incorrectly updates pnpm lock `specifier` for versions specified in workspace catalog
Is there an existing issue for this?
- [x] I have searched the existing issues
Package ecosystem
pnpm
Package manager version
9.15.14
Language version
Node.js 22.13.0
Manifest location and content before the Dependabot update
No response
dependabot.yml content
No response
Updated dependency
No response
What you expected to see, versus what you actually saw
Dependabot updates both the specifier and the version, which then causes `pnpm dedupe --check` to fail because the specifier is out of sync with what is in `pnpm-workspace.yaml#/catalog`.
Native package manager behavior
No response
Images of the diff or a link to the PR, issue, or logs
No response
Smallest manifest that reproduces the issue
Any version range for a package specified in `pnpm-workspace.yaml`, with an accompanying valid specifier and version in `pnpm-lock.yaml`, that will cause an update in the lock file (this is similar to #11953, except that the issue for me isn't that the catalog isn't updated but that Dependabot updates the specifier when it only needs to update the version, from what I can tell; otherwise dedupe checks fail).
~This also occurs with pnpm 10.x~ This is fixed as of 10.12! Thank you 🎉
Not sure if related, but when Dependabot is updating a dependency defined in the catalog I get:
```
ERR_PNPM_OUTDATED_LOCKFILE Cannot install with "frozen-lockfile" because pnpm-lock.yaml is not up to date with <ROOT>/package.json
Note that in CI environments this setting is true by default. If you still need to run install in such cases, use "pnpm install --no-frozen-lockfile"
Failure reason:
specifiers in the lockfile don't match specifiers in package.json:
* 1 dependencies are mismatched:
  - vite (lockfile: 7.1.3, manifest: catalog:)
```
After locally running pnpm install the issue is resolved.
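To make the failure mode in the report and in the comment above concrete, here is an added example (not code from the reporter, from Dependabot, or from pnpm) that models the three files involved as plain dictionaries and runs the specifier check that produces the quoted `ERR_PNPM_OUTDATED_LOCKFILE` message. The catalog, manifest and lockfile contents are constructed for the example; the `vite` versions match the ones in the comment. It also contrasts the reported update (specifier overwritten with `7.1.3`) with a catalog-aware update (catalog range and locked version bumped, specifier left as `catalog:`). The caret-range handling and the choice to keep a `^` range when bumping the catalog are assumptions of this example, not pnpm or Dependabot behaviour.

```python
"""Added example for this issue thread: check that pnpm-lock.yaml importer specifiers agree
with package.json and pnpm-workspace.yaml#/catalog, and contrast a specifier-rewriting
update with a catalog-aware one. All data below is constructed; this is not the reporter's
repository, nor pnpm's or Dependabot's own code."""
from typing import Dict, List, Tuple

LockDeps = Dict[str, Dict[str, str]]

# Constructed sample of pnpm-workspace.yaml#/catalog (the default catalog).
CATALOG: Dict[str, str] = {"vite": "^7.1.2"}

# Constructed sample of the root package.json "dependencies".
MANIFEST_DEPS: Dict[str, str] = {"vite": "catalog:"}

# Constructed sample of pnpm-lock.yaml importers['.'].dependencies before any update.
LOCK_BEFORE: LockDeps = {"vite": {"specifier": "catalog:", "version": "7.1.2"}}


def parse_semver(version: str) -> Tuple[int, int, int]:
    """Parse a plain 'MAJOR.MINOR.PATCH' string (pre-release tags are out of scope; assumption)."""
    parts = version.split(".")
    if len(parts) != 3:
        raise ValueError(f"unsupported version string: {version!r}")
    return int(parts[0]), int(parts[1]), int(parts[2])


def satisfies_caret(version: str, rng: str) -> bool:
    """Minimal range check: '^X.Y.Z' means same major and >= X.Y.Z (major >= 1 assumed);
    anything else is treated as an exact pin. Other range syntax is out of scope (assumption)."""
    if rng.startswith("^"):
        floor = parse_semver(rng[1:])
        v = parse_semver(version)
        return v[0] == floor[0] and v >= floor
    return parse_semver(version) == parse_semver(rng)


def check_lockfile(manifest: Dict[str, str], lock: LockDeps, catalog: Dict[str, str]) -> List[str]:
    """Return mismatch lines in the format pnpm prints; [] means a frozen install would pass.

    Check 1 (the one behind the quoted error): the lockfile 'specifier' must equal the manifest
    specifier exactly, so 'catalog:' in package.json must still read 'catalog:' in the lockfile.
    Check 2 (stricter, added here): for 'catalog:' entries the locked version must satisfy the
    catalog range, so a locked version that drifted outside the range is also reported."""
    problems: List[str] = []
    for name, spec in manifest.items():
        entry = lock.get(name)
        if entry is None:
            problems.append(f"- {name} (lockfile: <missing>, manifest: {spec})")
            continue
        if entry["specifier"] != spec:
            problems.append(f"- {name} (lockfile: {entry['specifier']}, manifest: {spec})")
            continue
        if spec == "catalog:":
            rng = catalog.get(name)
            if rng is None:
                problems.append(f"- {name} is 'catalog:' but missing from pnpm-workspace.yaml#/catalog")
            elif not satisfies_caret(entry["version"], rng):
                problems.append(f"- {name} locked at {entry['version']} does not satisfy catalog range {rng}")
    return problems


def specifier_rewriting_update(lock: LockDeps, name: str, new_version: str) -> LockDeps:
    """Models the behaviour reported in the issue: the lockfile specifier is overwritten with the
    concrete version, so it no longer reads 'catalog:' and the frozen-lockfile check fails."""
    updated = {k: dict(v) for k, v in lock.items()}
    updated[name] = {"specifier": new_version, "version": new_version}
    return updated


def catalog_aware_update(lock: LockDeps, catalog: Dict[str, str], name: str,
                         new_version: str) -> Tuple[LockDeps, Dict[str, str]]:
    """Models the expected behaviour: bump the catalog range and the locked version, and leave the
    'catalog:' specifier untouched. Keeping a caret range is an assumption of this example."""
    new_catalog = dict(catalog)
    new_catalog[name] = "^" + new_version
    updated = {k: dict(v) for k, v in lock.items()}
    updated.setdefault(name, {"specifier": "catalog:"})["version"] = new_version
    return updated, new_catalog


if __name__ == "__main__":
    print("before update:", check_lockfile(MANIFEST_DEPS, LOCK_BEFORE, CATALOG))
    bad = specifier_rewriting_update(LOCK_BEFORE, "vite", "7.1.3")
    print("after specifier-rewriting update:", check_lockfile(MANIFEST_DEPS, bad, CATALOG))
    good, new_catalog = catalog_aware_update(LOCK_BEFORE, CATALOG, "vite", "7.1.3")
    print("after catalog-aware update:", check_lockfile(MANIFEST_DEPS, good, new_catalog))
```

Running the script prints an empty list before the update, the single `- vite (lockfile: 7.1.3, manifest: catalog:)` line after the specifier-rewriting update, and an empty list again after the catalog-aware update. The same comparison is what a CI job effectively performs with `pnpm install --frozen-lockfile`, which is why running `pnpm install` locally (which rewrites the specifier back to `catalog:`) makes the error go away.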