Open
Labels
L: javascript, L: ruby:bundler (RubyGems via bundler), T: bug 🐞 (Something isn't working)
Description
Is there an existing issue for this?
- I have searched the existing issues
Package ecosystem
npm
Package manager version
10.x.x
Language version
>=20.19.x
Manifest location and content before the Dependabot update
./package.json
dependabot.yml content
# Find the full documentation on dependabot config files here:
# https://docs.github.com/en/free-pro-team@latest/github/administering-a-repository/configuration-options-for-dependency-updates
version: 2
updates:
  - package-ecosystem: "bundler"
    open-pull-requests-limit: 2
    directory: "/"
    schedule:
      interval: "daily"
      time: "06:00"
      timezone: "America/New_York"
    # Add labels
    labels:
      - "dependencies"
      - "ruby"
  - package-ecosystem: "npm"
    open-pull-requests-limit: 2
    directory: "/"
    schedule:
      interval: "daily"
      time: "06:00"
      timezone: "America/New_York"
    # Add labels
    labels:
      - "dependencies"
      - "javascript"
Updated dependency
No response
What you expected to see, versus what you actually saw
Dependabot will not open a security update PR due to the message "Dependabot uses Node.js v22.21.0 and NPM 10.9.4. Due to the engine-strict setting, the update will not succeed."
Although we do use engine-strict, our engines field in package.json is:
  "engines": {
    "node": ">=20.19.x",
    "npm": "10.x.x"
  },
I would expect that Dependabot would run the update because the version constrictions are within the range given. This is suggested by this post in a similar issue.
Native package manager behavior
No response
Images of the diff or a link to the PR, issue, or logs
No response
Smallest manifest that reproduces the issue
No response
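An added example (not code from the issue, from npm, or from Dependabot): a simplified check of the `engines` ranges quoted in this issue against the Node.js and npm versions named in Dependabot's message. It covers only the two range forms that appear here, a bare x-range and `>=` with an x-range, and the function names `parseParts`, `compare`, `satisfies` and `checkEngines` are hypothetical.

```javascript
// Added example: simplified subset of npm-style range matching, not npm's semver.
// Supports a bare x-range ("10.x.x") and ">=" with an x-range (">=20.19.x").
function parseParts(v) {
  // "v22.21.0" -> [22, 21, 0]; "20.19.x" -> [20, 19, null]
  return v.replace(/^v/, "").split(".").map((p) =>
    /^(x|X|\*)$/.test(p) ? null : Number(p));
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function satisfies(version, range) {
  const m = /^(>=)?\s*([0-9xX*]+(?:\.[0-9xX*]+){0,2})$/.exec(range.trim());
  if (!m) throw new Error(`range form not covered by this example: ${range}`);
  const ver = parseParts(version);
  if (ver.length !== 3 || ver.some((p) => !Number.isInteger(p))) {
    throw new Error(`plain MAJOR.MINOR.PATCH version expected: ${version}`);
  }
  const parts = parseParts(m[2]);
  while (parts.length < 3) parts.push(null);
  // Everything after the first wildcard is treated as a wildcard too.
  const firstX = parts.indexOf(null);
  if (firstX !== -1) parts.fill(null, firstX);
  // ">=20.19.x" has the lower bound 20.19.0: wildcards become 0.
  const lower = parts.map((p) => (p === null ? 0 : p));
  if (m[1] === ">=") return compare(ver, lower) >= 0;
  // Bare x-range: fixed components must match, wildcards match anything.
  return parts.every((p, i) => p === null || p === ver[i]);
}

function checkEngines(engines, runtime) {
  return Object.entries(engines).map(([name, range]) => ({
    name, range, version: runtime[name],
    ok: satisfies(runtime[name], range),
  }));
}

const engines = { node: ">=20.19.x", npm: "10.x.x" }; // from the issue's package.json
const runtime = { node: "v22.21.0", npm: "10.9.4" };  // from Dependabot's message
for (const r of checkEngines(engines, runtime)) {
  console.log(`${r.name} ${r.version} vs ${r.range}: ${r.ok ? "satisfied" : "blocked"}`);
}
```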