Skip to content

Dependabot Failure Message Versioning is Misleading #14961

Description

@pieterocp

Is there an existing issue for this?

  • I have searched the existing issues

Package ecosystem

npm

Package manager version

11.10.0

Language version

v24.15.0

Manifest location and content before the Dependabot update

This is a private repo, but I think a minimal repo set would be a setup with an .npmrc set to be engine-strict=true & an engine field in a package.json set to be greater than the one available at the moment, e.g. "engines": { "npm": ">=11.10.0" },.

dependabot.yml content

No clue lmao.

Updated dependency

Was an attempt at updating fast-uri from 3.1.0 to 3.1.2.

What you expected to see, versus what you actually saw

So this is what I saw:

+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|                                                                         Dependencies failed to update                                                                         |
+------------+--------------------------------+---------------------------------------------------------------------------------------------------------------------------------+
| Dependency | Error Type                     | Error Details                                                                                                                   |
+------------+--------------------------------+---------------------------------------------------------------------------------------------------------------------------------+
| fast-uri   | dependency_file_not_resolvable | {                                                                                                                               |
|            |                                |   "message": "Dependabot uses Node.js v24.15.0 and NPM 11.12.1. Due to the engine-strict setting, the update will not succeed." |
|            |                                | }                                                                                                                               |
+------------+--------------------------------+---------------------------------------------------------------------------------------------------------------------------------+

but then above, in the full trace, there's a more information:

2026/05/09 05:03:57 INFO <job_1357410265> Started process PID: 1670 with command: {} git clean -fx {}
updater | 2026/05/09 05:03:57 INFO <job_1357410265> Process PID: 1670 completed with status: pid 1670 exit 0
updater | 2026/05/09 05:03:57 INFO <job_1357410265> Total execution time: 0.06 seconds
updater | 2026/05/09 05:03:57 INFO <job_1357410265> Started process PID: 1750 with command: {} corepack npm update fast-uri --force --ignore-scripts --package-lock-only {}
updater | 2026/05/09 05:03:58 INFO <job_1357410265> Process PID: 1750 completed with status: pid 1750 exit 1
updater | 2026/05/09 05:03:58 INFO <job_1357410265> Total execution time: 0.64 seconds
updater | 2026/05/09 05:03:58 ERROR <job_1357410265> Error running package manager command: corepack npm update fast-uri --force --ignore-scripts --package-lock-only, Error: npm warn Unknown project config "min-release-age". This will stop working in the next major version of npm.
npm warn using --force Recommended protections disabled.
npm error code EBADENGINE
npm error engine Unsupported engine
npm error engine Not compatible with your version of node/npm: internal-project-name@1.0.0
npm error notsup Not compatible with your version of node/npm: internal-project-nameinternal-project-name@1.0.0
npm error notsup Required: {"npm":">=11.10.0"}
npm error notsup Actual:   {"node":"v24.15.0","npm":"11.8.0"}
npm error A complete log of this run can be found in: /home/dependabot/.npm/_logs/2026-05-09T05_03_57_658Z-debug-0.log
updater | 2026/05/09 05:03:58 INFO <job_1357410265> Requirements to unlock all
updater | 2026/05/09 05:03:58 INFO <job_1357410265> Requirements update strategy bump_versions
updater | 2026/05/09 05:03:58 INFO <job_1357410265> Updating fast-uri from 3.1.0 to 3.1.2
updater | 2026/05/09 05:03:58 INFO <job_1357410265> Started process PID: 1839 with command: {} corepack npm update fast-uri --force --ignore-scripts --package-lock-only {}
updater | 2026/05/09 05:03:58 INFO <job_1357410265> Process PID: 1839 completed with status: pid 1839 exit 1
updater | 2026/05/09 05:03:58 INFO <job_1357410265> Total execution time: 0.63 seconds
2026/05/09 05:03:58 ERROR <job_1357410265> Error running package manager command: corepack npm update fast-uri --force --ignore-scripts --package-lock-only, Error: npm warn Unknown project config "min-release-age". This will stop working in the next major version of npm.
npm warn using --force Recommended protections disabled.
npm error code EBADENGINE
npm error engine Unsupported engine
npm error engine Not compatible with your version of node/npm: internal-project-name@1.0.0
npm error notsup Not compatible with your version of node/npm: internal-project-name@1.0.0
npm error notsup Required: {"npm":">=11.10.0"}
npm error notsup Actual:   {"node":"v24.15.0","npm":"11.8.0"}
npm error A complete log of this run can be found in: /home/dependabot/.npm/_logs/2026-05-09T05_03_58_403Z-debug-0.log
updater | 2026/05/09 05:03:58 WARN <job_1357410265> NPM : npm warn Unknown project config "min-release-age". This will stop working in the next major version of npm.
npm warn using --force Recommended protections disabled.
npm error code EBADENGINE
npm error engine Unsupported engine
npm error engine Not compatible with your version of node/npm: internal-project-name@1.0.0
npm error notsup Not compatible with your version of node/npm: internal-project-name@1.0.0
npm error notsup Required: {"npm":">=11.10.0"}
npm error notsup Actual:   {"node":"v24.15.0","npm":"11.8.0"}
npm error A complete log of this run can be found in: /home/dependabot/.npm/_logs/2026-05-09T05_03_58_403Z-debug-0.log
  proxy | 2026/05/09 05:03:59 [026] POST /update_jobs/1357410265/record_update_job_error
  proxy | 2026/05/09 05:03:59 [026] 204 /update_jobs/1357410265/record_update_job_error
updater | 2026/05/09 05:03:59 INFO <job_1357410265> Handled error whilst updating fast-uri: dependency_file_not_resolvable {message: "Dependabot uses Node.js v24.15.0 and NPM 11.12.1. Due to the engine-strict setting, the update will not succeed."}
  proxy | 2026/05/09 05:03:59 [028] POST /update_jobs/1357410265/record_ecosystem_meta
  proxy | 2026/05/09 05:03:59 [028] 204 /update_jobs/1357410265/record_ecosystem_meta
  proxy | 2026/05/09 05:03:59 [030] PATCH /update_jobs/1357410265/mark_as_processed
  proxy | 2026/05/09 05:03:59 [030] 204 /update_jobs/1357410265/mark_as_processed
updater | 2026/05/09 05:03:59 INFO <job_1357410265> Finished job processing
updater | 2026/05/09 05:03:59 INFO Results:

Of course, after a couple minutes of reading, I saw the two versions are clearly different, so it's likely that the error re-writing block inside is a little bit wonky with respect to the npm version it prints out:

          if error_message.include?("EBADENGINE")
            msg = "Dependabot uses Node.js #{`node --version`.strip} and NPM #{`npm --version`.strip}. " \
                  "Due to the engine-strict setting, the update will not succeed."
            raise Dependabot::DependencyFileNotResolvable, msg
          end

The reason for the restriction to this freshest version is the enforcement of the use of the new min-release-age, which came out in npm v11.10.0, to prevent 0-day package hijacking when running npm install on development setups.

Native package manager behavior

It would refuse to do anything, when this engine restriction is in place, as depdenabot cleanly replicates.

Images of the diff or a link to the PR, issue, or logs

No response

Smallest manifest that reproduces the issue

I have no clue what this is. Can read up on this if needed?

Metadata

Metadata

Type

No type

Fields

No fields configured for issues without a type.

Projects

Status
No status

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions