Dependabot sometimes hoists optional dependencies to dependencies #3648

Open
@domoscargin

Description

What

For some packages/groups (especially @types/node), Dependabot will hoist a devDependency or optionalDependency to a dependency.

This is likely due to a problem with overrides at the npm level, so not something that'll go away any time soon.
npm/cli#7018
npm/cli#7019

Why

The fix is simple: we just need to run npm install, which removes the hoisted dependency, then commit that change. But it is an annoyance to have to do that manually each time!

Enough of an annoyance that we have a test to check when it happens:

it("should not hoist 'optionalDependencies' to 'dependencies'", () => {

It'd be good to automate this process, i.e. have GitHub Actions run npm install if that particular test fails, and commit the changes, so we don't have to manually fix it.

Who needs to work on this

Developer

Who needs to review this

Developer

Done when

  • devDependencies and optionalDependencies are no longer hoisted to dependencies by Dependabot
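
One way to detect the hoisting described in this issue, as an added example (not the project's own test or workflow code). It assumes the hoisted package appears under `dependencies` in a root or workspace entry of package.json or package-lock.json; `findHoisted`, the workspace name and all sample data are constructed.

```javascript
// Added example: function name, workspace path and sample data are constructed.
const NON_RUNTIME_FIELDS = ['devDependencies', 'optionalDependencies']

/**
 * Report packages listed under `dependencies` that the same manifest entry
 * also declares as a dev or optional dependency.
 * Accepts a package.json object, or a lockfile (v2/v3) with a `packages` map.
 */
function findHoisted (manifest) {
  // Assumption: in a lockfile only the root ("") and workspace entries matter,
  // so installed copies under node_modules/ are skipped.
  const entries = manifest.packages
    ? Object.entries(manifest.packages).filter(([path]) => !path.includes('node_modules/'))
    : [['', manifest]]

  const findings = []
  for (const [path, entry] of entries) {
    const runtime = entry.dependencies ?? {}
    for (const field of NON_RUNTIME_FIELDS) {
      for (const name of Object.keys(entry[field] ?? {})) {
        if (Object.hasOwn(runtime, name)) {
          findings.push({ path: path || '(root)', name, declaredIn: field, range: runtime[name] })
        }
      }
    }
  }
  return findings
}

// Constructed lockfile excerpt: one workspace with two hoisted packages.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { devDependencies: { 'example-dev-tool': '^1.0.0' } },
    'packages/example-app': {
      dependencies: { 'example-lib': '^2.0.0', '@types/node': '^1.0.0', 'example-optional': '^3.0.0' },
      devDependencies: { '@types/node': '^1.0.0' },
      optionalDependencies: { 'example-optional': '^3.0.0' }
    },
    // Installed package entry: ignored by the check.
    'node_modules/example-lib': {
      dependencies: { 'example-optional': '^3.0.0' },
      optionalDependencies: { 'example-optional': '^3.0.0' }
    }
  }
}

for (const f of findHoisted(sampleLock)) {
  console.log(`${f.path}: ${f.name} is in dependencies and ${f.declaredIn}`)
}
```

A CI step can run the same function over the parsed `package-lock.json` and treat a non-empty result as the signal to run `npm install` and commit the change.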

Labels: dependencies, github_actions, small story, tooling
