From 2924e4ffc846de874c36f1e0e98d95bc9538d2ed Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Isaac=20Rold=C3=A1n?= Date: Wed, 29 Apr 2026 12:43:04 +0200 Subject: [PATCH] Fix dependabot pnpm-lock.yaml updates in workspaces MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Dependabot was opening PRs that bumped a workspace package's package.json but left pnpm-lock.yaml untouched (e.g. #7166), forcing manual lockfile commits before merging. Root cause: `directories:` listed both `/` and `packages/*`. In a pnpm workspace the lockfile lives at the workspace root, so per-subdirectory update runs cannot rewrite it. dependabot-core treats this as a misconfiguration (see dependabot/dependabot-core#11135 and the fix in #11487 — "all dependencies should be updated from the root directory, where pnpm-workspace.yaml and pnpm-lock.yaml exist"). Dropping `packages/*` makes Dependabot run only from root. It still detects dependencies in every workspace package via pnpm-workspace.yaml and updates both the package.json and pnpm-lock.yaml in the same PR. Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/dependabot.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 175ffe93ae2..24b30bb182e 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -4,7 +4,6 @@ updates: versioning-strategy: increase directories: - "/" - - "packages/*" schedule: interval: "weekly" labels: