19

We've recently switched from greenkeeper to dependabot for our dependencies checks and we noticed that dependabot is opening PRs changing only package-lock.json leaving package.json as it was.

On the other hand, greenkeeper, was committing changes to both files.

What is going on? Is it normal or we missed something in the settings?

Johnny
  • hey @Johnny, did you manage to find an adequate solution to this? – flaky Mar 07 '21 at 12:40
  • @flaky yes. There's a configuration setting in the dependabot configuration file which forces all updates to be written to package.json also. You should have a look thorough GitHub's dependabot documentation. I might write an answer about it to better explain what to do. – Johnny Mar 09 '21 at 21:13
  • I'd love a nice explanation :) The dependabot docs are hit and miss sometimes :) – flaky Mar 10 '21 at 07:46

3 Answers

19

This is a very late reply. We had this working in production for a long time now, but I see there's still interest prompting me that maybe people need some help. So, here it is:

When using GitHub dependabot (not dependabot-preview, although the conf file might be the same, actually):

It will look something like this (e.g. npm):

```yaml
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"
    # Always increase the version requirement
    # to match the new version.
    versioning-strategy: increase
```

That's it. Now, package.json and package-lock.json are both written to with a version increase.

Johnny
  • 1
    Can you edit this answer to more clearly say why setting "versioning-strategy" causes the package.json file to update? What about this does that? The documentation from dependabot is not clear. – Andy Ray Jan 12 '23 at 03:15
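A small check for the drift the question describes, added here as an example and not Dependabot's own code: it compares the lower bound of each range in package.json against the version resolved in package-lock.json, which is exactly what `versioning-strategy: increase` keeps aligned. The manifest and lockfile below are constructed samples; only plain `^x.y.z`, `~x.y.z` and `x.y.z` ranges are parsed, which are the forms npm and Dependabot write.

```python
import json
import re

# Constructed sample manifest and lockfile (lockfileVersion 2/3 layout).
PACKAGE_JSON = '''{"name": "webapp", "version": "1.0.0",
  "dependencies": {"lodash": "^4.17.20", "express": "~4.18.2"},
  "devDependencies": {"jest": "^29.0.0"}}'''
PACKAGE_LOCK_JSON = '''{"name": "webapp", "lockfileVersion": 3, "packages": {
  "": {"dependencies": {"lodash": "^4.17.20", "express": "~4.18.2"}},
  "node_modules/lodash": {"version": "4.17.21"},
  "node_modules/express": {"version": "4.18.2"},
  "node_modules/jest": {"version": "29.7.0"}}}'''

RANGE_RE = re.compile(r"^([\^~]?)(\d+)\.(\d+)\.(\d+)$")


def find_drift(manifest_text, lock_text):
    """Return {name: (manifest_range, locked_version, suggestion)} for each
    dependency whose lock entry no longer matches the manifest's lower bound.
    A lock-only Dependabot update leaves the manifest floor behind; the
    suggestion is the range that 'increase' would have written."""
    manifest = json.loads(manifest_text)
    lock = json.loads(lock_text)
    wanted = {}
    for section in ("dependencies", "devDependencies"):
        wanted.update(manifest.get(section, {}))
    drift = {}
    for name, rng in wanted.items():
        entry = lock.get("packages", {}).get(f"node_modules/{name}")
        if entry is None:
            drift[name] = (rng, None, "missing from lock")
            continue
        locked = entry["version"]
        m = RANGE_RE.match(rng)
        if not m:
            drift[name] = (rng, locked, "unparsed range")
            continue
        prefix, floor = m.group(1), ".".join(m.group(2, 3, 4))
        if floor != locked:
            drift[name] = (rng, locked, prefix + locked)
    return drift


if __name__ == "__main__":
    for name, info in find_drift(PACKAGE_JSON, PACKAGE_LOCK_JSON).items():
        print(f"{name}: manifest {info[0]}, lock {info[1]} -> suggest {info[2]}")
```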
-2

Something similar happened to me, it can be for two things:

  1. In the dependabot configuration you only have to accept updates for package-lock.json.
  2. (This was the one that worked for me) In package.json, in the key Name, you may have written incorrect symbols; in my case I had web-app, the symbol - caused it not to update, and now I have it as webapp.
Nimantha
  • Let me understand, probably 99% of the packages on npm have a '-' sign in their name. If that's the problem, this is a big bug in dependabot (probably already found). – Johnny May 06 '20 at 13:14
  • It's not that, I'm talking about the name of the project in the package.json for example: ` { "name": "ProjectN", => This is what I'm talking about. "version": "1.0.0", "description": "Web App", "main": "index.js" } ` This would be the wrong way `"name" : "Project-N" ` – Kevin Ariza May 07 '20 at 15:32
-2

The goal of the file package-lock.json is to keep track of the exact version of every package that is installed so that a product is 100% reproducible in the same way even if packages are updated by their maintainers. reference link is here

So package.json and package-lock.json have different purposes.

There is no error on dependabot trying to push just a modified package-lock.json.

Cláudio
  • he didn't ask about an explanation of the difference between `.lock` and manifest file... – flaky Mar 07 '21 at 12:39
  • This helps me understand a bit better about dependabot's upgrade approach. It would be nicer if there's also a suggestion for package.json, since just upgrading package-lock might break the app. – Luyang Du Oct 06 '22 at 14:54