Dependabot-core: npm - some dependencies are not updated

Created on 17 Jan 2020 · 2 Comments · Source: dependabot/dependabot-core

Probably linked to #1171

In my project, Dependabot is not updating some dependencies for an unknown reason.

Here are the deps without updates by dependabot in my root folder (list provided by npm-check-updates):

  • commitizen: ^4.0.0 → ^4.0.3
  • cz-customizable: ^6.0.0 → ^6.2.0
  • prettier: ^1.16.1 → ^1.19.1
  • ng-packagr: ^5.3.0 → ^5.7.1
  • release-it: ^12.2.2 → ^12.4.3
  • stylelint-config-prettier: ^7.0.0 → ^8.0.1
  • tslint: ^5.11.0 → ^5.20.1
  • tslint-config-prettier: ^1.17.0 → ^1.18.0
  • tslint-sonarts: ^1.8.0 → ^1.9.0

My project is https://github.com/NationalBankBelgium/stark
My dependabot config is the following one:

---
update_configs:
- automerged_updates:
  - match:
      update_type: in_range
      dependency_type: all
  commit_message:
    :prefix: chore
    :include_scope: true
  directory: "/"
  ignored_updates:
  - match:
      dependency_name: "@angular/*"
      version_requirement: ">= 8"
  - match:
      dependency_name: "@angular-devkit/build-ng-packagr"
      version_requirement: ">= 0.800"
  - match:
      dependency_name: "@compodoc/compodoc"
      version_requirement: ">= 0"
  - match:
      dependency_name: typescript
      version_requirement: ">= 0"
  - match:
      dependency_name: "@types/node"
      version_requirement: ">= 11"
  package_manager: javascript
  update_schedule: live

I already clicked multiple times on the "bump" button but no PR is created for those deps 😞

Thanks for your help 😊

All 2 comments

@SuperITMan :wave: this usually happens because some other dependencies are constraining the allowed versions preventing Dependabot from updating the dependency. I think npm-check-updates won't check resolvability and only checks the latest published versions on npm.

You can check the update logs from the latest bump to see what the updater says about different dependencies. You can find them from the Dependabot dashboard by clicking on the last updated time stamp, e.g. "last checked 4 hours ago".

Hey @feelepxyz!
Thanks for the explanation :blush:
I didn't notice there was an available log file. (that's really cool btw!)

About stylelint-config-prettier, I found the following log in dependabot:

updater | INFO <job_21160775> Checking if stylelint-config-prettier 7.0.0 needs updating
  proxy | 2020/01/22 05:07:30 GET https://registry.npmjs.org:443/stylelint-config-prettier
  proxy | 2020/01/22 05:07:30 200 https://registry.npmjs.org:443/stylelint-config-prettier
  proxy | 2020/01/22 05:07:30 GET https://registry.npmjs.org:443/stylelint-config-prettier
  proxy | 2020/01/22 05:07:30 200 https://registry.npmjs.org:443/stylelint-config-prettier
  proxy | 2020/01/22 05:07:31 GET https://registry.npmjs.org:443/stylelint-config-prettier/8.0.1
  proxy | 2020/01/22 05:07:31 200 https://registry.npmjs.org:443/stylelint-config-prettier/8.0.1
updater | INFO <job_21160775> Latest version is 8.0.1
updater | INFO <job_21160775> Requirements to unlock update_not_possible
updater | INFO <job_21160775> Requirements update strategy bump_versions
updater | INFO <job_21160775> No update possible for stylelint-config-prettier 7.0.0

Looking in the "package.json" of stylelint-config-prettier, I see the following peer dependency:

{
  "name": "stylelint-config-prettier",
  // ...
  "peerDependencies": {
    "stylelint": ">=11.0.0"
  }
}

I guess Dependabot does not propose an update for this because my project is still using stylelint 10.1.0 (see the open PR for this: https://github.com/NationalBankBelgium/stark/pull/1522)

This confirms what you think about npm-check-updates which only checks if an update is available without checking the compatibility.

PS: the README.md also confirms this:

Logic to check for the latest version of a dependency that's resolvable given a project's other dependencies

Thanks for your help, I now understand this great application better :blush:
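
The resolvability check discussed in this thread, as an added example that is not part of the original posts and is not Dependabot's code: it reports which peer constraints of a candidate release the project's installed versions fail, using a deliberately simplified semver matcher. The function names and the sample manifest are assumptions built from the values quoted above.

```javascript
// Added example, not Dependabot's code. Simplified semver: x.y.z only, no prerelease
// tags; partial versions are zero-filled, which is exact only for comparison operators.
const parse = (v) =>
  v.split(".").map((n) => parseInt(n, 10) || 0).concat([0, 0]).slice(0, 3);

const cmp = (a, b) => {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
};

// One comparator such as ">=11.0.0", "^5.20.1", "~1.2.3" or "7.0.0".
function matches(version, comparator) {
  const m = /^(>=|<=|>|<|\^|~|=)?v?(\d+(?:\.\d+){0,2})$/.exec(comparator);
  if (!m) throw new Error(`unsupported range: ${comparator}`);
  const op = m[1] || "=", want = parse(m[2]), got = parse(version);
  const c = cmp(got, want);
  if (op === "^" || op === "~") {
    // ~ pins major.minor; ^ pins everything up to the leftmost non-zero component.
    const first = want.findIndex((n) => n !== 0);
    const pinned = op === "~" ? 2 : (first === -1 ? 3 : first + 1);
    return c >= 0 && want.slice(0, pinned).every((n, i) => n === got[i]);
  }
  return { ">=": c >= 0, ">": c > 0, "<=": c <= 0, "<": c < 0, "=": c === 0 }[op];
}

// A range is "||"-separated alternatives, each a space-separated AND of comparators.
const satisfies = (version, range) =>
  range.split("||").some((alt) =>
    alt.trim().replace(/([<>=^~])\s+/g, "$1").split(/\s+/)
      .every((comparator) => matches(version, comparator)));

// Peer constraints of the candidate release that the project's installed versions
// do not meet. A peer that is not installed at all is reported with installed: null.
function blockingPeers(candidateManifest, installed) {
  return Object.entries(candidateManifest.peerDependencies || {})
    .filter(([name, range]) => !(name in installed) || !satisfies(installed[name], range))
    .map(([name, range]) => ({ name, range, installed: name in installed ? installed[name] : null }));
}

// Constructed inputs using the values quoted in the thread.
const candidate = {
  name: "stylelint-config-prettier",
  version: "8.0.1",
  peerDependencies: { stylelint: ">=11.0.0" },
};
console.log(blockingPeers(candidate, { stylelint: "10.1.0" })); // blocked by stylelint
console.log(blockingPeers(candidate, { stylelint: "11.0.0" })); // nothing blocks
```

A tool that only compares against the latest published version, as npm-check-updates is described above, would skip the `blockingPeers` step entirely.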
