
[Stimulus] Dependabot NPM no longer updates due to Stimulus/UX vendor file paths in package.json #58678


Closed
ToshY opened this issue Oct 26, 2024 · 14 comments

Comments

@ToshY
Contributor

ToshY commented Oct 26, 2024

Symfony version(s) affected

7.0

Description

Dependabot no longer updates NPM packages in package.json when it depends on assets from bundles like Stimulus (or other UX packages). These have references to local file paths like file:vendor/symfony/stimulus-bundle/assets.

The error in logging that Dependabot shows is as follows:

2024-09-26T20:12:55.5383203Z updater | 2024/09/26 20:12:55 ERROR <job_891655384> Error during file fetching; aborting: The following path based dependencies could not be retrieved: @symfony/stimulus-bundle
2024-09-26T20:12:55.6591948Z   proxy | 2024/09/26 20:12:55 [008] POST /update_jobs/891655384/record_update_job_error
2024-09-26T20:12:55.7579478Z   proxy | 2024/09/26 20:12:55 [008] 204 /update_jobs/891655384/record_update_job_error
2024-09-26T20:12:55.8079080Z   proxy | 2024/09/26 20:12:55 [010] PATCH /update_jobs/891655384/mark_as_processed
2024-09-26T20:12:55.8718565Z   proxy | 2024/09/26 20:12:55 [010] 204 /update_jobs/891655384/mark_as_processed
2024-09-26T20:12:55.8748757Z updater | 2024/09/26 20:12:55 INFO <job_891655384> Finished job processing
2024-09-26T20:12:55.8774655Z updater | 2024/09/26 20:12:55 INFO Results:
2024-09-26T20:12:55.8779603Z Dependabot encountered '1' error(s) during execution, please check the logs for more details.
2024-09-26T20:12:55.8784340Z +---------------------------------+
2024-09-26T20:12:55.8787953Z |             Errors              |
2024-09-26T20:12:55.8790659Z +---------------------------------+
2024-09-26T20:12:55.8795300Z | path_dependencies_not_reachable |
2024-09-26T20:12:55.8796169Z +---------------------------------+
2024-09-26T20:12:56.0448570Z Failure running container f4dc4b7d8d61497057cd9e3c0ec13ac8464e6587d6a9745cd9c067bebef1e20d
2024-09-26T20:12:56.1228791Z Cleaned up container f4dc4b7d8d61497057cd9e3c0ec13ac8464e6587d6a9745cd9c067bebef1e20d
2024-09-26T20:12:56.1381106Z   proxy | 2024/09/26 20:12:56 0/5 calls cached (0%)
2024-09-26T20:12:56.1386530Z   proxy | 2024/09/26 20:12:56 Posting metrics to remote API endpoint
2024-09-26T20:12:56.5379023Z ##[error]Dependabot encountered an error performing the update

Error: The updater encountered one or more errors.

How to reproduce

/app/package.json

  "devDependencies": {
    "@symfony/stimulus-bridge": "^3.2.2",
    "@symfony/stimulus-bundle": "file:vendor/symfony/stimulus-bundle/assets",
    "@symfony/ux-autocomplete": "file:vendor/symfony/ux-autocomplete/assets",
    "@symfony/ux-lazy-image": "file:vendor/symfony/ux-lazy-image/assets",

/app/package-lock.json

    "node_modules/@symfony/stimulus-bundle": {
      "resolved": "vendor/symfony/stimulus-bundle/assets",
      "link": true
    },
    "node_modules/@symfony/ux-autocomplete": {
      "resolved": "vendor/symfony/ux-autocomplete/assets",
      "link": true
    },
    "node_modules/@symfony/ux-lazy-image": {
      "resolved": "vendor/symfony/ux-lazy-image/assets",
      "link": true
    },

/app/.github/dependabot.yml

version: 2
updates:
  - package-ecosystem: "composer"
    directory: "/"
    target-branch: "master"
    schedule:
      interval: "weekly"
      day: "sunday"

  - package-ecosystem: "npm"
    directory: "/"
    target-branch: "master"
    schedule:
      interval: "weekly"
      day: "sunday"

Possible Solution

Document recommended steps to workaround this problem.

Additional Context

#58405

@ToshY
Contributor Author

ToshY commented Dec 5, 2024

Is there missing information or is it not reproducible? Currently, this is holding back Dependabot from updating my NPM packages.

If someone has a workaround/solution, it would be very much appreciated.

@ToshY
Contributor Author

ToshY commented Dec 26, 2024

🦗

@tomas-kulhanek

tomas-kulhanek commented Jan 17, 2025

@ToshY In my opinion, the only workaround is to commit the entire vendor. 🤯

@ToshY
Contributor Author

ToshY commented Jan 17, 2025

> @ToshY In my opinion, the only workaround is to commit the entire vendor. 🤯

Thanks for your suggestion @tomas-kulhanek. I can see why that might work, but I'd rather not stray from (my own) best practices by starting to commit all dependencies just because a couple of stimulus/ux bundles are causing this problem. 🙁

I'm still somewhat surprised I haven't seen many other Symfony users mention or experience this, but surely there must be a less drastic workaround to handle this problem, maybe in the dependabot config or in the package.json, but I'm just not sure how.

@tomas-kulhanek

> @ToshY In my opinion, the only workaround is to commit the entire vendor. 🤯
>
> Thanks for your suggestion @tomas-kulhanek. I can see why that might work, but I'd rather not stray from (my own) best practices by starting to commit all dependencies just because a couple of stimulus/ux bundles are causing this problem. 🙁
>
> I'm still somewhat surprised I haven't seen many other Symfony users mention or experience this, but surely there must be a less drastic workaround to handle this problem, maybe in the dependabot config or in the package.json, but I'm just not sure how.

I agree with you. Committing all dependencies is not a good idea. I'm also surprised that I haven't found anyone else besides you who has the same problem. Does anyone use dependabot or does everyone commit dependencies? :(

@ToshY
Contributor Author

ToshY commented Apr 15, 2025

🦗

@tomas-kulhanek

Same as dependabot/dependabot-core#8898

@tomas-kulhanek

tomas-kulhanek commented Apr 18, 2025

@ToshY you can use Renovate or you can use npm package :) https://www.npmjs.com/package/@symfony

@ToshY
Contributor Author

ToshY commented Apr 19, 2025

> @ToshY you can use Renovate or you can use npm package :) https://www.npmjs.com/package/@symfony

Hey @tomas-kulhanek ,

Thanks for the suggestion, I'll try the NPM package 👍

@tomas-kulhanek

@ToshY it worked for me: "@symfony/ux-react": "^2.24.0",

@ToshY
Contributor Author

ToshY commented Apr 19, 2025

> @ToshY it worked for me: "@symfony/ux-react": "^2.24.0",

Nice that they started publishing the assets separately starting with 2.24.0. I think it works, as I can install them separately, but at the same time, every time I update a dependency with composer, like bumping/changing symfony/ux-autocomplete or symfony/ux-lazy-image, it changes the dependency in the package.json back to file:vendor/symfony/.... Have you encountered this behavior as well?

@Kocal
Member

Kocal commented Apr 20, 2025

> like bumping/changing symfony/ux-autocomplete or symfony/ux-lazy-image, it changes back the dependency in the package.json to file:vendor/symfony/.... Have you encountered this behavior as well?

Yes, it is related to Symfony Flex and package.json auto-synchronization. Since Flex 1.22.0 and 2.5.0, it seems you can disable this behavior by configuring synchronize_package_json: false in your composer.json, see symfony/flex#1032.
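The thread's two moving parts, the `file:vendor/...` specs that make Dependabot abort with `path_dependencies_not_reachable` and the Flex `synchronize_package_json` setting that keeps rewriting them back, can both be checked from the repo files themselves. The script below is an added example, not code from this issue, from Symfony Flex or from Dependabot: it lists path-based dependencies in a `package.json`, flags the ones whose target directory is absent from a checkout (what the Dependabot job sees when `vendor/` is not committed), rewrites the ones you hand it a published version range for, and adds `extra.symfony.synchronize_package_json: false` to `composer.json`. The sample `package.json` and `composer.json` strings are constructed to mirror the excerpts above, and the version map passed in `__main__` is hypothetical; only packages you have confirmed exist on the npm registry belong in it.

```python
"""Check a Symfony project for path-based npm dependencies that Dependabot
cannot reach, and for the Flex setting that would recreate them."""
import json
from pathlib import Path
from typing import Dict, List, Tuple

# Constructed sample mirroring the package.json excerpt in the issue.
SAMPLE_PACKAGE_JSON = """{
  "devDependencies": {
    "@symfony/stimulus-bridge": "^3.2.2",
    "@symfony/stimulus-bundle": "file:vendor/symfony/stimulus-bundle/assets",
    "@symfony/ux-autocomplete": "file:vendor/symfony/ux-autocomplete/assets",
    "@symfony/ux-lazy-image": "file:vendor/symfony/ux-lazy-image/assets"
  }
}"""

# Constructed composer.json that does not yet carry the Flex setting.
SAMPLE_COMPOSER_JSON = """{
  "require": {"symfony/ux-autocomplete": "^2.24", "symfony/ux-lazy-image": "^2.24"},
  "extra": {"symfony": {"allow-contrib": false}}
}"""

DEP_SECTIONS = ("dependencies", "devDependencies", "optionalDependencies")


def find_path_dependencies(package_json: str) -> Dict[str, str]:
    """Return {name: spec} for every dependency whose spec is a local path
    (file: or link:), i.e. the specs Dependabot's npm updater must resolve
    from the checkout rather than from the registry."""
    data = json.loads(package_json)
    found: Dict[str, str] = {}
    for section in DEP_SECTIONS:
        for name, spec in data.get(section, {}).items():
            if spec.startswith(("file:", "link:")):
                found[name] = spec
    return found


def missing_path_targets(package_json: str, project_root: str) -> List[str]:
    """Names of path dependencies whose directory does not exist under
    project_root. On a checkout without vendor/ every file:vendor/... entry
    lands here, which is the path_dependencies_not_reachable condition."""
    root = Path(project_root)
    missing = []
    for name, spec in find_path_dependencies(package_json).items():
        rel = spec.split(":", 1)[1]
        if not (root / rel).is_dir():
            missing.append(name)
    return missing


def rewrite_to_published(package_json: str, versions: Dict[str, str]) -> Tuple[str, List[str]]:
    """Replace file:/link: specs with registry version ranges for the packages
    listed in `versions`. Returns the new package.json text plus the names of
    path dependencies left untouched because no published range was given."""
    data = json.loads(package_json)
    untouched = []
    for section in DEP_SECTIONS:
        for name, spec in data.get(section, {}).items():
            if spec.startswith(("file:", "link:")):
                if name in versions:
                    data[section][name] = versions[name]
                else:
                    untouched.append(name)
    return json.dumps(data, indent=2) + "\n", untouched


def flex_sync_disabled(composer_json: str) -> bool:
    """True when composer.json sets extra.symfony.synchronize_package_json to
    false, so Flex stops rewriting package.json back to file:vendor/... paths."""
    data = json.loads(composer_json)
    return data.get("extra", {}).get("symfony", {}).get("synchronize_package_json") is False


def disable_flex_sync(composer_json: str) -> str:
    """Return composer.json text with the setting added; other keys are kept."""
    data = json.loads(composer_json)
    data.setdefault("extra", {}).setdefault("symfony", {})["synchronize_package_json"] = False
    return json.dumps(data, indent=2) + "\n"


if __name__ == "__main__":
    print("path dependencies:", find_path_dependencies(SAMPLE_PACKAGE_JSON))
    print("unreachable without vendor/:", missing_path_targets(SAMPLE_PACKAGE_JSON, "."))
    # Hypothetical version map: confirm each package is on npm before using it.
    new_pkg, untouched = rewrite_to_published(
        SAMPLE_PACKAGE_JSON,
        {"@symfony/ux-autocomplete": "^2.24.0", "@symfony/ux-lazy-image": "^2.24.0"},
    )
    print(new_pkg)
    print("still path-based:", untouched)
    print("flex sync disabled before:", flex_sync_disabled(SAMPLE_COMPOSER_JSON))
    print("flex sync disabled after:", flex_sync_disabled(disable_flex_sync(SAMPLE_COMPOSER_JSON)))
```

Running this on a real project means reading `package.json` and `composer.json` from disk instead of the constructed samples; running `missing_path_targets` from a clean clone (no `composer install`) reproduces what the Dependabot job sees. Anything `rewrite_to_published` reports as untouched still needs either a published package or the vendor directory present in the repo.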

@ToshY
Contributor Author

ToshY commented Apr 20, 2025

> like bumping/changing symfony/ux-autocomplete or symfony/ux-lazy-image, it changes back the dependency in the package.json to file:vendor/symfony/.... Have you encountered this behavior as well?
>
> Yes, it is related to Symfony Flex and package.json auto-synchronization. Since Flex 1.22.0 and 2.5.0, it seems you can disable this behavior by configuring synchronize_package_json: false in your composer.json, see symfony/flex#1032.

Awesome that works. Thanks for letting us know @Kocal !

@ToshY ToshY closed this as completed Apr 20, 2025
@Kocal
Member

Kocal commented Apr 20, 2025

Glad it's working! I will update the UX npm-packages README.md files to let other people know.
