What you expected to see, versus what you actually saw
Problem: Sometime between 05.12.2024 and 9.12.2024, our dependabot setup for NPM broke for all projects that included the above-mentioned config (npm >= 10 + engine-strict=true) and so did not update any NPM dependencies anymore.
The timespan is based on the last successful run and the first failed run that followed, with no run in between.
It's very hard to get all the information together, but I will try in the following:
Partial log of a successful run on 05.12.2024:
```
updater | 2024/12/04 05:18:39 INFO <job_927237043> Guessed version info "npm" : "10"
updater | 2024/12/04 05:18:39 INFO <job_927237043> Installing "npm@10"
proxy | 2024/12/04 05:18:39 [008] GET https://registry.npmjs.org:443/npm
proxy | 2024/12/04 05:18:39 [008] 200 https://registry.npmjs.org:443/npm
proxy | 2024/12/04 05:18:39 [010] GET https://registry.npmjs.org:443/npm/-/npm-10.9.1.tgz
proxy | 2024/12/04 05:18:39 [010] 200 https://registry.npmjs.org:443/npm/-/npm-10.9.1.tgz
updater | 2024/12/04 05:18:40 INFO <job_927237043> Fetching version for package manager: npm
updater | 2024/12/04 05:18:40 INFO <job_927237043> Running package manager command: corepack npm -v
updater | 2024/12/04 05:18:41 INFO <job_927237043> Command executed successfully: corepack npm -v
2024/12/04 05:18:41 INFO <job_927237043> Version for npm: 10.9.1
updater | 2024/12/04 05:18:41 INFO <job_927237043> Installed version of npm: 10.9.1
proxy | 2024/12/04 05:18:41 [012] POST /update_jobs/927237043/record_ecosystem_versions
proxy | 2024/12/04 05:18:41 [012] 204 /update_jobs/927237043/record_ecosystem_versions
updater | 2024/12/04 05:18:41 INFO <job_927237043> Base commit SHA: ...44
updater | 2024/12/04 05:18:41 INFO <job_927237043> Finished job processing
updater | 2024/12/04 05:18:44 INFO <job_927237043> Starting job processing
updater | 2024/12/04 05:18:44 INFO <job_927237043> Detected package manager: npm
updater | 2024/12/04 05:18:44 INFO <job_927237043> Resolving package manager for: npm
updater | 2024/12/04 05:18:44 INFO <job_927237043> Fetching version for package manager: npm
updater | 2024/12/04 05:18:44 INFO <job_927237043> Running package manager command: corepack npm -v
updater | 2024/12/04 05:18:44 INFO <job_927237043> Command executed successfully: corepack npm -v
2024/12/04 05:18:44 INFO <job_927237043> Version for npm: 10.9.1
updater | 2024/12/04 05:18:44 INFO <job_927237043> Installed version for npm: 10.9.1
```
Partial log of a failing run on 09.12.2024:
```
updater | 2024/12/09 18:17:25 INFO <job_929896445> Guessed version info "npm" : "10"
updater | 2024/12/09 18:17:25 INFO <job_929896445> Installing "npm@10"
proxy | 2024/12/09 18:17:25 [008] GET https://registry.npmjs.org:443/npm
proxy | 2024/12/09 18:17:25 [008] 200 https://registry.npmjs.org:443/npm
proxy | 2024/12/09 18:17:25 [010] GET https://registry.npmjs.org:443/npm/-/npm-10.9.2.tgz
proxy | 2024/12/09 18:17:25 [010] 200 https://registry.npmjs.org:443/npm/-/npm-10.9.2.tgz
updater | 2024/12/09 18:17:26 INFO <job_929896445> npm@10 successfully installed.
updater | 2024/12/09 18:17:26 INFO <job_929896445> Fetching version for package manager: npm
updater | 2024/12/09 18:17:27 INFO <job_929896445> Installed version of npm: 9.6.5
proxy | 2024/12/09 18:17:27 [012] POST /update_jobs/929896445/record_ecosystem_versions
proxy | 2024/12/09 18:17:27 [012] 204 /update_jobs/929896445/record_ecosystem_versions
updater | 2024/12/09 18:17:27 INFO <job_929896445> Base commit SHA: 8755fd18fe4c768b39965e541a5fd991ce4322fa
updater | 2024/12/09 18:17:27 INFO <job_929896445> Finished job processing
updater | 2024/12/09 18:17:30 INFO <job_929896445> Starting job processing
updater | 2024/12/09 18:17:30 INFO <job_929896445> Detected package manager: npm
updater | 2024/12/09 18:17:30 INFO <job_929896445> Resolving package manager for: npm
updater | 2024/12/09 18:17:30 INFO <job_929896445> Fetching version for package manager: npm
updater | 2024/12/09 18:17:30 INFO <job_929896445> Installed version of npm: 9.6.5
updater | 2024/12/09 18:17:30 INFO <job_929896445> Installed version for npm: 9.6.5
```
And now all dependabot jobs run with npm 9.6.5 instead of 10 like before.
What can be noticed is that in the successful run, corepack is used. In the later failing run, corepack calls are missing.
From this comment #10985 (comment) it sounds like version 10 of NPM should actually be used, but as said, it's not.
The only way to work around this right now is to remove engine-strict=true from the .npmrc, which we would like to avoid.
And in the end dependabot does not run the NPM version we would like to see.
As the whole issue (and for me connecting all the dots) is relatively hard, please tell me if / what further information you need to have a look at the issue.
As the projects are private, I cannot provide direct links or so.
Is there an existing issue for this?
Package ecosystem
npm
Package manager version
10.8.2
Language version
20.16.0
Manifest location and content before the Dependabot update
package.json excerpt
```
"engines": {
  "npm": ">=10",
  "node": ">=20"
},
```
.npmrc
dependabot.yml content
No response
Updated dependency
No response
Related:
#10982
https://docs.github.com/en/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories (says only npm 9 is supported)
#11159 (announces that NPM 11 is supported)
#10985 (sounds related but only a feeling...)
Native package manager behavior
No response
Images of the diff or a link to the PR, issue, or logs
No response
Smallest manifest that reproduces the issue
No response
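
A check over updater logs of the shape quoted in this issue, flagging jobs whose effective npm version differs from the requested one or falls below `engines.npm`, so that a stalled update pipeline is noticed rather than found by accident. This is an added example, not part of the original report and not Dependabot code; `auditNpmVersions` is a hypothetical helper, the sample lines are constructed from the two log excerpts above, and only the simple `>=MAJOR` range form is handled.

```javascript
// Added example, not Dependabot code. Log line shapes follow the excerpts in the issue.
// Assumption: engines.npm uses the simple ">=MAJOR" form from the package.json excerpt.
const SAMPLE_LOG = [ // constructed from the two runs quoted in the issue
  'updater | 2024/12/04 05:18:39 INFO <job_927237043> Installing "npm@10"',
  'updater | 2024/12/04 05:18:40 INFO <job_927237043> Running package manager command: corepack npm -v',
  'updater | 2024/12/04 05:18:41 INFO <job_927237043> Installed version of npm: 10.9.1',
  'updater | 2024/12/09 18:17:25 INFO <job_929896445> Installing "npm@10"',
  'updater | 2024/12/09 18:17:27 INFO <job_929896445> Installed version of npm: 9.6.5',
].join('\n');

function auditNpmVersions(logText, enginesNpm) {
  const min = /^>=\s*(\d+)$/.exec(enginesNpm.trim());
  if (!min) throw new Error(`unsupported engines.npm range: ${enginesNpm}`);
  const minMajor = Number(min[1]);
  const jobs = new Map(); // job id -> facts collected from its log lines
  for (const line of logText.split(/\r?\n/)) {
    const m = /<job_(\d+)>\s+(.*)$/.exec(line);
    if (!m) continue; // proxy lines and continuation lines carry no job message
    const [, id, msg] = m;
    if (!jobs.has(id)) jobs.set(id, { job: id, requested: null, installed: null, corepack: false });
    const job = jobs.get(id);
    let f;
    if ((f = /^Installing "npm@([^"]+)"/.exec(msg))) job.requested = f[1];
    else if ((f = /^Installed version (?:of|for) npm: (\d+\.\d+\.\d+)/.exec(msg))) job.installed = f[1];
    else if (/corepack npm -v/.test(msg)) job.corepack = true;
  }
  return [...jobs.values()].map((job) => {
    const major = job.installed === null ? null : Number(job.installed.split('.')[0]);
    const wanted = job.requested === null ? null : Number(job.requested.split('.')[0]);
    return {
      ...job,
      // false when the effective npm is older than engines.npm allows
      satisfiesEngines: major !== null && major >= minMajor,
      // false when the updater reports a different major than it installed
      matchesRequested: major !== null && wanted !== null && major === wanted,
    };
  });
}

// Jobs worth alerting on: here only the 09.12.2024 run (npm 9.6.5, no corepack call).
const flagged = auditNpmVersions(SAMPLE_LOG, '>=10')
  .filter((j) => !j.satisfiesEngines || !j.matchesRequested);
console.log(flagged);
```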