Run yarn dedupe entirely instead of specific package(s) #9388
Conversation
Signed-off-by: Sora Morimoto <sora@morimoto.io>
smorimoto
force-pushed
the
fix-yarn-dedupe
branch
from
5a2c84d
to
01ea596
Compare
|
We chose specifically to only dedupe the package being updated to keep the diff Dependabot generates as small as possible. This would result in Dependabot making changes unrelated to the dependency being updated and I am not sure that it's the right thing to do. There should be previous discussions about this in the issue tracker as well. See #5830 I'm curious to hear some more reasons about why you think this would be preferable, and why it's Dependabots responsibility to do this |
|
The existing dedupe definitely isn't covering all situations that result in duplicate dependencies being introduced specifically by the same Dependabot bumps. I still quite regularly have to manually run a full dedupe on Dependabot PRs to pass dedupe checks. Does the existing dedupe include all downstream dependencies of the package(s) being bumped? It doesn't seem like it does. I subscribed to this issue (and PR) initially without even realizing that it does apparently run that (restricted) dedupe because I thought it just didn't run dedupe at all, given how often I have to manually address these. An alternative approach that would be helpful is exposing a new optional setting to perform a full dedupe instead, thus still offering the current approach by default (assuming this is actually working as desired for most projects). |
|
Maybe Dependabot could try a dedupe before the update, and then do the following:
In any case, it'd be good to see a realworld example of Dependabot creating duplications, also to verify that the proposed approach fixes it. |
Here's an example: https://github.com/graphile/gatsby-source-pg-example/pull/34/files It upgraded |
Closes #5830