Skip to content
Latchkey

Dependabot "The following dependencies could not be updated" in CI

Dependabot opened (or updated) a PR but a subset of dependencies stayed on their old versions. The PR body lists each one under "The following dependencies could not be updated" with the reason, usually a conflicting constraint from another package.

What this error means

A Dependabot PR body contains a "The following dependencies could not be updated" section naming packages and a short reason such as "the update is not possible without a conflicting requirement change".

Dependabot
The following dependencies could not be updated:
- axios (from 0.27.2 to 1.6.0): the resolved version conflicts with a requirement of @vendor/sdk.

Common causes

Another package caps the dependency

A sibling dependency requires a lower range of the shared package, so Dependabot cannot bump it without also changing that constraint.

A version bump would break the lockfile solution

The requested version has no solution that keeps the rest of the graph valid, so Dependabot leaves it in place and reports it.

How to fix it

Upgrade the capping package together

  1. Identify the package named in the reason that holds the lower bound.
  2. Bump that package (or use a group) so the target version becomes resolvable.
  3. Let Dependabot recreate the PR, or use grouped updates.
.github/dependabot.yml
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      http-stack:
        patterns:
          - "axios"
          - "@vendor/sdk"

Relax an over-tight pin

If your own manifest hard-pins the capping package, widen it to a range that overlaps the target so the graph has a solution.

How to prevent it

  • Group related packages so interdependent bumps land together.
  • Prefer ranges over hard pins in your own manifest.
  • Upgrade SDKs and their transitive deps in the same cycle.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →