dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.

Home Page:https://docs.github.com/en/code-security/dependabot

ERR_PNPM_NO_MATCHING_VERSION after adding private registry

hanseartic opened this issue · comments

Is there an existing issue for this?

  • I have searched the existing issues

Package ecosystem

npm

Package manager version

pnpm 9.1.4

Language version

Node.js 20.x

Manifest location and content before the Dependabot update

/package.json
/pnpm-lock.json

dependabot.yml content

version: 2
registries:
  npm-npmjs:
    type: npm-registry
    url: https://registry.npmjs.org
    token: ${{ secrets.NPM_TOKEN }}
  npm-github:
    type: npm-registry
    url: https://npm.pkg.github.com
    token: ${{ secrets.NPM_GH_TOKEN }}

updates:
  - package-ecosystem: "npm"
    directory: "/"
    registries:
      - npm-npmjs
      - npm-github
    schedule:
      interval: "weekly"

Updated dependency

@types/jest: @29.0.0 ➡️ @29.5.12

fails with

 ERR_PNPM_NO_MATCHING_VERSION  No matching version found for @types/jest@29.0.0

after npm.pkg.github.com is configured as an (additional) registry for Dependabot

What you expected to see, versus what you actually saw

The dependencies originally have been added to the project with npm from npmjs.org's registry. Hence the base-URLs point to npmjs.org's registry.

Later in the project we switched to pnpm and Dependabot was still able to update the versions.

After adding another dependency that is only available as a private package, we needed to switch to a private registry configuration.

As it turned out, npm.pkg.github.com does not have the latest version (the one that was fetched from registry.npmjs.org) of @types/jest.

Expected

As two registries are configured in the dependabot file, I would expect that both registries are checked and a PR is created for the latest matching version.

What happened instead

Native package manager behavior

npm can successfully create a PR but it seems to ignore the configured registry (npm.pkg.github.com).

See this job's log:
{
  "job": {
    "allowed-updates": [
      {
        "dependency-type": "direct",
        "update-type": "all"
      }
    ],
    "commit-message-options": {
      "include-scope": null,
      "prefix": null,
      "prefix-development": null
    },
    "credentials-metadata": [
      {
        "registry": "npm.pkg.github.com",
        "type": "npm_registry"
      },
      {
        "host": "github.com",
        "type": "git_source"
      }
    ],
    "debug": null,
    "dependencies": null,
    "dependency-group-to-refresh": null,
    "dependency-groups": [],
    "existing-group-pull-requests": [],
    "existing-pull-requests": [
      [
        {
          "dependency-name": "aws-cdk-lib",
          "dependency-version": "2.144.0"
        }
      ]
    ],
    "experiments": {
      "dependency-change-validation": true,
      "proxy-cached": true,
      "record-ecosystem-versions": true,
      "record-update-job-unknown-error": true
    },
    "ignore-conditions": [],
    "lockfile-only": false,
    "max-updater-run-time": 2700,
    "package-manager": "npm_and_yarn",
    "proxy-log-response-body-on-auth-failure": true,
    "reject-external-code": false,
    "repo-private": false,
    "requirements-update-strategy": null,
    "security-advisories": [],
    "security-updates-only": false,
    "source": {
      "api-endpoint": "https://api.github.com/",
      "branch": "gh",
      "directory": "/npm",
      "hostname": "github.com",
      "provider": "github",
      "repo": "hanseartic/dependabot_fails_on_additional_private_registry"
    },
    "update-subdependencies": false,
    "updating-a-pull-request": false,
    "vendor-dependencies": false
  }
}

It seems the replaces-base setting in dependabot.yml is ignored and the base-URLs from package-lock.json are used.
When invoking locally with the --registry https://npm.pkg.github.com flag, the dependencies can't be updated either:

npm ERR! code ETARGET
npm ERR! notarget No matching version found for @types/jest@^29.0.0.
npm ERR! notarget In most cases you or one of your dependencies are requesting
npm ERR! notarget a package version that doesn't exist.

Images of the diff or a link to the PR, issue, or logs

I created a demo repo to showcase how the pnpm command failed to update the dependencies. See the logs here: https://github.com/hanseartic/dependabot_fails_on_additional_private_registry/network/updates

Smallest manifest that reproduces the issue

{
  "dependencies": {
    "aws-cdk-lib": "^2.143.1"
  },
  "devDependencies": {
    "@types/jest": "^29.0.0"
  },
  "packageManager": "pnpm@9.1.4+sha512.9df9cf27c91715646c7d675d1c9c8e41f6fce88246f1318c1aa6a1ed1aeb3c4f032fcdf4ba63cc69c4fe6d634279176b5358727d8f2cc1e65b65f43ce2f8bfb0"
}
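The behaviour the report contrasts (pnpm asking a single registry and failing, versus the expected "check every configured registry and take the latest match") as an added example; this is not code from the issue or from dependabot-core. The `SAMPLE` packuments are constructed to mirror the report (npmjs has 29.5.12, npm.pkg.github.com stops short of 29.0.0), only caret ranges are implemented, and `fetch_packument` assumes the standard npm packument endpoint `GET <registry>/<name>` with a Bearer token.

```python
"""Which configured npm registries can satisfy a semver range?
Added example (not from the issue or dependabot-core): models the expectation
'check all registries, take the latest match' vs. 'ask one registry, fail'."""
import json
import re
import urllib.request

_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")

def parse(version):
    """'29.5.12' -> (29, 5, 12); None for prereleases or non-semver strings."""
    m = _VER.match(version)
    return tuple(int(x) for x in m.groups()) if m else None

def caret_ok(version, rng):
    """True if version satisfies a ^major.minor.patch range (caret only)."""
    v, base = parse(version), parse(rng.lstrip("^"))
    if v is None or base is None:
        return False
    if base[0] != 0:
        return v[0] == base[0] and v >= base
    return v[:2] == base[:2] and v >= base  # ^0.x.y also pins the minor

def best_match(packument, rng):
    """Latest version in one registry's packument that satisfies rng, or None."""
    ok = [v for v in packument.get("versions", {}) if caret_ok(v, rng)]
    return max(ok, key=parse) if ok else None

def resolve(packuments, rng):
    """Per-registry best match, plus the overall latest across all registries."""
    per = {url: best_match(p, rng) for url, p in packuments.items()}
    found = [v for v in per.values() if v]
    return per, (max(found, key=parse) if found else None)

def fetch_packument(registry, name, token=None):
    """GET <registry>/<name> (scoped '/' escaped as %2F), optional Bearer token."""
    req = urllib.request.Request(f"{registry.rstrip('/')}/{name.replace('/', '%2F')}")
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    with urllib.request.urlopen(req, timeout=20) as r:
        return json.load(r)

# Constructed packuments standing in for the two registries in the issue.
SAMPLE = {
    "https://registry.npmjs.org": {"versions": {"28.1.8": {}, "29.0.0": {}, "29.5.12": {}}},
    "https://npm.pkg.github.com": {"versions": {"28.1.8": {}}},
}

if __name__ == "__main__":
    per, overall = resolve(SAMPLE, "^29.0.0")
    for url, v in per.items():
        print(f"{url}: {v or 'NO MATCHING VERSION'}")  # GitHub Packages: no match
    print("latest across all registries:", overall)      # 29.5.12
```

Replacing `SAMPLE` with real packuments from `fetch_packument` (the GitHub Packages registry needs a token) shows which registry is actually missing the version before Dependabot is pointed at it.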