dependabot does not update pnpm-workspace.yaml's catalog

[azu]

Is there an existing issue for this?

• I have searched the existing issues

Package ecosystem

npm

Package manager version

pnpm 9.15.9 and pnpm 10.7.1

dependabot support pnpm catalog according to release.

• https://github.com/orgs/community/discussions/150782

Language version

Node.js v22.12.0

Manifest location and content before the Dependabot update

• pnpm-workspace.yaml

packages:
  - packages/*
catalog:
  lodash: 4.0.0

dependabot.yml content

• https://github.com/azu/pnpm-catalog-with-dependabot/blob/1d8d08132e18084a07b827731f3e58ba4baedced/.github/dependabot.yml

version: 2
updates:
  # Enable version updates for npm
  - package-ecosystem: "npm"
    # Look for `package.json` and `lock` files in the `root` directory
    directory: "/"
    # Check the npm registry for updates every day (weekdays)
    schedule:
      interval: "daily"

Updated dependency

• lodash: 4.0.0 -> 4.17.21

PR: azu/pnpm-catalog-with-dependabot#1

What you expected to see, versus what you actually saw

Expected

dependabot should update pnpm-workspace.yaml and pnpm-lock.yaml.

• Update pnpm-workspace.yaml's catalog to 4.17.0
• Update pnpm-lock.yaml to 4.17.0

Actual

dependabot only update pnpm-lock.yaml.

• pnpm-workspace.yaml's catalog is not updated
• pnpm-lock.yaml is updated to 4.17.0

It causes another issue:

• pnpm install --frozen-lockfile does not throw an error when the lockfile is out of sync with pnpm-workspace.yaml's catalog pnpm/pnpm#9369

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

• pnpm 10 Bump lodash from 4.0.0 to 4.17.21 azu/pnpm-catalog-with-dependabot#1
• pnpm 9 Bump lodash from 4.0.0 to 4.17.21 azu/pnpm9-catalog-with-dependabot#1

both has same issue. the behavior is same.

Smallest manifest that reproduces the issue

• https://github.com/azu/pnpm-catalog-with-dependabot

Context

It seems that the dependabot update pnpm catalogs is not working as expected. The last successful run was on 2025-03-28T17:54:36+09:00 in my private repo, and since then, it has not been able to update the pnpm catalogs.

[azu]

I have tried to use named catalog instead of default catalog.
But both did not update pnpm-workspace.yaml

• https://github.com/azu/pnpm-catalog-s-with-dependabot
• https://github.com/azu/pnpm-catalog-s-with-dependabot/blob/main/pnpm-workspace.yaml

packages:
  - packages/*
catalogs:
  default:
    lodash: 4.0.0

• Bump lodash from 4.0.0 to 4.17.21 azu/pnpm-catalog-s-with-dependabot#1

---

I've created official example copy, but it was same result.

• https://github.com/azu/pnpm-catlog-eaxmple-with-dependabot
• https://github.com/azu/pnpm-catlog-eaxmple-with-dependabot/blob/main/pnpm-workspace.yaml

packages:
  - packages/*

# Define a catalog of version ranges.
catalog:
  react: ^18.3.1
  redux: ^5.0.1

• Bump react from 18.3.1 to 19.1.0 azu/pnpm-catlog-eaxmple-with-dependabot#1

[azu]

