-
Notifications
You must be signed in to change notification settings - Fork 2.3k
This issue was moved to a discussion.
You can continue the conversation there. Go to discussion →
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
latest
is not supported as a valid version spec for dependencies in a package.json
file
#3945
Comments
In general we avoid "open" ranges like |
@rarkins Did we get the ability to bump lockfiles already? Or are we still waiting on something? |
Yes, we did |
This comment was marked as resolved.
This comment was marked as resolved.
Circling back around to this and I see my previous message was hidden. Message received, sorry for the small rant :). I hope this is on-topic enough, please let me know if there's a better place to ask. And if the docs address this question, please point me to them (I've looked extensively!) If renovate does not support "latest," what should I replace it with, while still maintaining the signal, in a single place, that some versions are pinned for a reason? Specifically: We use "latest" to indicate "upgrade these freely" and a set version to indicate "we know later versions are broken." That's usually still a range, e.g. "<14", because that semantically indicates "we don't support v14." We then keep docs on all set versions (non-latest) with either a ticket number or an explanation (e.g. "requires vue 3"). This strategy works very well with e.g. yarn upgrade: we get an upgrade for all packages we haven't set. If tests fail, we figure out why, file a ticket and mark the range in package.json, and return to it when we can. As this issue indicates, the same strategy does not work with renovate. We'd have to change all our "latest" indicators to at least a range, which drowns out the signal: if all versions are set in some way, then the ones that are important do not stick out. And the only place the "do not upgrade" signal is stored is in the fact that there's a closed PR. This is compounded by the fact that package.json doesn't support comments, so we couldn't indicate "this version pin actually matters." We could create a separate documentation page, but that's decoupled from the actual file and therefore is guaranteed to fall out of date. We could create a ticket in our issue management tool, but those inevitably get drowned out in noise. Or am I missing something else entirely? |
First of all in Renovate terminology, we should be able to support Back to your specific scenario, in general I'd say In my opinion what you describe as indicators is a kind of internal convention, not a standard. It might be a great idea, maybe even "mature", but that doesn't mean it's a standard or that Renovate should be able to guess what you are doing out of the box. I have no philosophical objection to anything you wrote though, or finding a way for Renovate to support it. Regarding your indicators, you can have several without them being More importantly though, what would you like Renovate to do with these indicators? e.g. you want certain ones to never be upgraded, and everything else upgraded? etc |
Ah, I just tried
This is indeed the heart of it. Renovate should update all packages with a "latest" indicator, and packages within a pin (e.g. I'd use "<13" and want all upgrades on the v12 release, such as security fixes). But the pins are there for a reason, and I wouldn't want them changed. Mentally model it this way: instead of closing a renovate PR, I pin the version in package.json. The package.json becomes the configuration that tells renovate which packages we want it to upgrade, and which not. |
You have created your own personal/company convention, and it sounds quite clever - but these are custom conventions and not part of the npm or semver standard. But that does not mean Renovate can guess and comply to your convention off the shelf. There's kind of two parts here:
|
Can you explain what you mean by this? What's "clever" about it? Did you mean the term as a compliment?
This sounds reasonable. What are next steps, and how can I help? |
Yes
Submit a PR affecting lib/modules/versioning/npm so that |
Hi there, Get your issue fixed faster by creating a minimal reproduction. This means a repository dedicated to reproducing this issue with the minimal dependencies and config possible. Before we start working on your issue we need to know exactly what's causing the current behavior. A minimal reproduction helps us with this. To get started, please read our guide on creating a minimal reproduction. We may close the issue if you, or someone else, haven't created a minimal reproduction within two weeks. If you need more time, or are stuck, please ask for help or more time in a comment. Good luck, The Renovate team |
We need an example repo to test against where the package.json contains |
This issue was moved to a discussion.
You can continue the conversation there. Go to discussion →
This could be considered either a bug or feature request, so please feel free to re-categorize as you see fit!
What Renovate type are you using?
Renovate CLI
Describe the bug
If
latest
is specified as the version of a dependency in apackage.json
file, then that dependency is given askipReason
ofunknown-version
and is ignored byrenovate
, even thoughlockedVersion
is correctly detected.Did you see anything helpful in debug logs?
Example:
Please note I am not able to link directly to GitHub because the example in question comes from enterprise code, and is associated with a repo in a private registry.
To Reproduce
Steps to reproduce the behavior:
latest
renovate
CLI on the repo and observe that this dependency is ignored.Expected behavior
latest
is recognized and supported as a valid version specification in apackage.json
file. There is value in supportinglatest
spec in my opinion, for this reason: a dependency might have a new release, and a downstream project will not pick up that change until there would be an update to itspackage-lock.json
. Thus, if the "latest" version used by some downstream repo has a vulnerability, then we should be able to detect it and update the lockfile usingrenovate
.Screenshots
If applicable, add screenshots to help explain your problem.
Additional context
Add any other context about the problem here.
The text was updated successfully, but these errors were encountered: