dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.
https://docs.github.com/en/code-security/dependabot
MIT License

ERR_PNPM_NO_MATCHING_VERSION after adding private registry #9891

Open hanseartic opened 3 months ago

hanseartic commented 3 months ago

Is there an existing issue for this?

Package ecosystem

npm

Package manager version

pnpm 9.1.4

Language version

Node.js 20.x

Manifest location and content before the Dependabot update

/package.json /pnpm-lock.json

dependabot.yml content

```yaml
version: 2
registries:
  npm-npmjs:
    type: npm-registry
    url: https://registry.npmjs.org
    token: ${{ secrets.NPM_TOKEN }}
  npm-github:
    type: npm-registry
    url: https://npm.pkg.github.com
    token: ${{ secrets.NPM_GH_TOKEN }}

updates:
  - package-ecosystem: "npm"
    directory: "/"
    registries:
      - npm-npmjs
      - npm-github
    schedule:
      interval: "weekly"
```

Updated dependency

@types/jest: @29.0.0 ➡️ @29.5.12

fails with

```
 ERR_PNPM_NO_MATCHING_VERSION  No matching version found for @types/jest@29.0.0
```

after npm.pkg.github.com is configured as an (additional) registry for Dependabot.

What you expected to see, versus what you actually saw

The dependencies were originally added to the project with npm from npmjs.org's registry. Hence the base URLs point to npmjs.org's registry.

Later in the project we switched to pnpm and Dependabot was still able to update the versions.

After adding another dependency that is only available as a private package, we needed to switch to a private registry configuration.

As it turned out, npm.pkg.github.com does not have the latest version (the one that was fetched from registry.npmjs.org) of @types/jest.

Expected

As two registries are configured in the dependabot file, I would expect that both registries are checked and that the latest matching version is installed / a PR is created for it.

What happened instead

Native package manager behavior

npm can successfully create a PR but it seems to ignore the configured registry (npm.pkg.github.com).

See this job's log:

```json
{
  "job": {
    "allowed-updates": [
      { "dependency-type": "direct", "update-type": "all" }
    ],
    "commit-message-options": {
      "include-scope": null,
      "prefix": null,
      "prefix-development": null
    },
    "credentials-metadata": [
      { "registry": "npm.pkg.github.com", "type": "npm_registry" },
      { "host": "github.com", "type": "git_source" }
    ],
    "debug": null,
    "dependencies": null,
    "dependency-group-to-refresh": null,
    "dependency-groups": [],
    "existing-group-pull-requests": [],
    "existing-pull-requests": [
      [ { "dependency-name": "aws-cdk-lib", "dependency-version": "2.144.0" } ]
    ],
    "experiments": {
      "dependency-change-validation": true,
      "proxy-cached": true,
      "record-ecosystem-versions": true,
      "record-update-job-unknown-error": true
    },
    "ignore-conditions": [],
    "lockfile-only": false,
    "max-updater-run-time": 2700,
    "package-manager": "npm_and_yarn",
    "proxy-log-response-body-on-auth-failure": true,
    "reject-external-code": false,
    "repo-private": false,
    "requirements-update-strategy": null,
    "security-advisories": [],
    "security-updates-only": false,
    "source": {
      "api-endpoint": "https://api.github.com/",
      "branch": "gh",
      "directory": "/npm",
      "hostname": "github.com",
      "provider": "github",
      "repo": "hanseartic/dependabot_fails_on_additional_private_registry"
    },
    "update-subdependencies": false,
    "updating-a-pull-request": false,
    "vendor-dependencies": false
  }
}
```

It seems the replaces-base setting in dependabot.yml is ignored and the base URLs from package-lock.json are used. When invoking locally with the --registry https://npm.pkg.github.com flag, the dependencies can't be updated either:

```
npm ERR! code ETARGET
npm ERR! notarget No matching version found for @types/jest@^29.0.0.
npm ERR! notarget In most cases you or one of your dependencies are requesting
npm ERR! notarget a package version that doesn't exist.
```

Images of the diff or a link to the PR, issue, or logs

I created a demo repo to showcase how the pnpm command failed to update the dependencies. See the logs here: https://github.com/hanseartic/dependabot_fails_on_additional_private_registry/network/updates

Smallest manifest that reproduces the issue

```json
{
  "dependencies": {
    "aws-cdk-lib": "^2.143.1"
  },
  "devDependencies": {
    "@types/jest": "^29.0.0"
  },
  "packageManager": "pnpm@9.1.4+sha512.9df9cf27c91715646c7d675d1c9c8e41f6fce88246f1318c1aa6a1ed1aeb3c4f032fcdf4ba63cc69c4fe6d634279176b5358727d8f2cc1e65b65f43ce2f8bfb0"
}
```

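To make the failure above concrete, here is an added example (not from the issue, and not Dependabot's or pnpm's own code) that resolves the manifest's `^29.0.0` range against the version lists of two registries and reports which registry can satisfy it. The packuments are constructed sample data shaped like an npm registry's `versions` map, not real registry contents; only exact versions and caret ranges are handled, which is all this manifest uses.

```python
"""Resolve an npm caret range against several registries' version lists."""
import re
from typing import Optional

# Constructed packuments (illustrative, not real registry contents): the
# public registry carries the 29.x line, the private one stops at 28.x.
PACKUMENTS = {
    "registry.npmjs.org": {"name": "@types/jest",
                           "versions": ["28.1.8", "29.0.0", "29.5.12"]},
    "npm.pkg.github.com": {"name": "@types/jest",
                           "versions": ["27.5.2", "28.1.8"]},
}


def parse(version: str) -> tuple:
    """Turn 'MAJOR.MINOR.PATCH' into a comparable int tuple (no pre-release tags)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unsupported version syntax: {version!r}")
    return tuple(int(x) for x in m.groups())


def satisfies(version: str, rng: str) -> bool:
    """Caret semantics: ^1.2.3 => >=1.2.3 <2.0.0, ^0.2.3 => >=0.2.3 <0.3.0,
    ^0.0.3 => exactly 0.0.3. Anything without '^' is treated as an exact pin."""
    v = parse(version)
    if rng.startswith("^"):
        lo = parse(rng[1:])
        if lo[0] > 0:
            return v >= lo and v[0] == lo[0]
        if lo[1] > 0:
            return v >= lo and v[:2] == lo[:2]
        return v == lo
    return v == parse(rng)


def best_match(versions: list, rng: str) -> Optional[str]:
    """Highest version in the list that satisfies the range, or None."""
    ok = [v for v in versions if satisfies(v, rng)]
    return max(ok, key=parse) if ok else None


def resolve(packuments: dict, rng: str) -> dict:
    """Per-registry best match. A None entry is the registry where a package
    manager pointed only at that registry reports 'no matching version'."""
    return {reg: best_match(p["versions"], rng) for reg, p in packuments.items()}


if __name__ == "__main__":
    print(resolve(PACKUMENTS, "^29.0.0"))
```

Running it shows `registry.npmjs.org` resolving to `29.5.12` while `npm.pkg.github.com` resolves to `None`, which is the situation behind the ERR_PNPM_NO_MATCHING_VERSION above.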
smmnloes commented 2 months ago

We are experiencing the exact same issue in regard to the wrong version being selected for any @types/... dependencies. We are also using GitHub's npm registry, which has outdated packages, and Dependabot does not select the newer versions from the registry.npmjs.org registry. Below is our dependabot config:

```yaml
version: 2

registries:
  npm-github:
    type: 'npm-registry'
    url: 'https://npm.pkg.github.com'
    token: ${{ secrets.GHEC_PACKAGES_TOKEN }}
updates:
  - package-ecosystem: 'npm'
    directory: 'packages/cdk'
    registries:
      - 'npm-github'
    schedule:
      interval: 'daily'
    open-pull-requests-limit: 10
    allow:
      - dependency-name: '@hypoport/ep-1-click-infrastructure-common'
```

I tried adding the npm registry explicitly to force Dependabot to prefer it, but I don't have credentials, and without them the config failed validation somehow. But the OP seems to have that covered in their config and it doesn't seem to help.

smmnloes commented 2 months ago

https://github.com/dependabot/dependabot-core/issues/8242