[CI] Warning: Dependabot does not support your npm version #6007

Open
chalin opened this issue Jan 21, 2025 · 9 comments
Labels
CI/infra CI & infrastructure

Comments

chalin commented Jan 21, 2025

Originally posted by @dependabot[bot] in #5946 (comment):

> Dependabot does not support your npm version. Because of this, Dependabot cannot update this pull request.

Anyone know how to fix this? We have https://github.com/open-telemetry/opentelemetry.io/blob/main/.nvmrc, so it shouldn't be using a deprecated version of NPM.

Any ideas @svrnm @trask et al.?

Resources:

chalin added the CI/infra (CI & infrastructure) label Jan 21, 2025

trask commented Jan 21, 2025

Maybe @open-telemetry/javascript-approvers have seen this before?

trentm commented Jan 21, 2025

I haven't seen this, no. If this is indeed because of https://github.blog/changelog/2025-01-20-dependabot-will-no-longer-support-npm-v6/ then this is very recent.

The OTel JS repos are using Renovate, rather than Dependabot, so I wouldn't expect to see it there.
I haven't (not yet, at least) seen this on other JS-y/npm-y Dependabot-using repos I work with.

I don't know how Dependabot is deciding the version of npm that is intended to be used.

trentm commented Jan 21, 2025

Some older, but possibly related, discussion at: dependabot/dependabot-core#9277

trentm commented Jan 21, 2025

```
 updater | 2025/01/21 10:52:40 ERROR <job_951243673> Dependabot detected the following npm requirement for your project: ''.

Currently, the following npm versions are supported in Dependabot: v7.*, v8.*, v9.*, v10.*.
  proxy | 2025/01/21 10:52:40 [157] POST /update_jobs/951243673/record_update_job_error
  proxy | 2025/01/21 10:52:40 [157] 204 /update_jobs/951243673/record_update_job_error
  proxy | 2025/01/21 10:52:40 [159] PATCH /update_jobs/951243673/mark_as_processed
  proxy | 2025/01/21 10:52:40 [159] 204 /update_jobs/951243673/mark_as_processed
updater | 2025/01/21 10:52:40 INFO <job_951243673> Finished job processing
updater | 2025/01/21 10:52:40 INFO Results:
Dependabot encountered '1' error(s) during execution, please check the logs for more details.
+----------------------------+
|           Errors           |
+----------------------------+
| tool_version_not_supported |
+----------------------------+
```

which looks the same as dependabot/dependabot-core#11359

From looking at the recent commits to dependabot-core in this area: https://github.com/dependabot/dependabot-core/commits/main/npm_and_yarn/
there is a lot of recent activity, including dependabot/dependabot-core@d6d0437 and linked issues around corepack usage. corepack is a Node.js core thing that attempts to put a common facade onto the various package managers (npm, pnpm, yarn). It may be that this is a temporary bug in dependabot.

Total guesses at workarounds:

trentm commented Jan 22, 2025

dependabot/dependabot-core#11359 was resolved. I wonder if this issue has gone away now.

chalin commented Jan 22, 2025

Cool, thanks for all the feedback. I think that @trask just gave it a try, but it, at the moment, is still complaining about NPM versions.

@realityking

I wonder if this is the same issue as dependabot/dependabot-core#11373 - dependabot failing if there's no package.lock file.

chalin commented Jan 23, 2025

Thanks for the link to that issue. While I'm working on getting the lock file into the repo (it isn't there yet), Dependabot was working before. I tried it again and it still isn't working. Btw, our packages file has an engines entry (you mentioned this before).

rwc commented Jan 23, 2025

This PR https://github.com/dependabot/dependabot-core/pull/11367/files updated dependabot’s lockfile handling for npm. Not sure if it’s a red herring but correlates to about the time we began experiencing the issue.

michaellisitsa added a commit to ClearCalcs/custom-diagram-boilerplate that referenced this issue Jan 29, 2025
- [Add] Lockfile added. This prevented dependabots from working. This is an issue since 20th Jan 2025 per https://github.blog/changelog/2025-01-20-dependabot-will-no-longer-support-npm-v6/. Although we don't specify an npm version, because lock files were not included, npm failed. see related issue open-telemetry/opentelemetry.io#6007 (comment).
- [bump] Update `parcel/core` to v12.12.0 to match all other parcel versions
- [Add] Add `parcel/config-default` as explicit dependency as we use this in the `.parcelrc` config. This previously worked when the repository was at v2.9.3.
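
An added example (not part of the thread and not Dependabot's code): a check that inventories the npm-version signals the comments above mention (an `engines` entry, corepack's `packageManager` field, the lock file) and compares any declared npm major against the v7 to v10 list in the log. Which of these inputs Dependabot actually reads is an assumption; `auditNpmSignals`, `firstMajor`, the finding codes and the sample package are hypothetical.

```javascript
// Added example, not Dependabot's code. Majors come from the log line
// "supported in Dependabot: v7.*, v8.*, v9.*, v10.*".
const SUPPORTED_NPM_MAJORS = [7, 8, 9, 10];

// First integer in a version or range string ("10.8.2", ">=8", "6.x").
// A rough signal only; this is not a semver range solver.
function firstMajor(text) {
  const m = /\d+/.exec(String(text ?? ''));
  return m ? Number(m[0]) : null;
}

// pkg: parsed package.json. lock: parsed package-lock.json, or null if the
// repository has no lock file. Returns a list of { code, detail } findings.
function auditNpmSignals(pkg, lock) {
  const findings = [];
  const declared = [];
  const pm = pkg.packageManager; // corepack field, e.g. "npm@10.8.2"
  if (typeof pm === 'string' && pm.startsWith('npm@')) {
    declared.push(['packageManager', pm.slice(4)]);
  }
  if (pkg.engines && typeof pkg.engines.npm === 'string') {
    declared.push(['engines.npm', pkg.engines.npm]);
  }
  if (declared.length === 0) {
    findings.push({ code: 'NO_NPM_DECLARED', detail: 'no packageManager or engines.npm entry' });
  }
  for (const [source, value] of declared) {
    if (!SUPPORTED_NPM_MAJORS.includes(firstMajor(value))) {
      findings.push({ code: 'UNSUPPORTED_DECLARED', detail: `${source} = "${value}"` });
    }
  }
  if (lock === null) {
    findings.push({ code: 'LOCKFILE_MISSING', detail: 'no package-lock.json' });
  } else if (lock.lockfileVersion === undefined || lock.lockfileVersion === 1) {
    // lockfileVersion 1 is npm v5/v6; a missing field is older still.
    // npm v7/v8 write 2 and npm v9+ write 3.
    findings.push({ code: 'LOCKFILE_V1', detail: 'lock file written by npm v6 or older' });
  }
  return findings;
}

// Constructed sample: engines pins Node only and no lock file is committed.
const SAMPLE_PKG = { name: 'example-site', engines: { node: '>=20' } };
console.log(auditNpmSignals(SAMPLE_PKG, null));
```

An empty result means every declared npm major is in the supported list and the lock file was written by npm v7 or later.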