Grouped NPM/Yarn update deletes a Git submodule when the submodule is managed as a workspace

[whitphx]

Is there an existing issue for this?

• [X] I have searched the existing issues

Package ecosystem

yarn

Package manager version

1.22.21

Language version

Node 20.11.0

Manifest location and content before the Dependabot update

$ find . -type d \( -name 'node_modules' -o -name '.venv' \) -prune -o -type f -name 'package.json' -print

./streamlit/frontend/app/package.json
./streamlit/frontend/package.json
./streamlit/frontend/lib/package.json
./streamlit/component-lib/package.json
./package.json
./packages/sharing-editor/package.json
./packages/sharing/package.json
./packages/sharing-common/package.json
./packages/desktop/package.json
./packages/mountable/package.json
./packages/vscode-stlite/package.json
./packages/common/package.json
./packages/common-react/package.json
./packages/kernel/package.json

• These are managed as a Yarn workspace.
• ./streamlit is a Git submodule.

dependabot.yml content

version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "daily"
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"
  - package-ecosystem: "pip"
    directory: "/packages/kernel/py/stlite-server"
    schedule:
      interval: "daily"

Updated dependency

Example: https://github.com/whitphx/stlite/pull/719

Dependabot updates streamlit/frontend/lib/package.json which is in the submodule, but it leads to deleting the submodule and commit the streamlit/frontend/lib/package.json as a new file.

What you expected to see, versus what you actually saw

• The best would be create two PRs: one is for the main repo and the other is for the submodule repo.
• Another solution is to ignore the submodule.
• Anyway, deleting the submodule should be stopped.

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

No response

Smallest manifest that reproduces the issue

No response

[jas88]

I'm seeing the same issue with .Net (Nuget) dependencies and a submodule - Dependabot is trying to update a Directories.Packages.props file in a submodule, and deleting the entire submodule to do it, e.g. https://github.com/HicServices/RdmpExtensions/pull/93