Open 276210854 opened 1 year ago
The ignore configuration means that Dependabot won't open PRs for the ignored dependencies, but in general, Dependabot still needs to access all dependencies to be able to provide a valid result. This is not because of what Dependabot does, but because we delegate to package managers (in this case, to PNPM) and PNPM needs to fetch the dependency.
This particular problem may be fixed once this upstream issue is closed.
Is there an existing issue for this?
Package ecosystem
pnpm
Package manager version
7.5.0
Language version
No response
Manifest location and content before the Dependabot update
example demo: https://github.com/leileiDemo/dependabot_demo/network/updates
dependabot.yml content
version: 2
updates:
Updated dependency
No response
What you expected to see, versus what you actually saw
I want to ignore the private packages, which means Dependabot will not have access to the private package, but it still accesses the private package, which causes a couple of errors like the one below:
WARN GET https://liveramp/browserslist-config-common/-/@liveramp/browserslist-config-common-0.0.1.tgz failed, reason: socket hang up
updater |
updater | FetchError: request to https://library.liveramp.net/artifactory/api/npm/npm/@liveramp/browserslist-config-common/-/@liveramp/browserslist-config-common-0.0.1.tgz failed, reason: socket hang up
updater |     at ClientRequest.<anonymous> (/home/dependabot/.cache/node/corepack/pnpm/8.8.0/dist/pnpm.cjs:69204:18)
updater |     at ClientRequest.emit (node:events:517:28)
updater |     at TLSSocket.socketOnEnd (node:_http_client:525:9)
updater |     at TLSSocket.emit (node:events:529:35)
updater |     at endReadableNT (node:internal/streams/readable:1368:12)
updater |     at process.processTicksAndRejections (node:internal/process/task_queues:82:21)
Native package manager behavior
No response
Images of the diff or a link to the PR, issue, or logs
No response
Smallest manifest that reproduces the issue
No response