NPM version detection broken #11234
Comments
+1

Not sure if this is the same issue, but we've noticed dependabot fails to resolve the npm version and errors assuming the version is empty, even though it previously detects 9.6.5.

We are having the same issue where Dependabot suddenly says our npm version is not supported. This started happening yesterday.

We ran into the same error in multiple repositories. It started happening from 21.01.2025 on.

+1 on this - running into the exact same thing where it's claiming the but only on one repo, even though the rest are the exact same configuration. Having engines or not doesn't seem to change it.
The same issue arises when dependabot is used with nodejs monorepos. This is my dependabot.yml:

```yaml
version: 2
updates:
  - package-ecosystem: 'npm'
    directory: '/'
    schedule:
      interval: 'daily'
    open-pull-requests-limit: 30
    labels:
      - 'dependencies'
      - 'npm'
    versioning-strategy: auto
  - package-ecosystem: 'npm'
    directory: '/apps/backend'
    schedule:
      interval: 'daily'
    labels:
      - 'dependencies'
      - 'npm'
      - 'backend'
  - package-ecosystem: 'npm'
    directory: '/packages/db'
    schedule:
      interval: 'daily'
    labels:
      - 'dependencies'
      - 'npm'
      - 'db'
```

It only updates for the root.
I am also having the same issue.

Hi everyone, the PR addressing the npm version detection issue has been shipped. Could you test your repositories and let us know if the problem is resolved? If not, please share details or logs here for further investigation.

Restarted a job, same issue for our jobs.
Packages that define an engines range like this, without a

```json
"engines": {
  "node": ">=19.0.0",
  "npm": ">=9.0.0"
},
```

stopped working last week, and started working again after the fix that just went out. However, repos that don't define an npm engine range and also don't have a lockfile still don't work, and stopped working last week. Essentially, repos that don't define an npm engines range, or just define their node version range, now have broken dependabot integrations. It's really important that these repos continue to get updates. Failing to find a specific range shouldn't result in an error. Can you make it so that repos that don't define an npm engine range or have a lockfile work by default, by selecting some default working version of npm? Omitting this field definitely doesn't mean "use npm 6 or lower".
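The behaviour the comment above asks for (and the `engine-strict=true` case from the issue description further down) can be illustrated with a small version-selection routine. This is an added example, not code from this issue or from dependabot-core; `DEFAULT_NPM`, `selectNpm` and the `engineStrict` option are assumptions for the example, and only the `>=X[.Y[.Z]]` and exact-version range shapes that appear in this thread are handled.

```javascript
// Added example, not code from the Dependabot issue or from dependabot-core.
// Shows npm-version selection against package.json "engines" that falls back
// to a default instead of erroring when no npm range is declared. Only the
// range shapes seen in this thread are supported: ">=X", ">=X.Y", ">=X.Y.Z"
// and an exact "X[.Y[.Z]]"; anything else is rejected explicitly.

// Assumed default npm for repositories that declare no engines.npm range
// (constructed for the example; not what Dependabot actually uses).
const DEFAULT_NPM = '10.8.2';

// Parse "X", "X.Y" or "X.Y.Z" into a 3-element array of integers.
function parseVersion(v) {
  const parts = String(v).trim().split('.').map((n) => parseInt(n, 10));
  if (parts.length < 1 || parts.length > 3 || parts.some(Number.isNaN)) {
    throw new Error(`invalid version: ${v}`);
  }
  while (parts.length < 3) parts.push(0);
  return parts;
}

// Lexicographic comparison of two parsed versions: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i += 1) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True if `version` satisfies `range` (">=X[.Y[.Z]]" or an exact "X[.Y[.Z]]").
function satisfies(version, range) {
  const m = /^(>=)?\s*(\d+(?:\.\d+){0,2})$/.exec(String(range).trim());
  if (!m) throw new Error(`unsupported range syntax: ${range}`);
  const cmp = compareVersions(parseVersion(version), parseVersion(m[2]));
  return m[1] === '>=' ? cmp >= 0 : cmp === 0;
}

// Decide which npm to run for a repository.
//   pkg                parsed package.json (may lack "engines")
//   installed          npm version already present on the runner, e.g. '9.6.5'
//   opts.engineStrict  mirrors .npmrc engine-strict=true
// Returns { version, source } so a caller can log why a version was chosen.
function selectNpm(pkg, installed, opts = {}) {
  const range = pkg && pkg.engines && pkg.engines.npm;
  if (!range) {
    // No engines.npm: the missing range is not an error. Use the installed npm
    // or the default; omission does not mean "use npm 6 or lower".
    return { version: installed || DEFAULT_NPM, source: 'default' };
  }
  const candidates = [installed, DEFAULT_NPM].filter(Boolean);
  const match = candidates.find((v) => satisfies(v, range));
  if (match) return { version: match, source: 'engines' };
  if (opts.engineStrict) {
    // engine-strict=true: refuse to run an npm outside the declared range.
    throw new Error(`no available npm satisfies engines.npm "${range}"`);
  }
  return { version: installed || DEFAULT_NPM, source: 'fallback' };
}

// Usage with a constructed package.json excerpt mirroring the one in this issue.
const examplePkg = { engines: { npm: '>=10', node: '>=20' } };
console.log(selectNpm(examplePkg, '9.6.5')); // { version: '10.8.2', source: 'engines' }
console.log(selectNpm({}, '9.6.5'));         // { version: '9.6.5', source: 'default' }
```

With an installed npm 9.6.5 and `"npm": ">=10"` the routine picks the 10.x default rather than reporting the version as unsupported; without any `engines.npm` it keeps the installed npm, and only the strict mode turns an unsatisfiable range into a hard error.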
Hi everyone, I believe the following PR will resolve the unsupported error issue. It still requires testing on a repository similar to yours, but I'll proceed with deployment after receiving feedback and approval. Feel free to review it. Note: you can ignore pipeline errors for now, which are not related to the PR.

Hi everyone, the fix for the unsupported error has been shipped. Please confirm if the issue is now resolved.

The issue has been fixed:
@kbukum1 unfortunately the issue persists for us (I think because the comments describe other issues than I initially reported, especially the one that confirmed your PR to be working):
So we can still not ensure that npm Although the log states
Basically it got worse now. The initial logs at least tried to install
now I cannot find any logs anymore that try to install Also referring to a comment in the PR #11430 (comment), it looks like we are running into a state that should not happen. Can you please have a look again?

For us the job is working again and Dependabot opened a bunch of PRs again.
Is there an existing issue for this?
Package ecosystem
npm
Package manager version
10.8.2
Language version
20.16.0
Manifest location and content before the Dependabot update
package.json excerpt
```json
"engines": {
  "npm": ">=10",
  "node": ">=20"
},
```
.npmrc
dependabot.yml content
No response
Updated dependency
No response
What you expected to see, versus what you actually saw
Problem: Sometime between 05.12.2024 and 9.12.2024 our dependabot setup for NPM broke for all projects that included the above mentioned config (`npm >= 10` + `engine-strict=true`) and so did not update any NPM dependencies anymore. The timespan is based on the last successful and then following first failed run, no run in between.
It's very hard to get all information together but I will try in the following:
Partial log of a successful run on 05.12.2024:
Partial log of a failing run on 09.12.2024:
And now all dependabot jobs run with `npm 9.6.5` instead of `10` like before. What can be noticed is that in the successful run, `corepack` is used. In the later failing run, `corepack` calls are missing. From this comment #10985 (comment) it sounds like actually version `10` of NPM should be used, but as said, it's not. The only way to work around this right now is to remove `engine-strict=true` from the `.npmrc`, which we would like to prevent. And in the end dependabot does not run the NPM version we would like to see.
As the whole issue (and for me connecting all the dots) is relatively hard, please tell me if / what more information you need to have a look at the issue.
As the projects are private, I cannot provide direct links or so.
Related:
#10982
https://docs.github.com/en/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories (says only npm 9 is supported)
#11159 (announces that NPM 11 is supported)
#10985 (sounds related but only a feeling...)
Native package manager behavior
No response
Images of the diff or a link to the PR, issue, or logs
No response
Smallest manifest that reproduces the issue
No response