pnpm-lock.yaml incorrectly updated for url dependencies. #7656

Closed
1 task done
Jason3S opened this issue Jul 28, 2023 · 3 comments
Labels
L: javascript:pnpm npm packages via pnpm T: bug 🐞 Something isn't working

Comments

Jason3S commented Jul 28, 2023

Is there an existing issue for this?

  • I have searched the existing issues

Package ecosystem

pnpm

Package manager version

8.5.1

Language version

No response

Manifest location and content before the Dependabot update

At the root: ./package.json

dependabot.yml content

version: 2
updates:
  - package-ecosystem: "npm" # See documentation for possible values
    directory: "/" # Location of package manifests
    schedule:
      interval: "daily"

  - package-ecosystem: "github-actions"
    # Workflow files stored in the
    # default location of `.github/workflows`
    directory: "/"
    schedule:
      interval: "daily"

Updated dependency

build(deps-dev): bump inject-markdown from 1.5.0 to 2.0.0

streetsidesoftware/cspell-dicts#2376

What you expected to see, versus what you actually saw

The issues seem to arise when a version specifier contains a URL and not a version number.

dictionaries/en_US/package.json

  "devDependencies": {
    "@cspell/dict-en-shared": "workspace:*",
    "aoo-mozilla-en-dict": "https://github.com/marcoagpinto/aoo-mozilla-en-dict"
  }

The updater changes unrelated entries in the pnpm-lock.yaml file.

Example:

      aoo-mozilla-en-dict:
        specifier: https://github.com/marcoagpinto/aoo-mozilla-en-dict
-       version: github.com/marcoagpinto/aoo-mozilla-en-dict/649ef961082001eac808db982736f52aac8ebc1e
+       version: git/github.com+marcoagpinto/aoo-mozilla-en-dict/649ef961082001eac808db982736f52aac8ebc1e
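
Review bot: on the `version:` line for `aoo-mozilla-en-dict`, the specifier and the pinned commit hash are identical on both sides and only the key prefix changes, from `github.com/` to `git/github.com+`. This entry is not part of the inject-markdown bump, so the change should be dropped from the update and the lockfile entry left as pnpm wrote it.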

Native package manager behavior

pnpm doesn't change those entries.

Images of the diff or a link to the PR, issue, or logs

streetsidesoftware/cspell-dicts#2376

Smallest manifest that reproduces the issue

No response

@Jason3S Jason3S added the T: bug 🐞 Something isn't working label Jul 28, 2023
@jakecoffman jakecoffman added the L: javascript:pnpm npm packages via pnpm label Jul 28, 2023
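
A reviewer-side check for the behaviour reported above, as an added example that is not part of the issue or of Dependabot's code: it classifies each `version:` change in a pnpm-lock.yaml diff and lists changes to packages outside the bumped set. The function names, the `example-git-dep` entry and its hashes are constructed; the two key formats it recognises are the ones in the reported diff.

```ruby
# Added example (not Dependabot's code): classify `version:` changes in a
# pnpm-lock.yaml diff, separating format-only churn from a real commit re-pin.
GIT_REF = %r{\A(?:git/)?(?<host>[^/+]+)[/+](?<repo>[^/]+/[^/]+)/(?<sha>\h{40})\z}

# [host, repo, sha] for either key format shown in the issue; nil otherwise.
def parse_git_ref(value)
  m = GIT_REF.match(value)
  m && [m[:host], m[:repo], m[:sha]]
end

def classify(old_value, new_value)
  old_ref, new_ref = parse_git_ref(old_value), parse_git_ref(new_value)
  return :version_bump if old_ref.nil? && new_ref.nil?
  return :source_changed if old_ref.nil? || new_ref.nil? || old_ref[0, 2] != new_ref[0, 2]
  old_ref[2] == new_ref[2] ? :format_only : :commit_changed
end

# Pair each removed `version:` line with the added one that follows it.
def review_lock_diff(diff_text)
  name = removed = nil
  diff_text.each_line.with_object([]) do |line, findings|
    if (m = line.match(/\A[ +-]?\s*['"]?([^\s'"]+)['"]?:\s*\z/))
      name, removed = m[1], nil
    elsif (m = line.match(/\A([+-])\s*version:\s*(\S+)/))
      findings << { name: name, kind: classify(removed, m[2]) } if m[1] == "+" && removed
      removed = m[1] == "-" ? m[2] : nil
    end
  end
end

# Changes to packages the update was not supposed to touch.
def unrelated_changes(diff_text, bumped)
  review_lock_diff(diff_text).reject { |f| bumped.include?(f[:name]) }
end
# aoo-mozilla-en-dict lines are from the issue; the other entries are constructed.
SAMPLE_DIFF = <<DIFF
      inject-markdown:
-       version: 1.5.0
+       version: 2.0.0
      aoo-mozilla-en-dict:
        specifier: https://github.com/marcoagpinto/aoo-mozilla-en-dict
-       version: github.com/marcoagpinto/aoo-mozilla-en-dict/649ef961082001eac808db982736f52aac8ebc1e
+       version: git/github.com+marcoagpinto/aoo-mozilla-en-dict/649ef961082001eac808db982736f52aac8ebc1e
      example-git-dep:
-       version: github.com/example-org/example-git-dep/#{'a' * 40}
+       version: git/github.com+example-org/example-git-dep/#{'b' * 40}
DIFF
unrelated_changes(SAMPLE_DIFF, ["inject-markdown"]).each { |f| puts "#{f[:name]}: #{f[:kind]}" }
```

A `:format_only` result is noise to be rejected from the update; `:commit_changed` or `:source_changed` on a package outside the bumped set means the lockfile now pins different code and needs a manual look.
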
@mindrunner

npm_lockfile_updater.rb has some special handling for git-urls which seems to be absent in pnpm_lockfile_updater.rb

I am not super solid in Ruby, nor did I set up a Dependabot dev env yet. But I would really love this to be fixed. Anyone who can help out? I am sure that's a quick thing for someone who is a bit more familiar with the setup here.

@abdulapopoola
Member

@Jason3S and @mindrunner, this should be fixed by the upstream contribution. Please reopen if this still repros.

@Jason3S
Author

Jason3S commented Feb 3, 2025

@abdulapopoola,

I'm happy to hear that. I'm looking forward to having it work.