Debug log: https://github.com/azu/pnpm-catalog-with-dependabot

$ dependabot update npm_and_yarn azu/pnpm-catalog-with-dependabot
    cli | 2025/04/14 06:13:08 image ghcr.io/github/dependabot-update-job-proxy/dependabot-update-job-proxy:latest is already up to date
    cli | 2025/04/14 06:13:08 using image ghcr.io/github/dependabot-update-job-proxy/dependabot-update-job-proxy:latest at sha256:a0ca2f0e39ffba60c1837fc494f5f7540c6ff728c233f407fe01d18bfa028532
    cli | 2025/04/14 06:13:09 image ghcr.io/dependabot/dependabot-updater-npm is already up to date
    cli | 2025/04/14 06:13:09 using image ghcr.io/dependabot/dependabot-updater-npm at sha256:02871679e23aa84c7c1564878ac85872f6e35b4c1a5319273abec022ddecd490
  proxy | WARNING: Skipping duplicate certificate in file ca-cert-orbstack-root.pem
updater | Updating certificates in /etc/ssl/certs...
  proxy | 2025/04/14 06:13:10 proxy starting, commit: 0460fa31a2e2abea6b590de770e705dea33dabf6
  proxy | 2025/04/14 06:13:10 GitHubAPIHandler has no app access tokens
  proxy | 2025/04/14 06:13:10 Listening (:1080)
updater | rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
updater | rehash: warning: skipping duplicate certificate in orbstack-root.pem
updater | 2 added, 0 removed; done.
updater | Running hooks in /etc/ca-certificates/update.d...
updater | done.
updater | 2025/04/14 06:13:20 INFO Starting job processing
updater | 2025/04/14 06:13:20 INFO Job definition: {"job":{"package-manager":"npm_and_yarn","allowed-updates":[{"update-type":"all"}],"debug":false,"dependency-groups":[],"dependencies":null,"dependency-group-to-refresh":null,"existing-pull-requests":[],"existing-group-pull-requests":[],"experiments":null,"ignore-conditions":[],"lockfile-only":false,"requirements-update-strategy":null,"security-advisories":[],"security-updates-only":false,"source":{"provider":"github","repo":"azu/pnpm-catalog-with-dependabot","directory":"/","hostname":null,"api-endpoint":null},"update-subdependencies":false,"updating-a-pull-request":false,"vendor-dependencies":false,"reject-external-code":false,"repo-private":false,"commit-message-options":null,"credentials-metadata":[],"max-updater-run-time":0}}
  proxy | 2025/04/14 06:13:21 [002] GET https://github.com:443/azu/pnpm-catalog-with-dependabot/info/refs?service=git-upload-pack
  proxy | 2025/04/14 06:13:21 [002] 200 https://github.com:443/azu/pnpm-catalog-with-dependabot/info/refs?service=git-upload-pack
  proxy | 2025/04/14 06:13:21 [004] POST https://github.com:443/azu/pnpm-catalog-with-dependabot/git-upload-pack
  proxy | 2025/04/14 06:13:22 [004] 200 https://github.com:443/azu/pnpm-catalog-with-dependabot/git-upload-pack
  proxy | 2025/04/14 06:13:22 [006] POST https://github.com:443/azu/pnpm-catalog-with-dependabot/git-upload-pack
  proxy | 2025/04/14 06:13:22 [006] 200 https://github.com:443/azu/pnpm-catalog-with-dependabot/git-upload-pack
updater | 2025/04/14 06:13:24 INFO Detected package manager: pnpm
updater | 2025/04/14 06:13:24 INFO Resolving package manager for: pnpm
updater | 2025/04/14 06:13:24 INFO Fetching version for package manager: pnpm
updater | 2025/04/14 06:13:24 INFO Installed version of pnpm: 9.15.5
updater | 2025/04/14 06:13:24 INFO Installed version for pnpm: 9.15.5
updater | 2025/04/14 06:13:24 INFO Processing engine constraints for pnpm
updater | 2025/04/14 06:13:24 INFO No version requirement found for pnpm
updater | 2025/04/14 06:13:24 INFO Detected package manager: pnpm
updater | 2025/04/14 06:13:24 INFO Resolving package manager for: pnpm
