Skip to content
Latchkey

Dependabot "can't resolve your dependency files" in CI

Dependabot located the ecosystem you configured but could not parse a consistent dependency graph from the files in the target directory. Either the manifest is invalid, the lockfile is out of sync, or the directory in dependabot.yml points somewhere without a manifest.

What this error means

The Dependabot tab reports "Dependabot can't resolve your <ecosystem> dependency files" or "dependency file <path> not found", and the update run ends without opening PRs.

Dependabot
Dependabot can't resolve your JavaScript dependency files.
The dependency file "/frontend/package.json" was not found.

Common causes

The directory in dependabot.yml is wrong

The directory: value does not contain the manifest for the ecosystem, so Dependabot reports the file as not found.

A malformed manifest or an out-of-sync lockfile

Invalid JSON/TOML/YAML in the manifest, or a lockfile that does not match it, stops Dependabot from building a resolvable graph.

How to fix it

Point directory at the real manifest location

  1. Confirm where the manifest lives relative to the repo root.
  2. Set directory to that path (use directories for multiple roots).
  3. Re-run "Check for updates" from the Dependabot tab.
.github/dependabot.yml
updates:
  - package-ecosystem: "npm"
    directory: "/frontend"
    schedule:
      interval: "weekly"

Repair the manifest and relock

Validate the manifest locally and regenerate the lockfile so it matches, then commit both. Dependabot resolves against a consistent pair.

Terminal
npm install
git add package.json package-lock.json

How to prevent it

  • Keep directory (or directories) aligned with actual manifest paths.
  • Commit lockfiles that match their manifests.
  • Validate manifest syntax in CI before merging changes to it.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →