
Fix dependabot npm version by updating lockfileVersion in package-lock.json #110

Merged
merged 2 commits into from
Jan 21, 2025

Conversation

bastian-src (Contributor) commented Jan 21, 2025

Even when explicitly stating the npm/node version in package.json, dependabot still uses npm v6.

It seems like dependabot relies on the package-lock.json's lockfileVersion to decide on its npm version (compare here). Therefore, updating to the latest lockfileVersion (3), which is used by npm v7+ (compare here). Foreman uses npm 10 at the time.


Revert previous try to fix the dependabot npm version #108.

Replace lockfileVersion 1 (npm v6) with lockfileVersion 3 to become compliant
with npm 7 and higher. The update was performed using the following command:

npm update --package-lock-only --legacy-peer-deps

Allowing --legacy-peer-deps due to the foreman-ignored dependency
'react-redux-test-utils'.
This reverts commit 984f699.

The commit was an educated guess to force a higher npm
version than 6 for dependabot. However, dependabot decides
which npm version to use based on the lockfileVersion
in package-lock.json. Compare:

https://github.com/dependabot/dependabot-core/blob/80315238145998ddfea4d3bfc0a5525973f231d5/npm_and_yarn/lib/dependabot/npm_and_yarn/helpers.rb#L47
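As an added example (not code from foreman_resource_quota, Foreman or dependabot), the following Node.js check makes the mechanism described above concrete: it reads a package.json and a package-lock.json and reports whether the lockfile is still in the npm 6 format while `engines.npm` asks for a newer npm, i.e. the state that left dependabot on npm 6 here. The lockfileVersion-to-npm mapping is a simplification of the rule the commit message describes (1 written by npm 6, 2 and 3 by npm 7+), not dependabot's exact table from helpers.rb, and the sample inputs are constructed.

```javascript
'use strict';
// Added example; not code from foreman_resource_quota or from dependabot.
// Tools that pick an npm version from package-lock.json look at
// "lockfileVersion", not at package.json "engines" (the point of this PR).

// Simplified mapping (an assumption, not dependabot's exact table):
// no lockfileVersion or 1 -> written by npm 5/6; 2 or 3 -> written by npm 7+.
function lockfileWrittenByNpm6(lock) {
  const v = lock.lockfileVersion;
  if (v === undefined || v === 1) return true;
  if (v === 2 || v === 3) return false;
  throw new Error(`unrecognised lockfileVersion: ${JSON.stringify(v)}`);
}

// Lowest npm major requested by package.json "engines.npm" (e.g. ">=10", "^7.0.0").
// Only the first number in the range is read; anything unparsable yields null.
function minNpmMajorFromEngines(pkg) {
  const spec = pkg.engines && pkg.engines.npm;
  if (typeof spec !== 'string') return null;
  const m = spec.match(/(\d+)/);
  return m ? Number(m[1]) : null;
}

// Builds a small report. "mismatch" is true when engines.npm asks for npm 7+
// but the lockfile still has the npm 6 format, so a lockfile-driven tool
// would ignore the engines field and run npm 6 anyway.
function checkLockfile(pkgJsonText, lockJsonText) {
  const pkg = JSON.parse(pkgJsonText);
  const lock = JSON.parse(lockJsonText);
  const declared = minNpmMajorFromEngines(pkg);
  const npm6Lock = lockfileWrittenByNpm6(lock);
  const mismatch = declared !== null && declared >= 7 && npm6Lock;
  return {
    lockfileVersion: lock.lockfileVersion === undefined ? 1 : lock.lockfileVersion,
    declaredNpmMajor: declared,
    lockfileFormat: npm6Lock ? 'npm 6' : 'npm 7+',
    mismatch,
    advice: mismatch
      ? `regenerate package-lock.json with npm ${declared} (e.g. npm install --package-lock-only)`
      : 'lockfile format and engines.npm agree',
  };
}

// Constructed sample inputs (not the project's real files): the same
// package.json against a v1 lockfile (before this PR) and a v3 one (after).
const samplePackageJson = JSON.stringify({
  name: 'example_plugin',
  version: '1.0.0',
  engines: { npm: '>=10' },
});
const lockBefore = JSON.stringify({
  name: 'example_plugin', version: '1.0.0', lockfileVersion: 1, dependencies: {},
});
const lockAfter = JSON.stringify({
  name: 'example_plugin', version: '1.0.0', lockfileVersion: 3, packages: {},
});

console.log(checkLockfile(samplePackageJson, lockBefore));
console.log(checkLockfile(samplePackageJson, lockAfter));
```

Run against a real checkout by replacing the constructed strings with `fs.readFileSync('package.json', 'utf8')` and `fs.readFileSync('package-lock.json', 'utf8')`; a `mismatch: true` report is the signal that setting `engines.npm` alone will not move dependabot off npm 6.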
@bastian-src bastian-src self-assigned this Jan 21, 2025
@bastian-src bastian-src requested a review from dosas January 21, 2025 15:32
bastian-src (Contributor, Author) commented:

Printing the beginning of the diff here because github doesn't show:

diff --git a/package-lock.json b/package-lock.json
index 1430f0c..ad15706 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,114 +1,136 @@
 {
   "name": "foreman_resource_quota",
   "version": "1.0.0",
-  "lockfileVersion": 1,
+  "lockfileVersion": 3,
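Review bot: the jump from lockfileVersion 1 straight to 3 in this hunk drops npm 6 compatibility entirely, since a v3 lockfile carries no legacy `dependencies` section for older npm to read, so any contributor or CI job still on npm 6 will regenerate the file rather than honour the pins; that is the intent here (forcing dependabot onto npm 7+), but it should be stated in the PR description, and it is worth confirming that CI installs with `npm ci` on npm 7 or newer (the description says Foreman is on npm 10) so that the 16 passing checks actually exercised this lockfile. Separately, the commit message says the file was produced with `npm update --package-lock-only --legacy-peer-deps`, which re-resolves dependency versions in addition to migrating the format; the hunk header `@@ -1,114 +1,136 @@` shows the change is far larger than the four lines printed here. Using `npm install --package-lock-only` instead would migrate the lockfile version without bumping pinned versions, keeping this PR to the format change alone and leaving dependency updates to their own reviewable commits.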

@bastian-src bastian-src merged commit 58280a8 into main Jan 21, 2025
16 checks passed
@bastian-src bastian-src deleted the fix/dependabot_npm_version_6_ignore branch January 21, 2025 15:54