updater | 2025/04/14 06:13:24 INFO Installed version for pnpm: 9.15.5
updater | 2025/04/14 06:13:24 INFO Processing engine constraints for pnpm
updater | 2025/04/14 06:13:24 INFO No version requirement found for pnpm
updater | 2025/04/14 06:13:24 INFO Found "packageManager" : "pnpm@10.7.1+sha512.2d92c86b7928dc8284f53494fb4201f983da65f0fb4f0d40baafa5cf628fa31dae3e5968f12466f17df7e97310e30f343a648baea1b9b350685dafafffdf5808". Skipped checking "engines".
updater | 2025/04/14 06:13:24 INFO Requested version 10.7.1
updater | 2025/04/14 06:13:24 INFO Installing "pnpm@10.7.1"
  proxy | 2025/04/14 06:13:27 [008] GET https://registry.npmjs.org:443/pnpm/-/pnpm-10.7.1.tgz
  proxy | 2025/04/14 06:13:27 [008] 200 https://registry.npmjs.org:443/pnpm/-/pnpm-10.7.1.tgz
  proxy | 2025/04/14 06:13:27 [010] GET https://registry.npmjs.org:443/pnpm/10.7.1
  proxy | 2025/04/14 06:13:28 [010] 200 https://registry.npmjs.org:443/pnpm/10.7.1
updater | 2025/04/14 06:13:28 INFO Base commit SHA: fec965303b89378364d0f9f6079a0c9524afd3fe
updater | 2025/04/14 06:13:28 INFO Finished job processing
updater | 2025/04/14 06:13:29 INFO Starting job processing
updater | 2025/04/14 06:13:29 INFO Detected package manager: pnpm
updater | 2025/04/14 06:13:29 INFO Resolving package manager for: pnpm
updater | 2025/04/14 06:13:29 INFO Fetching version for package manager: pnpm
updater | 2025/04/14 06:13:30 INFO Installed version of pnpm: 9.15.5
updater | 2025/04/14 06:13:30 INFO Installed version for pnpm: 9.15.5
updater | 2025/04/14 06:13:30 INFO Processing engine constraints for pnpm
updater | 2025/04/14 06:13:30 INFO No version requirement found for pnpm
updater | 2025/04/14 06:13:30 INFO Running node command: node -v
updater | 2025/04/14 06:13:30 INFO Command executed successfully: node -v
updater | 2025/04/14 06:13:30 INFO Processing engine constraints for node
  proxy | 2025/04/14 06:13:30 [011] POST http://host.docker.internal:53390/update_jobs/cli/update_dependency_list
{"data":{"dependencies":[{"name":"lodash","requirements":[{"file":"pnpm-workspace.yaml","groups":["dependencies"],"requirement":"4.0.0","source":null}],"version":"4.0.0"}],"dependency_files":["/package.json","/pnpm-lock.yaml","/packages/a/package.json"]},"type":"update_dependency_list"}
  proxy | 2025/04/14 06:13:30 [011] 200 http://host.docker.internal:53390/update_jobs/cli/update_dependency_list
  proxy | 2025/04/14 06:13:30 [012] POST http://host.docker.internal:53390/update_jobs/cli/increment_metric
{"data":{"metric":"updater.started","tags":{"operation":"group_update_all_versions"}},"type":"increment_metric"}
  proxy | 2025/04/14 06:13:30 [012] 200 http://host.docker.internal:53390/update_jobs/cli/increment_metric
updater | 2025/04/14 06:13:30 INFO Starting update job for azu/pnpm-catalog-with-dependabot
updater | 2025/04/14 06:13:30 INFO Checking all dependencies for version updates...
updater | 2025/04/14 06:13:30 INFO Checking if lodash 4.0.0 needs updating
  proxy | 2025/04/14 06:13:30 [014] GET https://registry.npmjs.org:443/lodash
  proxy | 2025/04/14 06:13:31 [014] 200 https://registry.npmjs.org:443/lodash
  proxy | 2025/04/14 06:13:31 [016] HEAD https://registry.npmjs.org:443/lodash/-/lodash-4.17.21.tgz
  proxy | 2025/04/14 06:13:31 [016] 200 https://registry.npmjs.org:443/lodash/-/lodash-4.17.21.tgz
updater | 2025/04/14 06:13:31 INFO Latest version is 4.17.21
  proxy | 2025/04/14 06:13:31 [018] GET https://registry.npmjs.org:443/pnpm--frozen-lockfile-bug
