Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Feature request: support the pnpm package manager #1736

Closed
Tracked by #56
jbergstroem opened this issue Mar 14, 2020 · 140 comments
Closed
Tracked by #56

Feature request: support the pnpm package manager #1736

jbergstroem opened this issue Mar 14, 2020 · 140 comments
Labels
core 🍏 Relates to the dependabot-core library itself L: javascript:pnpm npm packages via pnpm service 💁 Relates to Dependabot features GitHub provides T: feature-request Requests for new features T: new-ecosystem Requests for new ecosystems/languages

Comments

@jbergstroem
Copy link

jbergstroem commented Mar 14, 2020

pnpm is an alternative to npm and yarn that has been around a fairly long time. It has its own lockfile in yaml and should be relatively straightforward to support. Would PRs/other types of help be accepted or are adding more pr's a "can of worms"?


[Edit] April 2022 - since the thread is growing: there is still no update on when this will be implemented. If you need this now, your best bet is to use renovatebot: https://docs.renovatebot.com/javascript/

[Edit] November 2022 - for now, github staff suggests using a workaround using the dependency submission api

@brunoparga
Copy link

Now that Microsoft own both GitHub and npm, the odds of them supporting pnpm are slim at best.

@jbergstroem
Copy link
Author

Now that Microsoft own both GitHub and npm, the odds of them supporting pnpm are slim at best.

My interpretation is that this wouldn't necessarily be political with yarn being supported and all. It's likely due to the smaller adoption of pnpm vs npm and yarn.

@didinele
Copy link

Would absolutely love this, currently pretty awkward being forced into alternatives like renovate, which are defenitely fine, but nowhere near as satisfying.

@Jolg42
Copy link

Jolg42 commented Apr 30, 2020

Just found this 😢
So I guess I'm going for renovate because it supports pnpm then.

willsoto added a commit to willsoto/casbin-objection-adapter that referenced this issue May 19, 2020
@hacknug
Copy link

hacknug commented Jul 13, 2020

pnpm became a first class citizen with the last public VSCode release (changelog & PR). Any chance this can be revisit?

@GiriB
Copy link
Contributor

GiriB commented Jul 20, 2020

@feelepxyz Are contributions welcome for this? I see the following work items for this

  • Update FileFetcher to fetch the pnpm lockfiles
  • Update FileParser to fetch dependencies from the lockfile (Not fully sure how this works. Still need to deep dive. Why do we parse lock files? Just to get the list of dependencies? Or is there more to it?)
  • Update FileUpdater and helpers to run pnpm install to generate the updated lock file.

Let me know if I overlooked some work above. I can take this up if dependabot team thinks it's a good idea.

@feelepxyz
Copy link
Contributor

@GiriB we're actually thinking of splitting the npm and yarn package manager into separate ones for npm and yarn because handling multiple package managers in one has resulted in a lot of maintenance overhead making upgrades and testing harder.

We're also keen to re-think some of the architecture around package managers to make it easier to add new ones so keen to hold off on adding any new ones until we have some clarity around that 😕

@GiriB
Copy link
Contributor

GiriB commented Jul 23, 2020

@feelepxyz Thanks for the response! I agree that keeping all package managers together is not the best design. I was thinking of pnpm as a separate package manager - implementing parts that are pnpm specific but re-using most of the parts from NpmAndYarn (like parsing package.json, update checker, version resolver etc) because these parts would exactly be the same.

I haven't tried the idea above yet, and pulling it off may not be clean code at all. If I get it in a good shape, maybe I'll raise a PR. Otherwise, I'll wait for the refactor to happen where we split npm and yarn. (Are there any tentative timelines where we can expect this to happen?)

@feelepxyz
Copy link
Contributor

@GiriB nice one! No timeline yet, probably at least six months out unfortunately.

@Anoesj
Copy link

Anoesj commented Oct 9, 2020

This would be great! pnpm has become a serious contender, and dependabot is very useful. Is anyone working on this by any chance?

@Nick-Mazuk
Copy link

+1. Though you can use dependabot to update pnpm, the lock file isn't updated—only the package.json. This is not ideal and full pnpm support would be excellent!

@jcayzac
Copy link

jcayzac commented Jul 29, 2021

Please add support for pnpm. Dependabot is useless because all the PRs just fail to build:

ERROR  Cannot install with "frozen-lockfile" because pnpm-lock.yaml is not up-to-date with package.json

@Purpzie
Copy link

Purpzie commented Sep 14, 2021

Node's 16.9.0 release comes with corepack, which supports pnpm.

With pnpm becoming more popular, I hope dependabot supports it soon too.

