New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
PNPM lockfileVersion reverted back from 9.0 to 6.0 #9684
Comments
The logic in the conditional statement is not great, and falls back to a default version of |
Tbh I don't see how this condition could provoke such bug 🤔 sig { params(pnpm_lock: DependencyFile).returns(Integer) }
def self.pnpm_version_numeric(pnpm_lock)
if pnpm_lockfile_version(pnpm_lock).to_f >= 9.0
9
elsif pnpm_lockfile_version(pnpm_lock).to_f >= 6.0
8
elsif pnpm_lockfile_version(pnpm_lock).to_f >= 5.4
7
else
6
end
end If In my case because my lockfileVersion ends up at |
The existing logic is bizarre. If the sig defines it as returning an Integer, why call This code has never been mentally processed, merely changed over and over again, and passed a CI. This is really sad to see. |
Additionally, if the parser can't parse a v9 lock file in the first place, then we shouldn't expect it to work. Perhaps it returns If there is no fixture for a v9 lock file in the test suite, then it is impossible that a test written to pass returning v9 is properly testing the code. |
If we have a look we can see that the method used to get the lockfileVersion is: def self.pnpm_lockfile_version(pnpm_lock)
pnpm_lock.content.match(/^lockfileVersion: ['"]?(?<version>[\d.]+)/)[:version]
end Which results in the proper version float number
First of all, in the same PR that you linked we can see that a test has been added to test parsing a v9 file so there's a fare chance that parsing the file works. Even if that was the case it wouldn't be the problem. You're confusing the When the Chill out man |
Same issue happening for me: #9682 |
I hear you, but... Dependabot is GitHub, and GitHub is Microsoft. They also own NPM, a competitor project of pnpm. I'd rather hold Microsoft Github's feet to the fire so they fix their products than do it for them for free. Microsoft funnels millions to anti-human causes. They claim to have stopped funding election deniers (1, 2), but after they thought scrutiny had passed, they started again (3 (page 5)). They also fund climate-change-deniers in the US, while their AI chatbot preaches conspiracy and election denialism... so the suggestion to help them freely is absurd to me, as is the idea of being "chill" about their "mistakes", and slow response to fix issues which are actively harming their competition (pnpm in this case). Happy to help them help them help themselves though. Dependabot is the only reason I still use GitHub for any private repos. I'll be happy to discard it if they don't fix this. |
From the rebase logs:
pnpm v9 seems to be used… though I’m seeing the same behavior: lockfile re-generated to v6. |
From my logs, what's using PNPM 8 is:
|
Yes: #9687 should fix that. |
It still does not use pnpm v9, for me I am getting pnpm v8 still, and additionally the outdated packages are not parsed properly (which I expect is because the format is different from v9).
The two listed are correctly identified as out of date packages, but it fails to identify the version? |
Is there an existing issue for this?
Package ecosystem
npm
Package manager version
PNPM v9
Language version
Node.js 20
dependabot.yml content
What you expected to see, versus what you actually saw
Since #9668 I assumed updating a package that relies on a 9.0 pnpm.lock.yaml file should just update the given file without issue.
Instead the lockfileVersion is reverted back to 6.0 which rewrites the whole lockfile from scratch
Images of the diff or a link to the PR, issue, or logs
wJoenn/vue-template#237
The text was updated successfully, but these errors were encountered: