dependabot / fetch-metadata

Extract information about the dependencies being updated by a Dependabot-generated PR.
MIT License

Dependabot runs fail due to strict node and npm pinning #507

Closed jeffwidman closed 5 months ago

jeffwidman commented 5 months ago

From https://github.com/dependabot/fetch-metadata/network/updates/803622934:

updater | 2024/03/21 21:28:55 INFO <job_803622934> Updating @actions/github from 5.1.1 to 6.0.0
updater | 2024/03/21 21:28:57 INFO <job_803622934> Handled error whilst updating @actions/github: dependency_file_not_resolvable {:message=>"Dependabot uses Node.js v20.11.1\n and NPM 10.2.4\n. Due to the engine-strict setting, the update will not succeed."}

My guess is something in https://github.com/dependabot/fetch-metadata/pull/443 is a little too strict or pinned to the wrong version...

JamieMagee commented 5 months ago

Either relax the strictness here:

https://github.com/dependabot/fetch-metadata/blob/dc2c459ae6444ea1d108233ed87ce5ff16cf2fa2/.npmrc#L1

Or update the node and npm versions here to at least the versions mentioned in the error message:

https://github.com/dependabot/dependabot-core/blob/c7b16a1a6eb6d35d3be0218e110ebc84b49c1c27/npm_and_yarn/Dockerfile#L13-L18

JamieMagee commented 5 months ago

Related https://github.com/dependabot/dependabot-core/pull/9213

Nishnha commented 5 months ago

Another alternative, if we don't care about pinning the minor version, is:

"engines": {
  "node": ">=20.x",
  "npm": ">=10.x"
},

We might have to get rid of engine-strict=true for it to work.

jeffwidman commented 5 months ago

After looking at this, I think dropping engine-strict (since it defaults to false) will probably suffice for the fetch-metadata use case.

I'm normally a fan of pinning, but given that if we do break something it's not hard to temp pin to an older version, then I'm okay if we relax this for now... and if it becomes a problem in the future, then we can tighten the screws again.

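As an added example (not code from fetch-metadata or dependabot-core), here is a small JavaScript model of the `engines` check behind the error above and of what the proposed fixes change: the relaxed `>=20.x` / `>=10.x` ranges and dropping `engine-strict`. The Node and npm versions are the ones from the log; the `PINNED` ranges are constructed to stand in for a pin newer than Dependabot's toolchain.

```javascript
// Added example, not fetch-metadata's own code: a minimal model of npm's "engines"
// check showing why Dependabot's toolchain (Node 20.11.1 / npm 10.2.4 in the log
// above) fails a tight pin under engine-strict but passes ">=20.x" / ">=10.x".
// Supports only ">=", "<", exact pins, x-ranges (20.x), AND by space and OR by "||".

function parseVersion(v) {
  const parts = v.replace(/^v/, "").split(".").map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) throw new Error(`bad version: ${v}`);
  return parts;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// One comparator such as ">=20.x" or "20.12.x" becomes a predicate over [maj, min, patch].
function comparator(token) {
  const m = /^(>=|<|=)?\s*(.+)$/.exec(token);
  const op = m[1] || "";
  const numeric = m[2].split(".").filter((p) => /^\d+$/.test(p)).map(Number);
  const low = [numeric[0] ?? 0, numeric[1] ?? 0, numeric[2] ?? 0];  // 20.x -> 20.0.0
  if (op === ">=") return (v) => compare(v, low) >= 0;
  if (op === "<") return (v) => compare(v, low) < 0;
  // No operator (or "="): an x-range is a prefix match (20.x), a full version an exact pin.
  return (v) => numeric.every((n, i) => v[i] === n);
}

function satisfies(version, range) {
  const v = parseVersion(version);
  return range.trim().split(/\s*\|\|\s*/).some((clause) =>
    clause.trim().split(/\s+/).every((tok) => comparator(tok)(v)));
}

// With engine-strict unset npm only warns about a mismatch; with engine-strict=true the
// install, and therefore the Dependabot update, fails, which is the error in the log above.
function checkEngines(engines, runtime, engineStrict) {
  const failures = Object.keys(engines)
    .filter((name) => runtime[name] && !satisfies(runtime[name], engines[name]))
    .map((name) => `${name} ${runtime[name]} does not satisfy "${engines[name]}"`);
  return { ok: failures.length === 0 || !engineStrict, failures };
}

const DEPENDABOT = { node: "20.11.1", npm: "10.2.4" };  // versions from the log above
const PINNED = { node: "20.12.x", npm: "10.5.x" };      // constructed pin, newer than Dependabot's
const RELAXED = { node: ">=20.x", npm: ">=10.x" };      // the relaxed ranges proposed above
```

Running `checkEngines(PINNED, DEPENDABOT, true)` reports both engines as failing, while the same pin with `engineStrict` false, or `RELAXED` with it true, passes.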
jeffwidman commented 5 months ago

Fixed by:

And :dependabot: is now working again in https://github.com/dependabot/fetch-metadata/pull/453!