Open eikowagenknecht opened 1 month ago
I am also experiencing the same problem, considering downgrading until this is solved.
Did you find any workaround @eikowagenknecht?
Cheers 😄
Only what I described above: Remove and readd the packages manually to fix the lockfile.
Aha, but that would not prevent dependabot from re-updating that again in the next update, no?
Sorry I omitted that but I saw also your comment here https://github.com/dependabot/dependabot-core/issues/10124#issuecomment-2250218611
Thanks for your kindness and replying so fast ⏩
Yes, with the next dependabot update it's the same problem again. I'm currently fixing this manually again every time.
Hmm, that's sad. I'll downgrade to v8 and stay subscribed to this issue and see if it gets solved at some point. Thanks.
Is this a regression?
How to fix this?
try this
ssh-keyscan -t rsa "github.com" >> ~/.ssh/known_hosts
ssh-keyscan -t ed25519 "github.com" >> ~/.ssh/known_hosts
A (pretty involved) workaround is to add an SSH private key to the actions runner.
It doesn't need special privileges to clone public repos, but GitHub does need to recognise it.
For this I used a read-only deploy key for the given repo.
ssh-keygen -t rsa -q -P "" -f temp_key
temp_key.pub as a repository deploy key: PNPM_GIT_CLONE_WORKAROUND
temp_key as a repository secret: PNPM_GIT_CLONE_WORKAROUND_SSH_KEY
temp_key as a dependabot secret: PNPM_GIT_CLONE_WORKAROUND_SSH_KEY
pnpm install
# Workaround for https://github.com/dependabot/dependabot-core/issues/10124
- name: Add SSH key (enables pnpm to run `git clone`)
  run: |
    mkdir -p ~/.ssh
    echo "${{ secrets.PNPM_GIT_CLONE_WORKAROUND_SSH_KEY }}" > ~/.ssh/id_rsa
    chmod 600 ~/.ssh/id_rsa
Obviously you'll need to keep your private key secret, I'd recommend deleting it once you've set it up.
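A hardened variant of the key-install and ssh-keyscan steps from the comments above, as an added example that is not part of the original thread or of the pnpm or Dependabot projects: it refuses an empty secret, creates the key file with owner-only permissions from the start, and appends scanned host keys to known_hosts only when their fingerprint matches one you supply. The function names and the DEPLOY_KEY and EXPECTED_FP variables are assumptions; the expected fingerprint has to come from GitHub's published SSH key fingerprints.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Write the private key with owner-only permissions from the moment it exists.
# $1 = key material (e.g. the workflow secret), $2 = target .ssh directory
install_deploy_key() {
    key_material=$1
    ssh_dir=$2
    # An undefined secret expands to an empty string; fail instead of
    # silently writing an empty id_rsa.
    [ -n "$key_material" ] || { echo "deploy key is empty" >&2; return 1; }
    (
        umask 077    # new files 0600, new directories 0700
        mkdir -p "$ssh_dir" && printf '%s\n' "$key_material" > "$ssh_dir/id_rsa"
    ) || return 1
    # Tighten modes in case the directory or file already existed.
    chmod 700 "$ssh_dir" && chmod 600 "$ssh_dir/id_rsa"
}

# Read ssh-keyscan output on stdin and append it to known_hosts only if every
# scanned key has the expected SHA256 fingerprint.
# $1 = expected fingerprint ("SHA256:..."), $2 = known_hosts path
pin_host_key() {
    expected_fp=$1
    known_hosts=$2
    scanned=$(grep -v '^#' || true)    # drop ssh-keyscan banner comments
    [ -n "$scanned" ] || { echo "no host key on stdin" >&2; return 1; }
    fps=$(printf '%s\n' "$scanned" | ssh-keygen -lf - | awk '{print $2}')
    [ -n "$fps" ] || { echo "could not fingerprint scanned keys" >&2; return 1; }
    for fp in $fps; do
        if [ "$fp" != "$expected_fp" ]; then
            echo "host key mismatch: got $fp" >&2
            return 1
        fi
    done
    printf '%s\n' "$scanned" >> "$known_hosts"
}

# Usage in the workflow step (DEPLOY_KEY and EXPECTED_FP are assumed env vars):
#   install_deploy_key "$DEPLOY_KEY" "$HOME/.ssh"
#   ssh-keyscan -t ed25519 github.com | pin_host_key "$EXPECTED_FP" "$HOME/.ssh/known_hosts"
```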
Verify latest release
pnpm version
9.6.0
Which area(s) of pnpm are affected? (leave empty if unsure)
No response
Link to the code that reproduces this issue or a replay of the bug
No response
Reproduction steps
In one of my repositories, I have Dependabot set up and pnpm.
package.json:
Every time Dependabot updated the dependencies, entries for git repos in the lockfile look like this:
Running pnpm i with this leads to the following error:
My current solution is to remove the packages from package.json, run pnpm i, revert the changes to package.json and run pnpm i again. After that, the above entries in the lockfile have changed to and it works again.
SSH key should be set up correctly, from the same console running
git.EXE -c core.longpaths=true clone git@github.com:tauri-apps/tauri-plugin-store.git
manually works fine.
Describe the Bug
pnpm i fails
Expected Behavior
pnpm i runs without problems
Which Node.js version are you using?
20.11.1
Which operating systems have you used?
If your OS is a Linux based, which one it is? (Include the version if relevant)
No response