
Dependabot sometimes hoists optional dependencies to dependencies

Open domoscargin opened this issue 11 months ago • 0 comments

What

For some packages/groups (especially @types/node), Dependabot will hoist a devDependency or optionalDependency to a dependency.

This is likely due to a problem with overrides at the npm level, so not something that'll go away any time soon. https://github.com/npm/cli/issues/7018 https://github.com/npm/cli/issues/7019

Why

The fix is simple: we just need to run npm install which removes the hoisted dependency, then commit that change. But it is an annoyance to have to do that manually each time!

Enough of an annoyance that we have a test to check when it happens: https://github.com/alphagov/govuk-design-system/blob/1399e2313a2b55f065ba567825c80edcd3477cb4/package-lock.json.unit.test.mjs#L17

It'd be good to automate this process, i.e. have GitHub Actions run npm install if that particular test fails, and commit the changes, so we don't have to manually fix it.

Who needs to work on this

Developer

Who needs to review this

Developer

Done when

  • [ ] devDependencies and optionalDependencies are no longer hoisted to dependencies by Dependabot

domoscargin · Mar 11 '24 16:03
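A check of the kind the linked test performs, written as an added example for this page rather than the govuk-design-system test itself: it compares the root entry of package-lock.json against package.json and reports packages that Dependabot hoisted from devDependencies or optionalDependencies into dependencies. It assumes the lockfile v2/v3 layout (root package under `packages[""]`); the sample package.json and package-lock.json objects are constructed. Hoisting matters beyond tidiness: a hoisted package is installed by `npm ci --omit=dev`, so it silently widens what ships to production.

```javascript
// Added example, not the project's own test. Detects dependencies that a
// Dependabot update hoisted into the lockfile's root "dependencies" even
// though package.json declares them only as dev/optional.

// Returns, sorted, the names package.json declares only under
// devDependencies/optionalDependencies but the lockfile root (packages[""])
// records under "dependencies". Packages also declared as prod are not hoists.
function findHoisted(pkg, lock) {
  const root = (lock.packages && lock.packages['']) || {};
  const declaredProd = new Set(Object.keys(pkg.dependencies || {}));
  const nonProd = new Set([
    ...Object.keys(pkg.devDependencies || {}),
    ...Object.keys(pkg.optionalDependencies || {}),
  ]);
  return Object.keys(root.dependencies || {})
    .filter((name) => nonProd.has(name) && !declaredProd.has(name))
    .sort();
}

// Runs the check against a checkout. fs is loaded lazily so the pure check
// above has no Node-specific dependency.
function checkFiles(dir = '.') {
  const { readFileSync } = require('node:fs');
  const pkg = JSON.parse(readFileSync(`${dir}/package.json`, 'utf8'));
  const lock = JSON.parse(readFileSync(`${dir}/package-lock.json`, 'utf8'));
  return findHoisted(pkg, lock);
}

// Constructed sample input showing the symptom: @types/node and fsevents are
// dev/optional in package.json but sit under root "dependencies" in the lock.
const samplePackage = {
  name: 'example',
  dependencies: { express: '^4.19.2' },
  devDependencies: { '@types/node': '^20.11.0', jest: '^29.7.0' },
  optionalDependencies: { fsevents: '^2.3.3' },
};
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': {
      dependencies: { express: '^4.19.2', '@types/node': '^20.11.0', fsevents: '^2.3.3' },
      devDependencies: { jest: '^29.7.0' },
    },
  },
};

// CI entry point: non-zero exit lets a workflow step decide to run
// `npm install` and commit the corrected lockfile.
if (typeof require !== 'undefined' && require.main === module) {
  const hoisted = checkFiles('.');
  if (hoisted.length) {
    console.error(`Hoisted to dependencies: ${hoisted.join(', ')}`);
    process.exitCode = 1;
  }
}
```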