dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.
https://docs.github.com/en/code-security/dependabot
MIT License

Should not add references to packages within a monorepo #6773

Open danmarshall opened 1 year ago

danmarshall commented 1 year ago

Is there an existing issue for this?

Package ecosystem

npm

Package manager version

npm 8

Language version

Node.js

Manifest location and content before the Dependabot update

https://github.com/microsoft/SandDance/blob/main/packages/vega-morphcharts/package.json https://github.com/microsoft/SandDance/blob/main/packages/vega-morphcharts/package-lock.json

dependabot.yml content

No response

Updated dependency

No response

What you expected to see, versus what you actually saw

Expected: patches only, no additions
Actual: additional references within the parent monorepo

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

https://github.com/microsoft/SandDance/pull/623


Smallest manifest that reproduces the issue

No response

jeffwidman commented 1 year ago

I'm not super familiar with the npm ecosystem, so a few questions:

  1. Why does this being a monorepo matter?
  2. What does running straight npm give you? Because Dependabot is focused on being the glue code, and then transparently (as much as possible) handing off to npm and returning whatever it says...
  3. It's unclear to me what's triggering that reference... as I don't see that package mentioned anywhere in the underlying vega-functions dep tree, so it has to be coming from somewhere else... any idea where? Is that why you're saying monorepo matters, because it's coming from another package/module that is completely unrelated but sits next to this one in the monorepo directory structure??
danmarshall commented 1 year ago

My monorepo is set up like this:

root/
└── packages/
    ├── dep1/
    │   ├── package.json
    │   └── package-lock.json
    └── dep2/
        ├── package.json
        └── package-lock.json

Let's say that dep2 depends on dep1: this will appear in dep2's package.json but should not in package-lock.json. It should not appear in the lockfile because it's a local reference, not from the global registry. If you run npm install in the dep2 folder, you will get the erroneous result, so monorepos usually use a tool like Lerna.
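As an added example (not part of this issue or of dependabot-core), a small check for the situation described above: it flags sibling monorepo packages whose package-lock.json entry was resolved from the public registry instead of being linked locally. The package names and lockfile content are constructed; a lockfile entry for a local package that carries a registry `resolved` URL is exactly the kind of reference the issue says should not be there.

```python
"""Flag monorepo sibling packages that a lockfile resolved from the npm registry.
Constructed sample data; not code from dependabot-core."""
import json

# Constructed: names found in root/packages/*/package.json
LOCAL_PACKAGES = {"dep1", "dep2"}

# Constructed lockfile for dep2 (lockfileVersion 2/3 "packages" layout):
# dep1 is a sibling package but was fetched from the registry.
DEP2_LOCK = json.dumps({
    "name": "dep2",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "dep2",
             "dependencies": {"dep1": "^1.0.0", "lodash": "^4.17.21"}},
        "node_modules/lodash": {
            "version": "4.17.21",
            "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz"},
        "node_modules/dep1": {
            "version": "1.0.0",
            "resolved": "https://registry.npmjs.org/dep1/-/dep1-1.0.0.tgz"},
    },
})

# Constructed lockfile where dep1 is a proper local link (the expected shape).
DEP2_LOCK_LINKED = json.dumps({
    "name": "dep2",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "dep2", "dependencies": {"dep1": "^1.0.0"}},
        "node_modules/dep1": {"resolved": "../dep1", "link": True},
    },
})


def find_registry_resolved_locals(lock_text, local_packages):
    """Return (name, resolved) for lockfile entries that name a local
    monorepo package yet point at a registry URL rather than a local link."""
    lock = json.loads(lock_text)
    hits = []
    for path, entry in lock.get("packages", {}).items():
        if not path.startswith("node_modules/"):
            continue  # "" is the root package itself
        # Last node_modules component; keeps "@scope/name" intact.
        name = path.rsplit("node_modules/", 1)[-1]
        resolved = entry.get("resolved", "")
        if name in local_packages and not entry.get("link") \
                and resolved.startswith(("http://", "https://")):
            hits.append((name, resolved))
    return hits
```

Running it over the first lockfile reports dep1 with its registry URL; the linked lockfile reports nothing.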