package-lock.json is reset to lockfileVersion 1 despite npm 7 constraints #9220

Closed cypressious closed 3 years ago

What Renovate type, platform and version are you using?

We're using Renovate on a private GitLab via GitLab CI.

Out templates/renovate.gitlab-ci.yml file looks as follows:

include: '/templates/_common.gitlab-ci.yml'

image: renovate/renovate:24.89.2@sha256:a9a5cd72ba9161898c4b2bc8923bb058ad15431b3e12bafe7a46db50dfb51cb0

Describe the bug

We have a Frontend project that we've recently upgraded to npm 7 which comes with a new package-lock.json format signified by the "lockfileVersion": 2 line.

Every Merge Request by Renovate now wants to revert the package-lock.json file back to "lockfileVersion": 1 resulting in a giant diff which we can't merge because we want to stay on "lockfileVersion": 2.

Relevant debug logs

DEBUG: processRepo() (repository=***/frontend)
DEBUG: Processing 13 branches: renovate/angularcli-monorepo, renovate/angularmaterial-monorepo, renovate/chalk-4.x, renovate/datorama-akita-4.x, renovate/datorama-akita-6.x, renovate/ionic-angular-toolkit-3.x, renovate/jasmine-monorepo, renovate/karma-6.x, renovate/mockdate-3.x, renovate/node-12.x, renovate/nrwl-monorepo, renovate/ruby-3.x, renovate/typescript-4.x (repository=***/frontend)
DEBUG: Calculating hourly PRs remaining (repository=***/frontend)
DEBUG: currentHourStart=2021-03-19T13:00:00.000+00:00 (repository=***/frontend)
DEBUG: PR hourly limit remaining: 2 (repository=***/frontend)
DEBUG: Calculating prConcurrentLimit (5) (repository=***/frontend)
DEBUG: getBranchPr(renovate/angularcli-monorepo) (repository=***/frontend)
DEBUG: findPr(renovate/angularcli-monorepo, undefined, open) (repository=***/frontend)
DEBUG: getPr(289) (repository=***/frontend)
DEBUG: getBranchStatus(renovate/angularcli-monorepo) (repository=***/frontend)
DEBUG: Got res with 5 results (repository=***/frontend)
DEBUG: getBranchPr(renovate/angularmaterial-monorepo) (repository=***/frontend)
DEBUG: findPr(renovate/angularmaterial-monorepo, undefined, open) (repository=***/frontend)
DEBUG: getPr(290) (repository=***/frontend)
DEBUG: getBranchStatus(renovate/angularmaterial-monorepo) (repository=***/frontend)
DEBUG: Got res with 5 results (repository=***/frontend)
DEBUG: getBranchPr(renovate/datorama-akita-4.x) (repository=***/frontend)
DEBUG: findPr(renovate/datorama-akita-4.x, undefined, open) (repository=***/frontend)
DEBUG: getPr(254) (repository=***/frontend)
DEBUG: getBranchStatus(renovate/datorama-akita-4.x) (repository=***/frontend)
DEBUG: Got res with 5 results (repository=***/frontend)
DEBUG: getBranchPr(renovate/ionic-angular-toolkit-3.x) (repository=***/frontend)
DEBUG: findPr(renovate/ionic-angular-toolkit-3.x, undefined, open) (repository=***/frontend)
DEBUG: getPr(291) (repository=***/frontend)
DEBUG: getBranchStatus(renovate/ionic-angular-toolkit-3.x) (repository=***/frontend)
DEBUG: Got res with 5 results (repository=***/frontend)
DEBUG: getBranchPr(renovate/nrwl-monorepo) (repository=***/frontend)
DEBUG: findPr(renovate/nrwl-monorepo, undefined, open) (repository=***/frontend)
DEBUG: getBranchPr(renovate/node-12.x) (repository=***/frontend)
DEBUG: findPr(renovate/node-12.x, undefined, open) (repository=***/frontend)
DEBUG: getBranchPr(renovate/jasmine-monorepo) (repository=***/frontend)
DEBUG: findPr(renovate/jasmine-monorepo, undefined, open) (repository=***/frontend)
DEBUG: getBranchPr(renovate/karma-6.x) (repository=***/frontend)
DEBUG: findPr(renovate/karma-6.x, undefined, open) (repository=***/frontend)
DEBUG: getBranchPr(renovate/mockdate-3.x) (repository=***/frontend)
DEBUG: findPr(renovate/mockdate-3.x, undefined, open) (repository=***/frontend)
DEBUG: getBranchPr(renovate/typescript-4.x) (repository=***/frontend)
DEBUG: findPr(renovate/typescript-4.x, undefined, open) (repository=***/frontend)
DEBUG: getBranchPr(renovate/datorama-akita-6.x) (repository=***/frontend)
DEBUG: findPr(renovate/datorama-akita-6.x, undefined, open) (repository=***/frontend)
DEBUG: getPr(256) (repository=***/frontend)
DEBUG: getBranchStatus(renovate/datorama-akita-6.x) (repository=***/frontend)
DEBUG: Got res with 5 results (repository=***/frontend)
DEBUG: getBranchPr(renovate/chalk-4.x) (repository=***/frontend)
DEBUG: findPr(renovate/chalk-4.x, undefined, open) (repository=***/frontend)
DEBUG: getBranchPr(renovate/ruby-3.x) (repository=***/frontend)
DEBUG: findPr(renovate/ruby-3.x, undefined, open) (repository=***/frontend)
DEBUG: 5 PRs are currently open (repository=***/frontend)
DEBUG: PR concurrent limit remaining: 0 (repository=***/frontend)
DEBUG: Calculated maximum PRs remaining this run (repository=***/frontend)
       "prsRemaining": 0
DEBUG: PullRequests limit = 0 (repository=***/frontend)
DEBUG: Calculating branchConcurrentLimit (5) (repository=***/frontend)
DEBUG: 5 already existing branches found: renovate/angularcli-monorepo,renovate/angularmaterial-monorepo,renovate/datorama-akita-4.x,renovate/ionic-angular-toolkit-3.x,renovate/datorama-akita-6.x (repository=***/frontend)
DEBUG: Branch concurrent limit remaining: 0 (repository=***/frontend)
DEBUG: Calculated maximum branches remaining this run (repository=***/frontend)
       "branchesRemaining": 0
