devabhishekpal commented on PR #5538: URL: https://github.com/apache/ozone/pull/5538#issuecomment-1792265549
@errose28 Thanks for asking [this](https://github.com/apache/ozone/pull/5538#pullrequestreview-1711244238), it is actually a good question.

So actually the main lockfile for Recon does not have this parameter. What is happening is when dependabot updates the pnpm-lock.yaml file, it is adding this param to the lockfile, and hence the clash. Now I am not sure why we had this not set up, but the dependabot sets it to true ([ref](https://github.com/apache/ozone/blob/c50e28d356f96b2d254e515d18d7fc21e1b1eb4c/hadoop-ozone/recon/src/main/resources/webapps/recon/ozone-recon-web/pnpm-lock.yaml)). We do not want to auto-install peer dependencies as we might face version clash issues - it is better to resolve them manually.

Now coming to the two questions:

#### In the image you shared, why was the pnpm lock file updated as part of a change to pom.xml?

This is because I had actually run out of dependabot dependency PRs, so dependabot won't raise further PRs once it opens an upgrade PR. So in order to test the scenario, I had manually removed the `github.actor == 'dependabot[bot]'` so that it runs on any PR, and then verified that the lockfile was generated. This was a dummy PR where I randomly edited the pom.xml file to trigger the actions.

#### Is there a way to configure dependabot to work correctly without needing a custom action? I don't totally understand the current error before this PR or if there is a config to fix this

So the current dependabot.yml change will actually properly bump the versions in the package.json, but it will also generate the pnpm-lock.yaml file. We cannot change this behaviour, and the lockfile which is generated by dependabot oftentimes has issues, like it sets the `lockfileVersion` incorrectly, and sometimes other options get set like we saw for autoInstallPeerDependencies. The action will instead use pnpm to generate the lockfile, ensuring that there is no such error and the proper file is generated.
