dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.
https://docs.github.com/en/code-security/dependabot
MIT License

[ERROR] could not install from symfony/ux-* using symfony asset mapper for npm dependencies #8898

Open vinceAmstoutz opened 7 months ago

vinceAmstoutz commented 7 months ago

Is there an existing issue for this?

Package ecosystem

npm

Package manager version

pnpm 8.14.3

Language version

Node 20.11

Manifest location and content before the Dependabot update

package.json

{
  "name": "sigedi-gestio",
  "description": "Gestio : The SIGEDI ERP's",
  "license": "proprietary",
  "author": "SIGEDI",
  "main": "app.js",
  "packageManager": "pnpm@8.14.3",
  "scripts": {
    "build": "encore production --progress",
    "dev": "encore dev",
    "dev-server": "encore dev-server",
    "format": "node ./assets/js/scripts/lint.js --fix",
    "lint": "node ./assets/js/scripts/lint.js",
    "watch": "encore dev --watch"
  },
  "dependencies": {
    "@babel/plugin-transform-runtime": "^7.23.7",
    "@babel/runtime-corejs3": "^7.23.8",
    "@fortawesome/fontawesome-free": "^5.15.4",
    "@fullcalendar/core": "^4.3.1",
    "@fullcalendar/daygrid": "^4.3.0",
    "@fullcalendar/interaction": "^4.3.0",
    "@fullcalendar/list": "^4.3.0",
    "@fullcalendar/resource-common": "^4.3.1",
    "@fullcalendar/resource-daygrid": "^4.3.0",
    "@fullcalendar/resource-timegrid": "^4.3.0",
    "@fullcalendar/resource-timeline": "^4.3.0",
    "@fullcalendar/timegrid": "^4.3.0",
    "@fullcalendar/timeline": "^4.3.0",
    "alertifyjs": "^1.13.1",
    "bootstrap": "^3.4.1",
    "chart.js": "^4.4.1",
    "datatables.net": "^1.13.8",
    "datatables.net-autofill-dt": "^2.6.0",
    "datatables.net-buttons": "^2.4.2",
    "datatables.net-buttons-dt": "^2.4.2",
    "datatables.net-colreorder-dt": "^1.7.0",
    "datatables.net-dt": "^1.13.8",
    "datatables.net-fixedcolumns-dt": "^4.3.0",
    "datatables.net-fixedheader-dt": "^3.4.0",
    "datatables.net-plugins": "^1.13.6",
    "datatables.net-responsive-dt": "^2.5.0",
    "datatables.net-scroller-dt": "^2.3.0",
    "datatables.net-select-dt": "^1.7.0",
    "exceljs": "^4.4.0",
    "flatpickr": "^4.6.13",
    "jquery": "^3.7.1",
    "jszip": "^3.10.1",
    "pdfmake": "^0.2.9",
    "select2": "^4.1.0-rc.0"
  },
  "devDependencies": {
    "@babel/core": "^7.23.7",
    "@babel/preset-env": "^7.23.8",
    "@babel/preset-react": "^7.23.3",
    "@hotwired/stimulus": "^3.0.0",
    "@symfony/stimulus-bridge": "^3.2.0",
    "@symfony/ux-react": "file:vendor/symfony/ux-react/assets",
    "@symfony/webpack-encore": "^4.5.0",
    "autoprefixer": "^10.4.16",
    "chalk": "^4.0.0",
    "compression-webpack-plugin": "^10.0.0",
    "core-js": "^3.35.0",
    "eslint": "^8.56.0",
    "eslint-config-prettier": "^9.1.0",
    "eslint-plugin-prettier": "^5.1.3",
    "eslint-plugin-react": "^7.33.2",
    "eslint-plugin-react-hooks": "^4.6.0",
    "eslint-webpack-plugin": "^4.0.1",
    "file-loader": "^6.2.0",
    "image-minimizer-webpack-plugin": "^3.8.3",
    "npm-package-json-lint": "^7.1.0",
    "npm-package-json-lint-config-default": "^6.0.0",
    "postcss": "^8.4.33",
    "postcss-loader": "^7.3.4",
    "postcss-nesting": "^12.0.2",
    "prettier": "^3.2.2",
    "prop-types": "^15.8.1",
    "react": "^18.0",
    "react-dom": "^18.0",
    "regenerator-runtime": "^0.14.1",
    "sass": "^1.69.7",
    "sass-loader": "^13.3.3",
    "sharp": "^0.33.2",
    "tailwindcss": "^3.4.1",
    "terser-webpack-plugin": "^5.3.10",
    "webpack": "^5.89.0",
    "webpack-bundle-analyzer": "^4.10.1",
    "webpack-cli": "^5.1.4",
    "webpack-notifier": "^1.15.0"
  },
  "private": true
}

dependabot.yml content

# To get started with Dependabot version updates, you'll need to specify which
# package ecosystems to update and where the package manifests are located.
# Please see the documentation for all configuration options:
# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates

version: 2
updates:
  # Maintain back dependencies for Composer
  - package-ecosystem: "composer"
    directory: "/"
    schedule:
      interval: "daily"
    open-pull-requests-limit: 50

  # Maintain front dependencies for PNPM
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"
    open-pull-requests-limit: 50
    ignore:
      - dependency-name: "@fullcalendar/core"
      - dependency-name: "@fullcalendar/daygrid"
      - dependency-name: "@fullcalendar/interaction"
      - dependency-name: "@fullcalendar/list"
      - dependency-name: "@fullcalendar/resource-common"
      - dependency-name: "@fullcalendar/resource-daygrid"
      - dependency-name: "@fullcalendar/resource-timegrid"
      - dependency-name: "@fullcalendar/resource-timeline"
      - dependency-name: "@fullcalendar/timegrid"
      - dependency-name: "@fullcalendar/timeline"
      - dependency-name: "@fortawesome/fontawesome-free"
      - dependency-name: "bootstrap"
      - dependency-name: "chalk"
      - dependency-name: "@symfony/ux-react"

  # Maintain Github actions dependencies
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "daily"
    open-pull-requests-limit: 25

Updated dependency

"@symfony/ux-react": "file:vendor/symfony/ux-react/assets",

What you expected to see, versus what you actually saw

Ignore @symfony/ux-react completely and don't throw an error when dependabot looks for dependency updates. I'm using importmap using symfony/ux (official doc here) for @symfony/ux-react dep only

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs


Smallest manifest that reproduces the issue

  1. Use the default config to update npm packages
  2. Dependabot works
  3. Install a dependency using symfony/ux
  4. Dependabot won't work anymore

vinceAmstoutz commented 7 months ago

@weaverryan @kbond Any idea ?

vinceAmstoutz commented 7 months ago

In addition, I also tried to delete all the entries in the dependabot GitHub actions cache, without success.

vinceAmstoutz commented 7 months ago

@greysteil @feelepxyz Any idea?

greysteil commented 7 months ago

Sorry @vinceAmstoutz - I haven't worked on Dependabot for years. No insight to share!

vinceAmstoutz commented 7 months ago

> Sorry @vinceAmstoutz - I haven't worked on Dependabot for years. No insight to share!

Thanks for your response @greysteil! No idea how to globally ignore a dependency (ignored even from the scan)? Thanks to all in advance!

alcohol commented 2 weeks ago

I think the problem is that the symfony components switched to path based entries at some point, but those paths are only available after running composer install.

Unfortunately I am not really sure how to work around this. Ignoring those dependencies is not going to work (I think). My knowledge of Ruby and the inner workings of the dependabot ecosystem setup is also too limited to understand if adding a composer install step optionally in some way, shape or form is viable or not.