
Action to update pnpm-lock.yaml when Dependabot opens a PR. Be warned that this...

 1 year ago
source link: https://gist.github.com/Purpzie/8ed86ae38c73f440881bbee0523a324b

Does this work, or is this pending the feature request from dependabot/dependabot-core#1736?

Author

Purpzie commented on Jun 27

This works; it only exists because Dependabot doesn't support pnpm yet. Once it does, this will likely break.

armenr commented on Jul 11

Wow. @Purpzie - You deserve a gold medal for this. Thank you!

donferi commented 26 days ago

Thanks for this. The main issue I see is that dependabot also opens PRs for transitive dependencies. This action can't do much about those, right? It will only work for the ones that change package.json.

Author

Purpzie commented 24 days ago


@donferi Yes, currently that's a limitation of dependabot not having proper pnpm support yet.

I wonder... You could maybe force it to work by having a regular package-lock.json in your repository. Since dependabot would keep that up to date, this action would trigger for transitive dependencies, and you never need to stop using pnpm locally (except to generate package-lock.json the first time). Just make sure anyone working on the repo knows to use pnpm instead of npm.

