
Dependabot doesn't update to latest pre-release version #6741

Open
1 task done
jpaakko opened this issue Feb 27, 2023 · 6 comments
Labels
L: javascript:yarn npm packages via yarn T: bug 🐞 Something isn't working

Comments

@jpaakko

jpaakko commented Feb 27, 2023

Is there an existing issue for this?

  • I have searched the existing issues

Package ecosystem

Yarn (npm)

Package manager version

Yarn 1.22.19 (npm 8.19.3)

Language version

Node.js 18.12.1

Manifest location and content before the Dependabot update

  • /package.json
  • /yarn.lock

dependabot.yml content

No response

Updated dependency

Dependency: @myorg/react-scripts (the actual organization has been replaced in this example)
Version from: 5.0.0-fork.1.0.3
Version to: 5.0.1-fork.1.0.3

What you expected to see, versus what you actually saw

Background:

We've forked the create-react-app repository and have built a custom version of the react-scripts library. Thus, we've versioned the fork using the following pre-release version format: <upstream-version>-fork.<fork-version>. The version format adheres to the Semantic Versioning 2.0.0 specification, and based on its precedence rules 5.0.0-fork.1.0.3 < 5.0.1-fork.1.0.3.

Dependabot has previously updated successfully, e.g., from version 5.0.0-fork.1.0.2 to version 5.0.0-fork.1.0.3.

Here's a comment that seems to describe a similar problem: #2250 (comment)

Expected behavior:

Dependabot updates @myorg/react-scripts from version 5.0.0-fork.1.0.3 to version 5.0.1-fork.1.0.3.

Actual behavior:

Dependabot reports No update needed for @myorg/react-scripts 5.0.0-fork.1.0.3

Native package manager behavior

Running yarn upgrade-interactive --latest suggests updating @myorg/react-scripts from version 5.0.0-fork.1.0.3 to version 5.0.1-fork.1.0.3.

Images of the diff or a link to the PR, issue, or logs

Dependabot logs related to the dependency:

updater | INFO <job_613873872> Checking if @myorg/react-scripts 5.0.0-fork.1.0.3 needs updating
  proxy | 2023/02/26 04:21:47 [202] GET https://my-private-registry.org:443/repository/npm-hosted/@myorg%2Freact-scripts
  proxy | 2023/02/26 04:21:47 [202] * authenticating npm registry request (host: my-private-registry.org, basic auth)
  proxy | 2023/02/26 04:21:48 [202] 200 https://my-private-registry.org:443/repository/npm-hosted/@myorg%2Freact-scripts
  proxy | 2023/02/26 04:21:48 [204] GET https://my-private-registry.org:443/repository/npm-hosted/@myorg%2Freact-scripts/5.0.0-fork.1.0.3
  proxy | 2023/02/26 04:21:48 [204] * authenticating npm registry request (host: my-private-registry.org, basic auth)
  proxy | 2023/02/26 04:21:48 [204] 400 https://my-private-registry.org:443/repository/npm-hosted/@myorg%2Freact-scripts/5.0.0-fork.1.0.3
updater | INFO <job_613873872> Latest version is 5.0.0-fork.1.0.3
updater | INFO <job_613873872> No update needed for @myorg/react-scripts 5.0.0-fork.1.0.3

Smallest manifest that reproduces the issue

No response

@jpaakko jpaakko added the T: bug 🐞 Something isn't working label Feb 27, 2023
@deivid-rodriguez deivid-rodriguez added the L: javascript:yarn npm packages via yarn label Feb 27, 2023
@deivid-rodriguez
Contributor

Thanks for letting us know about this! Can you create a public repository that illustrates the problem?

@jpaakko
Author

jpaakko commented Feb 28, 2023

Sure, I'll try to set up an example that reproduces the problem in a public repository.

@jeffwidman
Member

  proxy | 2023/02/26 04:21:48 [204] GET https://my-private-registry.org:443/repository/npm-hosted/@myorg%2Freact-scripts/5.0.0-fork.1.0.3
  proxy | 2023/02/26 04:21:48 [204] * authenticating npm registry request (host: my-private-registry.org, basic auth)
  proxy | 2023/02/26 04:21:48 [204] 400 https://my-private-registry.org:443/repository/npm-hosted/@myorg%2Freact-scripts/5.0.0-fork.1.0.3

If I'm reading this right, that is returning a 400, which seems a bit surprising... it didn't seem to affect realizing the updated version string, so not the 🚬 🔫 , but still surprising...

@jpaakko
Author

jpaakko commented Mar 6, 2023

I set up an example package jpaakko/create-react-app-dependabot-test and a public repository jpaakko/dummy-dependabot-project that reproduce the problem.

The example package uses a similar versioning scheme as what we use in the private project where we originally stumbled upon the problem. To illustrate the problem, I published a couple of different versions of the example package to GitHub's package registry: https://github.com/jpaakko/create-react-app-dependabot-test/pkgs/npm/react-scripts.

As can be seen from this open Dependabot PR, Dependabot successfully managed to update from version 5.0.0-fork.1.0.0 to version 5.0.0-fork.1.0.1. I then published version 5.0.1-fork.1.0.1 which according to the semantic versioning specification is greater than 5.0.0-fork.1.0.1. Now, when I manually trigger Dependabot to check for updates, Dependabot logs the following:

updater | INFO <job_620229543> Checking if @jpaakko/react-scripts 5.0.0-fork.1.0.0 needs updating
  proxy | 2023/03/06 13:55:26 [028] GET https://npm.pkg.github.com:443/@jpaakko%2Freact-scripts
  proxy | 2023/03/06 13:55:26 [028] * authenticating npm registry request (host: npm.pkg.github.com, token auth)
  proxy | 2023/03/06 13:55:26 [028] 200 https://npm.pkg.github.com:443/@jpaakko%2Freact-scripts
  proxy | 2023/03/06 13:55:26 [030] GET https://npm.pkg.github.com:443/@jpaakko%2Freact-scripts/5.0.0-fork.1.0.1
  proxy | 2023/03/06 13:55:26 [030] * authenticating npm registry request (host: npm.pkg.github.com, token auth)
  proxy | 2023/03/06 13:55:26 [030] 405 https://npm.pkg.github.com:443/@jpaakko%2Freact-scripts/5.0.0-fork.1.0.1
updater | INFO <job_620229543> Latest version is 5.0.0-fork.1.0.1
updater | INFO <job_620229543> Pull request already exists for @jpaakko/react-scripts with latest version 5.0.0-fork.1.0.1

So, for some reason Dependabot concludes that the latest version is 5.0.0-fork.1.0.1. As a comparison, when I run yarn upgrade-interactive --latest @jpaakko/react-scripts on the command line for the dummy-dependabot-project repository, Yarn is correctly showing that @jpaakko/react-scripts can be updated and outputs:

yarn upgrade-interactive v1.22.19
info Color legend : 
 "<red>"    : Major Update backward-incompatible updates 
 "<yellow>" : Minor Update backward-compatible features 
 "<green>"  : Patch Update backward-compatible bug fixes
? Choose which packages to update. (Press <space> to select, <a> to toggle all, <i> to invert selection)
 devDependencies
   name                    range   from                 to                url
❯◯ @jpaakko/react-scripts  latest  5.0.0-fork.1.0.0  ❯  5.0.1-fork.1.0.1  https://github.com/jpaakko/create-react-app-dependabot-test.git
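The precedence that both the original report and the reproduction above rely on (5.0.0-fork.1.0.3 < 5.0.1-fork.1.0.3, and 5.0.0-fork.1.0.1 < 5.0.1-fork.1.0.1) can be checked with a small SemVer 2.0.0 comparator. This is an added example, not code from the issue, from Dependabot or from yarn; the latestVersion helper and the PUBLISHED list are constructed for illustration and assume that pre-releases are eligible update targets because the installed version is itself a pre-release.

```javascript
// Added example: SemVer 2.0.0 precedence for the <upstream>-fork.<fork-version> scheme.

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into its comparable parts.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v);
  if (!m) throw new Error(`not a valid SemVer string: ${v}`);
  return {
    core: [Number(m[1]), Number(m[2]), Number(m[3])],
    pre: m[4] ? m[4].split('.') : [], // empty array means a release version
  };
}

// One pre-release identifier against another (SemVer 2.0.0, item 11.4):
// numeric identifiers compare numerically and rank below alphanumeric ones.
function comparePreIdent(a, b) {
  const an = /^\d+$/.test(a), bn = /^\d+$/.test(b);
  if (an && bn) return Math.sign(Number(a) - Number(b));
  if (an !== bn) return an ? -1 : 1;
  return a < b ? -1 : a > b ? 1 : 0;
}

// Returns -1, 0 or 1 for a < b, a == b, a > b. Build metadata is ignored.
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa.core[i] !== pb.core[i]) return pa.core[i] < pb.core[i] ? -1 : 1;
  }
  // Same core version: a release outranks any pre-release of that core.
  if (pa.pre.length === 0 || pb.pre.length === 0) {
    return Math.sign(pb.pre.length - pa.pre.length);
  }
  // Both pre-releases: compare identifier by identifier, then by length.
  const n = Math.min(pa.pre.length, pb.pre.length);
  for (let i = 0; i < n; i++) {
    const c = comparePreIdent(pa.pre[i], pb.pre[i]);
    if (c !== 0) return c;
  }
  return Math.sign(pa.pre.length - pb.pre.length);
}

// Highest of the published versions, which is what the reporter expects an updater
// to pick (assumption: pre-releases are eligible since the installed one is one).
function latestVersion(versions) {
  return versions.reduce((best, v) => (compareSemver(v, best) > 0 ? v : best));
}

// Constructed sample mirroring the versions published in the reproduction.
const PUBLISHED = ['5.0.0-fork.1.0.0', '5.0.0-fork.1.0.1', '5.0.1-fork.1.0.1'];
```

An updater that stops at 5.0.0-fork.1.0.1 here leaves the project on the older upstream core and silently misses whatever fixes 5.0.1 carries, which is the security cost of the behaviour reported in this issue.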

@jpaakko
Author

jpaakko commented Mar 6, 2023

  proxy | 2023/02/26 04:21:48 [204] GET https://my-private-registry.org:443/repository/npm-hosted/@myorg%2Freact-scripts/5.0.0-fork.1.0.3
  proxy | 2023/02/26 04:21:48 [204] * authenticating npm registry request (host: my-private-registry.org, basic auth)
  proxy | 2023/02/26 04:21:48 [204] 400 https://my-private-registry.org:443/repository/npm-hosted/@myorg%2Freact-scripts/5.0.0-fork.1.0.3

If I'm reading this right, that is returning a 400, which seems a bit surprising... it didn't seem to affect realizing the updated version string, so not the smoking gun , but still surprising...

Good observation! As you said, this isn't related to this problem but is odd indeed. We use Nexus as our private npm package registry. I wonder whether the response could be caused by some kind of misconfiguration on our instance. We'll have to look into this.

@dreamorosi

We are seeing the same behavior with a different dependency, which is also a pre-release.

This is our Dependabot config:

version: 2
updates:
  - package-ecosystem: npm
    directories:
      - "/"
    labels: [ ]
    schedule:
      interval: daily
    versioning-strategy: increase
    ignore:
      - dependency-name: "@middy/core"
        update-types: [ "version-update:semver-major" ]
    groups:
      aws-sdk-v3:
        patterns:
        - "@aws-sdk/*"
        - "@smithy/*"
        - "aws-sdk-client-mock"
        - "aws-sdk-client-mock-jest"
      aws-cdk:
        patterns:
        - "@aws-cdk/cli-lib-alpha"
        - "aws-cdk-lib"
        - "aws-cdk"
      typedoc:
        patterns:
        - "typedoc"
        - "typedoc-plugin-*"

This config doesn't pick up the pre-release packages. Here are the Dependabot logs:

[screenshot of the Dependabot logs]

In all cases the @aws-cdk/cli-lib-alpha package is always left behind.

I am not familiar with the codebase at all, but looking at the tests, there seems to be one that says that this should not be happening and that tests pre-release updates explicitly:

context "when one of them is a pre-release" do
  let(:package_json_req_string) { "0.4.5" }
  let(:other_requirement_string) { "1.1.0-alpha.1" }

  context "when the version is new pre-release version" do
    let(:latest_resolvable_version) do
      Dependabot::NpmAndYarn::Version.new("1.1.0-alpha.1")
    end

    it "updates the non-prerelease requirement" do
      expect(updater.updated_requirements).to contain_exactly({
        file: "package.json",
        requirement: "1.1.0-alpha.1",
        groups: [],
        source: nil
      }, {
        file: "another/package.json",
        requirement: "1.1.0-alpha.1",
        groups: [],
        source: nil
      })
    end
  end
end

Also, this seems to be related to #10458
