Dependabot claims that it does not support PNPM v9.11.0 #11124

Open
1 task done
yeikel opened this issue Dec 13, 2024 · 9 comments
Labels
L: javascript T: bug 🐞 Something isn't working

Comments

@yeikel
Contributor

yeikel commented Dec 13, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Package ecosystem

pnpm

Package manager version

v9.11.0

Language version

18

Manifest location and content before the Dependabot update

https://github.com/yeikel/kafka-ui/blob/dcb5d6edf6c3e1cf47a404f6f67be573de82b97f/frontend/package.json

dependabot.yml content

- package-ecosystem: npm
  directory: "/frontend"
  schedule:
    interval: weekly
    time: "10:00"
    timezone: Europe/London
  reviewers:
    - "kafbat/frontend"
  open-pull-requests-limit: 10
  versioning-strategy: increase-if-necessary
  labels:
    - "type/dependencies"
    - "scope/frontend"

Updated dependency

No response

What you expected to see, versus what you actually saw

Dependabot should be able to support within the minor versions of 9.x as per the code and the docs

PNPM_V9 = "9"
SUPPORTED_VERSIONS = T.let([
  Version.new(PNPM_V7),
  Version.new(PNPM_V8),
  Version.new(PNPM_V9)
].freeze, T::Array[Dependabot::Version])

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

updater | 2024/12/13 04:03:05 INFO <job_932155108> Updating @testing-library/react from 14.3.1 to 16.1.0
proxy | 2024/12/13 04:03:06 [783] POST /update_jobs/932155108/record_update_job_error
2024/12/13 04:03:06 [783] 204 /update_jobs/932155108/record_update_job_error
updater | 2024/12/13 04:03:06 INFO <job_932155108> Handled error whilst updating @testing-library/react: tool_version_not_supported {:"tool-name"=>"pnpm", :"detected-version"=>"v9.11.0", :"supported-versions"=>"9.15.0"}
proxy | 2024/12/13 04:03:06 [785] POST /update_jobs/932155108/record_ecosystem_meta

Smallest manifest that reproduces the issue

{
  "name": "simple-unblocker-server",
  "private": true,
  "version": "0.0.0",
  "dependencies": {
    "react": "18.3.0"
  },
  "engines": {
    "node": "18.17.1",
    "pnpm": "9.11.0"
  }
}

yeikel added the "T: bug 🐞 Something isn't working" label Dec 13, 2024
yeikel changed the title from "Dependabot claims that it does not support PNPM 'v9.11.0'" to "Dependabot claims that it does not support PNPM v9.11.0" Dec 13, 2024

@yeikel
Contributor Author

yeikel commented Dec 13, 2024

After taking a closer look at the error, this seems to be because the engines field is invalid. It should not have the v

yeikel closed this as not planned Dec 13, 2024
yeikel reopened this Dec 13, 2024

@yeikel
Contributor Author

yeikel commented Dec 13, 2024

Re-opening because after removing the v the issue still happens

updater | 2024/12/13 06:02:04 INFO <job_932200746> Handled error whilst updating react: tool_version_not_supported {:"tool-name"=>"pnpm", :"detected-version"=>"9.11.0", :"supported-versions"=>"9.15.0"}

@yeikel
Contributor Author

yeikel commented Dec 13, 2024

@jeffwidman What do you think of this one? The docs suggest that all versions within v9 should be supported

If you consider this a valid issue, I can take a look

@jeffwidman
Member

I honestly don't know... If we had all the time in the world, of course we'd want to support this, but there's many other things worth solving too so I'm not sure the value is there.

Is it common for people to pin their pnpm version within engines? Can that be pinned as a range?
Also, is this an "engines strict" sort of problem where it can be relaxed to say "prefer this version, but otherwise you can use any version"?

cc @JamieMagee who may know more...

@JamieMagee
Contributor

Taking a quick look, I think this might be an exception we're catching from pnpm

def raise_unsupported_platform_error(error_message, _pnpm_lock)
  unless error_message.match(PLATFORM_PACAKGE_DEP) &&
         error_message.match(PLATFORM_VERSION_REQUIREMENT)
    return
  end

  supported_version = error_message.match(PLATFORM_VERSION_REQUIREMENT)
                                   .named_captures["supported_ver"]
                                   .then { sanitize_message(_1) }
  detected_version = error_message.match(PLATFORM_VERSION_REQUIREMENT)
                                  .named_captures["detected_ver"]
                                  .then { sanitize_message(_1) }

  Dependabot.logger.warn(error_message)
  raise Dependabot::ToolVersionNotSupported.new(PLATFORM_PACAKGE_MANAGER, supported_version, detected_version)
end

@yeikel could you try and set pnpm in engines to >=9.11.0 and see if that works?

@yeikel
Contributor Author

yeikel commented Dec 13, 2024

> I honestly don't know... If we had all the time in the world, of course we'd want to support this, but there's many other things worth solving too so I'm not sure the value is there.

I think that the confusion can be explained in two parts:

[image]

> Is it common for people to pin their pnpm version within engines?

I don't know.

It seems that enforcement via packageManager is more common and that does not seem to make dependabot fail because we are not using corepack yet.

updater | 2024/12/13 21:45:38 INFO <job_932573219> Processing engine constraints for pnpm
2024/12/13 21:45:38 INFO <job_932573219> No version requirement found for pnpm

> Also, is this an "engines strict" sort of problem where it can be relaxed to say "prefer this version, but otherwise you can use any version"?

No, it seems to be enforced strictly

Your pnpm version is incompatible with "D:\dev\dependabot-playground\pnpm".

Expected version: 9.11.0
Got: 9.15.0

This is happening because the package's manifest has an engines.pnpm field specified.
To fix this issue, install the required pnpm version globally.

For now, I think that we should leave this open and wait to see what we hear from pnpm/pnpm#8869

To me, when we say that we support v9, it should mean that we support any version of the range

@yeikel
Contributor Author

yeikel commented Dec 13, 2024

> @yeikel could you try and set pnpm in engines to >=9.11.0 and see if that works?

Yes, it does. pnpm seems to work as expected locally and in dependabot

The Dependabot logs are confusing though so it may be working accidentally

updater | 2024/12/13 22:22:11 INFO <job_932585229> Fetching version for package manager: pnpm
updater | 2024/12/13 22:22:11 INFO <job_932585229> Installed version of pnpm: 9.15.0
2024/12/13 22:22:11 INFO <job_932585229> Installed version for pnpm: 9.15.0
updater | 2024/12/13 22:22:11 INFO <job_932585229> Processing engine constraints for pnpm
updater | 2024/12/13 22:22:11 WARN <job_932585229> Unrecognized constraint format for pnpm: >=9.11.0
updater | 2024/12/13 22:22:11 INFO <job_932585229> Parsed constraints for pnpm: >=9.11.0
updater | 2024/12/13 22:22:11 INFO <job_932585229> Version requirement for pnpm: >= 9.11.0

@JamieMagee
Contributor

Yeah, I agree it's hard to tell from the logs exactly what's happening. But from reading the code, it looks like Dependabot will only log the tool_version_not_supported when pnpm throws an error itself. I think it might be overly restrictive with the version defined under engines.

@yeikel
Contributor Author

yeikel commented Dec 17, 2024

Yeah, so ultimately, it seems that this is a hard enforcement at pnpm that there is little we can do about right now.

Let's please leave this open until we hear back from pnpm/pnpm#8869
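
Added example, not part of the thread and not Dependabot's own code: a Ruby preflight check for the behaviour discussed above, where an exact engines.pnpm pin is rejected by a newer installed pnpm while a >= range is accepted. The function names and the regex are hypothetical, and Gem::Requirement is used as a stand-in for npm range syntax, so only exact versions and single comparators are handled.

```ruby
require "json"
require "rubygems"

# Hypothetical pattern for the pnpm message quoted in the thread
# ("Expected version: ... / Got: ..."); not Dependabot's own regex.
ENGINE_MISMATCH = /Expected version:\s*(?<expected>\S+)\s+Got:\s*(?<got>\S+)/

# pnpm output as quoted in the thread (project path replaced by a placeholder).
SAMPLE_ERROR = <<~MSG
  Your pnpm version is incompatible with "<project dir>".

  Expected version: 9.11.0
  Got: 9.15.0
MSG

# Returns { expected:, got: } parsed from pnpm's engine error text, or nil.
def parse_engine_mismatch(message)
  m = ENGINE_MISMATCH.match(message)
  m && { expected: m[:expected], got: m[:got] }
end

# Classifies engines.pnpm in a package.json string against the installed
# pnpm version. Assumption: Gem::Requirement approximates the constraint,
# so npm-only syntax (^, ||, a leading "v") is reported as :unparsed.
def check_engines_pnpm(manifest_json, installed)
  constraint = JSON.parse(manifest_json).dig("engines", "pnpm")
  return :no_constraint if constraint.nil?

  requirement = Gem::Requirement.new(constraint.strip)
  return :satisfied if requirement.satisfied_by?(Gem::Version.new(installed))

  # A bare version such as "9.11.0" is an exact pin: any other installed
  # release, including a newer 9.x, makes pnpm refuse to run.
  requirement.exact? ? :exact_pin_mismatch : :range_mismatch
rescue Gem::Requirement::BadRequirementError
  :unparsed
end

if __FILE__ == $PROGRAM_NAME
  puts parse_engine_mismatch(SAMPLE_ERROR).inspect
  ['{"engines":{"pnpm":"9.11.0"}}', '{"engines":{"pnpm":">=9.11.0"}}'].each do |m|
    puts "#{m} -> #{check_engines_pnpm(m, '9.15.0')}"
  end
end
```

Running such a check in CI before Dependabot does surfaces an exact pin as the cause, rather than the tool_version_not_supported error seen in the updater logs.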
