Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Dependabot runs fail due to strict node and npm pinning #507

Closed
jeffwidman opened this issue Mar 21, 2024 · 5 comments
Closed

Dependabot runs fail due to strict node and npm pinning #507

jeffwidman opened this issue Mar 21, 2024 · 5 comments
Labels
bug Something isn't working

Comments

@jeffwidman
Copy link
Member

jeffwidman commented Mar 21, 2024
edited

From https://github.com/dependabot/fetch-metadata/network/updates/803622934:

updater | 2024/03/21 21:28:55 INFO <job_803622934> Updating @actions/github from 5.1.1 to 6.0.0
updater | 2024/03/21 21:28:57 INFO <job_803622934> Handled error whilst updating @actions/github: dependency_file_not_resolvable {:message=>"Dependabot uses Node.js v20.11.1\n and NPM 10.2.4\n. Due to the engine-strict setting, the update will not succeed."}

My guess is something in #443 is a little too strict or pinned to the wrong version...
@jeffwidman jeffwidman added the bug Something isn't working label Mar 21, 2024
@jeffwidman jeffwidman changed the title Dependabot currently broken for this action Dependabot runs fail due to strict node and npm pinning Mar 21, 2024
@JamieMagee
Copy link

Either relax the strictness here:

fetch-metadata/.npmrc

Line 1 in dc2c459

engine-strict=true

Or update the node and npm versions here to at least the versions mentioned in the error message:

https://github.com/dependabot/dependabot-core/blob/c7b16a1a6eb6d35d3be0218e110ebc84b49c1c27/npm_and_yarn/Dockerfile#L13-L18

@JamieMagee
Copy link

Related dependabot/dependabot-core#9213

@Nishnha
Copy link
Member

Nishnha commented Mar 21, 2024
edited

another alternative if we don't care about pinning the minor version is:

"engines": {
  "node": ">=20.x",
  "npm": ">=10.x"
},

we might have to get rid of engine-strict=true for it to work

@jeffwidman
Copy link
Member Author

After looking at this, I think dropping engine-strict (since it defaults to false) will probably suffice for the fetch-metadata usecase.

I'm normally a fan of pinning, but given that if we do break something it's not hard to temp pin to an older version, then I'm okay if we relax this for now... and if it becomes a problem in the future, then we can tighten the screws again.

jeffwidman added a commit that referenced this issue Mar 21, 2024
@jeffwidman
Relax engine-strict=true
f487996 
Looking at git history, this was added in #251 and was probably an overzealous add TBH.

I often like pinning, but here it's breaking our :dependabot: runs:
#507

So let's relax it for now. If we later run into problems, we can always tighten the screws later.
@jeffwidman jeffwidman mentioned this issue Mar 21, 2024
Merged
jeffwidman added a commit that referenced this issue Mar 21, 2024
@jeffwidman
Relax engine-strict=true (#510)
518993c 
Looking at git history, this was added in #251 and was probably an overzealous add TBH.

I often like pinning, but here it's breaking our :dependabot: runs:
#507

So let's relax it for now. If we later run into problems, we can always tighten the screws later.
@jeffwidman
Copy link
Member Author

Fixed by:

And :dependabot: is now working again in #453!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@jeffwidman @JamieMagee @Nishnha