Flatten/de-dupe npm lockfile #2079
Comments
@XhmikosR Thanks for submitting! I've attempted to fix this in the past but didn't even get the npm dedupe command working properly as it sometimes ended up breaking the lockfile. I think this should be solved in npm itself because it probably requires some internal changes. We're super stretched at the moment so don't have much spare capacity to work on wider improvements for the next few months.
@feelepxyz NP, I understand. :) Like I said, I don't even know how you could fix it on your side either. I will try to raise an issue with npm
@feelepxyz which command does dependabot run?
@XhmikosR yes pretty much but Dependabot doesn't call the CLI directly, instead it uses the library functions to avoid downloading
I wonder if the same issue happens when running
This is starting to be very annoying :/ https://github.com/twbs/bootstrap/pull/30951/files I have to redo the lock file every couple of weeks.
Any updates on this? I received a dependabot PR with a patch release update breaking the CI (yudai-nkt/jupyterlab_city-lights-theme#103), and it turned out to be caused by duplicated packages thanks to jupyterlab/jupyterlab#9699.
* Move all dependency updates to dependabot

  Remove renovate and use dependabot for go, python and node

  This is to serve as research

  Proposal: There are some notable differences between renovate and dependabot. If we want to continue with using only dependabot, this is what I would suggest.

  1. Set up dependabot for go, python, node and docker. Make sure it does not auto merge.
  2. Make the deployment step require an approval for dependabot https://docs.github.com/en/actions/managing-workflow-runs/reviewing-deployments
     - Need to verify that it can be limited at the per bot level

  More notes down below

  ---

  Warnings

  There are some differences between dependabot and renovate:

  There are things renovate can do that dependabot can't do:

  1. Run npm dedupe to keep the lock files pretty clean. [Notes](dependabot/dependabot-core#2079)
  2. Group updates together github/roadmap#148

  Extra work needed specifically for dependabot

  1. Auto merging is possible but extra work needs to be done. [Notes](https://docs.github.com/en/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions#approve-a-pull-request)
     - I don't think auto merging is a good idea.
  2. Need to create a GCLOUD_KEY_FILE_JSON secret specifically for dependabot to use. Make sure it has the necessary scopes and no more.

  Misc notes

  - For go dependencies
    - It does indeed run go mod tidy. (which is absolutely necessary) [Notes](https://github.blog/changelog/2020-10-19-dependabot-go-mod-tidy-and-vendor-support/)
  - Dependabot has a docker updater too. We should use that.

* add commented docker section
* disable deployment for dependabot PRs
* add quotes
👋 Sorry for the slow response, we're finally getting a chance to look at some of our backlog. This is a really old issue... is it still happening or can this be closed? Dependabot generally tries to shell out to
Maybe this is now fixed assuming you are using newer npm, it's been some time since I last noticed it.
Sounds good, thanks for letting us know!
So, this situation has bit me numerous times :)
Basically, after a while using dependabot, one ends up with many duplicate packages. A recent example is twbs/bootstrap#29730
I'm not sure how dependabot could mitigate this issue. `npm dedupe` does not seem to solve the issue. On the other hand, regenerating the lock file shouldn't be done by default since it can break many things. I know there is dependabot/feedback#313, but it seems that was focused mostly on yarn.
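An added CI-style check (example code, not from this issue, from dependabot-core or from npm) that surfaces the duplicated packages this thread is about by scanning a package-lock.json for the same package installed at more than one version. It assumes lockfileVersion 2 or 3 (a `packages` map keyed by install path) and uses a constructed sample lockfile; the script name and sample versions are placeholders.

```javascript
// Collect name -> Map<version, [install paths]> from a parsed package-lock.json
// (lockfileVersion 2/3, where "packages" is keyed by install path).
function collectInstalls(lock) {
  const byName = new Map();
  const add = (name, version, path) => {
    if (!byName.has(name)) byName.set(name, new Map());
    const versions = byName.get(name);
    if (!versions.has(version)) versions.set(version, []);
    versions.get(version).push(path);
  };
  // Keys look like "node_modules/a/node_modules/@scope/b": the package name is
  // everything after the last "node_modules/". "" is the root project and
  // workspace links carry no "version"; both are skipped.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1 || !meta.version) continue;
    add(path.slice(idx + "node_modules/".length), meta.version, path);
  }
  return byName;
}

// Packages present at more than one version, with where each copy lives.
function findDuplicates(lock) {
  const dups = {};
  for (const [name, versions] of collectInstalls(lock)) {
    if (versions.size > 1) dups[name] = Object.fromEntries(versions);
  }
  return dups;
}

// Constructed sample (not a real project): "semver" is hoisted at 7.3.5 while
// eslint keeps its own nested 6.3.0, so the lockfile carries two copies.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "": { name: "app", version: "1.0.0" },
    "node_modules/semver": { version: "7.3.5" },
    "node_modules/eslint": { version: "7.20.0" },
    "node_modules/eslint/node_modules/semver": { version: "6.3.0" },
  },
};

// Usage: node check-dupes.js package-lock.json (exit status 1 when duplicates exist).
if (process.argv[2]) {
  const lock = JSON.parse(require("fs").readFileSync(process.argv[2], "utf8"));
  const dups = findDuplicates(lock);
  console.log(JSON.stringify(dups, null, 2));
  process.exitCode = Object.keys(dups).length ? 1 : 0;
}
```

Running it against the lockfile in a dependabot PR makes the duplicate copies visible in CI before they break a build, the situation described in the comments above.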