dependabot-core

Dependabot sometimes only edits package-lock.json, not package.json

Open: adamlui opened this issue 1 year ago • 1 comment

Is there an existing issue for this?

  • [X] I have searched the existing issues

Package ecosystem

npm

Package manager version

No response

Language version

No response

Manifest location and content before the Dependabot update

https://github.com/KudoAI/chatgpt.js/blob/main/package.json
https://github.com/adamlui/js-utils/blob/main/scss-to-css/package.json

dependabot.yml content

https://github.com/KudoAI/chatgpt.js/blob/main/.github/dependabot.yml
https://github.com/adamlui/js-utils/blob/main/.github/dependabot.yml

Updated dependency

@adamlui/scss-to-css from 1.0.1 to 1.1.1
sass from 1.70.0 to 1.71.0

What you expected to see, versus what you actually saw

Expected: bumps to new dependency versions in both package.json and package-lock.json
Seen: bump to new dependency version in package-lock.json only

Native package manager behavior

When running npm update --save it updates both manifests

Images of the diff or a link to the PR, issue, or logs

https://github.com/KudoAI/chatgpt.js/pull/180
https://github.com/adamlui/js-utils/pull/4

Smallest manifest that reproduces the issue

No response

adamlui, Feb 17 '24 16:02

https://github.com/dependabot/dependabot-core/issues/2178#issuecomment-2093932026

carlincherry, May 06 '24 20:05