pnpm: support v9 lockfile format for dependabot alerts - and/or warn that it is unsupported

[jamescrowley]

Is there an existing issue for this?

• I have searched the existing issues

Feature description

There is already an issue for this: #9522 that has been closed, but I've confirmed with GitHub support that in fact it is still not supported for security updates.

We are not seeing any security alerts since upgrading. This seems pretty dangerous given others may also have upgraded without realising they would no longer receive updates - dependabot doesn't seem to trigger any warning for this?

[jeasmith]

We are also no longer seeing security alerts, having upgraded recently. There has been very little, if no, warning provided.

[cseas]

Version updates don't seem to be working either in our case since we've migrated from yarn to pnpm v9.

[msudol]

Not seeing dependabot security alerts for projects using pnpm, found this issue searching for answers... hopefully will be fixed soon.

[vluoto]

ICYMI: https://github.com/orgs/community/discussions/134391

[jeasmith]

I can see dependabot alerts in our repo using the v9 lockfile again as of a few hours ago. I can't see any related notes in the change log. Hopefully this is working again for others as well.

[msudol]

I can see dependabot alerts in our repo using the v9 lockfile again as of a few hours ago. I can't see any related notes in the change log. Hopefully this is working again for others as well.

I don't see anything yet but maybe it will take a bit to propagate. Are you doing anything with your dependabot.yml to define that you are using PNPM or did dependabot just start picking it up natively?

[vluoto]

I can see dependabot alerts in our repo using the v9 lockfile again as of a few hours ago. I can't see any related notes in the change log. Hopefully this is working again for others as well.

We're seeing some alerts too, but I’m unclear on the reason why. The confusion stems from the fact that the dependency graph still doesn’t detect transitive dependencies from v9 lockfiles:

• v8: https://github.com/vluoto/dependency-graph-pnpm-v8/network/dependencies
• v9: https://github.com/vluoto/dependency-graph-pnpm-v9/network/dependencies

The reason I’m bringing up the dependency graph is because of this section in the README of the repository:

Don't file issues about Security Alerts or Dependency Graph

The issue-tracker is meant solely for issues related to Dependabot's updating logic. Issues about security alerts or Dependency Graph should instead be filed as a Code Security discussion.

A good rule of thumb is that if you have questions about the diff in a PR, it belongs here.

This is also why I opened the aforementioned discussion #10534 (comment).

[jeasmith]

Are you doing anything with your dependabot.yml to define that you are using PNPM or did dependabot just start picking it up natively?

We're not doing anything special beyond the following @msudol:

version: 2
updates:
  - package-ecosystem: "npm" # See documentation for possible values - npm is used for pnpm
    directories: # Location of package manifests
      - "/"
      - "/apps/*"
      - "/packages/*"
    schedule:
      interval: "weekly"

We're seeing some alerts too, but I’m unclear on the reason why. The confusion stems from the fact that the dependency graph still doesn’t detect transitive dependencies from v9 lockfiles

We're seeing transitive dependencies as part of our dependency graph now.

We've got a support ticket on this running in parallel, I've enquired to find out what change has been made for things to start working again.

Good spot on the readme @vluoto . Thanks for opening the discussion, I'll post an update there as well.

[vluoto]

We're seeing transitive dependencies as part of our dependency graph now.

Hmm, I just checked, and we’re also seeing transitive dependencies in our repository:

Interestingly, my v9 showcase repo still only shows direct dependencies:

• v9: https://github.com/vluoto/dependency-graph-pnpm-v9/network/dependencies

This could be due to a gradual rollout on GitHub's end. 🤷🏻‍♂️

I've enquired to find out what change has been made for things to start working again.

Thanks for this! I'm eager to learn what it was.

[SuperchupuDev]

It works for me, but I had to update dependencies first to trigger a re-scan

[jamescrowley]

Also working here now.

edit: though also seeing other problems like dependencies outside of the root of our mono repo get a package.json update but no lock file, and groups are not being applied correctly. Unsure if related.

[jeasmith]

Regarding the visibility of the change, I've had the following back from support:

This is not currently available in our public changelog. The change was classified as a rudimentary support to accompany support for previous versions. So this is a workaround pending when more granular change can be done.

[ArnoldZokas]

As of 20 Oct 2024, GitHub now successfully detects and reports vulnerabilities detected in pnpm v9 lockfiles.

This appears to be working even without configuring the packageManager field (proposed in some workarounds).