Renovate downgraded npm lockfile version from v2 to v1

[rimas-kudelis]

How are you running Renovate?

Self-hosted

If you're self-hosting Renovate, tell us what version of Renovate you run.

31.89.12

Please select which platform you are using if self-hosting.

Bitbucket Cloud (bitbucket.org)

If you're self-hosting Renovate, tell us what version of the platform you run.

It's a cloud service, there's no versioning.

Was this something which used to work for you, and then stopped?

Not applicable, because this is a fairly new installation.

Describe the bug

I enabled Renovate for a frontend project yesterday, which uses NPM, and at least one of Renovate's first pull requests contained an update of axios:

-    "axios": "^0.24.0",
+    "axios": "^0.26.0",

However, the diff in package-lock.json was so huge that Bitbucket refuses to display it, and a really unexpected change in that diff was a downgrade of file version from v2 to v1 and removal of the whole packages structure from the file:

---
 package-lock.json | 12972 +-------------------------------------------
 package.json      |     2 +-
 2 files changed, 80 insertions(+), 12894 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index b2d0718..dfa7d56 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12460 +1,8 @@
 {
   "name": "frontend-next",
   "version": "0.1.0",
-  "lockfileVersion": 2,
+  "lockfileVersion": 1,
   "requires": true,
-  "packages": {
-    "": {
-      "name": "frontend-next",
-      "version": "0.1.0",
-      "dependencies": {
-        "@headlessui/react": "^1.4.2",
-        "@hookform/error-message": "^2.0.0",
...

This appears to be exactly the opposite of what was reported in #14062.
Is there any way for us to prevent such lockfile downgrades in the future? Or any explanation why it would happen in the first place?

Relevant debug logs

No response

Have you created a minimal reproduction repository?

No reproduction repository

[github-actions[bot]]

Hi there,

We have found that there's a problem with the logs. Depending on which situation applies follow one, some or all of these instructions.

No logs at all

If there's no log posted yet, we need you to find and copy/paste the log into the issue template.

Finding logs on hosted app

Click me to read instructions

If you use the Renovate app (GitHub):

1. Go to the affected PR, and search for "View repository job log here"
2. Click on the link to go to the "WhiteSource Renovate Dashboard" and log in
3. You are now in the correct repository log overview screen
4. Copy/paste the correct log
5. Follow the steps in the formatting your logs section

Finding logs when self-hosting

Click me to read instructions

If you're running self-hosted, run with LOG_LEVEL=debug in your environment variables and search for whatever dependency/branch/PR that is causing the problem.

Insufficient logs

Click me to read instructions

If you already provided logs, and the Renovate team said they are not enough, follow the instructions from the No logs at all section.

Formatting your logs

Click me to read instructions

Please put your logs in a <details> and <summary> element like this:

<details><summary>Click me to see logs</summary>

```
Copy/paste any log here, between the starting and ending backticks
```

</details>

[rimas-kudelis]

I could enable debug logging and attach the logs if necessary, but is it really necessary?

[rarkins]

I wouldn’t have asked if not

[rimas-kudelis]

Here's the log for the same repo, but different update: renovate.log

[rarkins]

Thanks, this log confirms that npm v6 is being run:

"npm WARN read-shrinkwrap This version of npm is compatible with lockfileVersion@1, but package-lock.json was generated for lockfileVersion@2. I'll try to do my best with it!
npm WARN notsup Unsupported engine for msw@0.39.0: wanted: {"node":">=16.x"} (current: {"node":"14.19.0","npm":"6.14.16"})
npm WARN notsup Not compatible with your version of node/npm: msw@0.39.0
npm WARN notsup Unsupported engine for @mswjs/interceptors@0.14.0: wanted: {"node":">=16.x"} (current: {"node":"14.19.0","npm":"6.14.16"})
npm WARN notsup Not compatible with your version of node/npm: @mswjs/interceptors@0.14.0

I recommend binarySource=install

[viceice]

I assume you are using the full renovate docker image?

You need to set binarySource to install or docker. Please read the docs about that.

[viceice]

You probably don't run renovate via default docker entrypoint, so the BUILDPACK=true environment isn't properly set. You can manually export it or use the official run methods.

[viceice]

Please describe in detail how you run / start renovate ( the pipeline)

[konrad-ohms]

Ah, that's an interesting point 🙂

I am using a setup inspired by your comment here: renovatebot/config-help#674 (comment)
I am using the scripted Pipeline approach in order to dynamically generate parallel job executions, but the high level concepts are basically equal.

It's not the first iteration, I tweaked the setup multiple times (big fan of your tooling and its flexibility by the way 😉 ).