@raulfdm
Copy link

raulfdm commented Oct 25, 2021

Not ideal but while we don't have a support from dependabot, renovate seems supporting pnpm already: https://docs.renovatebot.com/javascript/

@jurre jurre added T: feature-request Requests for new features T: new-ecosystem Requests for new ecosystems/languages core 🍏 Relates to the dependabot-core library itself service 💁 Relates to Dependabot features GitHub provides labels Nov 26, 2021
@markbrikl
Copy link

Hey everyone! Sorry for the current frustration with the rollout, we're in a company-wide change freeze so we were unfortunately halted on enabling this when we wanted to originally. Due to the freeze, we can't enable it for any additional repos at this time. We are ready to go to GA immediately when it lifts, and we'll let you know here when that happens. I can't really give you a date because the target date keeps shifting and I don't want to accidentally lie to you 😅 As a rough estimate, I expect more than a week but less than a month.

We are also investigating the problem with lockfiles!

Pls let me know when freeze is uplifted we would like to trial some private repo's

@carogalvin
Copy link
Contributor

Hey everyone! pnpm support is officially available everywhere - you can refer to our documentation on getting this configured: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates#supported-repositories-and-ecosystems

If you encounter any problems with this, please feel free to open a new issue in this repo.

@AndrewCraswell
Copy link

HUGE milestone! Thank you so much for all the effort on this across the board!

One question, is there a pathway to enabling this in Azure DevOps? Or perhaps support planned sometime in the future? Today out team uses a 3rd party Azure DevOps plugin to enable Dependabot, but we're not sure when this feature will propagate to their build.
https://github.com/tinglesoftware/dependabot-azure-devops

@rollingmoai
Copy link

rollingmoai commented Jun 13, 2023

Note: To those who are getting the "pnpm-lock.yaml not parseable error", make sure to revert the lockfile version back to 6.0 as per the latest release note:

@alexef
Copy link

alexef commented Jun 13, 2023

@carogalvin amazing news, thank you!

from the docs:

pnpm is supported for Dependabot version updates only. Dependabot security updates are not currently supported.

what is the blocker for security updates? this is our use case of renovate, so we still cannot switch to dependabot. is there a timeline or a different issue we can track to understand when support for pnpm security updates will be available?

@deivid-rodriguez
Copy link
Contributor

Thanks everyone for your patience!

Since basic support has now landed, let me close this issue and let's track bug reports and additional feature requests in separate tickets.

@AndrewCraswell I don't think additional changes are needed, but best to ask at https://github.com/tinglesoftware/dependabot-azure-devops.

@alexef I will open a new issue to track security update support. There's some changes needed in this library to support that, but also some changes internal to GitHub.

@abdulapopoola
Copy link
Member

@alexef we are hoping to have security updates ready for PNPM within a quarter or so. Please track the issue that @deivid-rodriguez creates for updates.

@deivid-rodriguez
Copy link
Contributor

I opened a ticket for security update support here: #7434.

@blowsie
Copy link

blowsie commented Jun 20, 2023

@deivid-rodriguez when will this be available or enterprise, please?

@deivid-rodriguez
Copy link
Contributor

It will be available in GHES version 3.10.

@KidkArolis
Copy link

As I understand at this time pnpm is supported for version updates but not security updates. Are Dependabot alerts supported in pnpm?

@vluoto
Copy link

vluoto commented Jul 17, 2023

As I understand at this time pnpm is supported for version updates but not security updates. Are Dependabot alerts supported in pnpm?

See #1736 (comment)

@carogalvin
Copy link
Contributor

@KidkArolis we are on track to have support for alerts and security updates at the end of July (on track for July 31).

@KidkArolis
Copy link

Thanks for clarifying!

See #1736 (comment)

For what it's worth. I did see that comment, but reading through the issues and through the docs it was not clear if what you call Security updates is the same as Dependabot alerts. In particular, we're not using and not necessarily interested in version updates or security updates (e.g. renovate is more configurable). But we are interested in Security alerts specifically. But I couldn't work out the relationship between all those, only the Version updates has the table in the docs, and it wasn't if security updates == security alerts in this case. In any case, good to hear it's coming soon!

@vluoto
Copy link

vluoto commented Apr 17, 2024

Pnpm introduced a new lockfile format in v9. The lockfile version was bumped from v6 to v9.

Dependabot runs now give

updater | 2024/04/17 09:49:59 ERROR <job_816005975> /pnpm-lock.yaml not parseable

for projects that use pnpm@v9, as v9 adopts the new lockfile format.

@abdulapopoola
Copy link
Member

Thanks @vluoto ; can you please file a new issue?

@case
Copy link

case commented Apr 18, 2024

I filed an issue here: #9522

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
core 🍏 Relates to the dependabot-core library itself L: javascript:pnpm npm packages via pnpm service 💁 Relates to Dependabot features GitHub provides T: feature-request Requests for new features T: new-ecosystem Requests for new ecosystems/languages
Projects
Archived in project
Development

No branches or pull requests