Root workspace pnpm-lock.yml is updated instead of the nested project one #10203

Closed
1 task done
bdoof opened this issue Jul 12, 2024 · 1 comment
Labels
L: javascript T: bug 🐞 Something isn't working

Comments


bdoof commented Jul 12, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Package ecosystem

pnpm

Package manager version

9.5.0

Language version

Node.js 20

Manifest location and content before the Dependabot update

/package.json
/pnpm-lock.yml
/deploy/package.json
/deploy/pnpm-lock.yml

dependabot.yml content

version: 2
updates:
  - package-ecosystem: npm
    directory: '/'
    schedule:
      interval: monthly
    open-pull-requests-limit: 10

Description

I've got a private GitHub repo with a pnpm workspace, i.e. there's a root project with package.json and pnpm-lock.yml plus a nested project (part of the workspace) with its own package.json and pnpm-lock.yml. I want dependabot to update dependencies for both root and nested project.

Expected behavior

PR for /deploy (nested) project must affect /deploy/package.json and /deploy/pnpm-lock.yml only.

Actual behavior

PR for /deploy (nested) project affects /deploy/package.json (correct one) and pnpm-lock.yml of the root project (incorrect one).

Native package manager behavior

pnpm install <dependency-name> in /deploy (nested) project affects /deploy/package.json and /deploy/pnpm-lock.yml only - i.e., what I expect dependabot to do.

Images of the diff or a link to the PR, issue, or logs

No response

Smallest manifest that reproduces the issue

Create a pnpm workspace, i.e.:

  1. Initialize a root pnpm project.
  2. Create a folder in the root project and initialize a new (nested) pnpm project there.
  3. Link nested project with the root one, introducing a workspace (pnpm-workspace.yml).
  4. Install some dependencies in both projects.
  5. Let dependabot create a PR for the nested project.
@bdoof bdoof added the T: bug 🐞 Something isn't working label Jul 12, 2024
@jakecoffman jakecoffman removed the L: go:modules Golang modules label Jul 15, 2024

bdoof commented Jul 16, 2024

Actually, the behavior above is correct!

By default, pnpm must update <root-dir>/<project-dir>/package.json and <root-dir>/pnpm-lock.yaml.

This behavior may be altered by shared-workspace-lockfile=false in .npmrc. Not sure if Dependabot follows this behavior if the option is set though.

@bdoof bdoof closed this as completed Jul 16, 2024
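The lockfile rule from the closing comment, as an added example (not code from this issue, Dependabot or pnpm): given the files a dependency-update PR changes and the workspace root's .npmrc text, it reports a lockfile that should have changed but did not, or one that changed unexpectedly. The function names, the repo-relative path format and the sample inputs are assumptions made for illustration.

```javascript
// Added example: reviewer-side check, not Dependabot or pnpm code.
// Paths are repo-relative with '/' separators and no leading slash (assumption).

const dirOf = (p) => (p.includes('/') ? p.slice(0, p.lastIndexOf('/')) : '');
const baseOf = (p) => p.slice(p.lastIndexOf('/') + 1);

// Read shared-workspace-lockfile from .npmrc text; pnpm's default is true.
function sharedLockfile(npmrcText) {
  let shared = true;
  for (const raw of npmrcText.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const eq = line.indexOf('=');
    if (eq === -1) continue;
    if (line.slice(0, eq).trim() === 'shared-workspace-lockfile') {
      shared = line.slice(eq + 1).trim().toLowerCase() !== 'false';
    }
  }
  return shared;
}

// Lockfile that a change to the given package.json is expected to touch.
function expectedLockfile(manifestPath, npmrcText) {
  const dir = sharedLockfile(npmrcText) ? '' : dirOf(manifestPath);
  return dir ? `${dir}/pnpm-lock.yaml` : 'pnpm-lock.yaml';
}

// Compare a PR's changed files against the expected lockfile locations.
function reviewChangedFiles(changedFiles, npmrcText) {
  const changed = new Set(changedFiles);
  const manifests = changedFiles.filter((f) => baseOf(f) === 'package.json');
  const expected = new Set(manifests.map((m) => expectedLockfile(m, npmrcText)));
  const findings = [];
  for (const lock of expected) {
    if (!changed.has(lock)) findings.push(`missing: ${lock}`);
  }
  for (const f of changedFiles) {
    if (baseOf(f) === 'pnpm-lock.yaml' && !expected.has(f)) {
      findings.push(`unexpected: ${f}`);
    }
  }
  return findings;
}

// Constructed sample: the PR shape reported in this issue.
const samplePr = ['deploy/package.json', 'pnpm-lock.yaml'];
console.log(reviewChangedFiles(samplePr, ''));
console.log(reviewChangedFiles(samplePr, 'shared-workspace-lockfile=false\n'));
```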