Open ahilke opened 1 year ago
Hello!
Thanks for the report, this is a bug.
The problem is that dependabot only detects first level peer dependency conflicts, but in this case, the relevant conflict is happening at the second level:
npm WARN Could not resolve dependency:
npm WARN peer commander@"^8.0.0" from @fig/complete-commander@2.0.1
npm WARN node_modules/nest-commander/node_modules/@fig/complete-commander
npm WARN @fig/complete-commander@"^2.0.1" from nest-commander@3.12.0
npm WARN node_modules/nest-commander
It's mainly the following line that's relevant to us, but we don't parse it:
npm WARN @fig/complete-commander@"^2.0.1" from nest-commander@3.12.0
The relevant regex is here (and the code using it lives in that same file):
We should expand the logic so that we're able to scan all unmet peer dependencies, not just the first level.
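To make the point in the comment above concrete, here is an added example (not dependabot-core's own code, and not the regex the maintainer links to) of a parser that walks every level of npm's "Could not resolve dependency:" block. The first edge of the block is the unmet peer requirement itself; each following edge is the package that pulled in the previous one, up to "the root project". Parsing the whole chain is what lets the conflict be attributed to the top-level package whose update should be held back (nest-commander here), rather than stopping at the first line. The sample outputs are constructed from the npm output quoted in this issue, with npm's nesting indentation restored; the function and struct names are this example's own.

```ruby
# Added example: parse npm's "Could not resolve dependency:" block at every level.
# Works on the prefixes of npm 9 ("npm WARN"/"npm ERR!") and npm 10 ("npm error").

NPM_PREFIX = /\A\s*npm (?:WARN|ERR!|error)\s?/
BLOCK_START = /Could not resolve dependency:/
# One edge of the requirement chain: `[peer|dev|optional] <name>@"<range>" from <requirer>`
EDGE = /\A\s*(?:(?<kind>peerOptional|peer|dev|optional)\s+)?(?<name>@?[^@\s]+)@"(?<range>[^"]*)"\s+from\s+(?<from>.+?)\s*\z/
# The requirer is either `<name>@<version>` or the literal "the root project".
REQUIRER = /\A(?<name>@?[^@\s]+)@(?<version>\S+)\z/

ChainEdge = Struct.new(:level, :kind, :name, :range, :from_name, :from_version, :from_root)

def strip_npm_prefix(line)
  line.sub(NPM_PREFIX, "")
end

# Returns the edges of the first "Could not resolve dependency:" block.
# Level 1 is the unmet peer requirement, level 2 the package that required the
# peer-requiring package, and so on until the root project or the end of the block.
def unmet_peer_chain(npm_output)
  lines = npm_output.lines.map { |l| strip_npm_prefix(l).rstrip }
  start = lines.index { |l| l =~ BLOCK_START }
  return [] unless start

  edges = []
  lines[(start + 1)..].each do |line|
    break if line.strip.empty?                       # a bare "npm WARN"/"npm error" line ends the block
    next if line.strip.start_with?("node_modules/")  # install-path lines carry no edge
    m = EDGE.match(line)
    break unless m                                   # anything else means we have left the block
    from = REQUIRER.match(m[:from])
    edges << ChainEdge.new(edges.size + 1, m[:kind], m[:name], m[:range],
                           from ? from[:name] : nil, from ? from[:version] : nil,
                           m[:from] == "the root project")
  end
  edges
end

# The top-level package an updater would have to hold back: the dependency the
# root project declares at the end of the chain, or, when the output stops short
# of the root (as in the nest-commander warning), the outermost requiring package.
def blocking_top_level_package(chain)
  return nil if chain.empty?
  last = chain.last
  last.from_root ? last.name : last.from_name
end

def conflict_summary(npm_output)
  chain = unmet_peer_chain(npm_output)
  return nil if chain.empty?
  peer = chain.first
  { peer: "#{peer.name}@#{peer.range}",
    required_by: "#{peer.from_name}@#{peer.from_version}",
    depth: chain.size,
    block_update_of: blocking_top_level_package(chain) }
end

# Constructed sample 1: the npm WARN block from the issue (second-level conflict).
NPM_WARN_SAMPLE = <<~OUT
  npm WARN Could not resolve dependency:
  npm WARN peer commander@"^8.0.0" from @fig/complete-commander@2.0.1
  npm WARN node_modules/nest-commander/node_modules/@fig/complete-commander
  npm WARN   @fig/complete-commander@"^2.0.1" from nest-commander@3.12.0
  npm WARN   node_modules/nest-commander
OUT

# Constructed sample 2: the ERESOLVE error from the eslint comment (first-level conflict).
NPM_ERESOLVE_SAMPLE = <<~OUT
  npm error code ERESOLVE
  npm error ERESOLVE could not resolve
  npm error
  npm error While resolving: eslint-plugin-import@2.29.1
  npm error Found: eslint@9.9.1
  npm error node_modules/eslint
  npm error   dev eslint@"^9.9.1" from the root project
  npm error
  npm error Could not resolve dependency:
  npm error peer eslint@"^2 || ^3 || ^4 || ^5 || ^6 || ^7.2.0 || ^8" from eslint-plugin-import@2.29.1
  npm error node_modules/eslint-plugin-import
  npm error   dev eslint-plugin-import@"^2.29.1" from the root project
  npm error
  npm error Conflicting peer dependency: eslint@8.57.0
OUT

if $PROGRAM_NAME == __FILE__
  [NPM_WARN_SAMPLE, NPM_ERESOLVE_SAMPLE].each { |out| p conflict_summary(out) }
end
```

For sample 1 the chain has depth 2 and the package to hold back is nest-commander, even though nest-commander itself never appears on the first line of the block; a first-line-only regex sees only `commander` and `@fig/complete-commander`, neither of which is in the root manifest. A non-nil summary is the signal an updater (or a CI job on the PR) would use to refuse or flag the update.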
Can confirm. I just ran this in an Angular 17 repository; it caused a conflicting peer dependency on 2 separate occasions.
Curious if anyone has come up with a work-around? (e.g. maybe making one of these conflicts explicit/top-level to appease dependabot?) We hit this with eslint-parser across 4 of our repos, rendering dependabot useless for npm updates unfortunately.
Same problem here, very keen to hear a workaround or solution.
Same problem, in this case with eslint being bumped to v9 despite eslint-plugin-import not being v9-ready:
npm error code ERESOLVE
npm error ERESOLVE could not resolve
npm error
npm error While resolving: eslint-plugin-import@2.29.1
npm error Found: eslint@9.9.1
npm error node_modules/eslint
npm error dev eslint@"^9.9.1" from the root project
npm error peer eslint@"^6.0.0 || ^7.0.0 || >=8.0.0" from @eslint-community/eslint-utils@4.4.0
npm error node_modules/@eslint-community/eslint-utils
npm error @eslint-community/eslint-utils@"^4.4.0" from @typescript-eslint/utils@8.3.0
npm error node_modules/@typescript-eslint/eslint-plugin/node_modules/@typescript-eslint/utils
npm error @typescript-eslint/utils@"8.3.0" from @typescript-eslint/eslint-plugin@8.3.0
npm error node_modules/@typescript-eslint/eslint-plugin
npm error dev @typescript-eslint/eslint-plugin@"^8.3.0" from the root project
npm error @eslint-community/eslint-utils@"^4.4.0" from @typescript-eslint/utils@8.3.0
npm error node_modules/@typescript-eslint/type-utils/node_modules/@typescript-eslint/utils
npm error @typescript-eslint/utils@"8.3.0" from @typescript-eslint/type-utils@8.3.0
npm error node_modules/@typescript-eslint/type-utils
npm error @typescript-eslint/type-utils@"8.3.0" from @typescript-eslint/eslint-plugin@8.3.0
npm error node_modules/@typescript-eslint/eslint-plugin
npm error 3 more (@typescript-eslint/utils, eslint, eslint-plugin-astro)
npm error 10 more (@tanstack/eslint-plugin-query, ...)
npm error
npm error Could not resolve dependency:
npm error peer eslint@"^2 || ^3 || ^4 || ^5 || ^6 || ^7.2.0 || ^8" from eslint-plugin-import@2.29.1
npm error node_modules/eslint-plugin-import
npm error dev eslint-plugin-import@"^2.29.1" from the root project
npm error
npm error Conflicting peer dependency: eslint@8.57.0
npm error node_modules/eslint
npm error peer eslint@"^2 || ^3 || ^4 || ^5 || ^6 || ^7.2.0 || ^8" from eslint-plugin-import@2.29.1
npm error node_modules/eslint-plugin-import
npm error dev eslint-plugin-import@"^2.29.1" from the root project
npm error
npm error Fix the upstream dependency conflict, or retry
npm error this command with --force or --legacy-peer-deps
npm error to accept an incorrect (and potentially broken) dependency resolution.
from github.com/loculus-project/loculus/pull/2583
Is there an existing issue for this?
Package ecosystem
npm
Package manager version
9.6.7
Language version
v18.17.1
Manifest location and content before the Dependabot update
./package.json
https://github.com/ahilke/js-crap-score/blob/bf7a32705e23a1f7733493b7be9d4573ce3dfee2/package.json
dependabot.yml content
./.github/dependabot.yml
https://github.com/ahilke/js-crap-score/blob/bf7a32705e23a1f7733493b7be9d4573ce3dfee2/.github/dependabot.yml
Updated dependency
nest-commander from 3.11.1 to 3.12.0.
What you expected to see, versus what you actually saw
A PR was created to bump nest-commander from 3.11.1 to 3.12.0. This creates an invalid dependency tree. When checked out and running npm ci locally, it produces the following warnings:
When running npm ls commander, it shows the invalid dependency resolution:
While I'm aware there could be an issue with npm or the related packages producing the invalid dependency tree in the first place, I'd expect Dependabot to not create invalid updates or at least create some sort of warning. Since there is no way to bump nest-commander with a valid dependency tree, I expect no PR to be opened or at least some sort of warning within the PR.
Native package manager behavior
A manual update produces the same warning as above:
Images of the diff or a link to the PR, issue, or logs
https://github.com/ahilke/js-crap-score/pull/28
Smallest manifest that reproduces the issue
Using node 18.7.1 and npm 9.6.7, add this to an empty folder and run npm i to create a valid dependency tree. Then run npm i nest-commander@3.12.0 to create the invalid dependency tree.