Conversation
Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 4.8.2 to 4.8.3. - [Release notes](https://github.com/actions/dependency-review-action/releases) - [Commits](actions/dependency-review-action@3c4e3dc...05fe457) --- updated-dependencies: - dependency-name: actions/dependency-review-action dependency-version: 4.8.3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>
dependabot
bot
added
the
pr: dependencies
dependabot
bot
added
the
pr: dependencies
✅ [V2]
To edit notification comments on pull requests, go to your Netlify project configuration. |
⚡️ Lighthouse report for the deploy preview of this PR
|
|
Dependabot is incompatible with pnpm transitive dependencies. To solve this with pnpm |
slorber
deleted the
dependabot/github_actions/actions/dependency-review-action-4.8.3
branch
I don't know what you mean, sorry |
See here, for example: Those who use pnpm as the package manager cannot create PRs in the dependendabot UI because of transitive dependencies. The only way that I know to handle this is to use the pnpm I am grateful for Docusaurus and use it on a couple sites. I'm humbly suggesting that maintainer (you!) issue a patch release when there are a large number of dependabot issues. See also: https://pnpm.io/settings#overrides Thank you. |
|
This PR upgrades a GitHub action; this is something that only affects us, not anyone else If Dependabot can't do specific things for pnpm, that's outside the scope of Docusaurus, and we don't plan to "force upgrade" our users by releasing extra patch releases that upgrade our dependency requirements. Note that we can only enforce semver range requirements on our direct dependencies, not on transitive dependencies, so even if we did that, this wouldn't fully solve your problem and our transitive dependencies wouldn't get upgraded by magic, unless the whole dependency graph emits similar patches (very unlikely). If Dependanbot doesn't fulfill your need, you should report the problem to them or try a different tool to upgrade your lockfile |
|
Fair enough, thank you. |
2 participants
Bumps actions/dependency-review-action from 4.8.2 to 4.8.3.
Release notes
Sourced from actions/dependency-review-action's releases.
Commits
05fe457Merge pull request #1054 from actions/ahpook/release-4.8.33a8496cUpdate generated package files for v4.8.30f22a01Update CONTRIBUTING for new release process58be343Updating package versions for 4.8.39284e0cMerge pull request #931 from actions/dependabot/npm_and_yarn/spdx-licenses-20...8b76656Bump spdx-expression-parse in the spdx-licenses group across 1 directory43f5f02Merge pull request #1052 from actions/juxtin/fix-long-summariesf0033fcMerge pull request #1053 from actions/dependabot/npm_and_yarn/fast-xml-parser...b379e2eBump fast-xml-parser from 5.3.5 to 5.3.62e1cf54Properly truncate long summaries and catch errorsDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)