
Dependabot Does not Recognize pnpm-lock.yaml

Open lreading opened this issue 3 years ago • 3 comments

Describe the bug This repository uses Dependabot to notify maintainers when vulnerabilities are discovered in installed packages. Dependabot relies on a package-lock.json or the equivalent from yarn. It does not recognize pnpm-lock.yaml files.

There's an issue requesting pnpm support, but it doesn't seem to have moved at all: https://github.com/dependabot/dependabot-core/issues/1736

After merging v2-development to main, we started getting dependabot alerts for versions of libraries that are not in use.

A couple of potential solutions:

  • Switch to another system that has pnpm support (Renovatebot: https://docs.renovatebot.com/javascript/) or similar?
  • Generate a package-lock.json file (Not a fan of maintaining two lockfiles...)

I haven't vetted Renovatebot, nor do I have much experience with the Github specific integrations of these tools. Open to any and all suggestions! Ideally, we still want notifications in the "security" section of the repository so that maintainers are alerted when vulnerable libraries are discovered. Bonus points if an automated PR could be opened as well!

lreading avatar Feb 09 '22 23:02 lreading

One of the things I liked about dependabot is the overrides and also the manner of its pull requests and generally dependency handling. So my preference would be to stick with it and:

  1. delete any dependabot pull requests that are not relevant
  2. tough it out and wait for an update for dependabot to handle pnpm

Generating a package-lock.json file in addition to the pnpm-lock.yaml file does seem least favourite - the overrides would not be visible to dependabot so we are back to square 1. Having said all that I am happy with anything, if it works it works :)

jgadsden avatar Feb 10 '22 07:02 jgadsden

Based on the linked discussion, I'm not hopeful they will be supporting it any time soon. That said, if you like dependabot, I'm totally fine with sticking it out as long as there's visibility into why some of these alerts are less meaningful. :smile:

lreading avatar Feb 10 '22 16:02 lreading
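To make the "visibility into why some of these alerts are less meaningful" point concrete, here is an added example (not code from this issue or from the Threat Dragon project) that reads the resolved versions out of a pnpm-lock.yaml and checks them against an advisory list, so an alert raised from package.json ranges can be compared with what is actually installed. The lockfile text, the advisory ranges and the `lockfileVersion: 5.4` key layout (`/name/version:`) are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the pnpm lockfileVersion 5.4 layout; not the project's real lockfile.
SAMPLE_LOCK = """\
lockfileVersion: 5.4

specifiers:
  lodash: ^4.17.15
  minimist: ^1.2.0

dependencies:
  lodash: 4.17.21
  minimist: 1.2.5

packages:

  /lodash/4.17.21:
    resolution: {integrity: sha512-CONSTRUCTED_PLACEHOLDER}
    dev: false

  /minimist/1.2.5:
    resolution: {integrity: sha512-CONSTRUCTED_PLACEHOLDER}
    dev: false

  /@babel/code-frame/7.18.6:
    resolution: {integrity: sha512-CONSTRUCTED_PLACEHOLDER}
    dev: true
"""

# Constructed advisories: (package, first vulnerable version, first fixed version).
SAMPLE_ADVISORIES = [
    ("lodash", "4.0.0", "4.17.21"),   # resolved 4.17.21 is already the fixed version
    ("minimist", "1.0.0", "1.2.6"),   # resolved 1.2.5 sits inside the vulnerable range
]

# Matches "/name/version:" keys (scoped or not) under the packages: section.
_PKG_KEY = re.compile(r"^\s*/(?P<name>@[^/\s]+/[^/\s]+|[^/@\s]+)/(?P<version>[^:\s]+):\s*$")

def _vtuple(version: str) -> Tuple[int, ...]:
    """Numeric tuple for ordering; prerelease and peer suffixes are ignored."""
    core = version.split("_")[0].split("-")[0]
    return tuple(int(m.group()) if (m := re.match(r"\d+", p)) else 0 for p in core.split("."))

def resolved_packages(lock_text: str) -> Dict[str, List[str]]:
    """Map package name -> resolved versions listed in the packages: section."""
    found: Dict[str, List[str]] = {}
    in_packages = False
    for line in lock_text.splitlines():
        if not line.startswith(" ") and line.strip():
            in_packages = line.startswith("packages:")  # new top-level section
            continue
        if in_packages and (m := _PKG_KEY.match(line)):
            found.setdefault(m["name"], []).append(m["version"].split("_")[0])
    return found

def actionable_alerts(lock_text: str, advisories) -> List[Tuple[str, str]]:
    """(package, resolved version) pairs whose resolved version is inside a vulnerable range."""
    resolved = resolved_packages(lock_text)
    return [(name, ver) for name, vuln_from, fixed_in in advisories
            for ver in resolved.get(name, [])
            if _vtuple(vuln_from) <= _vtuple(ver) < _vtuple(fixed_in)]
```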

> Generating a package-lock.json file in addition to the pnpm-lock.yaml file does seem least favourite - the overrides would not be visible to dependabot so we are back to square 1. Having said all that I am happy with anything, if it works it works :)

Hello @lreading, I now understand what you are saying; I had misunderstood before. Dependabot is not useful to us because we do not use package-lock.json files? So it will never give us the alerts we need? (Along with giving us alerts that are not relevant, so doubly unuseful)

So I agree we need to switch away from dependabot - and my answer above should be ignored

jgadsden avatar Feb 11 '22 07:02 jgadsden

No longer using dependabot so closing this issue

jgadsden avatar Jan 17 '23 06:01 jgadsden