-
Notifications
You must be signed in to change notification settings - Fork 533
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
handling package-lock.json updates #1806
Comments
It might be helpful to compare equivalent PRs from renovate and dependabot. One current example is for updating axios from 0.x to 1.x:
Notice that the renovate one is also "undoing" some of those second hunk changes, e.g.: (Aside: There is some serious undocumented voodoo in what dependabot is and is not doing to update package-lock.json files!) |
Yes it also looks to me like the second part of changes should not have been part of the renovate PR (#1723). I was actually assuming that it was doing a
Interstingly also in #1810, when it actually updates the patch versions, the dependencies in the Another thing I've seen: when taking the Somewhat releated: another side effect from using the |
I was able to reproduce the behavior that I saw in #1810 with a repo containing two packages and a top-level The two packges are set up as follows:
Here's the PR renovate created on my reproducer repo: pichlermarc-sample-organization/repro-1806#6 This PR
When switching to that branch, then running |
I created a discussion there as that is the recommended way to report bugs/problems, here's the link: |
@trentm it looks like in the PRs you linked dependabot did the right thing, unless I am misunderstanding. maybe the easiest solution is just to switch to dependabot? |
@dyladan I think almost. Yes the dependabot PR (#1801) did the right thing for those "second hunk" changes, so that is better. However what is going on here? That sure seems like a dependabot bug. If you checkout the branch for that PR and run diff --git a/package-lock.json b/package-lock.json
index 23eebcbe..0709ee84 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -36311,7 +36311,7 @@
"@opentelemetry/contrib-test-utils": "^0.34.3",
"@opentelemetry/sdk-trace-base": "^1.8.0",
"@types/mocha": "7.0.2",
- "@types/mysql2": "git+ssh://[email protected]/types/mysql2.git#89378b2cb3974ea8cdd1d633b8f056e54e5d2384",
+ "@types/mysql2": "github:types/mysql2",
"@types/node": "18.6.5",
"@types/semver": "7.5.3",
"mocha": "7.2.0",
@@ -45086,7 +45086,7 @@
"@opentelemetry/semantic-conventions": "^1.0.0",
"@opentelemetry/sql-common": "^0.40.0",
"@types/mocha": "7.0.2",
- "@types/mysql2": "git+ssh://[email protected]/types/mysql2.git#89378b2cb3974ea8cdd1d633b8f056e54e5d2384",
+ "@types/mysql2": "github:types/mysql2",
"@types/node": "18.6.5",
"@types/semver": "7.5.3",
"mocha": "7.2.0", That said, having a dependency on a github repo branch -- So, I'm inclined to say dependabot is doing a better job, but still has bugs we might have to workaround. For example, we might need/want to avoid dependencies other than version ranges. workaround for
|
So, a possible path forward is:
|
Types are included in 'mysql2' now (as of some 2.x release). The github:types/mysql2 dependency is problematic for dependabot version updates. See: open-telemetry#1806 (comment)
Types are included in 'mysql2' now (as of some 2.x release). The github:types/mysql2 dependency is problematic for dependabot version updates. See: open-telemetry#1806 (comment)
Types are included in 'mysql2' now (as of some 2.x release). The github:types/mysql2 dependency is problematic for dependabot version updates. See: #1806 (comment) Co-authored-by: Marc Pichler <[email protected]>
…lemetry#1812) Types are included in 'mysql2' now (as of some 2.x release). The github:types/mysql2 dependency is problematic for dependabot version updates. See: open-telemetry#1806 (comment) Co-authored-by: Marc Pichler <[email protected]>
Has there been any more discussion about whether to continue to use renovate, or to switch to dependabot? (I was looking at dependabot security alerts, and one of them would be fixed by upgrading mocha from v7 to v10. Originally that update PR (#1007) was closed because at the time it bumped the mocha min-supported Node.js beyond what this repo supported. However, since then this repo has bumped its min node version such that mocha v10 would be fine. I'm not sure whether to consider re-opening that renovate PR, or to look for an equivalent dependabot PR.) |
There has not been any discussion on it as far as I'm aware. I was hoping that the discussion I created in the renovate repo would yield some results, (last time I filed a bug with them they were very quick to respond and fix it - but the one I found back then was also higher priority), which would have enabled us to stick with renovate without changing anything. Since it's been 10 days, I think not waiting anymore and switching to dependabot is reasonable, with the new grouping feature we should be able to replicate renovate bot's behavior. I'll create an issue (Created #1827) (EDIT: yes we should update mocha if possible, let's try to use an equivalent dependabot PR) |
Closing this, because I think it'll be resolved via #1827. |
@pichlermarc I'm not sure what the right thing to do for package-lock.json updates is with the following.
#1771 went in, adding the package-lock.json file.
Then, the #1723 renovate PR was just merged. Looking at just a part of that change:
systeminformation
from5.21.15
to5.21.17
. That's well and good.dependencies["systeminformation"]
value for what I had understood was meant to be a cache of the value in "packages/opentelemetry-host-metrics/package.json". However the value in those two files are no longer the same thing. (My understanding comes from the somewhat loose docs of the package-lock.json format here -- https://docs.npmjs.com/cli/v9/configuring-npm/package-lock-json#packages -- and from the following commands.)If one gets the latest and tries to regenerate the package-lock.json file:
The result is this diff that undoes all those second hunk changes:
trentm@81ea8df
I came across this same issue with sync'ing the "package-lock.json" file when trying to update my PR #1763 now that there is a package-lock.json file. The latest commit there is also "undoing" those renovate second hunk changes:
b0b74e0
Is it possible that renovate changes, like #1723, are not updating package-lock.json correctly?
The text was updated successfully, but these errors were encountered: