Comments not respected in package.json

[A5rocks]

Package ecosystem
npm
Package manager version
yarn 1.22.10
Language version
N/A
Manifest location and content prior to update
/frontend/package.json:

{
  "name": "lilium",
  "scripts": {
    "dev": "nuxt",
    "build": "nuxt build",
    "generate": "nuxt generate --spa",
    "start": "nuxt start",
    "lint": "eslint --ext .ts,.js,.vue --fix ."
  },
  "dependencies": {
    "//": "TODO: figure out why these can't be dev deps.",
    "@nuxt/typescript-build": "^2.1.0",
    "@nuxtjs/tailwindcss": "^4.2.0",
    "nuxt": "^2.15.7"
  },
  "devDependencies": {
    "@nuxt/types": "^2.15.7",
    "@nuxtjs/eslint-config-typescript": "^6.0.1",
    "eslint": "^7.30.0"
  }
}

dependabot.yml content

version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/frontend"
    schedule:
      interval: "daily"

Updated dependency
not very applicable
What you expected to see, versus what you actually saw
in the logs, I see:

updater | INFO <job_168806843> Checking if //  needs updating
  proxy | 2021/07/04 04:02:31 [026] GET https://registry.npmjs.org:443/%2F%2F
  proxy | 2021/07/04 04:02:35 [026] 404 https://registry.npmjs.org:443/%2F%2F
updater | INFO <job_168806843> Latest version is 
updater | I, [2021-07-04T04:02:35.200020 #7]  INFO -- sentry: ** [Raven] Sending event 4c3905af167a44ee80770592d8404fa4 to Sentry
  proxy | 2021/07/04 04:02:35 [028] POST https://sentry.io:443/api/1451818/store/
  proxy | 2021/07/04 04:02:35 [028] 200 https://sentry.io:443/api/1451818/store/
updater | ERROR <job_168806843> Error processing // (Gem::Requirement::BadRequirementError)
updater | ERROR <job_168806843> Illformed requirement ["TODO: figure"]

basically, dependabot is checking the version of a json comment.

Native package manager behavior
as far as I can tell, yarn simply ignores the json comment

🕹 Bonus points: Smallest manifest that reproduces the issue
I think the error makes it pretty clear what reproduces this issue :^)

[asciimike]

It doesn't look like this is a comment so much as a dependency named // being used as a "comment" because package.json doesn't support comments, is that right? I assume when you run yarn, it will try to fetch // and ignore it when it cant find it.

In general, I don't think we're going to change the behavior of special casing package names to not check for them (e.g., we won't change dependabot to ignore all future packages named "//"); it feels like the right answer here is to track those comments elsewhere (e.g. in an issue) or get the npm/yarn teams to support jsonc in package.json so it can be an actual comment, not a package named //.

[asciimike]

I have been pointed to npm/feedback#56, which would allow for comments in package.json, where they discuss // as a workaround. I admit that I find it icky, but given that actual comments aren't coming for a while, I don't have other solutions beyond tracking it elsewhere (or doing something like a comments object).

I would need to think about how Dependabot should handle cases like this, since ideally we'd just hand it off to npm or yarn and they would handle this appropriately (likely just ignoring it if they know they can't update it), but since we do the file parsing ourselves, that's why we're running into this.

[A5rocks]

It might be that yarn tries fetching it and ignores it, I'm not sure (ctrl+f "//" in yarn install's --verbose mode didn't find anything, if I remember correctly). This isn't too important of a feature for me (as I can put the comment in another file) though, so I'd be fine even if this isn't fixed, just bringing this to your attention.

[feelepxyz]

@A5rocks you're right, looks like yarn v1 ignores dependencies with key // but npm raises a EINVALIDPACKAGENAME error. I don't think it makes sense to fix this in dependabot as it's only supported in yarn v1.