  proxy | 2025/04/14 06:13:31 [018] 404 https://registry.npmjs.org:443/pnpm--frozen-lockfile-bug
  proxy | 2025/04/14 06:13:33 [020] GET https://registry.npmjs.org:443/lodash
  proxy | 2025/04/14 06:13:33 [020] 200 https://registry.npmjs.org:443/lodash
  proxy | 2025/04/14 06:13:33 [022] GET https://registry.npmjs.org:443/lodash/-/lodash-4.17.21.tgz
  proxy | 2025/04/14 06:13:33 [022] 200 https://registry.npmjs.org:443/lodash/-/lodash-4.17.21.tgz
  proxy | 2025/04/14 06:13:33 [024] GET https://registry.npmjs.org:443/pnpm--frozen-lockfile-bug
  proxy | 2025/04/14 06:13:33 [024] 404 https://registry.npmjs.org:443/pnpm--frozen-lockfile-bug
updater | 2025/04/14 06:13:33 INFO Requirements to unlock own
  proxy | 2025/04/14 06:13:33 [026] GET https://registry.npmjs.org:443/pnpm--frozen-lockfile-bug
  proxy | 2025/04/14 06:13:33 [026] 404 https://registry.npmjs.org:443/pnpm--frozen-lockfile-bug
updater | 2025/04/14 06:13:33 INFO Requirements update strategy bump_versions
updater | 2025/04/14 06:13:33 INFO Updating lodash from 4.0.0 to 4.17.21
updater | 2025/04/14 06:13:35 INFO Submitting lodash pull request for creation
  proxy | 2025/04/14 06:13:36 [028] GET https://api.github.com:443/repos/azu/pnpm-catalog-with-dependabot/commits?per_page=100
  proxy | 2025/04/14 06:13:36 [028] 200 https://api.github.com:443/repos/azu/pnpm-catalog-with-dependabot/commits?per_page=100
  proxy | 2025/04/14 06:13:36 [030] GET https://registry.npmjs.org:443/lodash/latest
  proxy | 2025/04/14 06:13:36 [030] 200 https://registry.npmjs.org:443/lodash/latest
  proxy | 2025/04/14 06:13:36 [032] GET https://api.github.com:443/repos/lodash/lodash/releases?per_page=100
  proxy | 2025/04/14 06:13:37 [032] 200 https://api.github.com:443/repos/lodash/lodash/releases?per_page=100
  proxy | 2025/04/14 06:13:37 [034] GET https://api.github.com:443/repos/lodash/lodash/contents/
  proxy | 2025/04/14 06:13:37 [034] 200 https://api.github.com:443/repos/lodash/lodash/contents/
  proxy | 2025/04/14 06:13:37 [036] GET https://api.github.com:443/repos/lodash/lodash/contents/doc
  proxy | 2025/04/14 06:13:37 [036] 200 https://api.github.com:443/repos/lodash/lodash/contents/doc
  proxy | 2025/04/14 06:13:37 [038] GET https://github.com:443/lodash/lodash.git/info/refs?service=git-upload-pack
  proxy | 2025/04/14 06:13:38 [038] 200 https://github.com:443/lodash/lodash.git/info/refs?service=git-upload-pack
  proxy | 2025/04/14 06:13:38 [040] GET https://api.github.com:443/repos/lodash/lodash/contents/?ref=4.17.21
  proxy | 2025/04/14 06:13:38 [040] 200 https://api.github.com:443/repos/lodash/lodash/contents/?ref=4.17.21
  proxy | 2025/04/14 06:13:38 [042] GET https://api.github.com:443/repos/lodash/lodash/contents/doc?ref=4.17.21
  proxy | 2025/04/14 06:13:39 [042] 200 https://api.github.com:443/repos/lodash/lodash/contents/doc?ref=4.17.21
  proxy | 2025/04/14 06:13:39 [044] GET https://github.com:443/lodash/lodash.git/info/refs?service=git-upload-pack
  proxy | 2025/04/14 06:13:39 [044] 200 https://github.com:443/lodash/lodash.git/info/refs?service=git-upload-pack
  proxy | 2025/04/14 06:13:39 [046] GET https://api.github.com:443/repos/lodash/lodash/commits?sha=4.0.0
  proxy | 2025/04/14 06:13:39 [046] 200 https://api.github.com:443/repos/lodash/lodash/commits?sha=4.0.0
  proxy | 2025/04/14 06:13:39 [048] GET https://api.github.com:443/repos/lodash/lodash/commits?sha=4.17.21
  proxy | 2025/04/14 06:13:40 [048] 200 https://api.github.com:443/repos/lodash/lodash/commits?sha=4.17.21
