pnpm transitive dependency updates support #13177

@karlhorky

Description

Is there an existing issue for this?

  • I have searched the existing issues

Feature description

Hi, first of all, thanks for your continued work and maintenance on Dependabot, which is incredibly helpful for the security of multiple ecosystems 🙌

Dependabot doesn't support transitive dependency updates for pnpm, a very popular package manager (31M downloads / week as of writing).

Reproduction

Install a vulnerable transitive dependency like tar-fs@3.1.0 (vulnerable according to GHSA-vj76-c3g6-qr5v) via a dependent package like @puppeteer/[email protected]:

  1. Create a repo on GitHub and clone locally
  2. pnpm init
  3. Add the following to the top-level package.json object, for demo purposes (simulating a project already depending on tar-fs@3.1.0 as a transitive dep)
    "pnpm": {
      "overrides": {
        "tar-fs": "3.1.0"
      }
    }
  4. pnpm add --save-dev @puppeteer/[email protected]
  5. Remove the pnpm.overrides object from package.json again
  6. Run pnpm install again to also remove the overrides data from pnpm-lock.yaml
  7. Push to GitHub
  8. Observe the Dependabot alert about tar-fs@3.1.0 on the "Security" tab (screenshot below)
  9. Dependabot fails to upgrade the pnpm transitive dependency tar-fs@3.1.0 to tar-fs@3.1.1 with the error message Dependabot doesn't support the 'updating transitive dependencies' feature for pnpm package_manager 💥 (screenshot and logs below)

Reproduction repo: https://github.com/karlhorky/repro-dependabot-pnpm-unsupported-transitive-updates

Updating message:

Creating a security update for tar-fs
Dependabot is creating a security update to fix 1 Dependabot alert on tar-fs in pnpm-lock.yaml.

Or, manually upgrade tar-fs to version 3.1.1 or later. For example:

"dependencies": {
  "tar-fs": ">=3.1.1"
}
"devDependencies": {
  "tar-fs": ">=3.1.1"
}

Full error message:

Dependabot doesn't support the 'updating transitive dependencies' feature for pnpm package_manager

Dependabot attempted to update your dependencies but encountered an unsupported feature: 'updating transitive dependencies' for pnpm package_manager. Currently, this feature is not supported by Dependabot.

Relevant extract at end of logs:

updater | 2025/09/25 09:58:45 INFO <job_1108640748> Handled error whilst updating tar-fs: tool_feature_not_supported {"tool-name": "pnpm", "tool-type": "package_manager", feature: "updating transitive dependencies"}
  proxy | 2025/09/25 09:58:45 [175] POST /update_jobs/1108640748/record_ecosystem_meta
  proxy | 2025/09/25 09:58:45 [175] 204 /update_jobs/1108640748/record_ecosystem_meta
  proxy | 2025/09/25 09:58:45 [177] PATCH /update_jobs/1108640748/mark_as_processed
  proxy | 2025/09/25 09:58:45 [177] 204 /update_jobs/1108640748/mark_as_processed
updater | 2025/09/25 09:58:45 INFO <job_1108640748> Finished job processing
updater | 2025/09/25 09:58:45 INFO Results:
Dependabot encountered '1' error(s) during execution, please check the logs for more details.
+-------------------------------------------------------------------------------------------+
|                               Dependencies failed to update                               |
+------------+----------------------------+-------------------------------------------------+
| Dependency | Error Type                 | Error Details                                   |
+------------+----------------------------+-------------------------------------------------+
| tar-fs     | tool_feature_not_supported | {                                               |
|            |                            |   "tool-name": "pnpm",                          |
|            |                            |   "tool-type": "package_manager",               |
|            |                            |   "feature": "updating transitive dependencies" |
|            |                            | }                                               |
+------------+----------------------------+-------------------------------------------------+
Failure running container 2e97108a88edfc2f2bb3ff52b27bebddd52bc0dee59c6daa51c014abd2786001: Error: Command failed with exit code 1: /bin/sh -c $DEPENDABOT_HOME/dependabot-updater/bin/run update_files
Cleaned up container 2e97108a88edfc2f2bb3ff52b27bebddd52bc0dee59c6daa51c014abd2786001
  proxy | 2025/09/25 09:58:45 2/87 calls cached (2%)
  proxy | 2025/09/25 09:58:45 Posting metrics to remote API endpoint
Error: Dependabot encountered an error performing the update

Error: The updater encountered one or more errors.

Full logs (Gist): https://gist.github.com/karlhorky/130efcd77bd3527cc8d3ce3e4eb0eab1

Reproductions: Useless Dependabot PRs

Sometimes Dependabot opens useless PRs too (not upgrading the dependency that the PR says it does), when it thinks that it can update the transitive dependencies with pnpm:

  1. Bump vite transitive dependency from 5.4.8 to 7.1.11
  2. Bump @babel/helpers from 7.26.0 to 7.28.4 upleveled/portfolio-cms#194
  3. Bump brace-expansion from 1.1.11 to 1.1.12 upleveled/portfolio-cms#195
  4. Bump diff from 4.0.2 to 4.0.4 karlhorky/electron-app-patcher#180
  5. Bump @isaacs/brace-expansion from 5.0.0 to 5.0.1 karlhorky/nederlands-lidwoord-spel#8
  6. Bump tar from 7.4.3 to 7.5.7 karlhorky/nederlands-lidwoord-spel#7

Workaround: trigger custom pnpm updates from Dependabot alerts

Until native pnpm transitive security updates are supported, I built a minimal bridge for Dependabot alerts to GitHub Actions workflows:

It forwards dependabot_alert webhooks to repository_dispatch, so a repository workflow can run custom pnpm commands using the alert payload, for example:

  • pnpm up --depth 100 <packages>
  • pnpm up -r --depth 100 <packages>

The UX is not great (multiple steps to install on every repo), but it's a side effect of it being kept minimal and not having a lot of permissions.

This is not a replacement for native Dependabot support, but it may help work around it for now.
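The following is an added example, not code from this issue, from Dependabot or from pnpm. It shows the two pieces a workflow on the receiving end of the `repository_dispatch` bridge above would want: building the `pnpm up --depth 100 <package>` command from a `dependabot_alert` payload, and then checking the resulting `pnpm-lock.yaml` against the advisory's first patched version, which is also the check that would have caught the "Bump X from A to B" PRs listed earlier that leave A in the lockfile. The payload is a constructed subset of GitHub's `dependabot_alert` webhook fields (`alert.security_vulnerability.package.name`, `first_patched_version.identifier`); the lockfile is a constructed v9-layout excerpt in which every version except tar-fs 3.1.0 / 3.1.1 is made up and the integrity hashes are elided.

```python
# Added example: pnpm security-update helper driven by a dependabot_alert
# payload (assumptions: payload shape as described in the lead-in; the
# lockfile text is constructed and not taken from any real project).
import json
import re
import sys
from typing import Dict, List, Optional, Set, Tuple

# Constructed subset of a dependabot_alert webhook payload.
SAMPLE_ALERT = {
    "alert": {
        "security_advisory": {"ghsa_id": "GHSA-vj76-c3g6-qr5v"},
        "security_vulnerability": {
            "package": {"ecosystem": "npm", "name": "tar-fs"},
            "vulnerable_version_range": "< 3.1.1",
            "first_patched_version": {"identifier": "3.1.1"},
        },
    },
}

# Constructed pnpm-lock.yaml (v9 layout): tar-fs is only a transitive
# dependency of a direct devDependency; hashes and other versions are made up.
LOCK_BEFORE = """lockfileVersion: '9.0'
importers:
  .:
    devDependencies:
      '@puppeteer/browsers':
        specifier: 2.10.10
        version: 2.10.10
packages:
  '@puppeteer/browsers@2.10.10':
    resolution: {integrity: sha512-elided}
  tar-fs@3.1.0:
    resolution: {integrity: sha512-elided}
snapshots:
  '@puppeteer/browsers@2.10.10':
    dependencies:
      tar-fs: 3.1.0
  tar-fs@3.1.0: {}
"""
# The same lockfile after a successful `pnpm up --depth 100 tar-fs`.
LOCK_AFTER = LOCK_BEFORE.replace("tar-fs@3.1.0", "tar-fs@3.1.1").replace(
    "tar-fs: 3.1.0", "tar-fs: 3.1.1")

# A package key under packages:/snapshots:: two-space indent, optional
# quotes, `name@version` with an optional peer suffix, then a colon.
PACKAGE_KEY = re.compile(r"^  '?(?P<key>@?[^'\s]+?)'?:\s*$")


def lock_versions(lock_text: str, name: str) -> Set[str]:
    """Every version `name` resolves to in the lockfile (package keys only,
    so no YAML library is needed; `dep: version` lines are not consulted)."""
    found: Set[str] = set()
    for line in lock_text.splitlines():
        m = PACKAGE_KEY.match(line)
        if not m:
            continue
        key = m.group("key").split("(", 1)[0]  # drop peer suffix such as (foo@1.0.0)
        if "@" not in key[1:]:  # importer keys such as `.` have no version
            continue
        pkg, _, version = key.rpartition("@")  # scoped names keep their leading @
        if pkg == name:
            found.add(version)
    return found


def semver_key(version: str) -> Tuple:
    """Sort key for plain semver: numeric core, pre-release below the release."""
    core, _, pre = version.split("+", 1)[0].partition("-")
    nums = tuple(int(p) for p in core.split("."))
    return nums + ((0, pre) if pre else (1, ""))


def update_command(payload: dict, recursive: bool = False) -> str:
    """The pnpm command the workflow runs for one alert; --depth 100 lets pnpm
    update the package however deep it sits, which Dependabot cannot do here."""
    vuln = payload["alert"]["security_vulnerability"]
    ecosystem = vuln["package"]["ecosystem"]
    if ecosystem != "npm":
        raise ValueError(f"alert is for {ecosystem}, not an npm/pnpm dependency")
    return "pnpm up " + ("-r " if recursive else "") + f"--depth 100 {vuln['package']['name']}"


def verify_fixed(lock_text: str, payload: dict) -> Dict[str, List[str]]:
    """Split the lockfile's versions of the alert's package into fixed and
    still_vulnerable, with the advisory's first patched version as the floor.
    An advisory without a patched version can never count as fixed."""
    vuln = payload["alert"]["security_vulnerability"]
    patched: Optional[dict] = vuln.get("first_patched_version")
    floor = semver_key(patched["identifier"]) if patched else None
    result: Dict[str, List[str]] = {"fixed": [], "still_vulnerable": []}
    for v in sorted(lock_versions(lock_text, vuln["package"]["name"]), key=semver_key):
        ok = floor is not None and semver_key(v) >= floor
        result["fixed" if ok else "still_vulnerable"].append(v)
    return result


def bump_applied(lock_before: str, lock_after: str, name: str, to_version: str) -> bool:
    """True only if the PR's lockfile contains `to_version` of `name` and none of
    the versions that were there before (catches a "Bump X" PR that bumped nothing)."""
    before, after = lock_versions(lock_before, name), lock_versions(lock_after, name)
    return to_version in after and not (before & after)


if __name__ == "__main__":
    # e.g. echo "$CLIENT_PAYLOAD" | python3 pnpm_alert_check.py   (payload on stdin)
    alert = json.load(sys.stdin)
    print(update_command(alert))
    print(json.dumps(verify_fixed(open("pnpm-lock.yaml").read(), alert)))
```

Run `verify_fixed` on the lockfile after the `pnpm up` step and fail the workflow when `still_vulnerable` is non-empty; the same function applied to a Dependabot PR branch tells you whether the "Bump tar-fs" PR actually bumped tar-fs before you merge it.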
