
semver based ignoring / grouping doesn't work without package-lock.json

Open EdJoPaTo opened this issue 1 year ago • 2 comments

Is there an existing issue for this?

  • [X] I have searched the existing issues

Package ecosystem

npm

Package manager version

10.5

Language version

18

Manifest location and content before the Dependabot update

/package.json

dependabot.yml content

version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    open-pull-requests-limit: 30
    schedule:
      interval: "weekly"
      day: "saturday"
      time: "02:42" # UTC
    commit-message:
      prefix: "build(npm):"
    ignore:
      - dependency-name: "@types/node"
        update-types: ["version-update:semver-major"]

Updated dependency

bump @types/node from 18.19.31 to 20.12.8

What you expected to see, versus what you actually saw

ignore:
  - dependency-name: "@types/node"
    update-types: ["version-update:semver-major"]

Versions within 18 can be updated, but 19 or 20 are major updates that should have been ignored and were ignored in the past.

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

https://github.com/EdJoPaTo/typescript-node-module-template/pull/47

In the logs it looks like it knows not to update semver-major. Interestingly there are two spaces after the package name and I assume it should show the current version there so it might fail on that? The PR knows the last version, so I'm not sure on that.

updater | 2024/05/04 02:13:38 INFO <job_823752064> Checking if @types/node  needs updating
2024/05/04 02:13:38 INFO <job_823752064> Ignored versions:
updater | 2024/05/04 02:13:38 INFO <job_823752064>   version-update:semver-major - from .github/dependabot.yml
  proxy | 2024/05/04 02:13:38 [947] GET https://registry.npmjs.org:443/@types%2Fnode
  proxy | 2024/05/04 02:13:38 [947] 200 https://registry.npmjs.org:443/@types%2Fnode
  proxy | 2024/05/04 02:13:39 [949] HEAD https://registry.npmjs.org:443/@types/node/-/node-20.12.8.tgz
  proxy | 2024/05/04 02:13:39 [949] 200 https://registry.npmjs.org:443/@types/node/-/node-20.12.8.tgz
updater | 2024/05/04 02:13:39 INFO <job_823752064> Latest version is 20.12.8

Smallest manifest that reproduces the issue

Untested but likely this:

version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    ignore:
      - dependency-name: "@types/node"
        update-types: ["version-update:semver-major"]

EdJoPaTo avatar May 08 '24 07:05 EdJoPaTo

Dependency grouping based on semver does not work without package-lock.json. When there is a package-lock.json it works and shows current versions in the log.

As dependabot worked without a package-lock.json in the past this is likely a regression.

#9492 has another issue based on the missing package-lock.json.

EdJoPaTo avatar May 08 '24 17:05 EdJoPaTo
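To make the reported failure mode concrete, here is an added, hypothetical re-implementation of a `version-update:semver-major` ignore check (example code, not dependabot-core's own). It assumes that without a package-lock.json the updater has no resolved current version (consistent with the blank after `@types/node` in the log above), and shows how falling back to the lower bound of the package.json range lets the ignore rule match again; the version list is constructed.

```python
import re
from typing import Optional

Version = tuple[int, int, int]
SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_version(text: str) -> Version:
    m = SEMVER.match(text.strip())
    if not m:
        raise ValueError(f"not a plain x.y.z version: {text!r}")
    return (int(m[1]), int(m[2]), int(m[3]))


def range_lower_bound(requirement: str) -> Optional[Version]:
    # "^18.19.31" / "~18.19.31" / "18.19.31" -> 18.19.31; "*" or "latest" -> None
    m = SEMVER.match(requirement.strip().lstrip("^~>= "))
    return parse_version(m[0]) if m else None


def update_type(current: Version, candidate: Version) -> str:
    if candidate[0] != current[0]:
        return "version-update:semver-major"
    if candidate[1] != current[1]:
        return "version-update:semver-minor"
    return "version-update:semver-patch"


def select_update(requirement: str, locked: Optional[str], available: list[str],
                  ignored_types: set[str], fall_back_to_range: bool) -> Optional[str]:
    # Resolve the "current" version: the lockfile if present, otherwise (only when
    # fall_back_to_range is set) the lower bound of the package.json range.
    current = parse_version(locked) if locked else (
        range_lower_bound(requirement) if fall_back_to_range else None)
    for cand in sorted((parse_version(v) for v in available), reverse=True):
        if current is not None and cand <= current:
            continue
        # Failure mode from the report: with no current version the update type
        # cannot be classified, so a type-based ignore rule silently never matches.
        if current is not None and update_type(current, cand) in ignored_types:
            continue
        return "%d.%d.%d" % cand
    return None


# Constructed sample registry data (not a real @types/node version list).
AVAILABLE = ["18.19.31", "18.19.33", "19.0.0", "20.12.8"]
IGNORED = {"version-update:semver-major"}

if __name__ == "__main__":
    print(select_update("^18.19.31", None, AVAILABLE, IGNORED, fall_back_to_range=False))  # 20.12.8
    print(select_update("^18.19.31", None, AVAILABLE, IGNORED, fall_back_to_range=True))   # 18.19.33
```

The first call reproduces the unwanted major bump from the report; the second keeps the update inside the 18.x line, which is what the ignore rule was meant to enforce.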

The first PRs about this that I have are from 2024-04-06. I run them weekly, so whatever caused this regression was in the week before that.

EdJoPaTo avatar May 11 '24 10:05 EdJoPaTo

I can confirm the issue as reported on the Azure DevOps extension as well. It's annoying because then dependabot proposes plenty of upgrades on the package-lock.json while it depends on the version of the libs in the package.json, and upgrading versions in the latter would likely fix the package-lock.json...

rdehouss avatar Aug 01 '24 11:08 rdehouss