fix: add dependabot.yml to fix npm workspaces issues #3077
Closed
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Adds dependabot configuration to address npm workspace lockfile issues that caused PR #3021 to fail. The root cause was Dependabot trying to update the same package (glob) to different major versions across workspace directories, creating an inconsistent package-lock.json that fails `npm ci`. Key changes: - Configure npm updates from root directory only (per issue #6346) - Use versioning-strategy: increase for consistent lockfile updates - Explicitly configure security update grouping via applies-to See: - dependabot/dependabot-core#6346 - dependabot/dependabot-core#7157
Member
Author
|
(I think we should do something like this, OR disable dependabot updates generally because they always fail) |
Member
Author
|
Managed to poke around in the settings and got #3076 working. Gonna see if that holds for now |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Adds dependabot configuration to address npm workspace lockfile issues that caused PR #3021 to fail.
Problem
PR #3021 (Dependabot security update for glob) failed with:
Root cause: Dependabot tried to update
globto different major versions across workspace directories (11.1.0 for transitive deps, 12.0.0 for filesystem's direct dep), creating an inconsistentpackage-lock.json.This is a known Dependabot limitation with npm workspaces:
Solution
Add
dependabot.ymlthat:versioning-strategy: increasefor consistent lockfile updatesapplies-to: security-updatesAlso adds config for Python packages and GitHub Actions.