Current setup

• A Jenkins job with a parameter which can contain a comma separated list of repositories (run on all repositories if an emtpy string is passed). This allows me to invoke the renovate job from other pipelines, once they publish artifacts which are required in downstream projects.
• Have a GitHub app setup installed on my repositories (I used to have personal access tokens, but I like the ease of use of GitHub apps for consumers and also higher rate limits if you are running against multiple organizations): I have a custom Node.js script which basically uses the private key of the GitHub App to sign a JWT and obtain access tokens per installations via GitHub's APIs. Afterwards, I crawl all repositories which the app has access to and generate a file for each individual repository and its belonging access token (this is important to work with multiple organizations as the tokens between installations are not equal).
• Once I have those files written to disk, I parse the list of repositories via Jenkins and schedule parallel jobs for all repositories concurrently. To ensure that only one instance of renovate is targeting the same repository, I use Jenkins locks in a fashion which ensures uniqueness per repository, e.g.: lock("renovate-${repo}") { /* steps to update */ }. To ensure to not overload APIs and to increase the availability of the solution, I host multiple VMs (all using the same node label in Jenkins) in different regions and every worker VM has a few executors (1 per core).
• I have a cleanup parameter in the Jenkins job which will retrieve a list of worker vms and will ensure to cleanup all images which are currently not used on master and which will remove all cache volumes. I run that once a day, to ensure nothing runs out of disk.
• The important part is now the renovate execution step, it is spawning a new container on the worker VMs, inject certain secrets (e.g. .npmrc files and registry tokens), checks out the GitHub repository containing my renovate configuration, validates the configuration and to start renovate via the cli inside the container. On feature branches, it adds the --dry-run=true flag so that I can validate new renovate builds before merging them to the main branch, this is especially useful on breaking changes to see if my authentication configuration is still working.
  From https://github.com/renovatebot/docker-renovate-full/blob/dd9b2c0660d8cd93b898293dfd9f05388d348281/Dockerfile#L6 it looks lie it is based on https://github.com/renovatebot/docker-buildpack/blob/f6b4f69c2e11663be95aa6d6adacf41c0f4b7768/Dockerfile#L10 which is based on https://github.com/containerbase/buildpack/blob/83fd2200eed740119fc2afef4770a5a60c8200cc/Dockerfile which defines the entrypoint script in https://github.com/containerbase/buildpack/blob/83fd2200eed740119fc2afef4770a5a60c8200cc/src/usr/local/bin/docker-entrypoint.sh.

It seem to source /usr/local/etc/env, so there are multiple variables to set before running.

This section was basically the invocation up until now:

def renovateImage = 'renovate/renovate:32.6.9@sha256:42de47b9c291bda39339c9348957e7789fa6a6dd12b0763ba6014efb1b0d3562'
def workerLabel = 'renovate-worker'

def getSanitizedRepoString(repo) {
    return repo.replaceAll('/','-').toLowerCase()
}

node(workerLabel) {
    def volume = getSanitizedRepoString(repo)
    docker.image(renovateImage).inside("-v ${volume}:/tmp/renovate") {
        stage(repo) {
            withCredentials([
                ...
                usernamePassword(credentialsId: 'xxx', passwordVariable: 'GITHUB_COM_TOKEN', usernameVariable: 'GITHUB_COM_USER')
            ]) {
                checkout scm
                unstash 'npmrc'
                // Note that npm will be dynamically installed if necessary, just display defaults
                sh label: 'Display versions', script: """
                    node --version
                    npm --version
                    renovate --version
                """
                sh label: 'Restore ~/.npmrc', script: 'cp -f .npmrc ~/.npmrc'
                // set dry run to true on non-master branches
                def dryRun = env.BRANCH_NAME != "master"
                sh label: 'Run Renovate', script: """
                    export LOG_LEVEL=debug
                    rm -f renovate.log
                    renovate --dry-run=${dryRun}
                """
                // upload logs via curl
            }
        }
    }
}

Fix Attempts

I tried to changed the invocation to include the entrypoint script now, but that did not change the behavior in renovate:

docker.image(renovateImage).inside("--entrypoint=/usr/local/bin/docker-entrypoint.sh -v ${volume}:/tmp/renovate") {...}

Next try was to directly add the entrypoint script to invoke the renovate cli:

sh label: 'Run Renovate', script: """
    export LOG_LEVEL=debug
    # ensure to delete renovate.log file as containers might get reused
    rm -f renovate.log
    # binarySource=install will fail otherwise, see https://github.com/renovatebot/renovate/discussions/14409#discussioncomment-2435792
    /usr/local/bin/docker-entrypoint.sh renovate --dry-run=${dryRun}
"""

That seem to have changed that behavior, the log now indicates that the install tool faces issues to access '/home/ubuntu/.npm':

