
semver based ignoring / grouping doesn't work without package-lock.json #9685

Open
EdJoPaTo opened this issue May 8, 2024 · 3 comments
Labels: L: git:submodules (Git submodules), L: javascript, T: bug 🐞 (Something isn't working)

Comments


EdJoPaTo commented May 8, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Package ecosystem

npm

Package manager version

10.5

Language version

18

Manifest location and content before the Dependabot update

/package.json

dependabot.yml content

version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    open-pull-requests-limit: 30
    schedule:
      interval: "weekly"
      day: "saturday"
      time: "02:42" # UTC
    commit-message:
      prefix: "build(npm):"
    ignore:
      - dependency-name: "@types/node"
        update-types: ["version-update:semver-major"]

Updated dependency

bump @types/node from 18.19.31 to 20.12.8

What you expected to see, versus what you actually saw

ignore:
  - dependency-name: "@types/node"
    update-types: ["version-update:semver-major"]

Versions within 18 can be updated, but 19 or 20 are major updates that should have been ignored (and were ignored in the past).

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

EdJoPaTo/typescript-node-module-template#47

In the logs it looks like it knows not to update semver-major. Interestingly, there are two spaces after the package name, and I assume it should show the current version there, so it might fail on that?
The PR knows the last version, so I'm not sure about that.

updater | 2024/05/04 02:13:38 INFO <job_823752064> Checking if @types/node  needs updating
2024/05/04 02:13:38 INFO <job_823752064> Ignored versions:
updater | 2024/05/04 02:13:38 INFO <job_823752064>   version-update:semver-major - from .github/dependabot.yml
  proxy | 2024/05/04 02:13:38 [947] GET https://registry.npmjs.org:443/@types%2Fnode
  proxy | 2024/05/04 02:13:38 [947] 200 https://registry.npmjs.org:443/@types%2Fnode
  proxy | 2024/05/04 02:13:39 [949] HEAD https://registry.npmjs.org:443/@types/node/-/node-20.12.8.tgz
  proxy | 2024/05/04 02:13:39 [949] 200 https://registry.npmjs.org:443/@types/node/-/node-20.12.8.tgz
updater | 2024/05/04 02:13:39 INFO <job_823752064> Latest version is 20.12.8

Smallest manifest that reproduces the issue

Untested but likely this:

version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    ignore:
      - dependency-name: "@types/node"
        update-types: ["version-update:semver-major"]
EdJoPaTo added the "T: bug 🐞 Something isn't working" label on May 8, 2024
Author

EdJoPaTo commented May 8, 2024

Dependency grouping based on semver does not work without package-lock.json either. When there is a package-lock.json it works and shows current versions in the log.

As dependabot worked without a package-lock.json in the past this is likely a regression.

#9492 has another issue based on the missing package-lock.json.

EdJoPaTo changed the title from "npm dependency update for ignored update-type" to "semver based ignoring / grouping doesn't work without package-lock.json" on May 8, 2024
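The ignore rule in the issue's dependabot.yml (update-types: semver-major for @types/node) and the follow-up comment about semver-based grouping both depend on the same classification step: deciding whether a candidate version is a major, minor or patch jump relative to the currently installed version. The example below is added here by the editor and is not Dependabot's own code; it models the behaviour reported in the issue, where the rule cannot be applied when the current version is unknown (the blank spot after the package name in the log), so the update falls through. The ignore rules are written as a Python literal equivalent to the YAML on the page rather than parsed from it, and the sample versions are the ones quoted in the report. Wildcard `*` matching on `dependency-name` is included because Dependabot's documented ignore syntax allows it.

```python
import re
from fnmatch import fnmatch
from typing import Optional

# Equivalent of the `ignore:` section of the dependabot.yml quoted in the issue.
IGNORE_RULES = [
    {
        "dependency-name": "@types/node",
        "update-types": ["version-update:semver-major"],
    },
]

# Loose semver: optional leading "v", three numeric components, optional
# pre-release / build suffix which is ignored for classification purposes.
_SEMVER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$")


def parse_semver(version: str) -> tuple:
    """Return (major, minor, patch) as ints, or raise ValueError."""
    match = _SEMVER.match(version)
    if not match:
        raise ValueError(f"not a semver version: {version!r}")
    return tuple(int(part) for part in match.groups())


def update_type(current: Optional[str], candidate: str) -> Optional[str]:
    """Classify `candidate` relative to `current` using Dependabot's
    update-type names. Returns None when the jump cannot be classified:
    either `current` is unknown (no lockfile to read it from) or the
    candidate is not actually newer."""
    if current is None:
        return None
    cur, new = parse_semver(current), parse_semver(candidate)
    if new <= cur:
        return None
    if new[0] != cur[0]:
        return "version-update:semver-major"
    if new[1] != cur[1]:
        return "version-update:semver-minor"
    return "version-update:semver-patch"


def is_ignored(rules: list, name: str, current: Optional[str], candidate: str) -> bool:
    """True if any ignore rule applies to this dependency and this jump.

    A rule without `update-types` ignores every update of the matching
    dependency. A rule with `update-types` can only fire when the jump is
    classifiable, which is exactly what fails when the current version is
    missing: the rule is silently skipped and the update goes through."""
    for rule in rules:
        if not fnmatch(name, rule["dependency-name"]):
            continue
        allowed_types = rule.get("update-types")
        if not allowed_types:
            return True
        kind = update_type(current, candidate)
        if kind is not None and kind in allowed_types:
            return True
    return False


if __name__ == "__main__":
    # With a lockfile the current version is known and the rule fires.
    print(is_ignored(IGNORE_RULES, "@types/node", "18.19.31", "20.12.8"))
    # Without a lockfile the current version is unknown and the rule is skipped,
    # matching the PR the issue links to.
    print(is_ignored(IGNORE_RULES, "@types/node", None, "20.12.8"))
```

Running the script prints `True` for the lockfile case and `False` for the no-lockfile case; the second result is the symptom the issue reports. A defensive implementation would treat an unclassifiable jump under a semver-scoped rule as a configuration that cannot be honoured and surface that in the job log, rather than quietly proceeding with the update.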
Author

EdJoPaTo commented May 11, 2024

The first PRs about this that I have are from 2024-04-06. I run them weekly, so whatever caused this regression happened in the week before that.
