dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.
https://docs.github.com/en/code-security/dependabot
MIT License

dependabot fails to update pnpm-lock.yaml #8186

Open gferreri opened 1 year ago

gferreri commented 1 year ago

Is there an existing issue for this?

Package ecosystem

pnpm

Package manager version

8.8.0

Language version

No response

Manifest location and content before the Dependabot update

No response

dependabot.yml content

No response

Updated dependency

No response

What you expected to see, versus what you actually saw

Expected postCSS to be updated in pnpm-lock.yaml

Actual: received error message: Dependabot cannot update postcss to a non-vulnerable version

However, running pnpm audit --fix successfully patches the dependency.

truncated logs:

proxy | 2023/10/11 21:26:31 [139] GET https://registry.npmjs.org:443/type-fest
proxy | 2023/10/11 21:26:31 [140] GET https://registry.npmjs.org:443/caniuse-lite/-/caniuse-lite-1.0.30001547.tgz
proxy | 2023/10/11 21:26:31 [143] GET https://registry.npmjs.org:443/electron-to-chromium/-/electron-to-chromium-1.4.550.tgz
proxy | 2023/10/11 21:26:31 [138] 200 https://registry.npmjs.org:443/escalade
proxy | 2023/10/11 21:26:31 [144] GET https://registry.npmjs.org:443/update-browserslist-db/-/update-browserslist-db-1.0.13.tgz
proxy | 2023/10/11 21:26:31 [139] 200 https://registry.npmjs.org:443/type-fest
proxy | 2023/10/11 21:26:31 [140] 200 https://registry.npmjs.org:443/caniuse-lite/-/caniuse-lite-1.0.30001547.tgz
proxy | 2023/10/11 21:26:31 [143] 200 https://registry.npmjs.org:443/electron-to-chromium/-/electron-to-chromium-1.4.550.tgz
proxy | 2023/10/11 21:26:31 [144] 200 https://registry.npmjs.org:443/update-browserslist-db/-/update-browserslist-db-1.0.13.tgz
updater | 2023/10/11 21:26:32 INFO <job_734059994> VulnerabilityAuditor: starting audit
updater | 2023/10/11 21:26:32 INFO <job_734059994> VulnerabilityAuditor: missing lockfile
updater | 2023/10/11 21:26:32 INFO <job_734059994> Requirements to unlock update_not_possible
updater | 2023/10/11 21:26:32 INFO <job_734059994> Requirements update strategy bump_versions
updater | 2023/10/11 21:26:33 INFO <job_734059994> The latest possible version of postcss that can be installed is 8.4.29
updater | 2023/10/11 21:26:33 INFO <job_734059994> The earliest fixed version is 8.4.31.
updater | 2023/10/11 21:26:33 INFO <job_734059994> Finished job processing
updater | 2023/10/11 21:26:33 INFO Results:
updater | Dependabot encountered '1' error(s) during execution, please check the logs for more details.
updater | +------------------------------+
updater | |            Errors            |
updater | +------------------------------+
updater | | security_update_not_possible |
updater | +------------------------------+
updater | time="2023-10-11T21:26:33Z" level=info msg="task complete" container_id=job-734059994-updater exit_code=0 job_id=734059994 step=updater

Native package manager behavior

❯ pnpm audit --fix
1 overrides were added to package.json to fix vulnerabilities.
Run "pnpm install" to apply the fixes.

The added overrides:
{
  "postcss@<8.4.31": ">=8.4.31"
}

Images of the diff or a link to the PR, issue, or logs

No response

Smallest manifest that reproduces the issue

No response
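The override that `pnpm audit --fix` writes, as shown in the report above, lands under the `pnpm.overrides` key of package.json and forces every `postcss` resolution below 8.4.31 up to a fixed release. The following Ruby snippet is an added example, not code from the issue or from dependabot-core: it applies such an override to a constructed package.json and scans a constructed pnpm-lock.yaml fragment (lockfile v6 layout, `/name@version` package keys) for resolutions that still sit below the earliest fixed version. The sample manifest, the sample lockfile and the helper names are all assumptions made for the demonstration.

```ruby
require "json"
require "yaml"

# Constructed sample package.json; not the reporter's manifest.
SAMPLE_PACKAGE_JSON = <<~JSON
  {
    "name": "example-app",
    "devDependencies": { "postcss": "^8.4.0" }
  }
JSON

# Constructed pnpm-lock.yaml fragment (lockfile v6 layout) with the
# vulnerable postcss release pinned; not the reporter's lockfile.
SAMPLE_LOCKFILE = <<~YAML
  lockfileVersion: '6.0'
  packages:
    /postcss@8.4.29:
      resolution: {integrity: sha512-constructed}
    /nanoid@3.3.6:
      resolution: {integrity: sha512-constructed}
YAML

# Returns the parsed manifest with the override that `pnpm audit --fix`
# adds, stored under "pnpm" -> "overrides" as pnpm expects.
# selector is a version selector such as "postcss@<8.4.31".
def add_override(package_json, selector, range)
  manifest = JSON.parse(package_json)
  manifest["pnpm"] ||= {}
  manifest["pnpm"]["overrides"] ||= {}
  manifest["pnpm"]["overrides"][selector] = range
  manifest
end

# Maps package name to locked version from the lockfile's "packages" keys.
# Keys look like "/postcss@8.4.29" or "/@scope/name@1.2.3"; the last "@"
# separates name from version, which keeps scoped names intact.
def locked_versions(lockfile_yaml)
  packages = YAML.safe_load(lockfile_yaml).fetch("packages", {})
  packages.keys.map do |key|
    key = key.delete_prefix("/")
    idx = key.rindex("@")
    [key[0...idx], key[(idx + 1)..]]
  end.to_h
end

# Numeric comparison of dotted versions (enough for the x.y.z case here).
def version_lt?(a, b)
  (a.split(".").map(&:to_i) <=> b.split(".").map(&:to_i)) == -1
end

# Locked resolutions of `name` that are still below `fixed_version`.
# A non-empty result means the lockfile has not been updated yet.
def still_vulnerable(lockfile_yaml, name, fixed_version)
  locked_versions(lockfile_yaml).select { |n, v| n == name && version_lt?(v, fixed_version) }
end

if __FILE__ == $PROGRAM_NAME
  puts JSON.pretty_generate(add_override(SAMPLE_PACKAGE_JSON, "postcss@<8.4.31", ">=8.4.31"))
  p still_vulnerable(SAMPLE_LOCKFILE, "postcss", "8.4.31")
end
```

The override only changes resolution on the next `pnpm install`; until the lockfile is regenerated, `still_vulnerable` keeps reporting the old pin, which is the state the Dependabot log above is complaining about.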

Phoenixmatrix commented 1 year ago

Hitting this too. Possibly a problem with pnpm workspaces since the pnpm-lock isn't in the same package as the security issue? (it's one folder up, as per how workspaces work).

deivid-rodriguez commented 1 year ago

Thanks for letting us know. Can any of you share an example repository showing this problem?

gferreri commented 1 year ago

Here's a minimal example.

czerwiukk commented 11 months ago

I am encountering a similar issue. My lockfile is not at the top level of the repo (frontend/pnpm-lock.yaml).

updater | 2023/12/18 09:33:03 INFO <job_763337106> VulnerabilityAuditor: starting audit
updater | 2023/12/18 09:33:03 INFO <job_763337106> VulnerabilityAuditor: missing lockfile
updater | 2023/12/18 09:33:03 INFO <job_763337106> Requirements to unlock update_not_possible
updater | 2023/12/18 09:33:03 INFO <job_763337106> Requirements update strategy bump_versions
updater | 2023/12/18 09:33:04 INFO <job_763337106> The latest possible version of @koa/cors that can be installed is 4.0.0
updater | 2023/12/18 09:33:04 INFO <job_763337106> The earliest fixed version is 5.0.0.
updater | 2023/12/18 09:33:04 INFO <job_763337106> Finished job processing
updater | 2023/12/18 09:33:04 INFO Results:
updater | Dependabot encountered '1' error(s) during execution, please check the logs for more details.
updater | +------------------------------+
updater | |            Errors            |
updater | +------------------------------+
updater | | security_update_not_possible |
updater | +------------------------------+
updater | time="2023-12-18T09:33:04Z" level=info msg="task complete" container_id=job-763337106-updater exit_code=0 job_id=763337106 step=updater

devonpmack commented 8 months ago

Also running into this issue in our monorepo.

ardokirsipuu commented 8 months ago

Same issue with also yarn.lock. Monorepo but no workspaces (one package.json, one yarn.lock, one node_modules - all in the root of the repo).

Apostolos-Daniel commented 7 months ago

We're having the same issue with pnpm and dependabot. Are there any plans to support pnpm-lock.yaml? Our lock file is in the root directory.

Catatomik commented 4 months ago

Any plan on fixing this? It's used by a lot of people.

dancallaghan commented 3 months ago

We've run into this issue when using dependabot in a repository using pnpm workspaces.

Mimicking the behaviour on my local machine, I've noticed that running pnpm update from the root will not update a dependency in a child workspace, however running pnpm update -r does.

I just had a quick dig through the code and it looks like dependabot is not passing the -r (recursive) flag when running the update: https://github.com/dependabot/dependabot-core/blob/86ab940b72ad9253610e70af76a4834559b17567/npm_and_yarn/lib/dependabot/npm_and_yarn/update_checker/version_resolver.rb#L572-L575

Here is the doc on pnpm's recursive flag https://pnpm.io/cli/recursive

I haven't thought too hard about this, but it seems like a sensible thing to add.
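The two observations in this thread, that in a workspace the single pnpm-lock.yaml lives at the workspace root rather than next to the affected package.json, and that `pnpm update` needs `-r` to reach a child workspace package, can be expressed as a small resolver. The Ruby below is an added example and is not dependabot-core's implementation: it walks up from a package directory to the nearest `pnpm-workspace.yaml`, looks for the lockfile there, and inserts `-r` into the `pnpm update` argv only when the package is inside a workspace. The directory layout it builds under a temporary directory is constructed for the demonstration, and the helper names are assumptions.

```ruby
require "tmpdir"
require "fileutils"

# Nearest ancestor directory (or package_dir itself) holding
# pnpm-workspace.yaml; nil when the package is not in a workspace.
def workspace_root(package_dir)
  dir = File.expand_path(package_dir)
  loop do
    return dir if File.exist?(File.join(dir, "pnpm-workspace.yaml"))
    parent = File.dirname(dir)
    return nil if parent == dir # reached the filesystem root
    dir = parent
  end
end

# In a workspace pnpm keeps one pnpm-lock.yaml at the workspace root;
# otherwise it sits beside package.json. Returns nil when neither exists,
# which is the situation the "missing lockfile" log line reflects.
def lockfile_path(package_dir)
  root = workspace_root(package_dir) || File.expand_path(package_dir)
  path = File.join(root, "pnpm-lock.yaml")
  File.exist?(path) ? path : nil
end

# argv for `pnpm update <dep>`, with the recursive flag added when the
# package lives in a workspace so child packages are updated as well.
def pnpm_update_args(package_dir, dependency_name)
  args = ["pnpm", "update", dependency_name]
  args.insert(2, "-r") if workspace_root(package_dir)
  args
end

# Builds a constructed workspace on disk (root with pnpm-workspace.yaml and
# pnpm-lock.yaml, one child package) and yields its paths to the block.
def with_constructed_workspace
  Dir.mktmpdir do |root|
    File.write(File.join(root, "pnpm-workspace.yaml"), "packages:\n  - 'packages/*'\n")
    File.write(File.join(root, "pnpm-lock.yaml"), "lockfileVersion: '6.0'\n")
    pkg = File.join(root, "packages", "web")
    FileUtils.mkdir_p(pkg)
    File.write(File.join(pkg, "package.json"), '{"name":"web","dependencies":{"postcss":"^8.4.0"}}')
    yield root, pkg
  end
end

if __FILE__ == $PROGRAM_NAME
  with_constructed_workspace do |root, pkg|
    puts "workspace root: #{workspace_root(pkg) == root}"
    puts "lockfile:       #{lockfile_path(pkg)}"
    puts "update argv:    #{pnpm_update_args(pkg, 'postcss').join(' ')}"
  end
end
```

Run against a non-workspace directory, `pnpm_update_args` leaves the flag out, so a single-package repo keeps the plain `pnpm update postcss` invocation.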

crbraun commented 1 month ago

We are having this issue as well, can we get an update from the dependabot team?