Dependabot-core: Auto maintenance of package-lock.json

Created on 27 Apr 2018 · 8 Comments · Source: dependabot/dependabot-core

_From @ybiquitous on March 29, 2018 7:49_

Hi.

Running the npm install command after merging several pull requests may cause package-lock.json to be updated.

For example, this is a diff in a pull request to bump the @types/react package.

package-lock.json:

       }
     },
     "@types/history": {
       "version": "3.2.2",
       "resolved": "https://registry.npmjs.org/@types/history/-/history-3.2.2.tgz",
       "integrity": "sha512-DMvBzeA2dp1uZZftXkoqPC4TrdHlyuuTabCOxHY6EAKOJRMaPVu8b6lvX0QxEGKZq3cK/h3JCSxgfKmbDOYmRw=="
     },
     "@types/jest": {
       "version": "22.2.2",
       "resolved": "https://registry.npmjs.org/@types/jest/-/jest-22.2.2.tgz",
       "integrity": "sha512-Dt7aifQmvMPTLVimzvfQ99qUn4zeSDCQarFNV4otfDLYu0RFdSRBnqSLgksoAnsRL88xJ/UBKbd66iP2XIab0w=="
     },
     "@types/jquery": {
       "version": "2.0.49",
       "resolved": "https://registry.npmjs.org/@types/jquery/-/jquery-2.0.49.tgz",
       "integrity": "sha512-/9xLnYmohN/vD2gDnLS4cym8TUmrJu7DvZa/LELKzZjdPsvWVJiedsdu2SXNtb/DA7FGimqL2g0IoyhbNKLl8g=="
     },
     "@types/node": {
       "version": "9.4.0",
       "resolved": "https://registry.npmjs.org/@types/node/-/node-9.4.0.tgz",
       "integrity": "sha512-zkYho6/4wZyX6o9UQ8rd0ReEaiEYNNCqYFIAACe2Tf9DrYlgzWW27OigYHnnztnnZQwVRpwWmZKegFmDpinIsA=="
     },
     "@types/react": {
-      "version": "15.6.14",
-      "resolved": "https://registry.npmjs.org/@types/react/-/react-15.6.14.tgz",
-      "integrity": "sha512-k6YJBmHfzkCtk3iT6aN2hclkPYL2fxlSc3dW//G2kENlmMJ/V+pKhqsHdJJeVluIi1bA296cCLLGATLm7WXToQ=="
+      "version": "15.6.15",
+      "resolved": "https://registry.npmjs.org/@types/react/-/react-15.6.15.tgz",
+      "integrity": "sha512-LOHbyeKRNYLEotniN3DlRGrpXorXupvFSbKrNzc9dZ87uL+IJDbGYVerxKaG1jbnhuc7RhEWxlNmUVtYm3mtNg=="
     },
     "@types/react-addons-css-transition-group": {
       "version": "15.0.4",
       "resolved": "https://registry.npmjs.org/@types/react-addons-css-transition-group/-/react-addons-css-transition-group-15.0.4.tgz",
       "integrity": "sha512-EuXs9guHCwGZ13LJrh4i+mXjFINhgw9c8zDS4GLOIUtSGl9YPnRSGW2Po7p0M8X1SUvfwJMcihTgDLyztoJZvA==",
       "requires": {
         "@types/react": "15.6.14",
         "@types/react-addons-transition-group": "15.0.2"
       }
     },
     "@types/react-addons-transition-group": {
       "version": "15.0.2",
       "resolved": "https://registry.npmjs.org/@types/react-addons-transition-group/-/react-addons-transition-group-15.0.2.tgz",
       "integrity": "sha512-dMYJX0sVHKrzb279jUZF5Xb3Aaw4eyC19LdB30TPVc6KaFz3dxBkKMy6VHB3MfhqlgHiHO6GWcr2B3JezEkcrw==",
       "requires": {
         "@types/react": "15.6.14"
       }
     },
     "@types/react-dom": {
       "version": "15.5.7",
       "resolved": "https://registry.npmjs.org/@types/react-dom/-/react-dom-15.5.7.tgz",
       "integrity": "sha512-XGLjgNtPnBuO1cITYWZAk4KbH0UEDqMg2kuG3xx0UgnrcSd6ijO57Fp9rimmrDKcBnx3b2vFQuEYRXu2GihRYQ==",
"requires": {
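Review bot: the bump leaves the lockfile internally inconsistent. The `@types/react` entry moves to 15.6.15 (and `version`, `resolved` and `integrity` change together, which is right), but the `requires` maps of `@types/react-addons-css-transition-group` and `@types/react-addons-transition-group` still pin `"@types/react": "15.6.14"`. In an exact-version lockfile every `requires` entry should match the version locked in scope, so a PR that rewrites a package's `version` should also rewrite the `requires` entries that point at it; otherwise the next `npm install` produces exactly the follow-up churn shown after this diff.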

Then, after running npm install:

       "integrity": "sha512-spu+IYTIxDaaRBP12eYCpFJNQwtANX1ZxxXLk8SaCVjZnNUaIPtY7ek6ATdn5GykIf/E7L2lWnC3gQUl5b8kpQ==",
       "requires": {
         "@types/cheerio": "0.22.7",
-        "@types/react": "15.6.14"
+        "@types/react": "15.6.15"
       }
     },
     "@types/enzyme-adapter-react-15": {
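Review bot: this and the following `requires` hunks belong in the bump PR itself rather than in a follow-up: only the pinned `@types/react` version changes, from 15.6.14 to 15.6.15, while `version`, `resolved` and `integrity` of each dependent stay untouched. That is the deterministic consequence of the top-level bump, not a new dependency change, so the bot can compute it from the lockfile alone and fold it into the same commit.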
@@ -123,7 +123,7 @@
       "resolved": "https://registry.npmjs.org/@types/react-addons-css-transition-group/-/react-addons-css-transition-group-15.0.4.tgz",
       "integrity": "sha512-EuXs9guHCwGZ13LJrh4i+mXjFINhgw9c8zDS4GLOIUtSGl9YPnRSGW2Po7p0M8X1SUvfwJMcihTgDLyztoJZvA==",
       "requires": {
-        "@types/react": "15.6.14",
+        "@types/react": "15.6.15",
         "@types/react-addons-transition-group": "15.0.2"
       }
     },
@@ -132,23 +132,23 @@
       "resolved": "https://registry.npmjs.org/@types/react-addons-transition-group/-/react-addons-transition-group-15.0.2.tgz",
       "integrity": "sha512-dMYJX0sVHKrzb279jUZF5Xb3Aaw4eyC19LdB30TPVc6KaFz3dxBkKMy6VHB3MfhqlgHiHO6GWcr2B3JezEkcrw==",
       "requires": {
-        "@types/react": "15.6.14"
+        "@types/react": "15.6.15"
       }
     },
     "@types/react-dom": {
       "version": "15.5.7",
       "resolved": "https://registry.npmjs.org/@types/react-dom/-/react-dom-15.5.7.tgz",
       "integrity": "sha512-XGLjgNtPnBuO1cITYWZAk4KbH0UEDqMg2kuG3xx0UgnrcSd6ijO57Fp9rimmrDKcBnx3b2vFQuEYRXu2GihRYQ==",
       "requires": {
-        "@types/react": "15.6.14"
+        "@types/react": "15.6.15"
       }
     },
     "@types/react-redux": {
       "version": "4.4.47",
       "resolved": "https://registry.npmjs.org/@types/react-redux/-/react-redux-4.4.47.tgz",
       "integrity": "sha512-wyFTmLtEymHCjOmVVvsbNqJaGM9Q0x6sZTQfz4XkDj06P8Xe+ys9wKSQHx2Jt9J5Mi7HZnGcJaMFktn60sXluw==",
       "requires": {
-        "@types/react": "15.6.14",
+        "@types/react": "15.6.15",
         "redux": "3.7.2"
       }
     },
@@ -158,7 +158,7 @@
       "integrity": "sha512-wEnsWwUL5fMWO3txfkh2Js3rIObaDdEcOu6hdVRYz7YXzIG9P89jG5R8PVTiH7lXSyo6+/OamNHWPHtgkB9mhg==",
       "requires": {
         "@types/history": "3.2.2",
-        "@types/react": "15.6.14"
+        "@types/react": "15.6.15"
       }
     },
     "@types/react-router-redux": {
@@ -8061,7 +8061,8 @@
     "nan": {
       "version": "2.8.0",
       "resolved": "https://registry.npmjs.org/nan/-/nan-2.8.0.tgz",
-      "integrity": "sha1-7XFfP+neArV6XmJS2QqWZ14fCFo="
+      "integrity": "sha1-7XFfP+neArV6XmJS2QqWZ14fCFo=",
+      "optional": true
     },
     "nanomatch": {
       "version": "1.2.7",
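Review bot: the `"optional": true` added to `nan` is unrelated to the `@types/react` bump and should be reviewed separately: it only records that `nan` is reached through an optional dependency, and it is the class of change the later comment about "optional" flags asks about. Note also that `nan` carries only a `sha1-` integrity hash while every other entry in this diff has `sha512-`; sha1 is a weak algorithm for an integrity check, so it is worth confirming whether the registry offers a sha512 hash for this tarball and re-locking it if so.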

Can such package-lock.json updates be made automatically by dependabot?

For example, always run npm install after merging, then open a pull request if there are updates.

Thanks.

_Copied from original issue: dependabot/feedback#113_
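The request above amounts to a lockfile-drift check: after a bump lands, does `npm install` still want to rewrite package-lock.json? The two kinds of rewrite visible in the diffs (a `requires` entry pinning a version other than the one locked in scope, and an entry whose `integrity` is missing or only sha1) can be detected offline without running npm. The following Node script is an added example written for this page; it is not the issue author's code and not part of dependabot-core. It understands only `lockfileVersion` 1 (the format npm 5 wrote). The `@types/react`, `@types/react-dom` and `nan` entries in the sample are copied from the diff above; `legacy-widget`, its URL and its nested copy of `@types/react@15.6.14` are a constructed hypothetical entry used to show npm-style nearest-scope resolution.

```javascript
'use strict';
// Added example, not code from the issue or from dependabot-core: an offline
// consistency audit for an npm lockfileVersion 1 package-lock.json. It flags
//  - stale-require: a "requires" entry pins a version other than the one locked
//    in scope (what the issue shows for @types/react 15.6.14 vs 15.6.15),
//  - missing-integrity / weak-integrity: no "integrity", or no sha256+ hash,
//  - non-https-resolved: a "resolved" URL that is not https.
// Run it in CI after a bot PR lands: a non-empty report means the next
// `npm install` will rewrite the lockfile.

const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;
const STRONG_HASH = /^sha(256|384|512)-/;

// Depth-first walk over the "dependencies" tree. `ancestors` holds the
// dependency maps from the root down to the map containing the current node,
// so `scopes` lists, innermost first, where npm would look up a required name:
// the node's own nested node_modules, then each enclosing level, then the root.
function* walk(deps, path = [], ancestors = []) {
  const chain = [...ancestors, deps];
  for (const [name, node] of Object.entries(deps)) {
    const here = [...path, name];
    yield { node, path: here, scopes: [node.dependencies || {}, ...[...chain].reverse()] };
    if (node.dependencies) yield* walk(node.dependencies, here, chain);
  }
}

function resolveInScope(name, scopes) {
  for (const deps of scopes) if (deps[name]) return deps[name];
  return undefined;
}

// SRI allows several space-separated hashes; accept the entry if any is strong.
function hasStrongIntegrity(integrity) {
  return integrity.split(/\s+/).some((h) => STRONG_HASH.test(h));
}

function auditLockfile(lock) {
  const findings = [];
  if (lock.lockfileVersion !== 1) {
    findings.push({ kind: 'unsupported', path: '', detail: `lockfileVersion ${lock.lockfileVersion}` });
    return findings;
  }
  for (const { node, path, scopes } of walk(lock.dependencies || {})) {
    const where = path.join(' > ');
    if (!node.integrity) {
      findings.push({ kind: 'missing-integrity', path: where, detail: '' });
    } else if (!hasStrongIntegrity(node.integrity)) {
      findings.push({ kind: 'weak-integrity', path: where, detail: node.integrity });
    }
    if (node.resolved && !node.resolved.startsWith('https://')) {
      findings.push({ kind: 'non-https-resolved', path: where, detail: node.resolved });
    }
    for (const [reqName, reqVersion] of Object.entries(node.requires || {})) {
      const target = resolveInScope(reqName, scopes);
      if (!target) {
        findings.push({ kind: 'unresolvable-require', path: where, detail: `${reqName}@${reqVersion}` });
      } else if (EXACT_VERSION.test(reqVersion) && target.version !== reqVersion) {
        // npm 6 may write ranges here; only exact pins are compared.
        findings.push({ kind: 'stale-require', path: where,
          detail: `requires ${reqName}@${reqVersion} but ${target.version} is locked` });
      }
    }
  }
  return findings;
}

// Constructed sample modelled on the diff in the issue. The @types/react,
// @types/react-dom and nan entries copy the values shown there; "legacy-widget"
// and its URL are hypothetical, added to show nearest-scope resolution of a
// nested @types/react@15.6.14.
const SAMPLE_LOCK = {
  name: 'sample', version: '1.0.0', lockfileVersion: 1, requires: true,
  dependencies: {
    '@types/react': { version: '15.6.15',
      resolved: 'https://registry.npmjs.org/@types/react/-/react-15.6.15.tgz',
      integrity: 'sha512-LOHbyeKRNYLEotniN3DlRGrpXorXupvFSbKrNzc9dZ87uL+IJDbGYVerxKaG1jbnhuc7RhEWxlNmUVtYm3mtNg==' },
    '@types/react-dom': { version: '15.5.7',
      resolved: 'https://registry.npmjs.org/@types/react-dom/-/react-dom-15.5.7.tgz',
      integrity: 'sha512-XGLjgNtPnBuO1cITYWZAk4KbH0UEDqMg2kuG3xx0UgnrcSd6ijO57Fp9rimmrDKcBnx3b2vFQuEYRXu2GihRYQ==',
      requires: { '@types/react': '15.6.14' } },   // stale: 15.6.15 is locked above
    'legacy-widget': { version: '1.0.0',           // hypothetical; no integrity field
      resolved: 'https://registry.npmjs.org/legacy-widget/-/legacy-widget-1.0.0.tgz',
      requires: { '@types/react': '15.6.14' },     // satisfied by the nested copy
      dependencies: {
        '@types/react': { version: '15.6.14',
          resolved: 'https://registry.npmjs.org/@types/react/-/react-15.6.14.tgz',
          integrity: 'sha512-k6YJBmHfzkCtk3iT6aN2hclkPYL2fxlSc3dW//G2kENlmMJ/V+pKhqsHdJJeVluIi1bA296cCLLGATLm7WXToQ==' } } },
    nan: { version: '2.8.0',
      resolved: 'https://registry.npmjs.org/nan/-/nan-2.8.0.tgz',
      integrity: 'sha1-7XFfP+neArV6XmJS2QqWZ14fCFo=', optional: true },
  },
};

// Usage: node audit-lock.js [path/to/package-lock.json]; without an argument the
// constructed sample is audited. Exits 1 on findings only when a file was given.
if (typeof require !== 'undefined' && require.main === module) {
  const file = process.argv[2];
  const lock = file ? JSON.parse(require('fs').readFileSync(file, 'utf8')) : SAMPLE_LOCK;
  const report = auditLockfile(lock);
  for (const f of report) console.log(`${f.kind}\t${f.path}\t${f.detail}`);
  if (file) process.exitCode = report.length ? 1 : 0;
}
```

On the sample this reports a stale `requires` on `@types/react-dom`, a missing integrity on `legacy-widget` and a weak (sha1) integrity on `nan`, while the nested `@types/react@15.6.14` under `legacy-widget` is correctly accepted because it is the nearest copy in scope. Range-style `requires` values, which later npm 6 lockfiles contain, are deliberately not evaluated; a semver library would be needed for that.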

All 8 comments

Thanks for the heads up - I'll take a look. Which version of npm are you running?

_From @ybiquitous on March 29, 2018 7:52_

Versions:

  • npm: 5.8.0
  • node: 9.10.0

Thanks for the quick response!

👍, and don't thank me until I've fixed it! 😉

I think this should now be fixed 🎉. Please let me know if you see it again, though.

_From @ybiquitous on March 30, 2018 2:8_

Thank you very much! 😄 👍

Howdy. I see that sometimes dependabot commits a lock file that changes when run locally or in CI. E.g. the addition of "optional" flags. Do you know where those come from / how we can keep our lock file moving less?

@michaelglass - looks like this is the same issue as https://github.com/dependabot/feedback/issues/197, so let's move the discussion there.

The tl;dr, however, is that I think this is an npm bug, and I'm not sure there's much we can do about it in Dependabot 😩

Is there a way to disable the "Update package-lock.json with dependabot" feature? Pull requests that only update the package-lock, like this: https://github.com/ccnmtl/astro-simulations/pull/649/files aren't useful to me.
