Dependabot-core: Feature request: support the `pnpm` package manager

Created on 14 Mar 2020 · 10 Comments · Source: dependabot/dependabot-core

pnpm is an alternative to npm and yarn that has been around a fairly long time. It has its own lockfile in YAML and should be relatively straightforward to support. Would PRs/other types of help be accepted, or is adding more PMs a "can of worms"?

All 10 comments

Now that Microsoft own both GitHub and npm, the odds of them supporting pnpm are slim at best.

My interpretation is that this wouldn't necessarily be political with yarn being supported and all. It's likely due to the smaller adoption of pnpm vs npm and yarn.

Would absolutely love this, currently pretty awkward being forced into alternatives like renovate, which are definitely fine, but nowhere near as satisfying.

Just found this.
So I guess I'm going for renovate because it supports pnpm then.

pnpm became a first class citizen with the last public VSCode release (changelog & PR). Any chance this can be revisited?

@feelepxyz Are contributions welcome for this? I see the following work items for this

  • [ ] Update FileFetcher to fetch the pnpm lockfiles
  • [ ] Update FileParser to fetch dependencies from the lockfile (Not fully sure how this works. Still need to deep dive. Why do we parse lock files? Just to get the list of dependencies? Or is there more to it?)
  • [ ] Update FileUpdater and helpers to run pnpm install to generate the updated lock file.

Let me know if I overlooked some work above. I can take this up if dependabot team thinks it's a good idea.
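
The three work items above amount to a pnpm-specific FileFetcher, FileParser and FileUpdater. As an added illustration of the parsing step (example code written for this page, not Dependabot's own code and not the commenter's), here is a minimal Ruby reader for a pnpm-lock.yaml in lockfile format 5.x, the format pnpm wrote at the time of this thread. The sample lockfile is constructed, its integrity values are placeholders, and the struct and function names are my own. It also answers the question of why an updater parses the lockfile at all: package.json names the direct dependencies, but only the lock pins the full transitive set, each with the integrity hash the installer verifies the tarball against. One caveat a Dependabot-style tool has to get right: the lockfile is taken from the repository being updated, so it is untrusted input and must go through `YAML.safe_load`, never `YAML.load`.

```ruby
require "yaml"

# Constructed sample of a pnpm-lock.yaml in lockfile format 5.x (the format
# pnpm used around 2020). Not taken from any real project; integrity values
# are placeholders, not real hashes.
SAMPLE_LOCKFILE = <<~YAML
  lockfileVersion: 5.3

  specifiers:
    '@types/node': ^13.9.1
    express: ^4.17.1
    lodash: ^4.17.15

  dependencies:
    express: 4.17.1
    lodash: 4.17.15

  devDependencies:
    '@types/node': 13.9.1

  packages:

    /@types/node/13.9.1:
      resolution: {}
      dev: true

    /express/4.17.1:
      resolution: {integrity: sha512-EXAMPLEEXPRESS}
      dependencies:
        safe-buffer: 5.1.2
      dev: false

    /lodash/4.17.15:
      resolution: {integrity: sha512-EXAMPLELODASH}
      dev: false

    /safe-buffer/5.1.2:
      resolution: {integrity: sha512-EXAMPLESAFEBUFFER}
      dev: false
YAML

# One pinned dependency, roughly what a FileParser would hand to an update
# checker: name, resolved version, manifest requirement (nil for transitive
# packages), dev flag and the recorded integrity hash. Hypothetical name.
LockedDependency = Struct.new(:name, :version, :requirement, :dev, :integrity,
                              keyword_init: true)

# The lockfile comes out of the repository being updated, i.e. untrusted
# input. safe_load with no permitted classes and no aliases refuses the
# arbitrary-object deserialisation and alias-expansion tricks YAML.load allows.
def load_lockfile(content)
  lock = YAML.safe_load(content, permitted_classes: [], aliases: false)
  unless lock.is_a?(Hash) && lock.key?("lockfileVersion")
    raise ArgumentError, "not a pnpm lockfile"
  end
  lock
end

# Split a v5 packages key such as "/lodash/4.17.15" or "/@types/node/13.9.1"
# into name and version. Scoped names contain a slash, so split on the last.
# A peer-dependency suffix ("/x/1.0.0_y@2.0.0") is dropped from the version.
def parse_package_key(key)
  path = key.sub(%r{\A/}, "")
  idx = path.rindex("/")
  raise ArgumentError, "unexpected package key #{key}" if idx.nil?
  [path[0...idx], path[(idx + 1)..].split("_").first]
end

# Direct dependencies: every entry of dependencies/optionalDependencies/
# devDependencies, joined with its specifier and its packages record.
def direct_dependencies(content)
  lock = load_lockfile(content)
  specifiers = lock.fetch("specifiers", {})
  packages = lock.fetch("packages", {})
  sections = { "dependencies" => false, "optionalDependencies" => false,
               "devDependencies" => true }
  sections.flat_map do |section, dev|
    lock.fetch(section, {}).map do |name, version|
      pkg = packages.fetch("/#{name}/#{version}", {})
      LockedDependency.new(name: name, version: version.to_s.split("_").first,
                           requirement: specifiers[name], dev: dev,
                           integrity: pkg.dig("resolution", "integrity"))
    end
  end
end

# Every locked package, transitive ones included. This is what only the
# lockfile can tell you: the manifest above names three packages, the lock
# pins four.
def all_locked_packages(content)
  lock = load_lockfile(content)
  lock.fetch("packages", {}).map do |key, pkg|
    name, version = parse_package_key(key)
    LockedDependency.new(name: name, version: version, requirement: nil,
                         dev: pkg["dev"],
                         integrity: pkg.dig("resolution", "integrity"))
  end
end

# Packages pinned by version only, with no integrity hash for the installer
# to verify the fetched tarball against.
def names_missing_integrity(content)
  all_locked_packages(content).reject(&:integrity).map(&:name)
end
```

Running `direct_dependencies(SAMPLE_LOCKFILE)` yields the three manifest entries with their `^` specifiers; `all_locked_packages` adds the transitive `safe-buffer`, and `names_missing_integrity` flags the one constructed entry whose `resolution` carries no hash. A real lockfile v6 uses `/name@version` keys and nests `specifier`/`version` under each dependency, so `parse_package_key` and `direct_dependencies` would need a second branch for that format.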

@GiriB we're actually thinking of splitting the npm and yarn package manager into separate ones for npm and yarn because handling multiple package managers in one has resulted in a lot of maintenance overhead making upgrades and testing harder.

We're also keen to re-think some of the architecture around package managers to make it easier to add new ones so keen to hold off on adding any new ones until we have some clarity around that.

@feelepxyz Thanks for the response! I agree that keeping all package managers together is not the best design. I was thinking of pnpm as a separate package manager - implementing parts that are pnpm specific but re-using most of the parts from NpmAndYarn (like parsing package.json, update checker, version resolver etc) because these parts would exactly be the same.

I haven't tried the idea above yet, and pulling it off may not be clean code at all. If I get it in a good shape, maybe I'll raise a PR. Otherwise, I'll wait for the refactor to happen where we split npm and yarn. (Are there any tentative timelines where we can expect this to happen?)

@GiriB nice one! No timeline yet, probably at least six months out unfortunately.

This would be great! pnpm has become a serious contender, and dependabot is very useful. Is anyone working on this by any chance?
