When trying to update the dependencies of a frontend project in an Azure pipeline with Dependabot, everything works fine when I delete the package-lock.json file, but I get an error when the file exists in the repository.
The repository uses a private registry feed (proget).
- I tried installing the packages with different npm versions
- I deleted the package-lock.json file; it works fine in this case
Some additional info:
I'm using dependabot-azure-devops, where I pull the Docker image directly instead of compiling the Dockerfile myself.
The error that I got is this:
Requirements to unlock own
Requirements update strategy bump_versions
Updating @fortawesome/fontawesome-free from 6.1.1 to 6.5.1
Error working on updates for @fortawesome/fontawesome-free 6.1.1 (continuing)
/usr/local/lib/ruby/3.1.0/open3.rb:222:in `spawn': No such file or directory - npm (Errno::ENOENT)
from /usr/local/lib/ruby/3.1.0/open3.rb:222:in `popen_run'
from /usr/local/lib/ruby/3.1.0/open3.rb:210:in `popen2e'
from /usr/local/lib/ruby/3.1.0/open3.rb:399:in `capture2e'
from /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/dependabot-common-0.237.0/lib/dependabot/shared_helpers.rb:409:in `run_shell_command'
from /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/sorbet-runtime-0.5.11141/lib/types/private/methods/call_validation.rb:153:in `bind_call'
from /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/sorbet-runtime-0.5.11141/lib/types/private/methods/call_validation.rb:153:in `validate_call_skip_block_type'
from /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/sorbet-runtime-0.5.11141/lib/types/private/methods/call_validation.rb:95:in `block in create_validator_slow_skip_block_type'
from /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/dependabot-npm_and_yarn-0.237.0/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb:272:in `run_npm_install_lockfile_only'
from /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/dependabot-npm_and_yarn-0.237.0/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb:194:in `run_npm8_top_level_updater'
from /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/dependabot-npm_and_yarn-0.237.0/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb:161:in `run_npm_top_level_updater'
from /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/dependabot-npm_and_yarn-0.237.0/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb:150:in `block in run_npm_updater'
from /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/dependabot-common-0.237.0/lib/dependabot/shared_helpers.rb:264:in `with_git_configured'
from /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/sorbet-runtime-0.5.11141/lib/types/private/methods/call_validation.rb:256:in `bind_call'
from /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/sorbet-runtime-0.5.11141/lib/types/private/methods/call_validation.rb:256:in `validate_call'
from /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/sorbet-runtime-0.5.11141/lib/types/private/methods/call_validation.rb:177:in `block in create_validator_slow'
from /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/dependabot-npm_and_yarn-0.237.0/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb:147:in `run_npm_updater'
from /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/dependabot-npm_and_yarn-0.237.0/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb:116:in `run_current_npm_update'
from /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/dependabot-npm_and_yarn-0.237.0/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb:61:in `block (2 levels) in updated_lockfile_content'
from /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/dependabot-npm_and_yarn-0.237.0/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb:61:in `chdir'
from /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/dependabot-npm_and_yarn-0.237.0/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb:61:in `block in updated_lockfile_content'
from /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/dependabot-common-0.237.0/lib/dependabot/shared_helpers.rb:80:in `block in in_a_temporary_directory'
from /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/dependabot-common-0.237.0/lib/dependabot/shared_helpers.rb:80:in `chdir'
from /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/dependabot-common-0.237.0/lib/dependabot/shared_helpers.rb:80:in `in_a_temporary_directory'
from /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/sorbet-runtime-0.5.11141/lib/types/private/methods/call_validation.rb:256:in `bind_call'
from /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/sorbet-runtime-0.5.11141/lib/types/private/methods/call_validation.rb:256:in `validate_call'
from /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/sorbet-runtime-0.5.11141/lib/types/private/methods/call_validation.rb:177:in `block in create_validator_slow'
from /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/dependabot-npm_and_yarn-0.237.0/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb:59:in `updated_lockfile_content'
from /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/dependabot-npm_and_yarn-0.237.0/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb:30:in `updated_lockfile'
from /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/dependabot-npm_and_yarn-0.237.0/lib/dependabot/npm_and_yarn/file_updater.rb:278:in `updated_lockfile_content'
from /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/dependabot-npm_and_yarn-0.237.0/lib/dependabot/npm_and_yarn/file_updater.rb:180:in `package_lock_changed?'
from /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/dependabot-npm_and_yarn-0.237.0/lib/dependabot/npm_and_yarn/file_updater.rb:218:in `block in updated_lockfiles'
from /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/dependabot-npm_and_yarn-0.237.0/lib/dependabot/npm_and_yarn/file_updater.rb:217:in `each'
from /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/dependabot-npm_and_yarn-0.237.0/lib/dependabot/npm_and_yarn/file_updater.rb:217:in `updated_lockfiles'
from /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/dependabot-npm_and_yarn-0.237.0/lib/dependabot/npm_and_yarn/file_updater.rb:44:in `updated_dependency_files'
from bin/update_script.rb:661:in `block in <main>'
from bin/update_script.rb:539:in `each'
from bin/update_script.rb:539:in `<main>'
Update: I switched to the public npm registry and still get the same error. For info, here is the package.json I use in one of the tests:
{
  "name": "frontend",
  "version": "0.1.0",
  "private": true,
  "scripts": {
    "dev": "vite",
    "build": "vite build",
    "preview": "vite preview --port 5050",
    "lint": "eslint . --ext .vue,.js,.jsx,.cjs,.mjs --fix --ignore-path .gitignore"
  },
  "dependencies": {
    "@fortawesome/fontawesome-free": "^6.0.0",
    "@microsoft/signalr": "^6.0.3",
    "axios": "^0.26.0",
    "bootstrap": "^5.1.3",
    "core-js": "^3.21.1",
    "pinia": "^2.0.14",
    "style-loader": "^3.3.1",
    "vue": "^3.2.31",
    "vue-router": "^4.0.12",
    "vue3-treeview": "^0.3.8"
  },
  "devDependencies": {
    "@babel/core": "^7.17.5",
    "@babel/eslint-parser": "^7.17.0",
    "@babel/preset-env": "^7.16.11",
    "@vitejs/plugin-vue": "^2.2.2",
    "eslint": "^8.9.0",
    "eslint-plugin-import": "^2.25.4",
    "eslint-plugin-node": "^11.1.0",
    "eslint-plugin-promise": "^6.0.0",
    "eslint-plugin-standard": "^5.0.0",
    "eslint-plugin-vue": "^8.2.0",
    "sass": "^1.49.8",
    "sass-loader": "^12.6.0",
    "vite": "^2.8.4"
  }
}
I'm not the one who created the frontend apps nor am I an expert in frontend development, but the application is working fine.
This is correct behavior. The error could occur when discrepancies exist between the dependencies listed in package.json and package-lock.json.
package-lock.json stores an exact, versioned dependency tree, ensuring that all developers working on a project install exactly the same dependencies, even if intermediate dependency updates occur. Hence, if there are some dependency updates, you need to make sure that the package-lock.json file is up-to-date with the package.json file. You can run npm install locally to regenerate package-lock.json and commit the changes to the repository. Or simply delete package-lock.json during install to fix the error.
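The discrepancy between package.json and package-lock.json mentioned in the answer above can be checked before a pipeline run. The following is an added example, not part of the original question or answer and not Dependabot's own code. It assumes a lockfileVersion 2 or 3 lockfile (npm 7+); the function name `lockfileDrift` is hypothetical and the sample data is constructed.

```javascript
// Added example: report drift between package.json and package-lock.json.
// Assumes lockfileVersion 2/3, where packages[""] mirrors the root manifest
// and packages["node_modules/<name>"] holds the pinned entry for <name>.
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function lockfileDrift(pkg, lock) {
  if (!lock.packages || !lock.packages[""]) {
    return [{ kind: "unsupported-lockfile", name: null }];
  }
  const findings = [];
  const root = lock.packages[""];
  for (const section of ["dependencies", "devDependencies"]) {
    const declared = pkg[section] || {};
    const locked = root[section] || {};
    for (const [name, range] of Object.entries(declared)) {
      const entry = lock.packages["node_modules/" + name];
      if (!has(locked, name)) {
        findings.push({ kind: "not-in-lock", section, name, range });
      } else if (locked[name] !== range) {
        findings.push({ kind: "range-changed", section, name, range, locked: locked[name] });
      } else if (!entry || !entry.version) {
        findings.push({ kind: "no-pinned-version", section, name, range });
      } else if (!entry.integrity) {
        // Entries fetched from a registry normally carry an integrity hash.
        findings.push({ kind: "no-integrity", section, name, range });
      }
    }
    for (const name of Object.keys(locked)) {
      if (!has(declared, name)) findings.push({ kind: "stale-in-lock", section, name });
    }
  }
  return findings;
}

// Constructed sample data (not the asker's real lockfile).
const samplePkg = {
  dependencies: { "@fortawesome/fontawesome-free": "^6.0.0", axios: "^0.26.0", pinia: "^2.0.14" },
  devDependencies: { vite: "^2.8.4" },
};
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "@fortawesome/fontawesome-free": "^6.0.0", axios: "^0.25.0", "core-js": "^3.21.1" },
          devDependencies: { vite: "^2.8.4" } },
    "node_modules/@fortawesome/fontawesome-free": { version: "6.1.1", integrity: "sha512-CONSTRUCTED" },
    "node_modules/axios": { version: "0.25.0", integrity: "sha512-CONSTRUCTED" },
    "node_modules/vite": { version: "2.8.4" },
  },
};
const sampleFindings = lockfileDrift(samplePkg, sampleLock);
console.log(sampleFindings.map((f) => `${f.kind}: ${f.name}`).join("\n"));
```

`npm ci` performs the authoritative version of this check and exits with an error when the two files are out of sync.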