Dependabot fails to update root pnpm-lock.yaml
when splitting updates by directory
in pnpm workspaces
#11135
Is there an existing issue for this?
Package ecosystem
npm
Package manager version
pnpm
9.4.0
Language version
Node.js
22
Manifest location and content before the Dependabot update
dependabot.yml content
https://github.com/vluoto/pnpm-workspace-with-dependabot-version-updates/blob/main/.github/dependabot.yml
Updated dependency
No response
What you expected to see, versus what you actually saw
What I expected to see:

When using Dependabot to manage version updates in a pnpm workspace, splitting updates by `directory` (where each `directory` corresponds to a package within the workspace) should create separate pull requests for each directory. Each pull request should update the `package.json` file in the corresponding directory and the shared workspace lockfile at the root (`/pnpm-lock.yaml`). This ensures consistency across the workspace and allows dependency installations to succeed in all environments, including CI.

What I actually saw:

Dependabot created separate pull requests for each directory and updated the `package.json` files as expected. However, the shared `pnpm-lock.yaml` file at the root was not updated in any of the pull requests. This left the workspace in an inconsistent state. Moreover, it caused dependency installations to fail in CI environments (e.g., GitHub Actions), where `CI=true` is set. In such cases, pnpm implicitly applies the `--frozen-lockfile` flag, which requires the lockfile to match the dependencies in `package.json`.

Native package manager behavior
Images of the diff or a link to the PR, issue, or logs
No response
Smallest manifest that reproduces the issue
No response
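The failure described above is pnpm's frozen-lockfile check rejecting a workspace manifest whose dependency ranges no longer match the `importers` section of `pnpm-lock.yaml`. As an added example (not code from this issue, from Dependabot or from pnpm), the following Python script performs that same specifier comparison over an already-parsed lockfile and the workspace `package.json` files, so a pull request that changed a manifest without regenerating the lockfile can be flagged before it reaches CI; the `lockfile_drift` name, the sample lockfile/manifest dicts and the assumption that the lockfile uses the `lockfileVersion` 6+ `importers.<dir>.<field>.<name>.specifier` layout are mine.

```python
"""Detect package.json / pnpm-lock.yaml specifier drift in a pnpm workspace.
pnpm's --frozen-lockfile (implied when CI=true) refuses to install when a
manifest's specifiers no longer match the `importers` section of the lockfile;
this reproduces that comparison so a Dependabot PR that bumped only
package.json is flagged before CI.
"""
import json

DEP_FIELDS = ("dependencies", "devDependencies", "optionalDependencies")


def lockfile_drift(lockfile: dict, manifests: dict) -> list:
    """Return (importer, name, manifest_spec, lock_spec) for every mismatch.
    lockfile:  pnpm-lock.yaml parsed into a dict (assumed lockfileVersion 6+
               layout: importers.<dir>.<field>.<name>.specifier holds the range).
    manifests: mapping of importer directory -> parsed package.json dict.
    """
    importers = lockfile.get("importers", {})
    drift = []
    for importer, manifest in manifests.items():
        locked = importers.get(importer, {})
        for field in DEP_FIELDS:
            wanted = manifest.get(field, {})
            have = locked.get(field, {})
            # Range changed (or dep added) in package.json, lockfile not regenerated.
            for name, spec in wanted.items():
                lock_spec = have.get(name, {}).get("specifier")
                if lock_spec != spec:
                    drift.append((importer, name, spec, lock_spec))
            # Dep removed from package.json but still recorded in the lockfile.
            for name in have:
                if name not in wanted:
                    drift.append((importer, name, None, have[name].get("specifier")))
    return drift


# Constructed sample: pnpm-lock.yaml as yaml.safe_load() would return it.
SAMPLE_LOCKFILE = {
    "lockfileVersion": "9.0",
    "importers": {
        ".": {"devDependencies": {"typescript": {"specifier": "^5.4.0", "version": "5.4.5"}}},
        "packages/app": {"dependencies": {"lodash": {"specifier": "^4.17.20", "version": "4.17.20"}}},
    },
}
# Constructed manifests: the Dependabot PR bumped packages/app/package.json only.
SAMPLE_MANIFESTS = {
    ".": json.loads('{"devDependencies": {"typescript": "^5.4.0"}}'),
    "packages/app": json.loads('{"dependencies": {"lodash": "^4.17.21"}}'),
}
if __name__ == "__main__":
    print(lockfile_drift(SAMPLE_LOCKFILE, SAMPLE_MANIFESTS))
```

On a real checkout, load `pnpm-lock.yaml` with a YAML parser and each workspace `package.json` with `json.load`, keyed by the directory as it appears under `importers`; any non-empty result is what `pnpm install --frozen-lockfile` would reject.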