Open danmarshall opened 1 year ago
I'm not super familiar with the npm ecosystem, so a few questions:

npm
give you? Because Dependabot is focused on being the glue code, and then transparently (as much as possible) handing off to npm and returning whatever it says... vega-functions dep tree, so it has to be coming from somewhere else... any idea where? Is that why you're saying monorepo matters, because it's coming from another package/module that is completely unrelated but sits next to this one in the monorepo directory structure?

My monorepo is set up like this:
root/
└── packages/
    ├── dep1/
    │   ├── package.json
    │   └── package-lock.json
    └── dep2/
        ├── package.json
        └── package-lock.json
Let's say that dep2 depends on dep1. This will appear in dep2's package.json but should not in package-lock.json. It should not appear in the lockfile because it's a local reference, not from the global registry. If you run npm install in the dep2 folder, you will get the erroneous result, so monorepos usually use a tool like Lerna.
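A check for the situation described in the comment above, as an added example that is not part of this issue, the SandDance project or Dependabot: given one package's package.json, its package-lock.json and the names of the sibling packages in the monorepo, it lists declared dependencies that are siblings yet were resolved from a registry URL in the lockfile, which is exactly what running npm install inside a single package directory produces. The package names dep1 and dep2 come from the layout above; the lockfile contents, the registry URLs and the some-registry-lib entry are constructed sample data. The lockfile shape assumed is npm's lockfileVersion 2/3 "packages" map (with the v1 "dependencies" map as a fallback), a local reference is assumed to show up either as no lockfile entry at all, as an entry with "link": true, or as a non-http(s) "resolved" path, and discovering the sibling names (for example by reading packages/*/package.json) is left to the caller.

```javascript
// Added example, not code from the issue, SandDance or Dependabot.
// Flags dependencies of one monorepo package that are themselves sibling
// packages but were resolved from a registry URL in package-lock.json.
// Assumptions: npm lockfileVersion 2/3 "packages" map (v1 "dependencies"
// map as fallback); an entry with "link": true or a non-http(s) "resolved"
// value is treated as a local reference and not reported.

// Collect the top-level entries of a lockfile as name -> entry.
function lockfileTopLevel(lock) {
  const out = new Map();
  if (lock.packages) {
    for (const [key, entry] of Object.entries(lock.packages)) {
      // Only direct node_modules/<name> or node_modules/@scope/<name>;
      // nested node_modules paths are skipped.
      const m = key.match(/^node_modules\/((?:@[^/]+\/)?[^/]+)$/);
      if (m) out.set(m[1], entry);
    }
  } else if (lock.dependencies) {
    for (const [name, entry] of Object.entries(lock.dependencies)) {
      out.set(name, entry);
    }
  }
  return out;
}

// Return [{ name, version, resolved }] for every declared dependency that is a
// sibling package yet was fetched from a registry according to the lockfile.
function findLeakedLocalDeps(pkg, lock, siblingNames) {
  const declared = Object.assign({}, pkg.dependencies, pkg.devDependencies);
  const locked = lockfileTopLevel(lock);
  const findings = [];
  for (const name of Object.keys(declared)) {
    if (!siblingNames.has(name)) continue; // not a monorepo sibling
    const entry = locked.get(name);
    if (!entry) continue;                 // absent from lockfile: local reference
    const resolved = entry.resolved || '';
    if (entry.link || !/^https?:\/\//i.test(resolved)) continue; // linked/local
    findings.push({ name, version: entry.version, resolved });
  }
  return findings;
}

// Constructed sample input mirroring the layout above: dep2 depends on dep1.
const SIBLINGS = new Set(['dep1', 'dep2']);
const dep2PackageJson = {
  name: 'dep2',
  version: '1.0.0',
  dependencies: { dep1: '^1.0.0', 'some-registry-lib': '^2.0.0' },
};

// Constructed lockfile as produced by running npm install inside
// packages/dep2 alone: dep1 was fetched from the registry.
const dep2LockBad = {
  name: 'dep2',
  lockfileVersion: 2,
  packages: {
    '': { name: 'dep2', version: '1.0.0', dependencies: { dep1: '^1.0.0', 'some-registry-lib': '^2.0.0' } },
    'node_modules/dep1': { version: '1.0.0', resolved: 'https://registry.npmjs.org/dep1/-/dep1-1.0.0.tgz' },
    'node_modules/some-registry-lib': { version: '2.0.0', resolved: 'https://registry.npmjs.org/some-registry-lib/-/some-registry-lib-2.0.0.tgz' },
  },
};

// Constructed lockfile where dep1 stays a local link (the exact shape a given
// monorepo tool writes is an assumption; the check only requires that it is
// not a registry URL).
const dep2LockGood = {
  name: 'dep2',
  lockfileVersion: 2,
  packages: {
    '': { name: 'dep2', version: '1.0.0', dependencies: { dep1: '^1.0.0', 'some-registry-lib': '^2.0.0' } },
    'node_modules/dep1': { resolved: '../dep1', link: true },
    'node_modules/some-registry-lib': { version: '2.0.0', resolved: 'https://registry.npmjs.org/some-registry-lib/-/some-registry-lib-2.0.0.tgz' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(findLeakedLocalDeps(dep2PackageJson, dep2LockBad, SIBLINGS), null, 2));
  // prints one finding: dep1 1.0.0 resolved from https://registry.npmjs.org/dep1/-/dep1-1.0.0.tgz
}
```

Running this against each packages/*/package-lock.json in CI, with the sibling set built from the workspace directory, catches the case where a lockfile was regenerated from inside one package and silently turned a local reference into a registry download.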
Is there an existing issue for this?
Package ecosystem
npm
Package manager version
npm 8
Language version
Node.js
Manifest location and content before the Dependabot update
https://github.com/microsoft/SandDance/blob/main/packages/vega-morphcharts/package.json
https://github.com/microsoft/SandDance/blob/main/packages/vega-morphcharts/package-lock.json
dependabot.yml content
No response
Updated dependency
No response
What you expected to see, versus what you actually saw
Expected: patches only, no additions
Actual: additional references within the parent monorepo
Native package manager behavior
No response
Images of the diff or a link to the PR, issue, or logs
https://github.com/microsoft/SandDance/pull/623
Smallest manifest that reproduces the issue
No response