DEBUG: Manual rebase requested via Dependency Dashboard (repository=myorg/myrepo, branch=renovate/master-lock-file-maintenance)
DEBUG: Using reuseExistingBranch: false (repository=myorg/myrepo, branch=renovate/master-lock-file-maintenance)
DEBUG: manager.getUpdatedPackageFiles() reuseExistinbranch=false (repository=myorg/myrepo, branch=renovate/master-lock-file-maintenance)
DEBUG: No package files need updating (repository=myorg/myrepo, branch=renovate/master-lock-file-maintenance)
DEBUG: Getting updated lock files (repository=myorg/myrepo, branch=renovate/master-lock-file-maintenance)
DEBUG: Writing package.json files (repository=myorg/myrepo, branch=renovate/master-lock-file-maintenance)
       "packageFiles": ["package.json"]
DEBUG: Ensuring package-lock.json is removed (repository=myorg/myrepo, branch=renovate/master-lock-file-maintenance)
DEBUG: Writing any updated package files (repository=myorg/myrepo, branch=renovate/master-lock-file-maintenance)
DEBUG: npmrc file found in repository (repository=myorg/myrepo, branch=renovate/master-lock-file-maintenance)
DEBUG: Writing updated .npmrc file to /tmp/renovate/repos/github/myorg/myrepo/.npmrc (repository=myorg/myrepo, branch=renovate/master-lock-file-maintenance)
DEBUG: Generating package-lock.json for . (repository=myorg/myrepo, branch=renovate/master-lock-file-maintenance)
DEBUG: Spawning npm install to create /tmp/renovate/repos/github/myorg/myrepo/package-lock.json (repository=myorg/myrepo, branch=renovate/master-lock-file-maintenance)
DEBUG: Updating lock file only (repository=myorg/myrepo, branch=renovate/master-lock-file-maintenance)
DEBUG: Using node constraint "^16.14.2" from package.json (repository=myorg/myrepo, branch=renovate/master-lock-file-maintenance)
DEBUG: Removing /tmp/renovate/repos/github/myorg/myrepo/package-lock.json first due to lock file maintenance upgrade (repository=myorg/myrepo, branch=renovate/master-lock-file-maintenance)
DEBUG: Using buildpack dynamic installs (repository=myorg/myrepo, branch=renovate/master-lock-file-maintenance)
 WARN: No matching tool versions found for constraint - using latest version (repository=myorg/myrepo, branch=renovate/master-lock-file-maintenance)
       "toolName": "npm",
       "constraint": "^8.5.0 <7",
       "latestVersion": "8.5.5"
DEBUG: Executing command (repository=myorg/myrepo, branch=renovate/master-lock-file-maintenance)
       "command": "install-tool npm 8.5.5"
DEBUG: rawExec err (repository=myorg/myrepo, branch=renovate/master-lock-file-maintenance)
       "err": {
         "killed": false,
         "code": 1,
         "signal": null,
         "cmd": "install-tool npm 8.5.5",
         "stdout": "Installing legacy tool npm v8.5.5\n/home/ubuntu/npm/8.5.5/bin/npm -> /home/ubuntu/npm/8.5.5/lib/node_modules/npm/bin/npm-cli.js\n/home/ubuntu/npm/8.5.5/bin/npx -> /home/ubuntu/npm/8.5.5/lib/node_modules/npm/bin/npx-cli.js\n+ npm@8.5.5\nadded 200 packages from 94 contributors in 7.34s\n",
         "stderr": "npm WARN using --force I sure hope you know what you are doing.\nnpm WARN using --force I sure hope you know what you are doing.\nchmod: cannot access '/home/ubuntu/.npm': No such file or directory\nln: failed to create symbolic link '/usr/local/bin/npm': Permission denied\n",
         "message": "Command failed: install-tool npm 8.5.5\nnpm WARN using --force I sure hope you know what you are doing.\nnpm WARN using --force I sure hope you know what you are doing.\nchmod: cannot access '/home/ubuntu/.npm': No such file or directory\nln: failed to create symbolic link '/usr/local/bin/npm': Permission denied\n",
         "stack": "Error: Command failed: install-tool npm 8.5.5\nnpm WARN using --force I sure hope you know what you are doing.\nnpm WARN using --force I sure hope you know what you are doing.\nchmod: cannot access '/home/ubuntu/.npm': No such file or directory\nln: failed to create symbolic link '/usr/local/bin/npm': Permission denied\n\n    at ChildProcess.exithandler (child_process.js:383:12)\n    at ChildProcess.emit (events.js:400:28)\n    at ChildProcess.emit (domain.js:475:12)\n    at maybeClose (internal/child_process.js:1058:16)\n    at Process.ChildProcess._handle.onexit (internal/child_process.js:293:5)"
       }
DEBUG: lock file error (repository=myorg/myrepo, branch=renovate/master-lock-file-maintenance)
       "err": {
         "killed": false,
         "code": 1,
         "signal": null,
         "cmd": "install-tool npm 8.5.5",
         "stdout": "Installing legacy tool npm v8.5.5\n/home/ubuntu/npm/8.5.5/bin/npm -> /home/ubuntu/npm/8.5.5/lib/node_modules/npm/bin/npm-cli.js\n/home/ubuntu/npm/8.5.5/bin/npx -> /home/ubuntu/npm/8.5.5/lib/node_modules/npm/bin/npx-cli.js\n+ npm@8.5.5\nadded 200 packages from 94 contributors in 7.34s\n",
         "stderr": "npm WARN using --force I sure hope you know what you are doing.\nnpm WARN using --force I sure hope you know what you are doing.\nchmod: cannot access '/home/ubuntu/.npm': No such file or directory\nln: failed to create symbolic link '/usr/local/bin/npm': Permission denied\n",
         "message": "Command failed: install-tool npm 8.5.5\nnpm WARN using --force I sure hope you know what you are doing.\nnpm WARN using --force I sure hope you know what you are doing.\nchmod: cannot access '/home/ubuntu/.npm': No such file or directory\nln: failed to create symbolic link '/usr/local/bin/npm': Permission denied\n",
         "stack": "Error: Command failed: install-tool npm 8.5.5\nnpm WARN using --force I sure hope you know what you are doing.\nnpm WARN using --force I sure hope you know what you are doing.\nchmod: cannot access '/home/ubuntu/.npm': No such file or directory\nln: failed to create symbolic link '/usr/local/bin/npm': Permission denied\n\n    at ChildProcess.exithandler (child_process.js:383:12)\n    at ChildProcess.emit (events.js:400:28)\n    at ChildProcess.emit (domain.js:475:12)\n    at maybeClose (internal/child_process.js:1058:16)\n    at Process.ChildProcess._handle.onexit (internal/child_process.js:293:5)"
       },
       "type": "npm"
DEBUG: No updated lock files in branch (repository=myorg/myrepo, branch=renovate/master-lock-file-maintenance)
DEBUG: PR has no releaseTimestamp (repository=myorg/myrepo, branch=renovate/master-lock-file-maintenance)
DEBUG: isBranchConflicted(master, renovate/master-lock-file-maintenance) (repository=myorg/myrepo, branch=renovate/master-lock-file-maintenance)
DEBUG: No files to commit (repository=myorg/myrepo, branch=renovate/master-lock-file-maintenance)

