
npm increase mode doesn't increase package.json if lock at latest

Open broksonic21 opened this issue 2 years ago • 6 comments

Is there an existing issue for this?

  • [X] I have searched the existing issues

Package ecosystem

npm

Package manager version

10.1.0

Language version

20.9

Manifest location and content before the Dependabot update

https://github.com/broksonic21/nx-dependabot-increase/blob/main/package.json

dependabot.yml content

https://github.com/broksonic21/nx-dependabot-increase/blob/main/.github/dependabot.yml

Updated dependency

nx - in the lock it's 18.0.3, but in package.json it's ^18.0.1

What you expected to see, versus what you actually saw

I'd expect 'increase' mode to bump it to ^18.0.3 as that's later

However logs show:

updater | 2024/02/08 17:55:01 INFO <job_784823603> Checking all dependencies for version updates...
updater | 2024/02/08 17:55:01 INFO <job_784823603> Checking if nx 18.0.3 needs updating
  proxy | 2024/02/08 17:55:01 [015] GET https://registry.npmjs.org:443/nx
  proxy | 2024/02/08 17:55:01 [015] 200 https://registry.npmjs.org:443/nx
  proxy | 2024/02/08 17:55:02 [019] HEAD https://registry.npmjs.org:443/nx/-/nx-18.0.3.tgz
  proxy | 2024/02/08 17:55:02 [019] 200 https://registry.npmjs.org:443/nx/-/nx-18.0.3.tgz
updater | 2024/02/08 17:55:02 INFO <job_784823603> Latest version is 18.0.3
updater | 2024/02/08 17:55:02 INFO <job_784823603> No update needed for nx 18.0.3

Native package manager behavior

~/git/nx npx npm-check-updates
Checking /Users/REDACTED/git/nx/package.json
[====================] 2/2 100%

 nx  ^18.0.1  →  ^18.0.3

npm outdated doesn't show it as outdated, however.

Images of the diff or a link to the PR, issue, or logs

No response

Smallest manifest that reproduces the issue

https://github.com/broksonic21/nx-dependabot-increase reproduces it. Note: @jscutlery/semver depends on nx as well, which is why it's on 18.0.3 in the lock, as it bumped it.

```
~/git/nx npm ls nx
[email protected] /Users/REDACTED/git/nx
├─┬ @jscutlery/[email protected]
│ └─┬ @nx/[email protected]
│   └── [email protected] deduped
└─┬ [email protected]
  └─┬ @nrwl/[email protected]
    └── [email protected] deduped
```

broksonic21 avatar Feb 08 '24 18:02 broksonic21

Similar to https://github.com/dependabot/dependabot-core/issues/7606, albeit that was for grouped updates; this repro covers both the in-group and standalone upgrade issues.

broksonic21 avatar Feb 08 '24 18:02 broksonic21

To clarify, it was Dependabot that bumped you to 18.0.3 without also bumping package.json?

carogalvin avatar Feb 13 '24 16:02 carogalvin

@carogalvin in our private repo, yes, as 18.0.3 was a minimum version for a transitive dependency for a different npm package so it got bumped in the lock as it met the semver rule.

But not sure how that changes things. Shouldn't 'increase' always increase the lock?

broksonic21 avatar Feb 13 '24 17:02 broksonic21

Dependabot uses the lock to determine if it needs to perform an update for a package, so if the lock is already at 18.0.3 it won't perform an update to the package.json.

Just clarifying because this would be expected if it hadn't been Dependabot itself that updated the transitive dep.

carogalvin avatar Feb 13 '24 17:02 carogalvin
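The behaviour described above (the lock already satisfies the range, so the package.json floor is never raised) can be caught with a plain manifest-versus-lock comparison. The following is an added example, not code from dependabot-core or this issue's repository; it assumes a v2/v3 `package-lock.json` layout (`packages` keyed by `node_modules/<name>`) with a v1 fallback, handles only plain `^`/`~`/`>=`/exact semver specs, and uses constructed sample input that mirrors the report.

```javascript
// Added example (not dependabot's code): flag dependencies whose lockfile
// resolution has moved past the floor of the package.json range, the manifest /
// lock drift described in this issue. Sample inputs are constructed.

// Parse "1.2.3" or a simple range ("^1.2.3", "~1.2.3", ">=1.2.3") into [1, 2, 3].
// Returns null for specs that are not plain semver (git URLs, tags, wildcards).
function parseVersion(spec) {
  const m = /^[\^~>=\s]*v?(\d+)\.(\d+)\.(\d+)/.exec(String(spec));
  return m ? m.slice(1, 4).map(Number) : null;
}
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Resolved version of a top-level dependency: lockfile v2/v3 keys "packages" by
// "node_modules/<name>"; v1 lockfiles use a flat "dependencies" map.
function lockedVersion(lock, name) {
  const pkg = lock.packages && lock.packages[`node_modules/${name}`];
  if (pkg && pkg.version) return pkg.version;
  const dep = lock.dependencies && lock.dependencies[name];
  return dep ? dep.version : null;
}

// Compare each manifest range's floor with the locked version. Returns one
// { name, manifest, locked, suggested } entry per dependency whose lock is ahead;
// "suggested" keeps the original operator, i.e. ^18.0.1 -> ^18.0.3.
function findDrift(manifest, lock) {
  const drift = [];
  for (const section of ["dependencies", "devDependencies"]) {
    for (const [name, range] of Object.entries(manifest[section] || {})) {
      const floor = parseVersion(range);
      const locked = lockedVersion(lock, name);
      const resolved = locked ? parseVersion(locked) : null;
      if (!floor || !resolved) continue; // unparseable spec or not in the lock
      if (compareVersions(resolved, floor) > 0) {
        const prefix = range.match(/^[\^~>=]*/)[0];
        drift.push({ name, manifest: range, locked, suggested: `${prefix}${locked}` });
      }
    }
  }
  return drift;
}

// Constructed sample mirroring the report: ^18.0.1 in the manifest, 18.0.3 locked.
const manifest = { dependencies: { nx: "^18.0.1", "example-lib": "~2.0.0" } };
const lock = { lockfileVersion: 3, packages: { "node_modules/nx": { version: "18.0.3" },
  "node_modules/example-lib": { version: "2.0.0" } } };
console.log(findDrift(manifest, lock));
```

Run against a real checkout by replacing the two constants with `JSON.parse(fs.readFileSync(...))` of the repo's package.json and package-lock.json; a non-empty result is the inconsistency this issue asks 'increase' mode to avoid.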

Is there a pathway to get this fixed up?

https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#versioning-strategy

That definitely reads like what we want: always increase the package.json to the new version (even if semver would make it legal to only update the lock). With grouped versions, this is causing inconsistent related packages that I'd like to avoid.

broksonic21 avatar Mar 08 '24 15:03 broksonic21

Any update on this? Thanks!

broksonic21 avatar Jun 25 '24 14:06 broksonic21