Dependabot changed GitHub https dependency to ssh, breaking pnpm install #7851
Comments
Also seeing this issue. It entirely breaks all Vercel previews for Dependabot PRs since pnpm install is now failing for all of them. Dependency is also a "github/" dependency exactly as above and Dependabot is converting the version field in pnpm-lock from "github/<...rest of version>" to "[email protected]+<...rest of version>".
Looks like a duplicate of #7258. See pnpm/pnpm#6050 and pnpm/pnpm#6530 for more details.
remove auto commit since it skips tests related: dependabot/dependabot-core#7258 dependabot/dependabot-core#7851 dependabot/dependabot-core#10124 pnpm/pnpm#6050 pnpm/pnpm#6530 pnpm/pnpm#8343
Is there an existing issue for this?
Package ecosystem
npm
Package manager version
pnpm 8.6.12
Language version
Node.js v20.5.1
Manifest location and content before the Dependabot update
pnpm-lock.yaml https://gist.github.com/advaith1/0e6ea682f1169e6062260fe02a965dd3
dependabot.yml content
I did not enable or configure Dependabot.
Updated dependency
github:advaith1/Spark#main, commit hash did not change
What you expected to see, versus what you actually saw
I did not enable Dependabot, but GitHub automatically enabled it on my repo and it created some PRs. All of these PRs modified an unrelated GitHub dependency from https to ssh, which broke installing, both locally and in CI.
This seems to be the opposite issue as #5071
Native package manager behavior
To fix the issue, I ran `pnpm i github:advaith1/Spark#main`, which reverted the change and converted the dependency back to https.
Images of the diff or a link to the PR, issue, or logs
The problematic Dependabot change in all 4 PRs:
The dependency updates Dependabot was doing:
Smallest manifest that reproduces the issue
No response
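An added example, not part of the original issue and not Dependabot's or pnpm's own code: a check that compares the base branch's `pnpm-lock.yaml` with a PR's and reports SSH-style git references the PR introduces, which is the change described above. The two patterns and the lockfile fragments are assumptions constructed for illustration, not taken from the issue's gist.

```javascript
// Flag SSH-style git references that a PR introduces into pnpm-lock.yaml.
// Assumption: SSH git sources show up in the lockfile in one of these forms.
const SSH_PATTERNS = [
  /git@[\w.-]+[:+]/,      // scp-like form: git@host:owner/repo or git@host+owner/repo
  /(?:git\+)?ssh:\/\//,   // URL form: ssh://... or git+ssh://...
];

// Return every line of a lockfile that contains an SSH-style git reference.
function sshGitLines(lockText) {
  return lockText
    .split(/\r?\n/)
    .map((text, i) => ({ line: i + 1, text: text.trim() }))
    .filter(({ text }) => SSH_PATTERNS.some((re) => re.test(text)));
}

// Report SSH references present in the PR's lockfile but absent from the base
// branch's, so dependencies that were already SSH-based are not flagged.
function introducedSshRefs(baseText, headText) {
  const known = new Set(sshGitLines(baseText).map((hit) => hit.text));
  return sshGitLines(headText).filter((hit) => !known.has(hit.text));
}

// Constructed lockfile fragments: same dependency, same commit, different transport.
const BASE_LOCK = [
  "dependencies:",
  "  example-lib:",
  "    specifier: github:example-org/example-lib#main",
  "    version: github.com/example-org/example-lib/0123abc",
].join("\n");

const HEAD_LOCK = [
  "dependencies:",
  "  example-lib:",
  "    specifier: github:example-org/example-lib#main",
  "    version: git@github.com+example-org/example-lib/0123abc",
].join("\n");

for (const hit of introducedSshRefs(BASE_LOCK, HEAD_LOCK)) {
  console.log(`pnpm-lock.yaml:${hit.line}: SSH git reference introduced: ${hit.text}`);
}
```

In CI, read the two lockfile versions from disk and fail the job when `introducedSshRefs` returns a non-empty list, so the transport change is caught in review rather than at `pnpm install` time.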