages are looking for funding
run `npm fund` for details

found 0 vulnerabilities
```

Trying to upgrade on Node 14 is similar:

```
npm notice created a lockfile as package-lock.json. You should commit this file.
npm WARN ts-jest@26.5.6 requires a peer of jest@>=26 <27 but none is installed. You must install peer dependencies yourself.
npm WARN api@0.0.0 No description
npm WARN api@0.0.0 No repository field.

added 769 packages from 638 contributors and audited 772 packages in 19.608s

71 packages are looking for funding
run `npm fund` for details

found 0 vulnerabilities
```

Upgrading `ts-jest` with node 16 actually fails:

```
$ npm install ts-jest@29.0.3 ⬡ system
npm ERR! code ERESOLVE
npm ERR! ERESOLVE unable to resolve dependency tree
npm ERR!
npm ERR! While resolving: api@0.0.0
npm ERR! Found: jest@26.6.3
npm ERR! node_modules/jest
npm ERR! dev jest@"^26.6.3" from the root project
npm ERR!
npm ERR! Could not resolve dependency:
npm ERR! peer jest@"^29.0.0" from ts-jest@29.0.3
npm ERR! node_modules/ts-jest
npm ERR! dev ts-jest@"29.0.3" from the root project
npm ERR!
npm ERR! Fix the upstream dependency conflict, or retry
npm ERR! this command with --force, or --legacy-peer-deps
npm ERR! to accept an incorrect (and potentially broken) dependency resolution.
npm ERR!
npm ERR! See /Users/stevenlehn/.npm/eresolve-report.txt for a full report.

npm ERR! A complete log of this run can be found in:
npm ERR! /Users/stevenlehn/.npm/_logs/2023-02-03T21_55_26_730Z-debug-0.log
```

One last test, upgrading with node 14, this just emits a warning:

```
$ npm install ts-jest@29.0.3 ⬡ 14.20.1
npm WARN ts-jest@29.0.3 requires a peer of jest@^29.0.0 but none is installed. You must install peer dependencies yourself.
npm WARN api@0.0.0 No description
npm WARN api@0.0.0 No repository field.

73 packages are looking for funding
run `npm fund` for details

found 0 vulnerabilities
```

Hopefully that's some help.
So @bdragon did a little more digging, and the upshot was:
- `npm 6` is a warning, vs `npm 7+` is an error. In Dependabot, we try to parse the `npm 6` warning and error out, like `npm 7/8` does.
- `ts-jest` `peerDependency` constraint should have resulted in an `update_not_possible` error, not sure why it didn't...
- `peerDependencies` for conflicts to try to see what else it needs to bump, that behavior could be extended later... that falls under the broader grouped updates category, which we do want to tackle at some point, but unclear what shape that would eventually land in.

So again, this does appear to be a bug that `ts-jest` `peerDependency` constraint wasn't accounted for, probably if it was accounted for it would have resulted in no update possible rather than a PR at all.
Unfortunately I can't look into this further right now, and I already nerdsniped _bdragon enough today, but if you want to step further with it it should be relatively straightforward to use `docker` and use the `dry-run` script to step through what's happening here... even if you don't know ruby, it's not hard to add some `debugger` + `puts` statements to step through what's happening. If you can narrow it down a bit, then myself or someone else might be able to help put together a fix.
"nerdsniped"...TIL. I hope I'm not getting myself in trouble for it. :) Maybe I can play with it a bit tomorrow and see what I can learn.
If you want to play with this, the dry-run or CLI tool are both good options for simulating the job locally.
Is there an existing issue for this?
Package ecosystem
npm
Package manager version
npm 6.14.17
Language version
nodejs v14.20.1
Manifest location and content before the Dependabot update
package.json:
dependabot.yml content
Updated dependency
Updates jest from 26.6.3 to 29.2.0
Updates @types/jest from 27.0.2 to 29.1.2
Should update ts-jest from 26.5.6 to 29.0.3
What you expected to see, versus what you actually saw
A PR was opened to update `jest` and `@types/jest`, but `ts-jest` was not included. This resulted in a failure during the CI run:
Manually updating `ts-jest` resolved the error.
Native package manager behavior
No response
Images of the diff or a link to the PR, issue, or logs
No response
Smallest manifest that reproduces the issue
No response
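
The check this thread is circling, as an added example (not Dependabot's or npm's code): before bumping a package, scan the peer ranges declared by everything already installed and report the dependents that reject the proposed version. The `satisfies` helper is a simplified stand-in for npm's semver matching, `peerConflicts` is a hypothetical name, and the `installed` map is constructed from the versions and ranges quoted in the npm output above.

```javascript
// Added example: simplified range matcher, not the node-semver library npm uses.
// Handles space-separated comparators and caret ranges with major >= 1 only;
// prerelease tags, tildes, hyphen ranges and "||" are out of scope here.
function parse(v) {
  const [maj = 0, min = 0, pat = 0] = v.split('.').map(Number);
  return [maj, min, pat];
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

function satisfies(version, range) {
  const v = parse(version);
  return range.trim().split(/\s+/).every((tok) => {
    const m = /^(\^|>=|<=|>|<|=)?(.+)$/.exec(tok);
    const t = parse(m[2]);
    const c = cmp(v, t);
    if (m[1] === '^') return c >= 0 && v[0] === t[0];
    return { '>=': c >= 0, '<=': c <= 0, '>': c > 0, '<': c < 0, '=': c === 0 }[m[1] || '='];
  });
}

// Constructed sample: the installed dependent and its peer range from the thread.
const installed = {
  'ts-jest': { version: '26.5.6', peerDependencies: { jest: '>=26 <27' } },
};

// jest declares nothing about ts-jest, so the conflict is only visible by
// walking the dependents' peerDependencies for the package being bumped.
function peerConflicts(installedPkgs, name, proposedVersion) {
  const conflicts = [];
  for (const [dependent, meta] of Object.entries(installedPkgs)) {
    const range = (meta.peerDependencies || {})[name];
    if (range && !satisfies(proposedVersion, range)) {
      conflicts.push({ dependent, version: meta.version, requires: range });
    }
  }
  return conflicts;
}

console.log(peerConflicts(installed, 'jest', '29.2.0'));
```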