Dependabot doesn't work with monorepos using pnpm #10758

jamescrowley opened this issue Oct 8, 2024 · 6 comments
Labels: L: javascript, T: bug 🐞 Something isn't working

jamescrowley commented Oct 8, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Package ecosystem

npm/pnpm

Package manager version

8.15.9

Language version

No response

Manifest location and content before the Dependabot update

package.json
pnpm-lock.yaml
pnpm-workspace.yaml
front/package.json

dependabot.yml content

https://github.com/boxwise/boxtribute/blob/master/.github/dependabot.yml

Updated dependency

No response

What you expected to see, versus what you actually saw

When explicitly listing directories, such as

directories:
      - /
      - /front

Dependabot generates updates for packages in the root package.json and in /front. However, it does not update the pnpm-lock.yaml in PRs for packages in the subfolder (for instance: boxwise/boxtribute#1599).

When only listing the 'root' directory (suggested by #4993), dependabot ignores the package.json within /front entirely.

Possibly related to #6346 (npm, not pnpm)

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

boxwise/boxtribute#1599

Smallest manifest that reproduces the issue

No response

@jamescrowley jamescrowley added the T: bug 🐞 Something isn't working label Oct 8, 2024
Yurickh commented Oct 16, 2024

FWIW we also see the same behaviour with [email protected]

scottquested commented Nov 18, 2024

Seeing the same with [email protected]
Folder structure

pnpm-lock.json
apps/fe/package.json

Only package.json updates

Tried versioning-strategy: increase as advised in #4993 (comment) but doesn't work

Yurickh commented Nov 18, 2024

The issue is mainly that we don't have a tree crawl for pnpm workspaces package.json files, like we do for some other files in dependabot's codebase. I've tried to propose a fix in #10806, but haven't heard back from the maintainers so far.
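
A check for the gap described in this comment, as an added example (not code from this thread or from Dependabot): it crawls the pnpm workspace for package.json files, lists those that no npm `directories` entry in dependabot.yml covers, and flags a PR that changes a workspace manifest without the root pnpm-lock.yaml. The function names, the sample layout and the use of `File.fnmatch` to approximate Dependabot's glob handling are assumptions.

```ruby
require "yaml"
require "tmpdir"
require "fileutils"

# Repo-relative dirs ("/", "/front", ...) whose package.json is part of the pnpm
# workspace: the root plus every pnpm-workspace.yaml glob match, minus "!" excludes.
def workspace_manifest_dirs(root)
  globs = YAML.safe_load(File.read(File.join(root, "pnpm-workspace.yaml")))["packages"] || []
  excludes, includes = globs.partition { |g| g.start_with?("!") }
  found = includes.flat_map { |g| Dir.glob(File.join(g, "package.json"), base: root) }
  dirs = found.map { |p| "/" + File.dirname(p) }.reject { |d| d.include?("/node_modules") }
  dirs.reject! { |d| excludes.any? { |x| File.fnmatch?("/" + x[1..-1], d, File::FNM_PATHNAME) } }
  (["/"] + dirs).uniq.sort
end

# Workspace manifests that no npm entry in dependabot.yml covers. Assumption:
# File.fnmatch approximates how Dependabot expands globs such as /packages/*.
def uncovered_dirs(root)
  updates = YAML.safe_load(File.read(File.join(root, ".github/dependabot.yml")))["updates"] || []
  entries = updates.select { |u| u["package-ecosystem"] == "npm" }
                   .flat_map { |u| [u["directory"], *u["directories"]] }.compact
  workspace_manifest_dirs(root).reject do |d|
    entries.any? { |e| File.fnmatch?(e, d, File::FNM_PATHNAME) }
  end
end

# Symptom reported in this issue: a workspace package.json changed in a PR
# while the single root pnpm-lock.yaml did not.
def lockfile_left_behind?(changed_files, manifest_dirs)
  manifests = manifest_dirs.map { |d| File.join(d, "package.json").delete_prefix("/") }
  (changed_files & manifests).any? && !changed_files.include?("pnpm-lock.yaml")
end

# Constructed sample repo (not from the issue): root, /front, one excluded package.
def build_sample_repo(root, dependabot_dirs)
  dependabot = { "version" => 2, "updates" => [{ "package-ecosystem" => "npm",
    "directories" => dependabot_dirs, "schedule" => { "interval" => "weekly" } }] }
  { "package.json" => "{}", "front/package.json" => "{}", "packages/legacy/package.json" => "{}",
    "pnpm-workspace.yaml" => "packages:\n  - front\n  - packages/*\n  - '!packages/legacy'\n",
    ".github/dependabot.yml" => dependabot.to_yaml }.each do |rel, body|
    FileUtils.mkdir_p(File.dirname(File.join(root, rel)))
    File.write(File.join(root, rel), body)
  end
end

Dir.mktmpdir do |root|
  build_sample_repo(root, ["/"])
  puts "workspace manifests missing from dependabot.yml: #{uncovered_dirs(root)}"
end
```

Run in CI against the list of files changed in a Dependabot PR, `lockfile_left_behind?` catches updates that bump a version in package.json while the resolved versions in pnpm-lock.yaml stay on the old release.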

@thavaahariharangit thavaahariharangit moved this to In Progress in Dependabot Nov 27, 2024
@thavaahariharangit thavaahariharangit self-assigned this Nov 27, 2024
thavaahariharangit (Contributor) commented

Need to deploy #10806 PR

thavaahariharangit (Contributor) commented

@jamescrowley

I have created a sample repo to recreate this problem

Note:
In the above repo I have used the sample dependencies below:

  1. root level: [email protected]
  2. project level: [email protected]

Current behaviour of dependabot

Scenario 1

When updates.directory is

directories:
      - /
      - /packages/*

then PRs generated

 +---------------------------------------------+
 |     Changes to Dependabot Pull Requests     |
 +---------+-----------------------------------+
 | created | express ( from 4.10.0 to 4.21.1 ) |
 | created | vue ( from 3.2.0 to 3.5.13 )      |
 +---------+-----------------------------------+

Scenario 2

When updates.directory is

directories:
      - /

then PRs generated

 +---------------------------------------------+
 |     Changes to Dependabot Pull Requests     |
 +---------+-----------------------------------+
 | created | express ( from 4.10.0 to 4.21.1 ) |
 +---------+-----------------------------------+

Scenario 3

When updates.directory is

directories:
      - /packages/*

then PRs generated

 +----------------------------------------+
 |  Changes to Dependabot Pull Requests   |
 +---------+------------------------------+
 | created | vue ( from 3.2.0 to 3.5.13 ) |
 +---------+------------------------------+

As far as I know things are working as per the dependabot documentation.

Could you please help me recreate this issue?

Note:
updates.directory is dependabot.yml config. Ex : https://github.com/dsp-testing/pnpm-monorepo-sample/blob/main/.github/dependabot.yml#L4

FYI @landongrindheim

@thavaahariharangit thavaahariharangit moved this from In Progress to In review in Dependabot Nov 29, 2024
@thavaahariharangit thavaahariharangit moved this from In review to On Hold in Dependabot Nov 29, 2024
MattIPv4 commented

I suspect the key to reproducing might be having it update both directories/package.json files in a single PR. In our alveusgg repository we are combining directories and groups which seems to cause that?
