Dependabot runs fail due to strict node and npm pinning #507

Closed
jeffwidman opened this issue Mar 21, 2024 · 5 comments
Labels
bug Something isn't working

Comments

@jeffwidman
Member

jeffwidman commented Mar 21, 2024

From https://github.com/dependabot/fetch-metadata/network/updates/803622934:

updater | 2024/03/21 21:28:55 INFO <job_803622934> Updating @actions/github from 5.1.1 to 6.0.0
updater | 2024/03/21 21:28:57 INFO <job_803622934> Handled error whilst updating @actions/github: dependency_file_not_resolvable {:message=>"Dependabot uses Node.js v20.11.1\n and NPM 10.2.4\n. Due to the engine-strict setting, the update will not succeed."}

My guess is something in #443 is a little too strict or pinned to the wrong version...

@jeffwidman jeffwidman added the bug Something isn't working label Mar 21, 2024
@jeffwidman jeffwidman changed the title Dependabot currently broken for this action Dependabot runs fail due to strict node and npm pinning Mar 21, 2024
@JamieMagee

Either relax the strictness here:

engine-strict=true

Or update the node and npm versions here to at least the versions mentioned in the error message:

https://github.com/dependabot/dependabot-core/blob/c7b16a1a6eb6d35d3be0218e110ebc84b49c1c27/npm_and_yarn/Dockerfile#L13-L18

@JamieMagee

Related dependabot/dependabot-core#9213

@Nishnha
Member

Nishnha commented Mar 21, 2024

Another alternative, if we don't care about pinning the minor version, is:

"engines": {
  "node": ">=20.x",
  "npm": ">=10.x"
},

We might have to get rid of engine-strict=true for it to work.
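To see how the two settings interact, here is an added example (not code from the fetch-metadata repository): a minimal re-implementation of the engines check npm applies when engine-strict=true, run against the Node and npm versions from the error log above. The pinned engines block is constructed, since the page does not show the values #443 actually pinned.

```javascript
// Added example: minimal engines-range check modelled on npm's engine-strict
// behaviour. Supports exact pins ("20.11.0"), ">=MAJOR.x" ranges and "^X.Y.Z".
// Runtime versions come from the Dependabot error message on this issue.
const DEPENDABOT_RUNTIME = { node: '20.11.1', npm: '10.2.4' };

// "20.11.1" -> [20, 11, 1]; "20.x" -> [20] (components after a wildcard are dropped)
function parseVersion(v) {
  const parts = [];
  for (const p of v.split('.')) {
    if (p === 'x' || p === '*') break;
    parts.push(Number(p));
  }
  return parts;
}

// Numeric comparison of [major, minor, patch]; missing components count as 0.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    const d = (a[i] || 0) - (b[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

function satisfies(version, range) {
  const v = parseVersion(version);
  const m = range.trim().match(/^(>=|\^)?\s*([\d.x*]+)$/);
  if (!m) throw new Error(`unsupported range: ${range}`);
  const [, op, spec] = m;
  const r = parseVersion(spec);
  if (op === '>=') return compare(v, r) >= 0;
  if (op === '^') return v[0] === r[0] && compare(v, r) >= 0; // same major, not older
  // Exact pin: every component the range spells out must match ("20.x" matches any 20.*).
  return r.every((n, i) => v[i] === n);
}

// With engine-strict=true, any unsatisfied entry aborts the install; with the
// default (false) npm only warns. Returns the entries that would fail (empty = OK).
function engineStrictFailures(engines, runtime) {
  return Object.entries(engines)
    .filter(([name, range]) => name in runtime && !satisfies(runtime[name], range))
    .map(([name, range]) => `${name} ${runtime[name]} does not satisfy ${range}`);
}

// Constructed "before": tight pins one patch behind the Dependabot runtime (assumed values).
const PINNED_ENGINES = { node: '20.11.0', npm: '10.2.3' };
// The relaxed block proposed above.
const RELAXED_ENGINES = { node: '>=20.x', npm: '>=10.x' };

console.log(engineStrictFailures(PINNED_ENGINES, DEPENDABOT_RUNTIME));  // two failures
console.log(engineStrictFailures(RELAXED_ENGINES, DEPENDABOT_RUNTIME)); // []
```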

@jeffwidman
Member Author

After looking at this, I think dropping engine-strict (since it defaults to false) will probably suffice for the fetch-metadata use case.

I'm normally a fan of pinning, but given that if we do break something it's not hard to temp pin to an older version, then I'm okay if we relax this for now... and if it becomes a problem in the future, then we can tighten the screws again.

jeffwidman added a commit that referenced this issue Mar 21, 2024
Looking at git history, this was added in #251 and was probably an overzealous add TBH.

I often like pinning, but here it's breaking our :dependabot: runs:
#507

So let's relax it for now. If we later run into problems, we can always tighten the screws later.
@jeffwidman
Member Author

Fixed by:

And :dependabot: is now working again in #453!