  proxy | 2025/04/14 06:13:40 [050] GET https://api.github.com:443/repos/lodash/lodash/commits?sha=4.0.0
  proxy | 2025/04/14 06:13:40 [050] 200 https://api.github.com:443/repos/lodash/lodash/commits?sha=4.0.0
  proxy | 2025/04/14 06:13:40 [052] GET https://api.github.com:443/repos/lodash/lodash/commits?sha=4.17.21
  proxy | 2025/04/14 06:13:40 [052] 200 https://api.github.com:443/repos/lodash/lodash/commits?sha=4.17.21
  proxy | 2025/04/14 06:13:40 [054] GET https://api.github.com:443/repos/lodash/lodash/commits?sha=4.0.0
  proxy | 2025/04/14 06:13:40 [054] 200 https://api.github.com:443/repos/lodash/lodash/commits?sha=4.0.0
  proxy | 2025/04/14 06:13:40 [056] GET https://api.github.com:443/repos/lodash/lodash/commits?sha=4.17.21
  proxy | 2025/04/14 06:13:40 [056] 200 https://api.github.com:443/repos/lodash/lodash/commits?sha=4.17.21
  proxy | 2025/04/14 06:13:40 [058] GET https://registry.npmjs.org:443/lodash
  proxy | 2025/04/14 06:13:40 [058] 200 https://registry.npmjs.org:443/lodash
  proxy | 2025/04/14 06:13:40 [059] POST http://host.docker.internal:53390/update_jobs/cli/create_pull_request
{"data":{"base-commit-sha":"fec965303b89378364d0f9f6079a0c9524afd3fe","dependencies":[{"name":"lodash","previous-requirements":[{"file":"pnpm-workspace.yaml","groups":["dependencies"],"requirement":"4.0.0","source":null}],"previous-version":"4.0.0","requirements":[{"file":"pnpm-workspace.yaml","groups":["dependencies"],"requirement":"4.17.21","source":null}],"version":"4.17.21","directory":"/"}],"updated-dependency-files":[{"content":"lockfileVersion: '9.0'\n\nsettings:\n  autoInstallPeers: true\n  excludeLinksFromLockfile: false\n\ncatalogs:\n  default:\n    lodash:\n      specifier: 4.17.21\n      version: 4.17.21\n\nimporters:\n\n  .:\n    dependencies:\n      lodash:\n        specifier: 'catalog:'\n        version: 4.17.21\n\n  packages/a:\n    dependencies:\n      lodash:\n        specifier: 'catalog:'\n        version: 4.17.21\n\npackages:\n\n  lodash@4.17.21:\n    resolution: {integrity: sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==}\n\nsnapshots:\n\n  lodash@4.17.21: {}\n","content_encoding":"utf-8","deleted":false,"directory":"/","name":"pnpm-lock.yaml","operation":"update","support_file":false,"type":"file","mode":""}],"pr-title":"Bump lodash from 4.0.0 to 4.17.21","pr-body":"Bumps [lodash](https://github.com/lodash/lodash) from 4.0.0 to 4.17.21.\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/lodash/lodash/commit/f299b52f39486275a9e6483b60a410e06520c538\"\u003e\u003ccode\u003ef299b52\u003c/code\u003e\u003c/a\u003e Bump to v4.17.21\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/lodash/lodash/commit/c4847ebe7d14540bb28a8b932a9ce1b9ecbfee1a\"\u003e\u003ccode\u003ec4847eb\u003c/code\u003e\u003c/a\u003e Improve performance of \u003ccode\u003etoNumber\u003c/code\u003e, \u003ccode\u003etrim\u003c/code\u003e and \u003ccode\u003etrimEnd\u003c/code\u003e on large input strings\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c\"\u003e\u003ccode\u003e3469357\u003c/code\u003e\u003c/a\u003e Prevent command injection through \u003ccode\u003e_.template\u003c/code\u003e's \u003ccode\u003evariable\u003c/code\u003e option\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/lodash/lodash/commit/ded9bc66583ed0b4e3b7dc906206d40757b4a90a\"\u003e\u003ccode\u003eded9bc6\u003c/code\u003e\u003c/a\u003e Bump to v4.17.20.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/lodash/lodash/commit/63150ef7645ac07961b63a86490f419f356429aa\"\u003e\u003ccode\u003e63150ef\u003c/code\u003e\u003c/a\u003e Documentation fixes.