Dependabot "The following dependencies could not be updated" in CI
Dependabot opened (or updated) a PR but a subset of dependencies stayed on their old versions. The PR body lists each one under "The following dependencies could not be updated" with the reason, usually a conflicting constraint from another package.
What this error means
A Dependabot PR body contains a "The following dependencies could not be updated" section naming packages and a short reason such as "the update is not possible without a conflicting requirement change".
The following dependencies could not be updated:
- axios (from 0.27.2 to 1.6.0): the resolved version conflicts with a requirement of @vendor/sdk.Common causes
Another package caps the dependency
A sibling dependency requires a lower range of the shared package, so Dependabot cannot bump it without also changing that constraint.
A version bump would break the lockfile solution
The requested version has no solution that keeps the rest of the graph valid, so Dependabot leaves it in place and reports it.
How to fix it
Upgrade the capping package together
- Identify the package named in the reason that holds the lower bound.
- Bump that package (or use a group) so the target version becomes resolvable.
- Let Dependabot recreate the PR, or use grouped updates.
updates:
- package-ecosystem: "npm"
directory: "/"
schedule:
interval: "weekly"
groups:
http-stack:
patterns:
- "axios"
- "@vendor/sdk"Relax an over-tight pin
If your own manifest hard-pins the capping package, widen it to a range that overlaps the target so the graph has a solution.
How to prevent it
- Group related packages so interdependent bumps land together.
- Prefer ranges over hard pins in your own manifest.
- Upgrade SDKs and their transitive deps in the same cycle.