Handle Misconfigured Dependabot for PNPM Workspaces #11487

Merged

@kbukum1 kbukum1 commented Feb 5, 2025

What are you trying to accomplish?

This PR ensures Dependabot correctly detects and prevents updates from inside PNPM workspace subdirectories when a workspace root update is already configured.

Why?

  • In PNPM workspaces, all dependencies should be updated from the root directory, where pnpm-workspace.yaml and pnpm-lock.yaml exist.
  • Customers sometimes misconfigure Dependabot by adding both root and subdirectory updates, which causes no change errors since the lockfile update is already handled at the root.
  • This PR raises a MisconfiguredTooling error when:
    1. pnpm-workspace.yaml exists in a parent directory (../pnpm-workspace.yaml)
    2. pnpm-lock.yaml exists in a parent directory (../pnpm-lock.yaml)
    3. The update process is executed from a subdirectory instead of the workspace root

What issues does this affect or fix?

This resolves incorrect Dependabot behavior where updates are attempted from workspace subdirectories instead of the root, causing no change errors.

Anything you want to highlight for special attention from reviewers?

  • The logic ensures that only cases where both pnpm-workspace.yaml and pnpm-lock.yaml are in a parent directory trigger an error.
  • Valid configurations where the entire workspace is inside a subdirectory (e.g., /some-project instead of /) will not raise errors.
  • If only one of pnpm-workspace.yaml or pnpm-lock.yaml is found in the parent directory, the update proceeds normally.

Proper Configuration:

If you are using PNPM workspaces, you should only define the root directory (/) in dependabot.yml. Dependabot will automatically update dependencies across all workspaces from there.

```yaml
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
      time: "09:00"
```

Misconfigured Dependabot:

If you define subdirectories (/client, /server, etc.) separately, Dependabot may attempt to run updates inside a workspace subdirectory, which is not supported and will trigger an error.

```yaml
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
      time: "09:00"
  - package-ecosystem: "npm"
    directory: "/client"
    schedule:
      interval: "weekly"
      day: "monday"
      time: "09:00"
  - package-ecosystem: "npm"
    directory: "/server"
    schedule:
      interval: "weekly"
      day: "monday"
      time: "09:00"
```

How will you know you've accomplished your goal?

  • Test cases confirm that workspace subdirectory updates trigger MisconfiguredTooling when both pnpm-workspace.yaml and pnpm-lock.yaml are in a parent directory.
  • Manual validation ensures that valid PNPM workspace configurations continue working as expected.
  • Running Dependabot in a correctly configured workspace does not raise errors.

Checklist

  • I have run the complete test suite to ensure all tests and linters pass.
  • I have thoroughly tested my code changes to ensure they work as expected, including adding additional tests for new functionality.
  • I have written clear and descriptive commit messages.
  • I have provided a detailed description of the changes in the pull request, including the problem it addresses, how it fixes the problem, and any relevant details about the implementation.
  • I have ensured that the code is well-documented and easy to understand.

@kbukum1 kbukum1 force-pushed the kamil/handle_miss_configured_dependabot_for_pnpm_workspaces branch from 34e340a to a2cdb5d Compare February 5, 2025 03:39
@kbukum1 kbukum1 marked this pull request as ready for review February 5, 2025 20:57
@kbukum1 kbukum1 requested a review from a team as a code owner February 5, 2025 20:57
@kbukum1 kbukum1 merged commit 1c98ed6 into main Feb 5, 2025
66 checks passed
@kbukum1 kbukum1 deleted the kamil/handle_miss_configured_dependabot_for_pnpm_workspaces branch February 5, 2025 22:00
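
The rule described in the PR above, written out as an added Ruby example for auditing a `dependabot.yml` before Dependabot runs; it is not code from this PR or from dependabot-core. The helper names, the repository file list and the trimmed config are constructed assumptions, and the check inspects only the immediate parent directory, as the PR description states.

```ruby
require "pathname"
require "yaml"

# Added illustration; helper names are hypothetical, not dependabot-core's API.
# `files` is a list of repo-absolute paths (constructed sample data below).

# True when both PNPM workspace files sit in the immediate parent (../) of
# `directory`, i.e. the update would run from a workspace subdirectory.
def workspace_subdirectory?(directory, files)
  dir = Pathname.new(File.join("/", directory.to_s)).cleanpath
  return false if dir.root? # "/" has no parent directory to inspect

  %w[pnpm-workspace.yaml pnpm-lock.yaml].all? do |name|
    files.include?(dir.parent.join(name).to_s)
  end
end

# Returns the npm update directories in a dependabot.yml that the rule rejects.
def misconfigured_directories(dependabot_yml, files)
  updates = YAML.safe_load(dependabot_yml).fetch("updates", [])
  updates.select { |u| u["package-ecosystem"] == "npm" }
         .map { |u| u["directory"] }
         .select { |d| workspace_subdirectory?(d, files) }
end

# Constructed repository layout: workspace root at "/".
REPO_FILES = %w[
  /pnpm-workspace.yaml /pnpm-lock.yaml /package.json
  /client/package.json /server/package.json
].freeze

# Constructed config: the misconfigured example, trimmed to the fields read here.
CONFIG = <<~CONFIG_YML
  version: 2
  updates:
    - package-ecosystem: "npm"
      directory: "/"
    - package-ecosystem: "npm"
      directory: "/client"
    - package-ecosystem: "npm"
      directory: "/server"
CONFIG_YML

misconfigured_directories(CONFIG, REPO_FILES).each do |dir|
  warn "#{dir}: inside a PNPM workspace, update from the workspace root instead"
end
```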