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/lodash/lodash/commit/00f0f62a979d2f5fa0287c06eae70cf9a62d8794\"\u003e\u003ccode\u003e00f0f62\u003c/code\u003e\u003c/a\u003e test.js: Remove trailing comma.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/lodash/lodash/commit/846e434c7a5b5692c55ebf5715ed677b70a32389\"\u003e\u003ccode\u003e846e434\u003c/code\u003e\u003c/a\u003e Temporarily use a custom fork of \u003ccode\u003elodash-cli\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/lodash/lodash/commit/5d046f39cbd27f573914768e3b36eeefcc4f1229\"\u003e\u003ccode\u003e5d046f3\u003c/code\u003e\u003c/a\u003e Re-enable Travis tests on \u003ccode\u003e4.17\u003c/code\u003e branch.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/lodash/lodash/commit/aa816b36d402a1ad9385142ce7188f17dae514fd\"\u003e\u003ccode\u003eaa816b3\u003c/code\u003e\u003c/a\u003e Remove \u003ccode\u003e/npm-package\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/lodash/lodash/commit/d7fbc52ee0466a6d248f047b5d5c3e6d1e099056\"\u003e\u003ccode\u003ed7fbc52\u003c/code\u003e\u003c/a\u003e Bump to v4.17.19\u003c/li\u003e\n\u003cli\u003eAdditional commits viewable in \u003ca href=\"https://github.com/lodash/lodash/compare/4.0.0...4.17.21\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eMaintainer changes\u003c/summary\u003e\n\u003cp\u003eThis version was pushed to npm by \u003ca href=\"https://www.npmjs.com/~bnjmnt4n\"\u003ebnjmnt4n\u003c/a\u003e, a new releaser for lodash since your current version.\u003c/p\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n","commit-message":"Bump lodash from 4.0.0 to 4.17.21\n\nBumps [lodash](https://github.com/lodash/lodash) from 4.0.0 to 4.17.21.\n- [Release notes](https://github.com/lodash/lodash/releases)\n- [Commits](https://github.com/lodash/lodash/compare/4.0.0...4.17.21)","dependency-group":null},"type":"create_pull_request"}
  proxy | 2025/04/14 06:13:40 [059] 200 http://host.docker.internal:53390/update_jobs/cli/create_pull_request
  proxy | 2025/04/14 06:13:40 [060] PATCH http://host.docker.internal:53390/update_jobs/cli/mark_as_processed
{"data":{"base-commit-sha":"fec965303b89378364d0f9f6079a0c9524afd3fe"},"type":"mark_as_processed"}
  proxy | 2025/04/14 06:13:40 [060] 200 http://host.docker.internal:53390/update_jobs/cli/mark_as_processed
updater | 2025/04/14 06:13:40 INFO Finished job processing
updater | 2025/04/14 06:13:40 INFO Results:
updater | +--------------------------------------------+
updater | |    Changes to Dependabot Pull Requests     |
updater | +---------+----------------------------------+
updater | | created | lodash ( from 4.0.0 to 4.17.21 ) |
updater | +---------+----------------------------------+
  proxy | 2025/04/14 06:13:41 Skipping sending metrics because api endpoint is empty
  proxy | 2025/04/14 06:13:41 8/28 calls cached (28%)

[lexmin0412]

Same problem.

[valpinkman]

Same issue here. Any idea if this is going to be taken care of ?

[robaiken]

Hi @azu @lexmin0412 @valpinkman @aricallen, Thanks for flagging this! Just got the pnpm catalog issue sorted out.
The problem was that dependabot was treating pnpm-workspace.yaml as a support file instead of a manifest file. When #11888 added filtering for support files during updates, it started excluding pnpm-workspace.yaml from updates.

I fixed it by removing the support file flag from pnpm-workspace.yaml files so they get processed as proper manifests again #12373.

Appreciate your patience on this one!