Dependabot is updating more dependencies than it should with npm lockfiles v2

[DeltaEvo]

Package manager/ecosystem
npm
Manifest contents prior to update
https://github.com/aresrpg/aresrpg/blob/65e7017339eeba555d904f7614665ffaecfd8029/package.json
Updated dependency
eslint-plugin-promise
What you expected to see, versus what you actually saw
I expected to see only the eslin-plugin-promise to be updated but instead inside the lockfile a lot of other dependencies where updated and the package.json was not updated
Images of the diff or a link to the PR, issue or logs
aresrpg/aresrpg#141

I also have this one for eslint-config-prettier aresrpg/aresrpg#145 where the package.json have been updated but a lot of other unrelated dependencies have been updated as well

[feelepxyz]

@DeltaEvo it looks like the lockfile was out of date with the package.json which has resulted in the unrelated changes. It looks like your package.json was requesting a newer version of eslint-plugin-promise than the one installed in the lockfile: https://github.com/aresrpg/aresrpg/blob/master/package.json#L44 but the lockfile had it set to 4.2.1, this was also the case for a bunch of other dependencies so when dependabot runs npm install eslint-plugin-promise@4.3.1 only the lockfile needed to change, and all the other dependenies needed to be updated to match what's in pakage.json: https://github.com/aresrpg/aresrpg/blob/master/package.json#L28-L48

I think merging one of the dependbabot PRs should fix this or manually delete the package-lock.json, run npm install and push the changes, and from there on out the changes should only be for the specific package.

[DeltaEvo]

Oh sorry for my mistake, thank you for the explaination