Since version 8.6.0 npm does not support lockfile-only versioning-strategy #7409

Open
1 task done
thomasturrell opened this issue Jun 6, 2023 · 3 comments
Labels
L: javascript:npm npm packages via npm T: bug 🐞 Something isn't working


thomasturrell commented Jun 6, 2023

Is there an existing issue for this?

  • I have searched the existing issues

Package ecosystem

npm

Package manager version

8.6.0

Language version

Node 16

Manifest location and content before the Dependabot update

No response

dependabot.yml content

version: 2
updates:
  - package-ecosystem: "npm" # See documentation for possible values
    directory: "/" # Location of package manifests
    versioning-strategy: lockfile-only
    schedule:
      interval: "weekly"

Updated dependency

@angular/forms from 16.0.3 to 16.0.4

What you expected to see, versus what you actually saw

Running npm ci fails with the following error:

npm ERR! code ERESOLVE
npm ERR! ERESOLVE could not resolve
npm ERR! 
npm ERR! While resolving: @angular/[email protected]
npm ERR! Found: @angular/[email protected]
npm ERR! node_modules/@angular/common
npm ERR!   @angular/common@"^16.0.0" from the root project
npm ERR!   peer @angular/common@"16.0.3" from @angular/[email protected]
npm ERR!   node_modules/@angular/platform-browser
npm ERR!     @angular/platform-browser@"^16.0.0" from the root project
npm ERR!     peer @angular/platform-browser@"16.0.3" from @angular/[email protected]
npm ERR!     node_modules/@angular/platform-browser-dynamic
npm ERR!       @angular/platform-browser-dynamic@"^16.0.0" from the root project
npm ERR!     1 more (@angular/router)
npm ERR!   2 more (@angular/platform-browser-dynamic, @angular/router)
npm ERR! 
npm ERR! Could not resolve dependency:
npm ERR! peer @angular/common@"16.0.4" from @angular/[email protected]
npm ERR! node_modules/@angular/forms
npm ERR!   @angular/forms@"^16.0.0" from the root project
npm ERR! 
npm ERR! Conflicting peer dependency: @angular/[email protected]
npm ERR! node_modules/@angular/common
npm ERR!   peer @angular/common@"16.0.4" from @angular/[email protected]
npm ERR!   node_modules/@angular/forms
npm ERR!     @angular/forms@"^16.0.0" from the root project
npm ERR! 
npm ERR! Fix the upstream dependency conflict, or retry
npm ERR! this command with --force or --legacy-peer-deps
npm ERR! to accept an incorrect (and potentially broken) dependency resolution.
npm ERR! 
npm ERR! 

I would not expect an error.

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

BerryCloud/ngx-unsplash#180

⚠️ I believe the issue is caused by:
npm/cli#5113

Smallest manifest that reproduces the issue

No response

@thomasturrell thomasturrell added the T: bug 🐞 Something isn't working label Jun 6, 2023
@deivid-rodriguez deivid-rodriguez added the L: javascript:npm npm packages via npm label Jun 6, 2023
@thomasturrell
Author

I believe that the documentation should be updated.

@jurre
Member

jurre commented Jun 7, 2023

@thomasturrell reading up on the npm/cli issue you linked to, iiuc does that mean that the package.json and package-lock.json in your project have become out of sync, and that's why dependabot is failing here, or has dependabot caused these two to have become out of sync by updating the lockfile and not the package.json?

@thomasturrell
Author

@jurre I believe that dependabot caused package.json and package-lock.json to become out of sync by updating the lockfile and not the package.json. But it might be that even updating both at the same time would not help.

However, this project might be a corner case because multiple dependencies must be updated at the same time (it is an Angular library).

With NPM 6.14.18 (Node.js 14) it is possible to create invalid trees, including trees with unresolvable peer dependencies. I did not notice this issue before because after merging all of the dependabot PRs the package.json and package-lock.json would be back in sync. I only noticed it now because my GitHub Actions now use NPM 8.6.0 (or greater) and therefore every pull request fails.

I believe #1296 is related. (On reflection, this issue is possibly a duplicate).

It is worth mentioning that Angular has its own cli for updating
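
The mismatch discussed in this thread, as an added example that is not part of the original issue and is not Dependabot or npm code: a Node.js check that reads the `packages` map of a package-lock.json (lockfileVersion 2 or 3) and reports peer dependencies the locked tree does not satisfy, which can be run on a lockfile-only pull request before `npm ci`. The function names and the sample lock are constructed for illustration, and only exact and caret ranges are evaluated.

```javascript
// Added example: report peer dependencies that a package-lock.json (v2/v3) does not satisfy.
// Assumption: only exact ("1.2.3") and caret ("^1.2.3", major >= 1) ranges are evaluated.
const parse = (v) => v.split('-')[0].split('.').map(Number);

function satisfies(version, range) {
  if (!version || !/^\^?\d+\.\d+\.\d+$/.test(range)) return true; // other syntax: not judged here
  const [maj, min, pat] = parse(version);
  const [rMaj, rMin, rPat] = parse(range.replace(/^\^/, ''));
  if (range.startsWith('^')) {
    return maj === rMaj && (min > rMin || (min === rMin && pat >= rPat));
  }
  return maj === rMaj && min === rMin && pat === rPat;
}

// Walk up the node_modules chain from a package's location to the copy of `name` it sees.
function resolve(packages, fromPath, name) {
  let dir = fromPath;
  while (dir !== '') {
    const idx = dir.lastIndexOf('node_modules/');
    dir = idx < 0 ? '' : dir.slice(0, idx);
    const hit = packages[dir + 'node_modules/' + name];
    if (hit) return hit;
  }
  return null;
}

function findPeerConflicts(lock) {
  const packages = lock.packages || {};
  const conflicts = [];
  for (const [path, pkg] of Object.entries(packages)) {
    if (!path.includes('node_modules/')) continue; // skip root and workspace entries
    for (const [peer, range] of Object.entries(pkg.peerDependencies || {})) {
      const found = resolve(packages, path, peer);
      const optional = pkg.peerDependenciesMeta?.[peer]?.optional === true;
      if (!found && !optional) conflicts.push({ path, peer, range, found: null });
      if (found && !satisfies(found.version, range)) conflicts.push({ path, peer, range, found: found.version });
    }
  }
  return conflicts;
}

// Constructed sample mirroring the tree in the ERESOLVE output above.
const sampleLock = { lockfileVersion: 3, packages: {
  '': { dependencies: { '@angular/common': '^16.0.0', '@angular/forms': '^16.0.0' } },
  'node_modules/@angular/common': { version: '16.0.3' },
  'node_modules/@angular/forms': { version: '16.0.4', peerDependencies: { '@angular/common': '16.0.4' } },
  'node_modules/@angular/platform-browser': { version: '16.0.3', peerDependencies: { '@angular/common': '16.0.3' } },
} };
console.log(findPeerConflicts(sampleLock));
```

Bumping only `@angular/common` to 16.0.4 in the sample moves the conflict to `@angular/platform-browser`, which is why packages with exact peer ranges have to be updated together.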
