
Dependabot unable to generate package-lock with subdependency even with existing dependency range allows it

Open PythonCoderAS opened this issue 3 years ago • 2 comments

Package ecosystem

npm

Package manager version

npm 8

Language version

node 17.3

Manifest location and content prior to update

/package-lock.json: https://github.com/HealthScreening/HealthScreeningBot/blob/35a156e093798083409723908a62c8dbde485bb7/package-lock.json

dependabot.yml content

https://github.com/HealthScreening/HealthScreeningBot/blob/35a156e093798083409723908a62c8dbde485bb7/.github/dependabot.yml

Updated dependency

axios --> follow-redirects

What you expected to see, versus what you actually saw

follow-redirects has a vulnerability, so it should get updated to the latest version. However, Dependabot security is unable to make the upgrade because it is required by a subdependency, axios. Axios has the dependency at ^1.14.4, and I am trying to upgrade to 1.14.7, so it is in range.

Native package manager behavior

It correctly overwrites the subdependency.

Images of the diff or a link to the PR, issue or logs

🕹 Bonus points: Smallest manifest that reproduces the issue

PythonCoderAS avatar Jan 14 '22 17:01 PythonCoderAS
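To triage a report like this one, it helps to check from the lockfile itself whether the target version of the transitive package still satisfies every dependent's declared range. The script below is an added example (not code from the issue or from dependabot-core); the lockfile fragment is constructed to mirror the report, and only exact versions and caret ranges are handled.

```javascript
// Added example: given a package-lock.json object (lockfileVersion 2/3 "packages"
// map), decide whether bumping a transitive dependency to `target` stays inside
// every dependent's declared range. Handles exact versions and "^x.y.z" only.

const parse = (v) => v.replace(/^[\^~]/, '').split('.').map(Number);

// Compare two dotted versions; negative, zero or positive like a comparator.
function cmp(a, b) {
  const [pa, pb] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Minimal semver check: "1.2.3" is exact, "^1.2.3" means >=1.2.3 <2.0.0.
// Assumption: ^0.x ranges are treated as non-bumpable to keep this short.
function satisfies(version, range) {
  if (!range.startsWith('^')) return cmp(version, range) === 0;
  const base = range.slice(1);
  const major = parse(base)[0];
  if (major === 0) return false;
  return cmp(version, base) >= 0 && parse(version)[0] === major;
}

// Returns the currently locked version of `name`, the dependents whose range
// does not admit `target`, and whether the bump is in range for all of them.
function checkBump(lock, name, target) {
  const locked = lock.packages[`node_modules/${name}`]?.version ?? null;
  const blockers = [];
  for (const [path, pkg] of Object.entries(lock.packages)) {
    const range = pkg.dependencies?.[name];
    if (range && !satisfies(target, range)) {
      blockers.push({ dependent: path || '(root)', range });
    }
  }
  return { locked, blockers, inRange: blockers.length === 0 };
}

// Constructed lockfile fragment: axios declares follow-redirects ^1.14.4 while
// the lock pins an older patch release (the 1.14.5 value is made up here).
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'app', dependencies: { axios: '^0.24.0' } },
    'node_modules/axios': { version: '0.24.0', dependencies: { 'follow-redirects': '^1.14.4' } },
    'node_modules/follow-redirects': { version: '1.14.5' },
  },
};

console.log(checkBump(sampleLock, 'follow-redirects', '1.14.7'));
```

Feed it `JSON.parse(fs.readFileSync('package-lock.json'))` instead of `sampleLock` to run it against a real lockfile; an empty `blockers` list means the security bump is in range and a lockfile-only update should be possible.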

👋 This issue has been marked as stale because it has been open for 2 years with no activity. You can comment on the issue to hold stalebot off for a while, or do nothing. If you do nothing, this issue will be closed eventually by the stalebot. Please see CONTRIBUTING.md for more policy details.

github-actions[bot] avatar Mar 30 '25 00:03 github-actions[bot]

This is still an issue.

PythonCoderAS avatar Apr 03 '25 13:04 PythonCoderAS

@PythonCoderAS I tested this in a test repository and I can see follow-redirects getting an update in the package-lock.json file. Attaching screenshots below:

dependabot.yml:

{
  "name": "test-npm-subdependency-issue",
  "version": "1.0.0",
  "description": "Test case for reproducing Dependabot npm subdependency update issue",
  "main": "index.js",
  "dependencies": {
    "axios": "0.24.0"
  },
  "engines": {
    "node": ">=16.0.0"
  }
}

Can you please confirm if the issue is still reproducible and I'll have another look at this. Thanks!

AbhishekBhaskar avatar Dec 16 '25 21:12 AbhishekBhaskar

Hello, this project has been archived for years, and limited testing shows that it does work now.

PythonCoderAS avatar Dec 17 '25 00:12 PythonCoderAS