
Uncertainty in Dependabot's NPM Version #9277

Open
joni3k opened this issue Mar 13, 2024 · 2 comments
Labels
L: javascript:npm npm packages via npm

Comments

@joni3k

joni3k commented Mar 13, 2024

There seems to be a discrepancy between the npm version Dependabot appears to be using and what is indicated by its logs. Based on this, the NPM version should be 9.6.5, but Dependabot's logs indicate the usage of version 10.2.4.

Specifically, our project setup enforces strict engine versions with the following configurations, resulting in errors when attempting to use Dependabot:

  1. .npmrc with engine-strict=true
  2. package.json specifying "engines": {"node": ">=20 <21", "npm": ">=10.2 <11"}

Dependabot fails with an error due to version mismatches:

dependency_file_not_resolvable {:message=>"Dependabot uses Node.js v20.11.1\n and NPM 10.2.4\n. Due to the engine-strict setting, the update will not succeed."}

This scenario forces a dilemma where we must allow older NPM versions than we would want, or disable strict engine versions altogether.

Dependabot's Node version was bumped to v20 recently here.

Reproduction Steps

  1. Set up a Node.js project with engine-strict=true in .npmrc and "engines": {"node": ">=20 <21", "npm": ">=10.2 <11"} in package.json.
  2. Initiate a Dependabot update check.

Workaround

Disable engine-strict in .npmrc or adjust package.json to accept "npm": ">=9.6.5" to resolve the issue.
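To make the mismatch described in this issue concrete, here is an added example (not Dependabot's or npm's own code; npm itself uses the `semver` package) that re-implements the check `engine-strict=true` performs: each entry in `engines` is a range, and the install is refused if the running engine version falls outside it. The range grammar is deliberately limited to the space-separated comparators used in this thread (`>=`, `<`, `>`, `<=`, `=`); the two runtime descriptions at the bottom are constructed from the versions quoted above and are not read from any real Dependabot run.

```javascript
// Added example: minimal re-implementation of npm's engine-strict check.
// Only plain comparator ranges such as ">=10.2 <11" or ">= 20.9" are
// supported (no ^, ~, x or || forms); this is an assumption of the example.

// Parse "v20.11.1", "10.2" or "11" into a [major, minor, patch] triple.
// Missing components default to 0, so "<11" means "<11.0.0".
function parseVersion(v) {
  const m = /^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?/.exec(v.trim());
  if (!m) throw new Error(`cannot parse version: ${v}`);
  return [Number(m[1]), Number(m[2] || 0), Number(m[3] || 0)];
}

// Lexicographic comparison of two parsed versions: -1, 0 or 1.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// One comparator per match; operator is optional and whitespace after it
// is allowed, so ">= 20.9" and ">=20.9" are equivalent.
const COMPARATOR_RE = /(>=|<=|>|<|=)?\s*v?(\d+(?:\.\d+){0,2})/g;

// True if `version` satisfies every comparator in `range`.
function satisfies(version, range) {
  const actual = parseVersion(version);
  const matches = [...range.matchAll(COMPARATOR_RE)];
  if (matches.length === 0) throw new Error(`unsupported range: ${range}`);
  return matches.every(([, op = '=', v]) => {
    const cmp = compare(actual, parseVersion(v));
    switch (op) {
      case '>=': return cmp >= 0;
      case '<=': return cmp <= 0;
      case '>':  return cmp > 0;
      case '<':  return cmp < 0;
      default:   return cmp === 0;
    }
  });
}

// Evaluate an "engines" object against a map of running engine versions.
// Returns one record per engine so a caller can log exactly what failed.
function checkEngines(engines, runtime) {
  return Object.entries(engines).map(([engine, range]) => {
    const version = runtime[engine];
    const ok = version !== undefined && satisfies(version, range);
    return { engine, version, range, ok };
  });
}

// What engine-strict acts on: the subset of engines that do not satisfy
// their range. An empty array means the install would be allowed.
function engineStrictFailures(engines, runtime) {
  return checkEngines(engines, runtime).filter((r) => !r.ok);
}

// Constructed inputs based on the versions quoted in this issue.
const ENGINES = { node: '>=20 <21', npm: '>=10.2 <11' };
const RUNTIME_PER_DOCKERFILE = { node: 'v20.11.1', npm: '9.6.5' }; // constructed
const RUNTIME_PER_LOG = { node: 'v20.11.1', npm: '10.2.4' };       // constructed

for (const [label, runtime] of [
  ['npm 9.6.5 (Dockerfile)', RUNTIME_PER_DOCKERFILE],
  ['npm 10.2.4 (log message)', RUNTIME_PER_LOG],
]) {
  const failures = engineStrictFailures(ENGINES, runtime);
  console.log(label, failures.length === 0
    ? 'satisfies engines'
    : `rejected by engine-strict: ${failures.map((f) => `${f.engine} ${f.version} !~ ${f.range}`).join(', ')}`);
}
```

Run with `node` to see that an npm 9.6.5 runtime is rejected by the `>=10.2 <11` range while 10.2.4 passes, which is why the error text in the issue (reporting 10.2.4 yet failing) looks contradictory if the npm actually executing the check is the older one. The same functions show why the workaround range `>=9.6.5` admits both versions.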

@abdulapopoola abdulapopoola added the L: javascript:npm npm packages via npm label Mar 13, 2024
@yeikel
Contributor

yeikel commented Mar 16, 2024

From what I understand:

  1. Dependabot is tested using the NPM version listed in the build
  2. The version of NPM in the docker image is behind due to npm/cli#6742 ("[BUG] npm removes invalid references instead of failing with an error starting in 9.6.6")

The error you're seeing is definitely confusing and the version of NPM cannot stay behind node for long as it will cause this confusion. I am trying to address it with #9213

@cedric-anne

Yes, it is really confusing.

I have the same case with the following configuration:

    "engines": {
        "node": ">= 20.9",
        "npm": ">= 10.1"
    }

and it gives me this message: dependency_file_not_resolvable {:message=>"Dependabot uses Node.js v20.12.2\n and NPM 10.5.0\n. Due to the engine-strict setting, the update will not succeed."}.

thewilkybarkid added a commit to PREreview/prereview.org that referenced this issue Dec 5, 2024
Dependabot respects the `engine-strict` setting and is currently silently failing. This change removes it from being globally enabled; instead, it is enabled wherever we run `npm install` or `npm ci`.

Refs dependabot/dependabot-core#9277