Skip to content

Fix dependabot pnpm-lock.yaml updates in workspaces#7423

Merged
isaacroldan merged 1 commit into
mainfrom
04-29-fix_dependabot_pnpm-lock.yaml_updates_in_workspaces
Apr 29, 2026
Merged

Fix dependabot pnpm-lock.yaml updates in workspaces#7423
isaacroldan merged 1 commit into
mainfrom
04-29-fix_dependabot_pnpm-lock.yaml_updates_in_workspaces

Conversation

@isaacroldan

@isaacroldan isaacroldan commented Apr 29, 2026

Copy link
Copy Markdown
Contributor

WHY are these changes introduced?

Recent Dependabot PRs (#7166, the prior liquidjs bump on the cli-kit/liquidjs branch, and others) bump a workspace package's package.json but leave pnpm-lock.yaml untouched, forcing maintainers to push a manual "update lock" commit before CI is happy and the PR can land.

Root cause is in our .github/dependabot.yml:

directories:
  - "/"
  - "packages/*"

This is a pnpm workspace — there is one pnpm-lock.yaml at the root and pnpm-workspace.yaml declares the member packages. When Dependabot runs the update from a subdirectory like /packages/cli-kit, pnpm needs the workspace root to resolve and rewrite the lockfile, but the lockfile is one level up, so the subdir job edits package.json and produces no lockfile diff.

This is a known dependabot-core limitation: see dependabot/dependabot-core#11135 and the follow-up #11487 (merged Feb 2025), where the team explicitly states "all dependencies should be updated from the root directory, where pnpm-workspace.yaml and pnpm-lock.yaml exist" and now raises a MisconfiguredTooling error for pure subdirectory pnpm runs.

WHAT is this pull request doing?

Drops "packages/*" from directories: so Dependabot only runs from the workspace root. From the root, it walks pnpm-workspace.yaml, picks up dependencies declared in any packages/*/package.json, and writes both package.json and pnpm-lock.yaml in the same PR.

Possible issues and tradeoffs

  • Reverses ba794ba ("Include the packages subdirectories", Nov 2024). That commit was added because root-only runs at the time weren't picking up dependencies declared inside packages/*/package.json. Dependabot's pnpm-workspace handling has improved since (notably #11487), so root-only should now cover sub-package deps via pnpm-workspace.yaml — but I cannot fully prove that without watching the next weekly run. Concrete risk: if root-only still misses sub-package deps, we'll silently stop getting bump PRs for those packages until someone notices.
  • PR title format changes. Today titles look like Bump lodash from X to Y in /packages/cli-kit. After this change they'll lose the in /packages/cli-kit qualifier when the dep lives in a workspace package. Cosmetic, but worth knowing if any tooling/automation parses the title.
  • Existing open Dependabot PRs may be re-created. Dependabot can supersede or rebase open PRs when the schedule's directory set changes. Expect some churn on the next run after this merges.
  • Existing duplicate PRs disappear. When the same dep is declared in /package.json and one of packages/*/package.json, the current config can produce two PRs (one per directories entry). After this we get one. That's an improvement, but if anyone was relying on per-package PRs landing independently, they won't anymore.
  • Verification gap. There's no unit test for Dependabot config; the only real signal is the next scheduled run. If sub-package deps stop being bumped, the rollback is to re-add packages/* and accept the manual-lockfile workaround until dependabot-core supports per-subdir lockfile rewrites — but that's the broken state we just left.

How to test your changes?

Wait for the next Dependabot weekly run after merge and confirm that:

  1. A bump PR that touches packages/*/package.json also updates pnpm-lock.yaml.
  2. PRs are still being opened for dependencies declared in workspace packages (i.e. coverage didn't regress).

If neither happens within ~a week, re-add "packages/*" and re-open the conversation.

Post-release steps

None.

Checklist

  • I've considered possible cross-platform impacts (Mac, Linux, Windows)
  • I've considered possible documentation changes
  • I've considered analytics changes to measure impact
  • The change is user-facing — I've identified the correct bump type (patch for bug fixes · minor for new features · major for breaking changes) and added a changeset with pnpm changeset addN/A: CI/Dependabot config only, no shipped code change

Dependabot was opening PRs that bumped a workspace package's package.json
but left pnpm-lock.yaml untouched (e.g. #7166), forcing manual lockfile
commits before merging.

Root cause: `directories:` listed both `/` and `packages/*`. In a pnpm
workspace the lockfile lives at the workspace root, so per-subdirectory
update runs cannot rewrite it. dependabot-core treats this as a
misconfiguration (see dependabot/dependabot-core#11135 and the fix in
#11487 — "all dependencies should be updated from the root directory,
where pnpm-workspace.yaml and pnpm-lock.yaml exist").

Dropping `packages/*` makes Dependabot run only from root. It still
detects dependencies in every workspace package via pnpm-workspace.yaml
and updates both the package.json and pnpm-lock.yaml in the same PR.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Copy link
Copy Markdown
Contributor Author

This stack of pull requests is managed by Graphite. Learn more about stacking.

@github-actions github-actions Bot added the no-changelog This PR doesn't include a changeset entry. Is an internal only change not relevant to end users. label Apr 29, 2026
@isaacroldan isaacroldan marked this pull request as ready for review April 29, 2026 11:45
@isaacroldan isaacroldan requested a review from a team as a code owner April 29, 2026 11:45
Copilot AI review requested due to automatic review settings April 29, 2026 11:45

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates Dependabot configuration for this pnpm workspace so dependency bumps are performed from the workspace root, enabling consistent pnpm-lock.yaml updates in Dependabot PRs.

Changes:

  • Remove packages/* from Dependabot directories so updates run only from / (workspace root).

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@byrichardpowell byrichardpowell left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎉

@isaacroldan isaacroldan added this pull request to the merge queue Apr 29, 2026
Merged via the queue into main with commit 6b26d5c Apr 29, 2026
32 checks passed
@isaacroldan isaacroldan deleted the 04-29-fix_dependabot_pnpm-lock.yaml_updates_in_workspaces branch April 29, 2026 13:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

no-changelog This PR doesn't include a changeset entry. Is an internal only change not relevant to end users.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants