Dependabot updater timeout on npm_and_yarn when running git stash show on github runner

[FreebeJan]

Is there an existing issue for this?

• I have searched the existing issues

Package ecosystem

npm and yarm

Package manager version

No response

Language version

No response

Manifest location and content before the Dependabot update

No response

dependabot.yml content

version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "monthly"
    groups:
      non-major-versions:
        update-types:
          - "minor"
          - "patch"

Updated dependency

No response

What you expected to see, versus what you actually saw

Expected

A pull request being created for the npm and yarn ecosystem.

What actually happened

After submitting the metrics, and creating a commit for workspace changes the updater hangs until timeout on git stash show - at least that is the last thing printed to the logs

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

Run github/dependabot-action@main
🤖 ~ starting update ~
Fetching job details
Pulling updater images
Starting update process
Created proxy container: 3[8](https://github.com/***/***/actions/runs/12575445626/job/35050406975#step:3:9)9b9de506ce86da829fd052324dfb78ed5d872cfd743e[9](https://github.com/***/***/actions/runs/12575445626/job/35050406975#step:3:10)f467c4508b9d0a4fd
Created container: 805c2bd3f81fe6161c30a5be3c7b93c329e6ac799700c74286814a3642b3d877
  proxy | 2025/01/01 23:39:44 proxy starting, commit: 39f5c2fb29cacce3bbeea1bdf58a1d3430dd0f97
  proxy | 2025/01/01 23:39:44 Listening (:[10](https://github.com/***/***/actions/runs/12575445626/job/35050406975#step:3:11)80)
updater | Updating certificates in /etc/ssl/certs...
updater | rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
updater | 1 added, 0 removed; done.
updater | Running hooks in /etc/ca-certificates/update.d...
updater | done.
updater | 2025/01/01 23:39:47 INFO <job_94[18](https://github.com/***/***/actions/runs/12575445626/job/35050406975#step:3:20)05363> Starting job processing
2025/01/01 23:39:47 INFO <job_941805363> Job definition: {"job":{"allowed-updates":[{"dependency-type":"direct","update-type":"all"}],"commit-message-options":{"prefix":null,"prefix-development":null,"include-scope":null},"credentials-metadata":[{"type":"git_source","host":"github.com"}],"debug":null,"dependencies":null,"dependency-groups":[{"name":"non-major-versions","rules":{"update-types":["minor","patch"]}}],"dependency-group-to-refresh":null,"existing-pull-requests":[],"existing-group-pull-requests":[],"experiments":{"record-ecosystem-versions":true,"record-update-job-unknown-error":true,"proxy-cached":true,"move-job-token":true,"dependency-change-validation":true,"nuget-native-analysis":true,"nuget-use-direct-discovery":true,"enable-file-parser-python-local":true,"npm-v6-deprecation-warning":true,"lead-security-dependency":true,"enable-record-ecosystem-meta":true,"enable-shared-helpers-command-timeout":true},"ignore-conditions":[],"lockfile-only":false,"max-updater-run-time":2700,"package-manager":"npm_and_yarn","proxy-log-response-body-on-auth-failure":true,"requirements-update-strategy":null,"reject-external-code":false,"security-advisories":[],"security-updates-only":false,"source":{"provider":"github","repo":"***/***","branch":null,"directory":"/.","api-endpoint":"https://api.github.com/","hostname":"github.com"},"updating-a-pull-request":false,"update-subdependencies":false,"vendor-dependencies":false,"repo-private":true}}

... omitting most of the logs since nothing is wrong there ...

  proxy | 2025/01/01 23:40:44 Posting metrics to remote API endpoint
  proxy | 2025/01/01 23:40:45 Successfully posted metrics data via api client
updater | 2025/01/01 23:40:53 INFO <job_941805363> Process PID: 1728 completed with status: pid 1728 exit 0
2025/01/01 23:40:53 INFO <job_941805363> Total execution time: 49.66 seconds
updater | 2025/01/01 23:40:53 INFO <job_941805363> Started process PID: 1755 with command: {} git status --untracked-files\=all --ignored\=matching --short . {}
updater | 2025/01/01 23:40:53 INFO <job_941805363> Process PID: 1755 completed with status: pid 1755 exit 0
2025/01/01 23:40:53 INFO <job_941805363> Total execution time: 0.03 seconds
updater | 2025/01/01 23:40:53 INFO <job_941805363> Started process PID: 1763 with command: {} git add --all --force . {}
updater | 2025/01/01 23:41:08 INFO <job_941805363> Process PID: 1763 completed with status: pid 1763 exit 0
2025/01/01 23:41:08 INFO <job_941805363> Total execution time: 15.21 seconds
updater | 2025/01/01 23:41:08 INFO <job_941805363> Started process PID: 1770 with command: {} git stash push --all -m "workspace change attempt" {}
updater | 2025/01/01 23:41:14 INFO <job_941805363> Process PID: 1770 completed with status: pid 1770 exit 0
2025/01/01 23:41:14 INFO <job_941805363> Total execution time: 5.77 seconds
updater | 2025/01/01 23:41:14 INFO <job_941805363> Started process PID: 1922 with command: {} git rev-parse refs/stash {}
updater | 2025/01/01 23:41:14 INFO <job_941805363> Process PID: 1922 completed with status: pid 1922 exit 0
2025/01/01 23:41:14 INFO <job_941805363> Total execution time: 0.01 seconds
updater | 2025/01/01 23:41:14 INFO <job_941805363> Started process PID: 1929 with command: {} git stash show --patch 32eb305451414c064cf70af0fa93a1e83f128317 {}
Error: The operation was canceled.

Smallest manifest that reproduces the issue

No response

[FreebeJan]

Also, this seems to have nothing to do with the package manager itself.

I investigated running dependabot locally.
LOCAL_GITHUB_ACCESS_TOKEN=*** bin/dry-run.rb npm_and_yarn ***/***

That worked without issue.

[jkbmat]

Same thing is happening here. I've disabled groups as a temporary fix.

[quarian]

We have the same - though looking back at logs this happened the first time two weeks ago and happens constantly now in some repositories. A few more details from a repo where the daily update fails now:

• last successful run was on December 18th
• image versions read from the logs
  • failed run runner image version: ´20241215.1.0´
  • successful runner image version: ´20241211.1.0´
• minor difference in the job configuration json
  • failing runs have "enable-shared-helpers-command-timeout": true in the experiments field object
  • successful runs don't have it

I can dig up other information if need be, not sure what would be helpful. Above were the obvious differences.

[vintagesucks]

Our last successful run was also on December 18, but both the last successful run and the first failed run used version 20241215.1.0 of the runner image.

---

Here is a public reproduction repo with failing update runs if anyone wants to investigate why this is happening:

• https://github.com/vintagesucks/dependabot-11202/actions/workflows/dependabot/dependabot-updates

I've tried to keep the number of dependencies here to a minimum, but when I do, the update job just works at some point, indicating that I've either removed the culprit or it hasn't timed out – I'm not sure (and spent too much time on this 😅).

The workaround of disabling groups also works for us. This reproduction repo without groups has successful update runs:

• https://github.com/vintagesucks/dependabot-11202-without-groups/actions/workflows/dependabot/dependabot-updates

[lehmat]

👍

This is important for our company for compliance reasons (ISO27001). It is essential to have dependencies updated in timely manner in order to stay compliant.