Open hanseartic opened 3 months ago
We are experiencing the exact same issue in regards to the wrong version being selected for any @types/... dependencies. We are also using Github's npm registry which has outdated packages and dependabot does not select the newer versions from the registry.npmjs.org registry. Below is our dependabot config:

```yaml
version: 2
registries:
  npm-github:
    type: 'npm-registry'
    url: 'https://npm.pkg.github.com'
    token: ${{ secrets.GHEC_PACKAGES_TOKEN }}
updates:
  - package-ecosystem: 'npm'
    directory: 'packages/cdk'
    registries:
      - 'npm-github'
    schedule:
      interval: 'daily'
    open-pull-requests-limit: 10
    allow:
      - dependency-name: '@hypoport/ep-1-click-infrastructure-common'
```
I tried adding the npm-registry explicitly to force dependabot to prefer it, but I don't have credentials and without it the config failed validation somehow. But the OP seems to have that covered in their config and it doesn't seem to help.
Is there an existing issue for this?

Package ecosystem
npm

Package manager version
pnpm 9.1.4

Language version
Node.js 20.x

Manifest location and content before the Dependabot update
/package.json
/pnpm-lock.json

dependabot.yml content

Updated dependency
`@types/jest` @29.0.0 ➡️ @29.5.12
fails with
after `npm.pkg.github.com` is configured as (additional) registry for dependabot

What you expected to see, versus what you actually saw
The dependencies originally have been added to the project with npm from npmjs.org's registry. Hence the base-URLs point to npmjs.org's registry. Later in the project we switched to `pnpm` and Dependabot was still able to update the versions. After adding another dependency that is only available as a private package we needed to switch to private registry configuration.
As it turned out `npm.pkg.github.com` does not have the latest version (that was fetched from `registry.npmjs.org`) of `@types/jest`.

Expected
As two registries are configured in the dependabot file I would expect that both of the registries are checked and the latest matching version is installed / a PR created for it.

What happened instead

Native package manager behavior
`npm` can successfully create a PR but it seems to ignore the configured registry (`npm.pkg.github.com`). See this job's log:

```json
{
  "job": {
    "allowed-updates": [
      { "dependency-type": "direct", "update-type": "all" }
    ],
    "commit-message-options": {
      "include-scope": null,
      "prefix": null,
      "prefix-development": null
    },
    "credentials-metadata": [
      { "registry": "npm.pkg.github.com", "type": "npm_registry" },
      { "host": "github.com", "type": "git_source" }
    ],
    "debug": null,
    "dependencies": null,
    "dependency-group-to-refresh": null,
    "dependency-groups": [],
    "existing-group-pull-requests": [],
    "existing-pull-requests": [
      [
        { "dependency-name": "aws-cdk-lib", "dependency-version": "2.144.0" }
      ]
    ],
    "experiments": {
      "dependency-change-validation": true,
      "proxy-cached": true,
      "record-ecosystem-versions": true,
      "record-update-job-unknown-error": true
    },
    "ignore-conditions": [],
    "lockfile-only": false,
    "max-updater-run-time": 2700,
    "package-manager": "npm_and_yarn",
    "proxy-log-response-body-on-auth-failure": true,
    "reject-external-code": false,
    "repo-private": false,
    "requirements-update-strategy": null,
    "security-advisories": [],
    "security-updates-only": false,
    "source": {
      "api-endpoint": "https://api.github.com/",
      "branch": "gh",
      "directory": "/npm",
      "hostname": "github.com",
      "provider": "github",
      "repo": "hanseartic/dependabot_fails_on_additional_private_registry"
    },
    "update-subdependencies": false,
    "updating-a-pull-request": false,
    "vendor-dependencies": false
  }
}
```

It seems the `replaces-base` setting in `dependabot.yml` is ignored and the base-URLs from `package-lock.json` are used. When invoking locally with the `--registry https://npm.pkg.github.com` flag the dependencies can't be updated either:

Images of the diff or a link to the PR, issue, or logs
I created a demo-repo to showcase how the `pnpm` command failed updating the dependencies. See the logs here: https://github.com/hanseartic/dependabot_fails_on_additional_private_registry/network/updates

Smallest manifest that reproduces the issue
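The practical risk in this report is that a private registry which lags behind the public one silently caps the versions an updater can see, including releases that carry security fixes. The script below is an added example (not code from the issue author or from Dependabot) of the check a maintainer can run to find out which registry actually serves the newest release of a package. The registry documents it works on are constructed samples shaped like the JSON an npm registry returns for `GET <registry>/<package>`, trimmed to the fields the check needs; the version lists, and the assumption that the GitHub registry only holds 29.0.0, are illustrative and not taken from the issue's real registries. It also goes slightly beyond the issue by handling prerelease tags according to semver ordering.

```python
"""Check which npm registry actually serves the newest release of a package.

Added example, not code from the issue author or from Dependabot. The registry
documents below are constructed samples shaped like the JSON an npm registry
returns for GET <registry>/<package> (a "packument"), trimmed to the fields
this check needs. Against real registries you would fetch those documents
yourself; the comparison logic stays the same.
"""
import re
from typing import Dict, Optional, Tuple

# Constructed sample data mirroring the situation in the issue: the public
# registry has 29.5.12, the private registry (hypothetical contents) stopped
# at 29.0.0.
SAMPLE_PACKUMENTS: Dict[str, dict] = {
    "https://registry.npmjs.org": {
        "name": "@types/jest",
        "dist-tags": {"latest": "29.5.12"},
        "versions": {"29.0.0": {}, "29.2.0": {}, "29.5.12": {}, "30.0.0-alpha.1": {}},
    },
    "https://npm.pkg.github.com": {
        "name": "@types/jest",
        "dist-tags": {"latest": "29.0.0"},
        "versions": {"29.0.0": {}},
    },
}

_SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$")


def parse_version(v: str) -> Tuple[int, int, int, Tuple]:
    """Turn 'MAJOR.MINOR.PATCH[-pre][+build]' into a tuple that sorts per semver.

    A stable release sorts above any prerelease of the same core version, and
    numeric prerelease identifiers sort below alphanumeric ones. Build
    metadata is ignored, as semver requires.
    """
    m = _SEMVER.match(v)
    if not m:
        raise ValueError(f"not a semver string: {v!r}")
    major, minor, patch, pre = m.groups()
    if pre is None:
        pre_key: Tuple = (1,)  # stable release
    else:
        idents = tuple((0, int(p)) if p.isdigit() else (1, p) for p in pre.split("."))
        pre_key = (0, idents)
    return int(major), int(minor), int(patch), pre_key


def newest_version(packument: dict, include_prerelease: bool = False) -> Optional[str]:
    """Highest version listed in a registry document; prereleases skipped by default."""
    best = None
    for v in packument.get("versions", {}):
        try:
            key = parse_version(v)
        except ValueError:
            continue  # tolerate a malformed entry instead of aborting the check
        if not include_prerelease and key[3][0] == 0:
            continue
        if best is None or key > best[0]:
            best = (key, v)
    return best[1] if best else None


def compare_registries(packuments: Dict[str, dict], current: str) -> dict:
    """Per registry: newest version and whether it is newer than what is installed.

    Also names the registry holding the overall newest release and lists the
    registries that lag behind it, so a lagging private mirror shows up
    explicitly instead of silently capping updates.
    """
    current_key = parse_version(current)
    per_registry = {}
    for url, doc in packuments.items():
        newest = newest_version(doc)
        per_registry[url] = {
            "newest": newest,
            "latest_tag": doc.get("dist-tags", {}).get("latest"),
            "newer_than_current": newest is not None and parse_version(newest) > current_key,
        }
    with_versions = [u for u, info in per_registry.items() if info["newest"]]
    best_registry = max(
        with_versions, key=lambda u: parse_version(per_registry[u]["newest"]), default=None
    )
    best_version = per_registry[best_registry]["newest"] if best_registry else None
    lagging = [
        u for u in with_versions
        if best_version and parse_version(per_registry[u]["newest"]) < parse_version(best_version)
    ]
    return {
        "current": current,
        "best_registry": best_registry,
        "best_version": best_version,
        "lagging": lagging,
        "registries": per_registry,
    }


if __name__ == "__main__":
    report = compare_registries(SAMPLE_PACKUMENTS, current="29.0.0")
    print(f"newest stable {report['best_version']} is served by {report['best_registry']}")
    for url in report["lagging"]:
        print(f"  behind: {url} (newest there: {report['registries'][url]['newest']})")
```

Run against the sample data it reports that 29.5.12 lives on registry.npmjs.org and that npm.pkg.github.com is behind, which is exactly the situation an updater limited to the private registry cannot see. Fetching the real documents (with the same token the updater uses) and feeding them to `compare_registries` turns this into a quick pre-check before blaming the updater's registry configuration.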