Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Dependabot fails to update root pnpm-lock.yaml when splitting updates by directory in pnpm workspaces #11135

Open
1 task done
vluoto opened this issue Dec 16, 2024 · 0 comments
Labels
L: javascript T: bug 🐞 Something isn't working

Comments

@vluoto
Copy link

vluoto commented Dec 16, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Package ecosystem

npm

Package manager version

pnpm 9.4.0

Language version

Node.js 22

Manifest location and content before the Dependabot update

dependabot.yml content

https://github.com/vluoto/pnpm-workspace-with-dependabot-version-updates/blob/main/.github/dependabot.yml

Updated dependency

No response

What you expected to see, versus what you actually saw

What I expected to see:

When using Dependabot to manage version updates in a pnpm workspace, splitting updates by directory (where each directory corresponds to a package within the workspace) should create separate pull requests for each directory. Each pull request should update the package.json file in the corresponding directory and the shared workspace lockfile at the root (/pnpm-lock.yaml). This ensures consistency across the workspace and allows dependency installations to succeed in all environments, including CI.

What I actually saw:

Dependabot created separate pull requests for each directory and updated the package.json files as expected. However, the shared pnpm-lock.yaml file at the root was not updated in any of the pull requests. This left the workspace in an inconsistent state. Moreover, it caused dependency installations to fail in CI environments (e.g., GitHub Actions), where CI=true is set. In such cases, pnpm implicitly applies the --frozen-lockfile flag, which requires the lockfile to match the dependencies in package.json.

Native package manager behavior

pnpm --filter a update --latest react

or

cd packages/a && pnpm update --latest react

results in

diff --git a/packages/a/package.json b/packages/a/package.json
index 7ecd7ed..96bf809 100644
--- a/packages/a/package.json
+++ b/packages/a/package.json
@@ -10,6 +10,6 @@
   "author": "",
   "license": "ISC",
   "dependencies": {
-    "react": "18"
+    "react": "^19.0.0"
   }
 }
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index e6f42a8..bcf7b39 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -11,8 +11,8 @@ importers:
   packages/a:
     dependencies:
       react:
-        specifier: '18'
-        version: 18.3.1
+        specifier: ^19.0.0
+        version: 19.0.0
 
   packages/b:
     dependencies:
@@ -39,6 +39,10 @@ packages:
     resolution: {integrity: sha512-wS+hAgJShR0KhEvPJArfuPVN1+Hz1t0Y6n5jLrGQbkb4urgPE/0Rve+1kMB1v/oWgHgm4WIcV+i7F2pTVj+2iQ==}
     engines: {node: '>=0.10.0'}
 
+  [email protected]:
+    resolution: {integrity: sha512-V8AVnmPIICiWpGfm6GLzCR/W5FXLchHop40W4nXBmdlEceh16rCN8O8LNWm5bh5XUX91fh7KpA+W0TgMKmgTpQ==}
+    engines: {node: '>=0.10.0'}
+
 snapshots:
 
   [email protected]: {}
@@ -50,3 +54,5 @@ snapshots:
   [email protected]:
     dependencies:
       loose-envify: 1.4.0
+
+  [email protected]: {}

Images of the diff or a link to the PR, issue, or logs

No response

Smallest manifest that reproduces the issue

No response

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
L: javascript T: bug 🐞 Something isn't working
Projects
Status: No status
Development

No branches or pull requests

1 participant