On the PR that raises this message:

⚠ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: package-lock.json

npm WARN using --force I sure hope you know what you are doing.
npm WARN using --force I sure hope you know what you are doing.
chmod: cannot access '/home/ubuntu/.npm': No such file or directory
ln: failed to create symbolic link '/usr/local/bin/npm': Permission denied

I could create the .npm directory:

sh label: 'Run Renovate', script: """
    export LOG_LEVEL=debug
    # ensure to delete renovate.log file as containers might get reused
    rm -f renovate.log
    # binarySource=install will fail otherwise, see https://github.com/renovatebot/renovate/discussions/14409#discussioncomment-2435792
    mkdir -p /home/ubuntu/.npm
    /usr/local/bin/docker-entrypoint.sh renovate --dry-run=${dryRun}
"""

But the /usr/local/bin/npm is nothing I can easily overwrite.
Would you recommend not to use docker.image Jenkins instructions to run renovate?

$ docker run --rm -it 65e3a8f747c5 bash
ubuntu@e92540f2e5b8:/usr/src/app$ ls
dist  node_modules  package.json
ubuntu@e92540f2e5b8:/usr/src/app$ which npm
/usr/local/bin/npm
ubuntu@e92540f2e5b8:/usr/src/app$ ls -lah /usr/local/bin/npm
lrwxrwxrwx 1 root root 31 Mar 23 18:29 /usr/local/bin/npm -> /usr/local/node/14.19.1/bin/npm
ubuntu@e92540f2e5b8:/usr/src/app$ chown 1000:0 /usr/local/bin/npm
chown: changing ownership of '/usr/local/bin/npm': Operation not permitted
ubuntu@e92540f2e5b8:/usr/src/app$ sudo chown 1000:0 /usr/local/bin/npm
bash: sudo: command not found

[viceice]

this is the cause:

• feat: replace symlink with simple shell wrapper containerbase/base#346

[konrad-ohms]

Thanks, I got it working in the meantime by invoking the container via the docker cli directly. Somehow the docker Jenkins plugin seem to handle internals differently... but using docker run + engines > npm ^8.5.0 on the target repo and binarySource=install in the bot config solved the problem for me 🙂