ERR_PNPM_NO_MATCHING_VERSION after adding private registry
hanseartic opened this issue · comments
Is there an existing issue for this?
- I have searched the existing issues
Package ecosystem
npm
Package manager version
pnpm 9.1.4
Language version
Node.js 20.x
Manifest location and content before the Dependabot update
/package.json
/pnpm-lock.json
dependabot.yml content
version: 2
registries:
  npm-npmjs:
    type: npm-registry
    url: https://registry.npmjs.org
    token: ${{ secrets.NPM_TOKEN }}
  npm-github:
    type: npm-registry
    url: https://npm.pkg.github.com
    token: ${{ secrets.NPM_GH_TOKEN }}
updates:
  - package-ecosystem: "npm"
    directory: "/"
    registries:
      - npm-npmjs
      - npm-github
    schedule:
      interval: "weekly"
Updated dependency
@types/jest: @29.0.0 ➡️ @29.5.12 fails with ERR_PNPM_NO_MATCHING_VERSION No matching version found for @types/jest@29.0.0 after npm.pkg.github.com is configured as (additional) registry for dependabot
What you expected to see, versus what you actually saw
The dependencies originally have been added to the project with npm from npmjs.org's registry. Hence the base-URLs point to npmjs.org's registry.
Later in the project we switched to pnpm and Dependabot was still able to update the versions.
After adding another dependency that is only available as a private package we needed to switch to private registry configuration.
As it turned out npm.pkg.github.com does not have the latest version (that was fetched from registry.npmjs.org) of @types/jest.
Expected
As two registries are configured in the dependabot file I would expect that both of the registries are checked and the latest matching version is installed / created a PR for
What happened instead
Native package manager behavior
npm can successfully create a PR but it seems to ignore the configured registry (npm.pkg.github.com).
See this job's
{
  "job": {
    "allowed-updates": [
      {
        "dependency-type": "direct",
        "update-type": "all"
      }
    ],
    "commit-message-options": {
      "include-scope": null,
      "prefix": null,
      "prefix-development": null
    },
    "credentials-metadata": [
      {
        "registry": "npm.pkg.github.com",
        "type": "npm_registry"
      },
      {
        "host": "github.com",
        "type": "git_source"
      }
    ],
    "debug": null,
    "dependencies": null,
    "dependency-group-to-refresh": null,
    "dependency-groups": [],
    "existing-group-pull-requests": [],
    "existing-pull-requests": [
      [
        {
          "dependency-name": "aws-cdk-lib",
          "dependency-version": "2.144.0"
        }
      ]
    ],
    "experiments": {
      "dependency-change-validation": true,
      "proxy-cached": true,
      "record-ecosystem-versions": true,
      "record-update-job-unknown-error": true
    },
    "ignore-conditions": [],
    "lockfile-only": false,
    "max-updater-run-time": 2700,
    "package-manager": "npm_and_yarn",
    "proxy-log-response-body-on-auth-failure": true,
    "reject-external-code": false,
    "repo-private": false,
    "requirements-update-strategy": null,
    "security-advisories": [],
    "security-updates-only": false,
    "source": {
      "api-endpoint": "https://api.github.com/",
      "branch": "gh",
      "directory": "/npm",
      "hostname": "github.com",
      "provider": "github",
      "repo": "hanseartic/dependabot_fails_on_additional_private_registry"
    },
    "update-subdependencies": false,
    "updating-a-pull-request": false,
    "vendor-dependencies": false
  }
}
It seems the replaces-base setting in dependabot.yml is ignored and the base-URLs from package-lock.json are used.
When invoking locally with --registry https://npm.pkg.github.com flag the dependencies can't be updated either:
npm ERR! code ETARGET
npm ERR! notarget No matching version found for @types/jest@^29.0.0.
npm ERR! notarget In most cases you or one of your dependencies are requesting
npm ERR! notarget a package version that doesn't exist.
Images of the diff or a link to the PR, issue, or logs
I created a demo-repo to showcase how the pnpm command failed updating the dependencies. See the logs here: https://github.com/hanseartic/dependabot_fails_on_additional_private_registry/network/updates
Smallest manifest that reproduces the issue
{
  "dependencies": {
    "aws-cdk-lib": "^2.143.1"
  },
  "devDependencies": {
    "@types/jest": "^29.0.0"
  },
  "packageManager": "pnpm@9.1.4+sha512.9df9cf27c91715646c7d675d1c9c8e41f6fce88246f1318c1aa6a1ed1aeb3c4f032fcdf4ba63cc69c4fe6d634279176b5358727d8f2cc1e65b65f43ce2f8bfb0"
}
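
To see which registry each locked package is pinned to, the `resolved` URLs in a package-lock.json can be compared with the registry hosts an update job has credentials for. The following is an added example, not part of the original issue or Dependabot's code; the sample lockfile is constructed and `@example-org/private-lib` is a hypothetical package name.

```javascript
'use strict';

// Constructed sample in package-lock.json v3 layout (not taken from the demo repo).
// "@example-org/private-lib" and its download URL are hypothetical.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo' },
    'node_modules/@types/jest': {
      version: '29.5.12',
      resolved: 'https://registry.npmjs.org/@types/jest/-/jest-29.5.12.tgz',
    },
    'node_modules/aws-cdk-lib': {
      version: '2.144.0',
      resolved: 'https://registry.npmjs.org/aws-cdk-lib/-/aws-cdk-lib-2.144.0.tgz',
    },
    'node_modules/@example-org/private-lib': {
      version: '1.0.0',
      resolved: 'https://npm.pkg.github.com/download/@example-org/private-lib/1.0.0/constructed',
    },
    'node_modules/local-link': { resolved: 'packages/local-link', link: true },
  },
};

// Group locked packages by the host in their "resolved" URL and list those
// pinned to a host that is not among the configured registry hosts.
function auditResolvedHosts(lock, configuredHosts) {
  const allowed = new Set(configuredHosts.map((h) => h.toLowerCase()));
  const byHost = {};
  const unexpected = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // Skip the root project, workspace links and entries without a URL.
    if (path === '' || entry.link || typeof entry.resolved !== 'string') continue;
    const i = path.lastIndexOf('node_modules/');
    const name = i === -1 ? path : path.slice(i + 'node_modules/'.length);
    let host;
    try {
      host = new URL(entry.resolved).host.toLowerCase();
    } catch {
      host = '(not a URL)'; // e.g. a relative file path
    }
    (byHost[host] ||= []).push(name);
    if (!allowed.has(host)) unexpected.push({ name, host });
  }
  return { byHost, unexpected };
}

// Only npm.pkg.github.com configured, as in the job's credentials-metadata above.
console.log(auditResolvedHosts(sampleLock, ['npm.pkg.github.com']).unexpected);
```
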