
Dependabot does not support devEngines spec

Open wrslatz opened this issue 1 month ago • 4 comments

Is there an existing issue for this?

  • [x] I have searched the existing issues

Package ecosystem

npm

Package manager version

11

Language version

Node.js 24

Manifest location and content before the Dependabot update

https://github.com/github-community-projects/private-mirrors/blob/30590c4db4f8467c7aa0764955ff97e954f84620/package.json#L87-L91

dependabot.yml content

version: 2
updates:
  - package-ecosystem: 'npm'
    directory: '/'
    schedule:
      interval: 'weekly'
    commit-message:
      prefix: 'chore'
      prefix-development: 'chore'
      include: 'scope'
    groups:
      dependencies:
        applies-to: version-updates
        update-types:
          - 'minor'
          - 'patch'
  - package-ecosystem: 'docker'
    directory: '/'
    schedule:
      interval: 'weekly'
    commit-message:
      prefix: 'chore'
      prefix-development: 'chore'
      include: 'scope'
    groups:
      dependencies:
        applies-to: version-updates
        update-types:
          - 'minor'
          - 'patch'
  - package-ecosystem: 'github-actions'
    directory: '/'
    schedule:
      interval: 'weekly'
    commit-message:
      prefix: 'chore'
      prefix-development: 'chore'
      include: 'scope'
    groups:
      dependencies:
        applies-to: version-updates
        update-types:
          - 'minor'
          - 'patch'

Updated dependency

npm group (any npm or yarn dependency)

What you expected to see, versus what you actually saw

Dependabot is able to update the dependency. I expect this is due to https://github.com/nodejs/corepack/issues/729. It seems like specifying devEngines as an array is a workaround.

Native package manager behavior

npm is able to install and update dependencies just fine with the devEngines defined the way they are

Images of the diff or a link to the PR, issue, or logs

https://github.com/github-community-projects/private-mirrors/actions/runs/19980055193/job/57304745358

Smallest manifest that reproduces the issue

A basic package.json with devEngines defined according to https://github.com/openjs-foundation/package-metadata-interoperability-collab-space/blob/main/devengines-field-proposal.md

wrslatz avatar Dec 06 '25 01:12 wrslatz

https://github.com/nextcloud-libraries/nextcloud-vite-config/issues/679, https://github.com/nextcloud-libraries/nextcloud-vite-config/commit/64400cd976c9159d41eadcbd1218b85615d0bb27

wrslatz avatar Dec 06 '25 02:12 wrslatz

@wrslatz thank you for your accurate description, and providing all necessary files in order to reproduce the issue. https://github.com/github-community-projects/private-mirrors/blob/main/package.json#L91C4-L92C1

In your repo you have set the version field as a range; the error message coming from dependabot reflects corepack behavior: "Error: Invalid package manager specification in package.json (npm@^10 || ^11); expected a semver version"

https://github.com/nodejs/corepack/blob/main/sources/specUtils.ts#L40-42

"devEngines": {
  "runtime": {
    "name": "node",
    "version": "^18 || ^20 || ^22",
    "onFail": "warn"
  },
  "packageManager": [
    {
      "name": "npm",
      "version": "^10 || ^11",
      "onFail": "warn"
    }
  ]
}

Also, packageManager can be an object, but not an array of objects.

Corepack needs something like:

"devEngines": {
  "packageManager": {
    "name": "npm",
    "version": "11.6.2",
    "onFail": "warn"
  }
}

runtime.version has the same problem: although some tools may ignore it, for strict Corepack enforcement it is invalid.

a-schur avatar Dec 09 '25 19:12 a-schur

Makes sense. Seems like this needs to be fixed upstream in corepack, since it doesn't seem to align to the spec.

wrslatz avatar Dec 10 '25 01:12 wrslatz

@wrslatz I need to revise my previous inaccurate comment:

https://github.com/openjs-foundation/package-metadata-interoperability-collab-space/blob/main/devengines-field-proposal.md

It does show that an array of objects is acceptable: packageManager?: DevEngineDependency | DevEngineDependency[];

It also claims that "The version field syntax would match that defined for [engines.node](https://docs.npmjs.com/cli/v10/configuring-npm/package-json#engines)", so something like ">= 16.0.0 < 22" or ">= 20".

So the range should also work. We are investigating if there is something we can do from our side about this.

a-schur avatar Dec 10 '25 17:12 a-schur
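The two comments above describe two readings of the same manifest: the proposal accepts an object or an array and semver ranges, while Corepack's strict parsing (per the quoted error) wants a single exact version. The following is an added example, not code from dependabot-core or Corepack, that lints a package.json devEngines block against both readings so a repo can spot the mismatch before an update job fails; EXACT_SEMVER is a simplified assumption, not Corepack's actual parser.

```javascript
// Added example, not code from dependabot-core or Corepack: lint the
// "devEngines" block of a package.json against the two readings in this
// thread. Spec (devengines-field-proposal.md): packageManager is an object
// or an array of objects and "version" may be a semver range, like
// engines.node. Corepack, per the error quoted above, wants one exact
// semver version. EXACT_SEMVER is a simplified assumption, not Corepack's parser.

const EXACT_SEMVER = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

function toArray(value) {
  if (value === undefined || value === null) return [];
  return Array.isArray(value) ? value : [value];
}

// One finding per entry: is it valid under the spec, and would strict Corepack also accept it?
function lintDevEngines(pkg) {
  const dev = (pkg && pkg.devEngines) || {};
  const findings = [];
  for (const field of ['runtime', 'packageManager']) {
    for (const entry of toArray(dev[field])) {
      const name = entry && entry.name;
      const version = entry && entry.version;
      const specOk = typeof name === 'string' && typeof version === 'string';
      const corepackOk = specOk && EXACT_SEMVER.test(version.trim());
      let reason = 'ok';
      if (!specOk) reason = 'entry needs string "name" and "version"';
      else if (!corepackOk) reason = `"${version}" is a range; strict Corepack expects an exact version such as 11.6.2`;
      findings.push({ field, name, version, specOk, corepackOk, reason });
    }
  }
  return findings;
}

// Sample manifest constructed from the devEngines block quoted earlier in this thread.
const SAMPLE_PKG = {
  devEngines: {
    runtime: { name: 'node', version: '^18 || ^20 || ^22', onFail: 'warn' },
    packageManager: [{ name: 'npm', version: '^10 || ^11', onFail: 'warn' }],
  },
};

for (const f of lintDevEngines(SAMPLE_PKG)) {
  console.log(`${f.field} ${f.name}@${f.version}: spec=${f.specOk} corepack=${f.corepackOk} (${f.reason})`);
}
```

Both sample entries pass the spec check and fail the Corepack check, which matches the "expected a semver version" error in the thread; pinning packageManager.version to an exact release turns the second finding green.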

I think this might be breaking dependabot update PRs still with the workaround. See https://github.com/github-community-projects/private-mirrors/pull/395. The PR gets created but the lock file seems to be invalid. I confirmed the build step uses the Node.js and npm version based on .nvmrc that are compatible with the devEngines but I can't tell what version of npm dependabot ended up using in the update workflow (happy to share logs if needed). I'll keep debugging in the meantime.

wrslatz avatar Dec 13 '25 19:12 wrslatz