dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.
https://docs.github.com/en/code-security/dependabot
MIT License

pnpm9: version is incompatible with "/home/dependabot/dependabot-updater/repo". #9682

Closed fallemand closed 3 months ago

fallemand commented 5 months ago

Package ecosystem

npm

Package manager version

pnpm 9

Language version

Node 20

What you expected to see, versus what you actually saw

My repo is now using pnpm 9, so we define in the package.json

"engines": {
  "node": ">=20.6.0",
  "pnpm": "^9.0.4"
},

But all dependabot updates are failing, since dependabot runs in v8:

updater | Your pnpm version is incompatible with "/home/dependabot/dependabot-updater/repo".
updater | 
updater | Expected version: ^9.0.4
updater | Got: 8.15.6
updater | 
updater | This is happening because the package's manifest has an engines.pnpm field specified.
updater | To fix this issue, install the required pnpm version globally.
updater | 
updater | To install the latest version of pnpm, run "pnpm i -g pnpm".
updater | To check your pnpm version, run "pnpm -v".

If we allow pnpm8, Dependabot will create the PR, but the newly generated pnpm-lock will be broken since it's generated with version 6.

fallemand commented 5 months ago

If we allow pnpm8, Dependabot will create the PR, but the newly generated pnpm-lock will be broken, since it's generated with version 6.


VIKTORVAV99 commented 5 months ago

We are seeing the same issue, with all our Dependabot jobs failing due to the above error since updating, which is quite unfortunate as we expected pnpm 9 to be supported by now.

pboling commented 4 months ago

Many times during the job I see errors like this, which must get caught, since the job continues to run...

  proxy | 2024/05/24 10:07:40 [245] GET https://registry.npmjs.org:443/pnpm
  proxy | 2024/05/24 10:07:40 [245] 200 https://registry.npmjs.org:443/pnpm
  proxy | 2024/05/24 10:07:40 [245] WARN: Cannot write TLS response header from mitm'd client: write tcp 192.168.1.1:1080->192.168.1.2:45206: write: broken pipe
updater | 2024/05/24 10:07:40 ERROR <job_832552953> Error processing globals (Dependabot::SharedHelpers::HelperSubprocessFailed)
updater | 2024/05/24 10:07:40 ERROR <job_832552953>  ERR_PNPM_UNSUPPORTED_ENGINE  Unsupported environment (bad pnpm and/or Node.js version)
updater | 
updater | Your pnpm version is incompatible with "/home/dependabot/dependabot-updater/repo".
updater | 
updater | Expected version: ^9.1.2
updater | Got: 8.15.6
updater | 
updater | This is happening because the package's manifest has an engines.pnpm field specified.
updater | To fix this issue, install the required pnpm version globally.
updater | 
updater | To install the latest version of pnpm, run "pnpm i -g pnpm".
updater | To check your pnpm version, run "pnpm -v".

Then at the end of the job:

updater | 2024/05/24 10:08:53 INFO <job_832552953> Finished job processing
updater | 2024/05/24 10:08:53 INFO Results:
updater | Dependabot encountered '20' error(s) during execution, please check the logs for more details.
updater | +--------------------------------------------------+
updater | |          Dependencies failed to update           |
updater | +----------------------------------+---------------+
updater | | svelte-persisted-store           | unknown_error |
updater | | svelte                           | unknown_error |
updater | | @playwright/test                 | unknown_error |
updater | | @inlang/paraglide-sveltekit      | unknown_error |
updater | | typescript-eslint                | unknown_error |
updater | | svelte-ux                        | unknown_error |
updater | | globals                          | unknown_error |
updater | | bits-ui                          | unknown_error |
updater | | @sentry/sveltekit                | unknown_error |
updater | | drizzle-kit                      | unknown_error |
updater | | postcss-nesting                  | unknown_error |
updater | | @inlang/cli                      | unknown_error |
updater | | arctic                           | unknown_error |
updater | | @inlang/paraglide-js             | unknown_error |
updater | | lucide-svelte                    | unknown_error |
updater | | postcss-preset-env               | unknown_error |
updater | | eslint-plugin-jsdoc              | unknown_error |
updater | | @typescript-eslint/eslint-plugin | unknown_error |
updater | | @internationalized/date          | unknown_error |
updater | | tsx                              | unknown_error |
updater | +----------------------------------+---------------+
updater | time="2024-05-24T10:08:53Z" level=info msg="task complete" container_id=job-832552953-updater exit_code=0 job_id=832552953 step=updater

Refs:
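Added example (not part of the comment above, and not Dependabot's own code): the log excerpt ends with `exit_code=0` even though every dependency failed, so monitoring that only looks at the job's exit status will not notice that updates have stopped. The sketch below scans updater output in the format quoted above; the function name `summarizeUpdaterLog` and the shortened sample log are constructed for illustration.

```javascript
// Constructed sample, shortened from the log format quoted in the thread.
const sampleLog = `
updater | 2024/05/24 10:07:40 ERROR <job_832552953>  ERR_PNPM_UNSUPPORTED_ENGINE  Unsupported environment (bad pnpm and/or Node.js version)
updater | Dependabot encountered '2' error(s) during execution, please check the logs for more details.
updater | +--------------------------------------------------+
updater | |          Dependencies failed to update           |
updater | +----------------------------------+---------------+
updater | | svelte                           | unknown_error |
updater | | @playwright/test                 | unknown_error |
updater | +----------------------------------+---------------+
updater | time="2024-05-24T10:08:53Z" level=info msg="task complete" container_id=job-832552953-updater exit_code=0 job_id=832552953 step=updater
`;

// Hypothetical helper: collects the failure table, the reported error
// count and the exit code, then flags "exit 0 but updates failed".
function summarizeUpdaterLog(text) {
  const failed = [];
  let reported = 0;
  let exitCode = null;
  let engineError = false;
  for (const line of text.split('\n')) {
    let m;
    if ((m = /^updater \| \|\s*(\S+)\s*\|\s*(\w+)\s*\|\s*$/.exec(line))) {
      // Two-cell table row: dependency name and error type.
      failed.push({ dependency: m[1], error: m[2] });
    } else if ((m = /encountered '(\d+)' error\(s\)/.exec(line))) {
      reported = Number(m[1]);
    } else if ((m = /\bexit_code=(\d+)\b/.exec(line))) {
      exitCode = Number(m[1]);
    }
    if (line.includes('ERR_PNPM_UNSUPPORTED_ENGINE')) engineError = true;
  }
  // A zero exit status with failed rows is invisible to exit-code checks.
  const silentFailure = exitCode === 0 && (failed.length > 0 || reported > 0);
  return { exitCode, reported, failed, engineError, silentFailure };
}

console.log(summarizeUpdaterLog(sampleLog));
```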

fallemand commented 3 months ago

We were able to fix the issue by adding the packageManager field with the desired version of pnpm you wish to use. We don't use corepack, but adding this will help Dependabot install the correct version. This solution was mentioned in a comment on another issue.

  "engines": {
    "node": ">=20.6.0",
    "pnpm": "^9.3.0"
  },
  "packageManager": "pnpm@9.3.0",

abdulapopoola commented 3 months ago

@deivid-rodriguez fix here should address this, please let us know if it still doesn't work

fallemand commented 3 months ago

Fix works 👍
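Added example (not part of the thread, and not Dependabot's own code): a repository-side check for the workaround reported above, confirming that `packageManager` pins an exact pnpm version and that the pin falls inside `engines.pnpm`. The names `satisfies` and `checkPnpmPin` are hypothetical, and only `^x.y.z` and `>=x.y.z` ranges are handled, which is a small subset of the semver range grammar.

```javascript
// Parse "x.y.z" into [x, y, z]; anything else is treated as unsupported.
const parse = (v) => {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? m.slice(1).map(Number) : null;
};
const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];

// Returns true/false, or null when the range form is not handled here.
function satisfies(version, range) {
  const m = /^(\^|>=)\s*(\d+\.\d+\.\d+)$/.exec(range.trim());
  const v = parse(version);
  if (!m || !v) return null;
  const low = parse(m[2]);
  if (cmp(v, low) < 0) return false;
  if (m[1] === '>=') return true;
  // Caret: upper bound bumps the left-most non-zero component.
  const i = low.findIndex((n) => n !== 0);
  if (i === -1) return cmp(v, low) === 0; // ^0.0.0 allows only 0.0.0
  const high = [0, 0, 0];
  high[i] = low[i] + 1;
  return cmp(v, high) < 0;
}

function checkPnpmPin(pkg) {
  const range = pkg.engines && pkg.engines.pnpm;
  // An optional "+<hash>" suffix after the version is accepted and ignored.
  const pm = /^pnpm@(\d+\.\d+\.\d+)(\+.*)?$/.exec(pkg.packageManager || '');
  if (!pm) return { status: 'no-pnpm-pin' };
  if (!range) return { status: 'ok', pinned: pm[1] };
  const ok = satisfies(pm[1], range);
  if (ok === null) return { status: 'unsupported-range', pinned: pm[1] };
  return { status: ok ? 'ok' : 'mismatch', pinned: pm[1], range };
}

// Manifests from the thread (before/after) plus one constructed mismatch.
const before = { engines: { node: '>=20.6.0', pnpm: '^9.0.4' } };
const after = {
  engines: { node: '>=20.6.0', pnpm: '^9.3.0' },
  packageManager: 'pnpm@9.3.0',
};
const stale = { engines: { pnpm: '^9.3.0' }, packageManager: 'pnpm@8.15.6' };

for (const pkg of [before, after, stale]) console.log(checkPnpmPin(pkg));
```

Running this in CI catches a manifest where the two fields drift apart before the update job starts failing.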