DEBUG: Branches limit = 0 (repository=***/frontend)
DEBUG: processBranch with 2 upgrades (repository=***/frontend, dependencies=@angular-devkit/build-angular,@angular/cli, branch=renovate/angularcli-monorepo)
DEBUG: Setting current branch to master (repository=***/frontend, branch=renovate/angularcli-monorepo)
DEBUG: latest commit (repository=***/frontend, branch=renovate/angularcli-monorepo)
       "branchName": "master",
       "latestCommitDate": "2021-03-19T14:41:19+01:00"
DEBUG: getBranchPr(renovate/angularcli-monorepo) (repository=***/frontend, branch=renovate/angularcli-monorepo)
DEBUG: findPr(renovate/angularcli-monorepo, undefined, open) (repository=***/frontend, branch=renovate/angularcli-monorepo)
DEBUG: getPr(289) (repository=***/frontend, branch=renovate/angularcli-monorepo)
DEBUG: getBranchStatus(renovate/angularcli-monorepo) (repository=***/frontend, branch=renovate/angularcli-monorepo)
DEBUG: Got res with 5 results (repository=***/frontend, branch=renovate/angularcli-monorepo)
DEBUG: branchExists=true (repository=***/frontend, branch=renovate/angularcli-monorepo)
DEBUG: Branch pr rebase requested: false (repository=***/frontend, branch=renovate/angularcli-monorepo)
DEBUG: Branch has 2 upgrade(s) (repository=***/frontend, branch=renovate/angularcli-monorepo)
DEBUG: Checking if PR has been edited (repository=***/frontend, branch=renovate/angularcli-monorepo)
DEBUG: Found existing branch PR (repository=***/frontend, branch=renovate/angularcli-monorepo)
DEBUG: Checking schedule(at any time, null) (repository=***/frontend, branch=renovate/angularcli-monorepo)
DEBUG: No schedule defined (repository=***/frontend, branch=renovate/angularcli-monorepo)
DEBUG: Branch already exists (repository=***/frontend, branch=renovate/angularcli-monorepo)
DEBUG: getBranchPr(renovate/angularcli-monorepo) (repository=***/frontend, branch=renovate/angularcli-monorepo)
DEBUG: findPr(renovate/angularcli-monorepo, undefined, open) (repository=***/frontend, branch=renovate/angularcli-monorepo)
DEBUG: getPr(289) (repository=***/frontend, branch=renovate/angularcli-monorepo)
DEBUG: getBranchStatus(renovate/angularcli-monorepo) (repository=***/frontend, branch=renovate/angularcli-monorepo)
DEBUG: Got res with 5 results (repository=***/frontend, branch=renovate/angularcli-monorepo)
DEBUG: Branch is up-to-date (repository=***/frontend, branch=renovate/angularcli-monorepo)
DEBUG: Branch does not need rebasing (repository=***/frontend, branch=renovate/angularcli-monorepo)
DEBUG: Using reuseExistingBranch: true (repository=***/frontend, branch=renovate/angularcli-monorepo)
DEBUG: manager.getUpdatedPackageFiles() reuseExistinbranch=true (repository=***/frontend, branch=renovate/angularcli-monorepo)
DEBUG: npm.updateDependency(): devDependencies.@angular-devkit/build-angular = 0.1102.5 (repository=***/frontend, branch=renovate/angularcli-monorepo)
DEBUG: npm.updateDependency(): devDependencies.@angular/cli = 11.2.5 (repository=***/frontend, branch=renovate/angularcli-monorepo)
DEBUG: No package files need updating (repository=***/frontend, branch=renovate/angularcli-monorepo)
DEBUG: Getting updated lock files (repository=***/frontend, branch=renovate/angularcli-monorepo)
DEBUG: Writing package.json files (repository=***/frontend, branch=renovate/angularcli-monorepo)
       "packageFiles": ["package.json"]
DEBUG: Writing package-lock.json (repository=***/frontend, branch=renovate/angularcli-monorepo)
DEBUG: Writing any updated package files (repository=***/frontend, branch=renovate/angularcli-monorepo)
DEBUG: No updated lock files in branch (repository=***/frontend, branch=renovate/angularcli-monorepo)
DEBUG: No files to commit (repository=***/frontend, branch=renovate/angularcli-monorepo)
DEBUG: Checking if we can automerge branch (repository=***/frontend, branch=renovate/angularcli-monorepo)
DEBUG: mergeStatus=no automerge (repository=***/frontend, branch=renovate/angularcli-monorepo)
DEBUG: Ensuring PR (repository=***/frontend, branch=renovate/angularcli-monorepo)
DEBUG: There are 0 errors and 0 warnings (repository=***/frontend, branch=renovate/angularcli-monorepo)
DEBUG: getBranchPr(renovate/angularcli-monorepo) (repository=***/frontend, branch=renovate/angularcli-monorepo)
DEBUG: findPr(renovate/angularcli-monorepo, undefined, open) (repository=***/frontend, branch=renovate/angularcli-monorepo)
DEBUG: getPr(289) (repository=***/frontend, branch=renovate/angularcli-monorepo)
DEBUG: getBranchStatus(renovate/angularcli-monorepo) (repository=***/frontend, branch=renovate/angularcli-monorepo)
DEBUG: Got res with 5 results (repository=***/frontend, branch=renovate/angularcli-monorepo)
DEBUG: Found existing PR (repository=***/frontend, branch=renovate/angularcli-monorepo)
DEBUG: Processing existing PR (repository=***/frontend, branch=renovate/angularcli-monorepo)
DEBUG: Merge Request #289 does not need updating (repository=***/frontend, branch=renovate/angularcli-monorepo)
DEBUG: Checking #289 for automerge (repository=***/frontend, branch=renovate/angularcli-monorepo)
       "automerge": false,
       "automergeType": "pr",
       "automergeComment": "automergeComment"
DEBUG: No automerge (repository=***/frontend, branch=renovate/angularcli-monorepo)

