Dependabot is not updating package-lock when bumping dependencies in a monorepo

[Th3S4mur41]

Is there an existing issue for this?

• I have searched the existing issues

Package ecosystem

npm

Package manager version

npm 8.19.3

Language version

node 16.19.0

Manifest location and content before the Dependabot update

package.json

{
	"name": "@atos-parallel/web",
	"private": "true",
	"engines": {
		"node": ">= 16.0.0",
		"npm": ">= 8.0.0"
	},
	"workspaces": [
		"packages/docs"
	],
	"scripts": {
	},
	"devDependencies": {
		"@atos-parallel/release-config": "^1.2.3",
		"@atos-parallel/stylelint-config": "^1.2.0",
		"@babel/core": "^7.20.5",
		"@commitlint/cli": "^17.3.0",
		"@commitlint/config-conventional": "^17.3.0",
		"@percy/cli": "^1.16.0",
		"@typescript-eslint/eslint-plugin": "^5.47.0",
		"@typescript-eslint/parser": "^5.47.0",
		"autoprefixer": "^10.4.13",
		"concurrently": "^7.6.0",
		"cssnano": "^5.1.14",
		"eslint": "^8.30.0",
		"hint": "^7.1.3",
		"husky": "^8.0.2",
		"lint-staged": "^13.1.0",
		"postcss": "^8.4.20",
		"postcss-nesting": "^10.2.0",
		"postcss-preset-env": "^7.8.3",
		"prettier": "^2.8.1",
		"pretty-quick": "^3.1.0",
		"rimraf": "^3.0.2",
		"typedoc": "^0.23.23",
		"typedoc-plugin-markdown": "^3.14.0"
	}
}

/packages/docs/package.json

{
	"name": "@atos-parallel/docs",
	"version": "1.4.0",
	"private": true,
	"scripts": {
	},
	"dependencies": {
		"@atos-parallel/icons": "^1.2.12",
		"lit": "^2.5.0"
	},
	"devDependencies": {
		"@babel/core": "^7.20.5",
		"@percy/storybook": "^4.3.4",
		"@storybook/addon-a11y": "^6.5.14",
		"@storybook/addon-actions": "6.5.14",
		"@storybook/addon-docs": "6.5.14",
		"@storybook/addon-essentials": "6.5.14",
		"@storybook/addon-links": "6.5.14",
		"@storybook/addon-postcss": "^2.0.0",
		"@storybook/addons": "6.5.14",
		"@storybook/builder-vite": "^0.2.6",
		"@storybook/theming": "6.5.14",
		"@storybook/web-components": "6.5.14",
		"babel-loader": "^9.1.0",
		"postcss": "^8.4.20",
		"storybook-addon-designs": "^6.3.1"
	},
	"peerDependencies": {
		"@atos-parallel/components": "1.1.1"
	}
}

dependabot.yml content

version: 2

registries:
  github:
    type: npm-registry
    url: https://npm.pkg.github.com
    token: ${{secrets.DEPENDABOT_TOKEN}}

updates:
  - package-ecosystem: 'npm'
    directory: '/' # Location of package manifests
    registries: '*'
    schedule:
      interval: 'daily'
      time: '00:00'
      timezone: 'Europe/Berlin'

Updated dependency

@storybook/builder-vite from 0.2.5 to 0.2.6

What you expected to see, versus what you actually saw

Dependabot should update @storybook/builder-vite to version 0.2.6 in package.json in the 'docs' workspace and the package-lock.json in the root of the monorepo.
The package-lock.json is not updated though

Native package manager behavior

package-lock.json in the root of the monorepo is updated too.

Images of the diff or a link to the PR, issue, or logs

https://github.com/atos-parallel/web/pull/699

Smallest manifest that reproduces the issue

No response

[deivid-rodriguez]

@Th3S4mur41 Would it be possible for you to create an open source repo with this problem? That would make it easier to fix.

[Th3S4mur41]

@deivid-rodriguez I tried to reproduce the issue in another monorepo
Unfortunately, in this case it worked as expected.

Is there anything else I can provide to help you investigate what might have been a glitch?

[Th3S4mur41]

Facing the issue again in the same repo with the next update of same dependency 🤔

I tried dependabot recreate but the outcome is the same...

Running npm i on the dependabot branch in my codespaces makes the update to package-lock.json

Same update on the demo monorepo went through and updated both 😒

[deivid-rodriguez]

I have little experience with npm so my intuition in this ecosystem is low. But I guess I would try figuring out the differences between the demo monorepo. For example, it seems that your public demo does not use registries in dependabot configuration, could that be related?

[Th3S4mur41]

Good point, let me try to add that to the demo.
However, this is not a global issue... All other dependencies in the problem repo are updated by dependabot just fine.
So far this happend twice, each time only with the one dependency

[Th3S4mur41]

@deivid-rodriguez demo repo updated to reflect also this aspect:

[Th3S4mur41]

Even with the added dependencies from a different registry and dependabot also using GitHub package registries, the issue is still not reproducible.
bump @storybook/builder-vite from 0.2.7 to 0.3.0 worked fine in the demo repo, but still missed to update the package lock in the private repo 🤔

[deivid-rodriguez]

That's too bad 😢. There must be something different between those setups that's triggering the issue, we need to figure out what that is 🤔.

I ran into the same issue, here is my repository: https://github.com/azuwey/supreme-memory

A potential solution could be to specify the lock file location, because it is different than the package.json file's location, because I think the problem is that dependabot doesn't find the lock file in the project.

[Th3S4mur41]

Right, the jsdom PR looks very similar to what I'm seeing.
@deivid-rodriguez is there a way to pull logs or something that would be helpful?

[deivid-rodriguez]

Now that we have open source repositories reproducing this, it should be easier to figure out. In any case you should be able to see logs at the "Insights > Dependency Graph > Dependabot" page.

@deivid-rodriguez So I checked it, and it seems that, it doesn't detect the dependencies in the package-lock.json, Insights > Dependency Graph > Dependencies > package-lock.json says: package-lock.json has no dependencies or is too large to display, under the Dependabot tab I can see the package-lock.json by clicking on the three dot next to the package.json label (Monitored dependency files).

What should I look for in the logs?