Renovate updates range in package-lock.json even though it was not updated in package.json #25847
Unanswered
pichlermarc asked this question in Request Help
Replies: 0 comments
How are you running Renovate?
Mend Renovate hosted app on github.com
If you're self-hosting Renovate, tell us what version of Renovate you run.
No response
If you're self-hosting Renovate, select which platform you are using.
None
Was this something which used to work for you, and then stopped?
I am trying to get this working for the first time
Describe the problem
Hi everyone,
thank you for working on this project!
Backstory
We're running forking-renovate on https://github.com/open-telemetry/opentelemetry-js-contrib, where we use npm workspaces. There, it can happen that we have multiple packages that depend on different ranges. As usual with npm workspaces, the package-lock.json is shared across all packages.
In open-telemetry/opentelemetry-js-contrib#1806 we've realized that for certain combinations, the range is updated in package-lock.json but not in the individual package's package.json. An example for this is renovate creating PRs for updating the patch versions. If there's a range ^1.0.0 it would not be updated in the package.json as the latest version would already be pulled in via a changed resolve in package-lock.json. This is as expected, renovate changes this resolve correctly, but what it also does is it updates the range in the package-lock.json.
This causes every npm install --package-lock-only after merging the renovate PR to modify the package-lock.json where the range is being reset to what it was in the package.json.
Minimal Reproducer
I've created a minimal reproducer to illustrate this behavior: https://github.com/pichlermarc-sample-organization/repro-1806
In this repository, we have two packages set up as follows:
pkg-a depends on "@types/sinon": "10.0.11"
pkg-b depends on "@types/sinon": "^10.0.11"
Both of these packages are referenced in the workspaces part of the top-level package.json
Renovate opens a PR (pichlermarc-sample-organization/repro-1806#6) to update @types/sinon to 10.0.20.
In doing so, it modifies pkg-b's dependency range of @types/sinon in the package-lock.json only from ^10.0.11 to ^10.0.20. The resolved version is also updated to 10.0.20, but the original range in package.json is not.
When this PR is merged, and one runs npm install --package-lock-only, one is left with the following diff:
It looks to me like renovate may unintentionally bump the dependency range in the package-lock.json, even though it is not necessary. Since the resolved version was already updated correctly the range could've been left as-is by renovate.
Relevant debug logs
I'm not sure what the relevant parts are - however, here's the full link to the logs in case it is useful: https://gist.github.com/pichlermarc/f0cf5de4ae2e800349e1ef30b8ed7963
Have you created a minimal reproduction repository?
I have linked to a minimal reproduction in the description above
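The mismatch described in the question can be caught before merge by comparing each workspace's package.json ranges with the ranges recorded for that workspace in package-lock.json. The following is an added example, not part of the original post and not Renovate or npm code; it assumes the lockfileVersion 2/3 layout in which `packages["<workspace dir>"]` mirrors the workspace's dependency fields, and the directory names, the `devDependencies` field and pkg-a's bumped pin in the sample are constructed.

```javascript
// Added example: flag workspace ranges in package-lock.json that differ from package.json.
// Assumes the lockfileVersion 2/3 layout, where lock.packages[<workspace dir>] mirrors
// the workspace's dependency fields.
const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];

// lock: parsed package-lock.json; manifests: { "<workspace dir>": parsed package.json }
function findRangeDrift(lock, manifests) {
  const drift = [];
  const packages = lock.packages || {};
  for (const [dir, manifest] of Object.entries(manifests)) {
    const entry = packages[dir];
    if (!entry) {
      // Workspace is not recorded in the lockfile at all.
      drift.push({ workspace: dir, field: null, name: null, manifest: null, lock: null });
      continue;
    }
    for (const field of DEP_FIELDS) {
      const declared = manifest[field] || {};
      const locked = entry[field] || {};
      const names = new Set([...Object.keys(declared), ...Object.keys(locked)]);
      for (const name of names) {
        if (declared[name] !== locked[name]) {
          drift.push({ workspace: dir, field, name,
            manifest: declared[name] ?? null, lock: locked[name] ?? null });
        }
      }
    }
  }
  return drift;
}

// Constructed sample modelled on the reproducer after the Renovate PR is merged.
// Directory names, the devDependencies field and pkg-a's bumped pin are assumptions.
const sampleManifests = {
  "pkg-a": { name: "pkg-a", devDependencies: { "@types/sinon": "10.0.20" } },
  "pkg-b": { name: "pkg-b", devDependencies: { "@types/sinon": "^10.0.11" } },
};
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "pkg-a": { name: "pkg-a", devDependencies: { "@types/sinon": "10.0.20" } },
    "pkg-b": { name: "pkg-b", devDependencies: { "@types/sinon": "^10.0.20" } },
    "node_modules/@types/sinon": { version: "10.0.20", dev: true },
  },
};

console.log(findRangeDrift(sampleLock, sampleManifests));
```

In CI, feed the function the parsed files from the checkout and fail the job when the returned list is non-empty, so a lockfile that does not match its manifests is never merged.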