Issues with aliased npm packages

[swissspidy]

We're currently facing issues where Dependabot is updating an unrelated dependency in the package-lock.json file and breaking its version number in the process. Thus, CI files because npm install / npm ci doesn't work anymore as it can't find that version.

Example commit from Dependabot: https://github.com/google/web-stories-wp/pull/318/files#diff-32607347f8126e6534ebc7ebaec4853dL19202-R19204

Current master branch with correct lock file: https://github.com/google/web-stories-wp/tree/0b8acb85ddbc3d5c90dba71cc9aac5ce1e34ae95

[feelepxyz]

@swissspidy 👋 this is a known issue and I've been sitting on this work in progress fix for quite a while: #1115

Would love to fix it but going to be a little while before we get to it. We're focused on integrating Dependabot Preview functionality natively within GitHub so we've had to pause on package manager improvements while we do this.

We're always open to contributions to dependabot-core: https://github.com/dependabot/dependabot-core

[swissspidy]

Heya, @feelepxyz thanks for shedding some light on this! That's good to know.

Do you perhaps have a recommended workaround? Just avoiding aliases wherever possible?

[feelepxyz]

Do you perhaps have a recommended workaround? Just avoiding aliases wherever possible?

Yep basically avoid where possible :(

[github-actions]

👋 This issue has been marked as stale because it has been open for 2 years with no activity. You can comment on the issue to hold stalebot off for a while, or do nothing. If you do nothing, this issue will be closed eventually by the stalebot. Please see CONTRIBUTING.md for more policy details.