package-lock files with version 3 are not handled correctly by Dependabot

[ferferga]

We recently upgraded to Node 16 and the lockfile version 3 of package-lock.json (the version without backwards-compatible features of the lockfile, see docs here, as we want to enforce always the most current features with the latest LTSs).

Lockfiles proposed by dependabot have massive changes, even when recreated or rebased

Package ecosystem
npm
Package manager version
npm 8.1.0
Language version

• Node 16

Relevant PRs

• chore(deps-dev): bump @nuxtjs/eslint-config-typescript from 6.0.1 to 7.0.2 jellyfin/jellyfin-vue#1585
• chore(deps-dev): bump stylelint-config-standard from 22.0.0 to 23.0.0 jellyfin/jellyfin-vue#1584
• fix(deps): bump swiper from 5.4.5 to 7.2.0 jellyfin/jellyfin-vue#1583
• chore(deps-dev): bump jest from 26.6.3 to 27.3.1 jellyfin/jellyfin-vue#1582
• chore(deps-dev): bump stylelint from 13.13.1 to 14.0.1 jellyfin/jellyfin-vue#1581
• chore(deps-dev): bump ts-jest from 26.5.6 to 27.0.7 jellyfin/jellyfin-vue#1580
• fix(deps): bump compare-versions from 3.6.0 to 4.0.1 jellyfin/jellyfin-vue#1579
• chore(deps-dev): bump @commitlint/cli from 13.2.1 to 14.1.0 jellyfin/jellyfin-vue#1578
• chore(deps-dev): bump @commitlint/config-conventional from 13.2.0 to 14.1.0 jellyfin/jellyfin-vue#1577

[cedric-anne]

I confirm the issue. Same problem on this PR: glpi-project/glpi#10035 .

[jeffwidman]

Closing, as I think this was fixed by the bump to NPM 8:

• Update to npm 8 #4763

Please comment if I'm misreading/misunderstanding something, and we can re-open.

[cedric-anne]

Indeed, it seems to be OK now.