
Dependabot doesn't work with monorepos using pnpm

Open jamescrowley opened this issue 1 year ago • 1 comment

Is there an existing issue for this?

  • [X] I have searched the existing issues

Package ecosystem

npm/pnpm

Package manager version

8.15.9

Language version

No response

Manifest location and content before the Dependabot update

package.json
pnpm-lock.yaml
pnpm-workspace.yaml
front/package.json

dependabot.yml content

https://github.com/boxwise/boxtribute/blob/master/.github/dependabot.yml

Updated dependency

No response

What you expected to see, versus what you actually saw

When explicitly listing directories, such as

directories:
      - /
      - /front

Dependabot generates updates for packages in the root package.json and in /front. However, it does not update the pnpm-lock.yaml in PRs for packages in the subfolder (for instance: https://github.com/boxwise/boxtribute/pull/1599)

When only listing the 'root' directory (suggested by https://github.com/dependabot/dependabot-core/issues/4993), dependabot ignores the package.json within /front entirely.

Possibly related to https://github.com/dependabot/dependabot-core/issues/6346 (npm, not pnpm)

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

https://github.com/boxwise/boxtribute/pull/1599

Smallest manifest that reproduces the issue

No response

jamescrowley avatar Oct 08 '24 23:10 jamescrowley

FWIW we also see the same behaviour with [email protected]

Yurickh avatar Oct 16 '24 11:10 Yurickh

Seeing the same with [email protected]

Folder structure

pnpm-lock.json
apps/fe/package.json

Only package.json updates

Tried versioning-strategy: increase as advised in https://github.com/dependabot/dependabot-core/issues/4993#issuecomment-1289133027 but it doesn't work.

scottquested avatar Nov 18 '24 10:11 scottquested

The issue is mainly that we don't have a tree crawl for pnpm workspaces package.json files, like we do for some other files in dependabot's codebase. I've tried to propose a fix in #10806, but haven't heard back from the maintainers so far.

Yurickh avatar Nov 18 '24 11:11 Yurickh

Need to deploy https://github.com/dependabot/dependabot-core/pull/10806 PR

thavaahariharangit avatar Nov 27 '24 16:11 thavaahariharangit

@jamescrowley

I have created a sample repo to recreate this problem

Note: In the above repo I have used the sample dependencies below:

  1. root level: [email protected]
  2. project level: [email protected]

Current behaviour of dependabot

Scenario 1

When updates.directory is

directories:
      - /
      - /packages/*

then PRs generated

 +---------------------------------------------+
 |     Changes to Dependabot Pull Requests     |
 +---------+-----------------------------------+
 | created | express ( from 4.10.0 to 4.21.1 ) |
 | created | vue ( from 3.2.0 to 3.5.13 )      |
 +---------+-----------------------------------+

Scenario 2

When updates.directory is

directories:
      - /

then PRs generated

 +---------------------------------------------+
 |     Changes to Dependabot Pull Requests     |
 +---------+-----------------------------------+
 | created | express ( from 4.10.0 to 4.21.1 ) |
 +---------+-----------------------------------+

Scenario 3

When updates.directory is

directories:
      - /packages/*

then PRs generated

 +----------------------------------------+
 |  Changes to Dependabot Pull Requests   |
 +---------+------------------------------+
 | created | vue ( from 3.2.0 to 3.5.13 ) |
 +---------+------------------------------+

As far as I know, things are working as per the Dependabot documentation.

Could you please help me recreate this issue?

Note: updates.directory is the dependabot.yml config. Ex: https://github.com/dsp-testing/pnpm-monorepo-sample/blob/main/.github/dependabot.yml#L4

FYI @landongrindheim

thavaahariharangit avatar Nov 29 '24 15:11 thavaahariharangit

I suspect the key to reproducing might be having it update both directories/package.json files in a single PR. In our alveusgg repository we are combining directories and groups which seems to cause that?

MattIPv4 avatar Nov 29 '24 15:11 MattIPv4

> I suspect the key to reproducing might be having it update both directories/package.json files in a single PR. In our alveusgg repository we are combining directories and groups which seems to cause that?

@jakecoffman Could you please let me know your thoughts? How is this supposed to work? I could not find documentation on this.

thavaahariharangit avatar Dec 02 '24 17:12 thavaahariharangit

@MattIPv4 As we have deployed and merged this PR, please feel free to test this and reopen the issue if you are still facing it.

thavaahariharangit avatar Dec 03 '24 13:12 thavaahariharangit

~~I'm not sure how I can tell if the new version of Dependabot was used, but I recreated the problematic update PR from before, and it is still not updating the workspace lockfile correctly: https://github.com/alveusgg/alveusgg/pull/867~~

After further testing, it is working! Turns out for a pnpm monorepo, you only want to tell dependabot about the root, not the packages within: https://github.com/alveusgg/alveusgg/pull/868 / https://github.com/alveusgg/alveusgg/pull/870

MattIPv4 avatar Dec 03 '24 16:12 MattIPv4
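The failure mode reported in this thread (a PR bumps a range in a subfolder package.json while pnpm-lock.yaml keeps the old resolution) is worth catching in CI regardless of which Dependabot build is deployed, because an out-of-step lockfile means the next `pnpm install` resolves that range fresh instead of installing what was reviewed. The native check is `pnpm install --frozen-lockfile`, which fails when the lockfile no longer matches the manifests. The script below is an added example written for this page, not code from dependabot-core or from any repository linked above: it reads the `importers` section of pnpm-lock.yaml (lockfile v6/v9 layout, where each workspace package is keyed by its path relative to the repo root, "." for the root, and each dependency carries the manifest range as `specifier`) and compares every workspace manifest against it. The helper names and the sample manifests and lockfile are constructed for the example.

```python
"""Added check: does each workspace package.json agree with pnpm-lock.yaml?

pnpm records every workspace package under `importers:` in the lockfile,
keyed by its path relative to the repo root ("." for the root package), and
stores the manifest range as `specifier`. A Dependabot PR that edits
front/package.json without touching the lockfile leaves those two out of
step, which is what this script detects. Helper names are hypothetical and
the inputs below are constructed, not taken from the repos in the thread.
"""
import json


def parse_lock_specifiers(lock_text):
    """Return {importer_path: {dep_name: specifier}} from pnpm-lock.yaml text.

    Minimal indentation-based reader for the lockfile v6/v9 layout
    (importers -> <path> -> dependencies -> <name> -> specifier/version).
    It deliberately avoids PyYAML so it can run in a bare CI step.
    """
    specifiers = {}
    in_importers = False
    importer = dep = None
    for raw in lock_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")   # split at the first colon only
        key = key.strip("'\"")
        value = value.strip().strip("'\"")
        if indent == 0:                      # top-level block (importers, packages, settings)
            in_importers = key == "importers"
        elif not in_importers:
            continue
        elif indent == 2:                    # importer path, e.g. "." or "front"
            importer = key
            specifiers.setdefault(importer, {})
        elif indent == 6:                    # dependency name under (dev|optional)dependencies
            dep = key
        elif indent == 8 and key == "specifier":
            specifiers[importer][dep] = value
    return specifiers


def check_importer(importer_path, package_json_text, lock_specifiers):
    """Return [(dep, manifest_range, locked_specifier)] for every dependency whose
    range is absent from, or differs from, the lockfile. Empty list means the
    lockfile is in step with this package.json."""
    manifest = json.loads(package_json_text)
    locked = lock_specifiers.get(importer_path)
    if locked is None:
        # Directory is not a workspace package in the lockfile at all.
        return [("<importer>", importer_path, None)]
    mismatches = []
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, rng in manifest.get(section, {}).items():
            if locked.get(name) != rng:
                mismatches.append((name, rng, locked.get(name)))
    return mismatches


# Constructed inputs: the root bump landed in the lockfile, the front/ bump did not.
ROOT_PACKAGE_JSON = json.dumps({"name": "root", "dependencies": {"express": "^4.21.1"}})
FRONT_PACKAGE_JSON = json.dumps({"name": "front", "dependencies": {"vue": "^3.5.13"}})
PNPM_LOCK = """\
lockfileVersion: '9.0'

settings:
  autoInstallPeers: true

importers:

  .:
    dependencies:
      express:
        specifier: ^4.21.1
        version: 4.21.1

  front:
    dependencies:
      vue:
        specifier: ^3.2.0
        version: 3.2.0
"""


def run_sample():
    """Compare both constructed manifests against the constructed lockfile."""
    specs = parse_lock_specifiers(PNPM_LOCK)
    return {
        ".": check_importer(".", ROOT_PACKAGE_JSON, specs),
        "front": check_importer("front", FRONT_PACKAGE_JSON, specs),
    }


if __name__ == "__main__":
    for path, problems in run_sample().items():
        print(f"{path}: {'ok' if not problems else 'STALE LOCKFILE'} {problems}")
```

The importer keys map directly onto the `directories` entries discussed in the thread with the leading slash removed (`/front` in dependabot.yml is the `front` importer in the lockfile), so the same comparison can be run over every directory Dependabot is configured to update. In a real pipeline, read the files from the checkout instead of the constructed strings; a non-empty result for any importer is the signal that the PR needs a lockfile regeneration before merge.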