Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Dependabot modifying dependency URLs causes Git clone error after upgrading to PNPM 9.4.0 #10124

Closed
CaoMeiYouRen opened this issue Jul 2, 2024 · 11 comments · Fixed by #11465
Closed

Dependabot modifying dependency URLs causes Git clone error after upgrading to PNPM 9.4.0 #10124

CaoMeiYouRen opened this issue Jul 2, 2024 · 11 comments · Fixed by #11465
Labels
L: git:submodules Git submodules L: javascript:pnpm npm packages via pnpm L: javascript

Comments

@CaoMeiYouRen
Copy link

CaoMeiYouRen commented Jul 2, 2024
edited
Loading

Hi ,
I noticed that after upgrading to PNPM 9.4.0, Dependabot is modifying the dependency URLs from https://codeload.github.com/ to git+https://[email protected], which is causing the following error:

ERROR  Command failed with exit code 128: /usr/bin/git clone [email protected]:CaoMeiYouRen/rss-parser.git /home/runner/setup-pnpm/node_modules/.bin/store/v3/tmp/_tmp_1835_81cad7a39cafa01315f02c3d60683486

CaoMeiYouRen/rss-impact-server/pull/178

This seems to be related to the way PNPM handles Git dependencies.
I would like to know if it is related to this change

Originally posted by @CaoMeiYouRen in #10073 (comment)
@deivid-rodriguez
Copy link
Contributor

Seems related to #7851, or #7258. I did have an upstream patch to propose but I was not able to finish it and did not get much attention from upstream maintainers.

@deivid-rodriguez
Copy link
Contributor

I think pnpm/pnpm#8005 may have fixed this? If that's the case, #10058 just merged a few hours ago should've done the trick (assuming it's deployed already). Can you verify?

@CaoMeiYouRen
Copy link
Author

I think pnpm/pnpm#8005 may have fixed this? If that's the case, #10058 just merged a few hours ago should've done the trick (assuming it's deployed already). Can you verify?

I don't think so, dependabot continues to open incorrect pull requests. e.g.
https://github.com/CaoMeiYouRen/rss-impact-server/pull/191/files

@jonjanego jonjanego added the L: javascript:pnpm npm packages via pnpm label Jul 8, 2024
@abdulapopoola
Copy link
Member

@CaoMeiYouRen is this still happening? I see successful Dependabot PRs in that repo

@n3dst4
Copy link

n3dst4 commented Jul 9, 2024

Looks like they got rid of their git dependencies instead: CaoMeiYouRen/rss-impact-server@b50fd76

@abdulapopoola
Copy link
Member

@n3dst4 ; yes, you're right. Thanks for the pointer

@abdulapopoola abdulapopoola moved this to Scoping in Dependabot Jul 9, 2024
@matteo-cristino
Copy link

matteo-cristino commented Jul 12, 2024
edited
Loading

I bumped in the same issue, is there any update?

@ghost ghost mentioned this issue Jul 12, 2024
Closed
@ghost
Copy link

ghost commented Jul 12, 2024

Looks like they got rid of their git dependencies instead: CaoMeiYouRen/rss-impact-server@b50fd76

@eikowagenknecht
Copy link

Same problem for me. I opened an issue with pnpm before finding this one here: pnpm/pnpm#8343 Not sure if Dependabot or pnpm needs to fix this.

@GabrielGil
Copy link

I believe PNPM is not doing a good job with this as it also mixes my dependencies to use git instead of https://codeload.github.com every time the lockfile is updated, breaking the build because due a SHH error. I will need to downgrade to v8 in my project, until a clear solution is achieved :)

The same error of pnpm/pnpm#8343 I am experiencing.

