Dependabot modifying dependency URLs causes Git clone error after upgrading to PNPM 9.4.0

[CaoMeiYouRen]

Hi ,
I noticed that after upgrading to PNPM 9.4.0, Dependabot is modifying the dependency URLs from https://codeload.github.com/ to git+https://[email protected], which is causing the following error:

ERROR  Command failed with exit code 128: /usr/bin/git clone [email protected]:CaoMeiYouRen/rss-parser.git /home/runner/setup-pnpm/node_modules/.bin/store/v3/tmp/_tmp_1835_81cad7a39cafa01315f02c3d60683486

CaoMeiYouRen/rss-impact-server/pull/178

This seems to be related to the way PNPM handles Git dependencies.
I would like to know if it is related to this change

Originally posted by @CaoMeiYouRen in #10073 (comment)

[deivid-rodriguez]

Seems related to #7851, or #7258. I did have an upstream patch to propose but I was not able to finish it and did not get much attention from upstream maintainers.

[deivid-rodriguez]

I think pnpm/pnpm#8005 may have fixed this? If that's the case, #10058 just merged a few hours ago should've done the trick (assuming it's deployed already). Can you verify?

[CaoMeiYouRen]

I think pnpm/pnpm#8005 may have fixed this? If that's the case, #10058 just merged a few hours ago should've done the trick (assuming it's deployed already). Can you verify?

I don't think so, dependabot continues to open incorrect pull requests. e.g.
https://github.com/CaoMeiYouRen/rss-impact-server/pull/191/files

[abdulapopoola]

@CaoMeiYouRen is this still happening? I see successful Dependabot PRs in that repo

[n3dst4]

Looks like they got rid of their git dependencies instead: CaoMeiYouRen/rss-impact-server@b50fd76

[abdulapopoola]

@n3dst4 ; yes, you're right. Thanks for the pointer