Have you created a minimal reproduction repository?

[ ] This is a really small bug, it does not need a reproduction (think small typo)
[X] I have provided a minimal reproduction repository
[ ] I don't have time for that, but it happens in a public repository I have linked to
[ ] I don't have time for that, and cannot share my private repository
[ ] The nature of this bug means it's impossible to reproduce publicly

Minimal Reproduction Example: https://github.com/cypressious/renovate-npm7-issue. Note that the issue happens on GitLab, GitHub is only used for hosting the example.

Additional context

I've tried a number of variations of constraints and force options in the renovate.json. The current version is the following but the issue persists:

{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": [
    "config:base"
  ],
  "prConcurrentLimit": 5,
  "labels": ["renovate-bot"],
  "constraints": {
    "npm": "^7.0.0",
    "node": "^15.0.0"
  },
  "force": {
    "constraints": {
      "npm": ">= 7.0.0",
      "node": ">= 15.0.0"
    }
  }
}

Your reproduction repository does not reproduce for me: https://github.com/renovate-tests/renovate-npm7-issue/pulls

Please generate PRs yourself to verify.

BTW you should not need to use constraints or force in your renovate.json at all.

Hi there,

The Renovate team needs your help! Before we can start work on your issue we first need to know exactly what's causing the current behavior. A minimal reproduction helps us with this.

To get started, please read our guide on minimal reproductions to understand what is needed.

We may close the issue if you have not provided a minimal reproduction within two weeks. If you need more time, or are stuck, please ask for help or more time in a comment.

Good luck,

The Renovate team

We're using GitLab CI on a Self-Hosted GitLab instance where I'm able to reproduce on the given sample, so I'm assuming it has something to do with it.

Simply remove force and constraints from config and it should work work, renovate will use the engines from package.json

@viceice That's what we had initially when the issue started occuring, so it doesn't seem to help.

@cypressious You need to use the dind version, because we have node v14 with npm v6 preinstalled on the full renovate image.

Your other option is to downgrade to npm v6 if you can't use dind.

@viceice Can you point me to a documentation on how to use the didn version? Thanks

constraints are only working when using renovate with binarySource=docker otherwise renovate can only use global installed tools.

So another options is to build your own renovate image and install npm v7 ontop the default image

@viceice Can you point me to a documentation on how to use the didn version? Thanks

https://gitlab.com/renovate-bot/renovate-runner

We have ready to use templates there

renovatebot / renovate

package-lock.json is reset to lockfileVersion 1 despite npm 7 constraints #9220