Thanks for the great work of Dependabot and PNPM's teams 🙌 🙏

@GabrielGil GabrielGil mentioned this issue Aug 1, 2024
Open
4 tasks
@gilest
Copy link

gilest commented Aug 12, 2024

Posted a workaround in pnpm/pnpm#8343 (comment)

@al al mentioned this issue Aug 13, 2024
Closed
davidtaylorhq added a commit to discourse/discourse that referenced this issue Sep 3, 2024
@davidtaylorhq
DEV: Use blob URL to install discourse/squoosh fork
1e0c1a9 
Workaround for dependabot/dependabot-core#10124
@davidtaylorhq davidtaylorhq mentioned this issue Sep 3, 2024
Merged
davidtaylorhq added a commit to discourse/discourse that referenced this issue Sep 3, 2024
@davidtaylorhq
DEV: Use blob URL to install discourse/squoosh fork (#28704)
967af18 
Workaround for dependabot/dependabot-core#10124
krmax44 added a commit to okfde/fragdenstaat_de that referenced this issue Sep 23, 2024
@krmax44
🔧 disable dependabot for frontend deps for now
37fbd54 
dependabot creates corrupt lock file entries for git dependencies. wait until that issue is resolved. see dependabot/dependabot-core#10124
@krmax44 krmax44 mentioned this issue Sep 23, 2024
Merged
krmax44 added a commit to okfde/fragdenstaat_de that referenced this issue Sep 23, 2024
@krmax44
🔧 disable dependabot for frontend deps for now
73f764d 
dependabot creates corrupt lock file entries for git dependencies. wait until that issue is resolved. see dependabot/dependabot-core#10124
bikubi pushed a commit to okfde/fragdenstaat_de that referenced this issue Sep 23, 2024
@krmax44 @bikubi
🔧 disable dependabot for frontend deps for now
bd0b1f4 
dependabot creates corrupt lock file entries for git dependencies. wait until that issue is resolved. see dependabot/dependabot-core#10124
krmax44 added a commit to okfde/froide that referenced this issue Oct 7, 2024
@krmax44
🔧 disable dependabot for frontend deps temporarily
387707a 
dependabot creates corrupt lock file entries for git dependencies. wait until that issue is resolved. see dependabot/dependabot-core#10124
krmax44 added a commit to okfde/froide that referenced this issue Oct 7, 2024
@krmax44
🔧 disable dependabot for frontend deps temporarily
355b5f6 
dependabot creates corrupt lock file entries for git dependencies. wait until that issue is resolved. see dependabot/dependabot-core#10124
TonyRL added a commit to DIYgod/RSSHub that referenced this issue Nov 5, 2024
@TonyRL
chore: pin difflib to github tarball in package.json
12e7cf9 
remove auto commit since it skips tests

related:
dependabot/dependabot-core#7258
dependabot/dependabot-core#7851
dependabot/dependabot-core#10124

pnpm/pnpm#6050
pnpm/pnpm#6530
pnpm/pnpm#8343
Gnosnay pushed a commit to Gnosnay/RSSHub that referenced this issue Nov 11, 2024
@TonyRL @Gnosnay
chore: pin difflib to github tarball in package.json
5e02223 
remove auto commit since it skips tests

related:
dependabot/dependabot-core#7258
dependabot/dependabot-core#7851
dependabot/dependabot-core#10124

pnpm/pnpm#6050
pnpm/pnpm#6530
pnpm/pnpm#8343
artefaritaKuniklo pushed a commit to artefaritaKuniklo/RSSHub that referenced this issue Dec 13, 2024
@artefaritaKuniklo
chore: pin difflib to github tarball in package.json
7f3cb0d 
remove auto commit since it skips tests

related:
dependabot/dependabot-core#7258
dependabot/dependabot-core#7851
dependabot/dependabot-core#10124

pnpm/pnpm#6050
pnpm/pnpm#6530
pnpm/pnpm#8343
@anatawa12 anatawa12 mentioned this issue Feb 2, 2025
Merged
5 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
L: git:submodules Git submodules L: javascript:pnpm npm packages via pnpm L: javascript
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

chore: bump pnpm to 9.15.5 and corepack to 0.31.0 anatawa12/dependabot-core
10 participants
@gilest @n3dst4 @abdulapopoola @GabrielGil @jonjanego @eikowagenknecht @deivid-rodriguez @CaoMeiYouRen @matteo-cristino and others