Flatten/de-dupe npm lockfile #2079

Closed
XhmikosR opened this issue Nov 25, 2019 · 10 comments
Labels
F: language-support Issues specific to a particular language or ecosystem; may be paired with an L: label. L: javascript:npm npm packages via npm T: feature-request Requests for new features

Comments

@XhmikosR

So, this situation has bit me numerous times :)

Basically, after a while using dependabot, one ends up with many duplicate packages. A recent example is twbs/bootstrap#29730

I'm not sure how dependabot could mitigate this issue. npm dedupe does not seem to solve the issue. On the other hand, regenerating the lock file shouldn't be done by default since it can break many things.

I know there is dependabot/feedback#313, but it seems that was focused mostly on yarn.
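An added example (not code from the issue thread or from Dependabot) that reports the duplicated packages this post describes by reading a package-lock.json: it walks lockfileVersion 1's nested `dependencies` tree or the `packages` map of lockfileVersion 2/3, and flags whether each duplicate is several copies of one version (what `npm dedupe` is meant to collapse) or several versions (which dedupe cannot merge). SAMPLE_LOCK is a constructed input.

```javascript
// Added example (not Dependabot's code): report packages installed more than once in
// a package-lock.json; handles lockfileVersion 1 (nested "dependencies") and 2/3 ("packages").
function collectInstalls(lock) {
  const installs = []; // { name, version, path }
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === '' || meta.link) continue; // skip the root project and workspace links
      // "node_modules/a/node_modules/@s/b" -> "@s/b" ('node_modules/'.length === 13)
      const name = meta.name || path.slice(path.lastIndexOf('node_modules/') + 13);
      installs.push({ name, version: meta.version, path });
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        installs.push({ name, version: meta.version, path });
        if (meta.dependencies) walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return installs;
}

function findDuplicates(lock) {
  const byName = new Map();
  for (const inst of collectInstalls(lock)) {
    byName.set(inst.name, [...(byName.get(inst.name) || []), inst]);
  }
  const report = {};
  for (const [name, copies] of byName) {
    if (copies.length < 2) continue;
    const versions = [...new Set(copies.map((c) => c.version))].sort();
    // One version in several places is what `npm dedupe` collapses; differing versions mean a dependent's range excludes the hoisted copy.
    report[name] = { versions, paths: copies.map((c) => c.path).sort(), collapsible: versions.length === 1 };
  }
  return report;
}

// Constructed sample lockfile: "c" is duplicated at two versions, "d" twice at one version.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'example-app', dependencies: { a: '^1.0.0', b: '^2.0.0' } },
  'node_modules/a': { version: '1.2.0', dependencies: { c: '^3.0.0', d: '^4.0.0' } },
  'node_modules/b': { version: '2.1.0', dependencies: { c: '^3.1.0' } },
  'node_modules/c': { version: '3.0.5' },
  'node_modules/b/node_modules/c': { version: '3.1.2' },
  'node_modules/d': { version: '4.0.0' },
  'node_modules/a/node_modules/d': { version: '4.0.0' },
} };

console.log(JSON.stringify(findDuplicates(SAMPLE_LOCK), null, 2));
```

For a real project, replace SAMPLE_LOCK with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`; entries with `collapsible: true` are the ones worth trying `npm dedupe` on, the others need a dependent's range to move first.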

@feelepxyz feelepxyz changed the title flatten lockfile Flatten/de-dupe npm lockfile Nov 27, 2019
@feelepxyz
Contributor

@XhmikosR Thanks for submitting! I've attempted to fix this in the past but didn't even get the npm dedupe command working properly as it sometimes ended up breaking the lockfile. I think this should be solved in npm itself because it probably requires some internal changes.

We're super stretched at the moment so don't have much spare capacity to work on wider improvements for the next few months.

@XhmikosR
Author

@feelepxyz NP, I understand. :)

Like I said, I don't even know how you could fix it on your side either. I will try to raise an issue with npm

@XhmikosR
Author

XhmikosR commented Dec 7, 2019

@feelepxyz which command does dependabot run? npm i package@version?

@feelepxyz
Contributor

@XhmikosR yes pretty much but Dependabot doesn't call the CLI directly, instead it uses the library functions to avoid downloading node_modules and calling life-cycle hooks: https://github.com/dependabot/dependabot-core/blob/master/npm_and_yarn/helpers/lib/npm/updater.js#L20

@XhmikosR
Author

XhmikosR commented Dec 9, 2019

I wonder if the same issue happens when running npm i package@version...

@XhmikosR
Author

XhmikosR commented Jun 2, 2020

This is starting to be very annoying :/

https://github.com/twbs/bootstrap/pull/30951/files

I have to redo the lock file every couple of weeks.

@infin8x infin8x transferred this issue from dependabot/feedback Jun 29, 2020
@infin8x infin8x added F: language-support Issues specific to a particular language or ecosystem; may be paired with an L: label. L: javascript:npm npm packages via npm T: feature-request Requests for new features labels Jul 20, 2020
@yudai-nkt

Any updates on this?

I received a dependabot PR with a patch release update breaking the CI (yudai-nkt/jupyterlab_city-lights-theme#103), and it turned out to be caused by duplicated packages thanks to jupyterlab/jupyterlab#9699. npm dedupe didn't fix my problem either, so I thought it's related to this issue rather than a new issue.

jcscottiii added a commit to web-platform-tests/wpt.fyi that referenced this issue Aug 26, 2022
Remove renovate and use dependabot for go, python and node
This is to serve as research

Proposal:

There are some notable differences between renovate and dependabot. If
we want to continue with using only dependabot, this is what I would
suggest.

1. Set up dependabot for go, python, node and docker. Make sure it does not auto merge.
2. Make the deployment step require an approval for dependabot https://docs.github.com/en/actions/managing-workflow-runs/reviewing-deployments
  - Need to verify that it can be limited at the per bot level

More notes down below
---

Warnings

There are some differences between dependabot and renovate:
There are things renovate can do that dependabot can't do:
1. Run npm dedupe to keep the lock files pretty clean.
  [Notes](dependabot/dependabot-core#2079)
2. Group updates together github/roadmap#148

Extra work needed specifically for dependabot

1. Auto merging is possible but extra work needs to be done.
   [Notes](https://docs.github.com/en/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions#approve-a-pull-request)
  - I don't think auto merging is a good idea.
2. Need to create a GCLOUD_KEY_FILE_JSON secret specifically for dependabot to use. Make sure it has the necessary scopes and no more.

Misc notes

- For go dependencies - It does indeed run go mod tidy. (which is absolutely necessary) [Notes](https://github.blog/changelog/2020-10-19-dependabot-go-mod-tidy-and-vendor-support/)
- Dependabot has a docker updater too. We should use that.
jcscottiii added a commit to web-platform-tests/wpt.fyi that referenced this issue Nov 23, 2022
* Move all dependency updates to dependabot

Remove renovate and use dependabot for go, python and node
This is to serve as research

Proposal:

There are some notable differences between renovate and dependabot. If
we want to continue with using only dependabot, this is what I would
suggest.

1. Set up dependabot for go, python, node and docker. Make sure it does not auto merge.
2. Make the deployment step require an approval for dependabot https://docs.github.com/en/actions/managing-workflow-runs/reviewing-deployments
  - Need to verify that it can be limited at the per bot level

More notes down below
---

Warnings

There are some differences between dependabot and renovate:
There are things renovate can do that dependabot can't do:
1. Run npm dedupe to keep the lock files pretty clean.
  [Notes](dependabot/dependabot-core#2079)
2. Group updates together github/roadmap#148

Extra work needed specifically for dependabot

1. Auto merging is possible but extra work needs to be done.
   [Notes](https://docs.github.com/en/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions#approve-a-pull-request)
  - I don't think auto merging is a good idea.
2. Need to create a GCLOUD_KEY_FILE_JSON secret specifically for dependabot to use. Make sure it has the necessary scopes and no more.

Misc notes

- For go dependencies - It does indeed run go mod tidy. (which is absolutely necessary) [Notes](https://github.blog/changelog/2020-10-19-dependabot-go-mod-tidy-and-vendor-support/)
- Dependabot has a docker updater too. We should use that.

* add commented docker section

* disable deployment for dependabot PRs

* add quotes
@jeffwidman
Member

👋 Sorry for the slow response, we're finally getting a chance to look at some of our backlog.

This is a really old issue... is it still happening or can this be closed?

Dependabot generally tries to shell out to npm / yarn native package managers, so it's unclear if the root problem here is in Dependabot or upstream in the package managers themselves... especially if npm dedupe isn't resolving it.

@XhmikosR
Author

XhmikosR commented Feb 9, 2023

Maybe this is now fixed, assuming you are using newer npm; it's been some time since I last noticed it.

@jeffwidman
Member

Sounds good, thanks for letting us know!

5 participants