
Dependabot PRs cause recurring package.json merge conflicts #382


Closed
Hasenpfote opened this issue Apr 8, 2025 · 4 comments
Labels
question Further information is requested

Comments

@Hasenpfote
Contributor

After merging Dependabot PRs that update package.json and package-lock.json, open PRs often encounter merge conflicts in package.json.
These conflicts occur even when the changes seem unrelated, causing repeated manual conflict resolution and disrupting the workflow.

Any ideas or suggestions to reduce this friction?

#80, #161, #208, #272, #283, #294, #317, #324, #330, #351, #358, #376

@L4Ph
Collaborator

L4Ph commented Apr 8, 2025

It looks like there is no file called package-lock.json. I'm going to assume you mean pnpm-lock.yaml. (We don't use npm and have disabled it.)

First of all, if there are no conflicts (= the lock file and the hash value of package.json have not changed), GitHub will automatically merge to follow the main branch.

Otherwise, if a conflict in main needs to be resolved, then the lock file and the package.json hash have changed, and some package change has occurred, which is beyond my control.

P.S.
pnpm and yarn have a feature that automatically corrects invalid lock files to a correct state when a conflict occurs.
This should be done by only modifying package.json after merging main and running pnpm install.

@L4Ph L4Ph added the question Further information is requested label Apr 8, 2025
@Hasenpfote
Contributor Author

Here’s a rough outline of the steps I usually take to resolve these conflicts:

  1. Pull the updated main branch to my local environment after the Dependabot PR is merged.

  2. Merge main into the feature branch locally (conflicts occur).

  3. Run pnpm install to update pnpm-lock.yaml, then commit the changes.

  4. Push the updated feature branch to the remote repository.

This resolves the conflict for that particular update, but similar issues often arise again when Dependabot creates new PRs for different dependencies in package.json.

Do these conflicts eventually go away by repeating the above steps each time, or is there a better way to avoid them?
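The four steps above as a shell script, added here as an example; it is not code from the issue or the project. It assumes git and pnpm are installed, the remote is named origin, the main branch name is in MAIN_BRANCH, and the helper names (lock_only_conflicts, resync_with_main) are mine. It also runs a frozen-lockfile check before pushing, so the regenerated lock file is verified to match the merged package.json.

```shell
#!/usr/bin/env sh
# Added example, not from the issue or the project. Re-syncs the current
# feature branch with main after a Dependabot merge (steps 1-4 above).
# Assumes: git and pnpm installed, remote "origin", branch name in MAIN_BRANCH.
set -eu

MAIN_BRANCH="${MAIN_BRANCH:-main}"

# Return 0 when every conflicted path in "$1" (newline-separated) is the
# pnpm lock file, which `pnpm install` can regenerate on its own.
# A conflicted package.json (or any other file) needs a human first.
lock_only_conflicts() {
  [ -n "$1" ] || return 1
  printf '%s\n' "$1" | while IFS= read -r path; do
    [ "$path" = "pnpm-lock.yaml" ] || exit 1   # exits the pipeline subshell only
  done
}

resync_with_main() {
  git fetch origin "$MAIN_BRANCH"                          # step 1
  if git merge --no-edit "origin/$MAIN_BRANCH"; then       # step 2
    echo "merge clean, no lock file to regenerate"
  else
    conflicted=$(git diff --name-only --diff-filter=U)
    if ! lock_only_conflicts "$conflicted"; then
      echo "resolve these by hand, then run pnpm install and commit:" >&2
      printf '%s\n' "$conflicted" | sed 's/^/  /' >&2
      return 1
    fi
    # step 3: pnpm resolves the conflict markers in its own lock file and
    # rewrites it against the merged package.json
    pnpm install
    git add pnpm-lock.yaml
    git commit --no-edit
  fi
  # check before pushing: the lock file must satisfy package.json exactly,
  # so the versions Dependabot pinned are the ones CI will actually install
  pnpm install --frozen-lockfile
  git push origin HEAD                                     # step 4
}

# Run only when explicitly asked, so sourcing the file has no side effects.
if [ "${1:-}" = "--run" ]; then
  resync_with_main
fi
```

Invoke it from the feature branch as `sh resync.sh --run`; when package.json itself conflicted, it stops and lists the files so the manual edit happens before `pnpm install`.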

@L4Ph
Collaborator

L4Ph commented Apr 8, 2025

No, there is no way around this.
The steps above must be done every time a commit is made to the main branch that causes a conflict in an open PR.

@Hasenpfote
Contributor Author

Thanks for the clarification. I’ll continue applying the steps when conflicts occur.
