All version update PRs includes unrelated security fixes

[fflaten]

Is there an existing issue for this?

• I have searched the existing issues

Package ecosystem

pnpm

Package manager version

10.32.1

Language version

No response

Manifest location and content before the Dependabot update

No response

dependabot.yml content

version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"
    groups:
      dev-dependencies:
        dependency-type: "development"
        exclude-patterns:
          - "@playwright*" # To avoid false errors due to playwright change
          - "vite" # to exclude major vite upgrades
          - "@types/node" # noisy and handled manually
      astro:
        patterns:
          - "astro"
          - "@astrojs/*"
      expressive-code:
        patterns:
          - "astro-expressive-code"
          - "@expressive-code/*"
      iconify-icons:
        patterns:
          - "@iconify-json/*"

Updated dependency

No response

What you expected to see, versus what you actually saw

Dependabot have started to include security update overrides for open alerts in every dependency version update pull requests, unexpected and without mentioning it.

E.g. Bump astro from 6.3.3 to 6.3.5 (via audit fix) in the astro group updates package.json from "astro": "6.3.3" to "astro": "6.3.5" as expected, but pnpm-lock.yaml includes the following which breaks my builds:

overrides:
  yaml@>=2.0.0 <2.8.3: '>=2.8.3'

The same occurs for other version upgrades like Bump @iconify-json/octicon from 1.2.23 to 1.2.24 (via audit fix) in the iconify-icons group across 1 directory.

The private repo has an open security alert for the yaml dependency, and Dependabot security updates is enabled, but I'm expecting the security updates in dedicated PRs.

The behavior started this week and all affected PRs includes (via audit fix) in the title and the feature flag "enable-audit-fix-fallback":true in dependabot workflow logs, pointing in the direction of #14589.

Native package manager behavior

Not applicable

Images of the diff or a link to the PR, issue, or logs

Dependabot action log doesn't mention updating yaml, but it runs the audit --fix

updater | 2026/05/19 02:36:51 INFO <job_1373406614> Process PID: 2037 completed with status: pid 2037 exit 0
updater | 2026/05/19 02:36:51 INFO <job_1373406614> Total execution time: 3.45 seconds
updater | 2026/05/19 02:36:51 INFO <job_1373406614> Started process PID: 2051 with command: {} corepack pnpm audit --fix {}
  proxy | 2026/05/19 02:36:52 [696] POST [https://registry.npmjs.org:443/-/npm/v1/security/audits/quick](https://registry.npmjs.org/-/npm/v1/security/audits/quick)
  proxy | 2026/05/19 02:36:52 [696] 200 [https://registry.npmjs.org:443/-/npm/v1/security/audits/quick](https://registry.npmjs.org/-/npm/v1/security/audits/quick)
updater | 2026/05/19 02:36:52 INFO <job_1373406614> Process PID: 2051 completed with status: pid 2051 exit 0
updater | 2026/05/19 02:36:52 INFO <job_1373406614> Total execution time: 0.95 seconds
updater | 2026/05/19 02:36:52 INFO <job_1373406614> Started process PID: 2064 with command: {} corepack pnpm install --lockfile-only {}
....

updater | 2026/05/19 02:37:25 INFO <job_1373406614> Finished job processing
updater | 2026/05/19 02:37:25 INFO Results:
+-----------------------------------------+
|   Changes to Dependabot Pull Requests   |
+---------+-------------------------------+
| created | astro ( from 6.3.3 to 6.3.5 ) |
+---------+-------------------------------+
Cleaned up container 9efa4a17e5869a7f4ffa630ecd0457af29ab2500343c2f88a0a7a6a197697569
  proxy | 2026/05/19 02:37:25 223/937 calls cached (23%)
2026/05/19 02:37:25 Posting metrics to remote API endpoint
  proxy | 2026/05/19 02:37:25 Successfully posted metrics data via api client

Smallest manifest that reproduces the issue

No response

[fflaten]

On a side note, it generates a broken lockfile as well. CI log:

Run pnpm install --frozen-lockfile
  pnpm install --frozen-lockfile
  shell: /usr/bin/bash -e {0}
 ERR_PNPM_LOCKFILE_CONFIG_MISMATCH  Cannot proceed with the frozen installation. The current "overrides" configuration doesn't match the value found in the lockfile

Update your lockfile using "pnpm install --no-frozen-lockfile"

This occurs because pnpm audit --fix adds overrides to pnpm-workspace.yaml which is not commited with the matching lockfile, causing an error during pnpm install --frozen-lockfile.

[tervay]

Also getting this. Example -- tervay/recalc2#624 (commit 46c882b03953691d78a745421e8d7d5e9b6b104f in case it auto-rebases and resolves)

[jreidgreer]

Yep, on every single Dependabot PR now we're getting unrelated audit fixes which result in failures from the lockfile mismatch. Surprised there aren't more reports about this.

[ivnnv]

Possibly related but distinct symptom: I filed #15104 / #15105 for a different bug in the same fallback codepath. That one is pnpm update <dep> --depth Infinity --lockfile-only (the run_pnpm_deep_update_command helper, no --no-save) rewriting specifier: lines in pnpm-lock.yaml and caret ranges in package.json for unrelated direct deps during transitive security updates. #15051 wouldn't address it because affected PRs are themselves security updates. Linking in case it's useful context.

[eliasdawson-addepar]

We are also experiencing this issue. Calling npm/pnpm fix is not suitable behavior for Dependabot as it is almost guaranteed to produce unexpected or desirable results.

The feature should be disabled immediately and either removed entirely or opt-in via configuration. Also there is a bug with the feature at least with pnpm where only the lockfile is updated which produces out of sync errors because overrides must be added to either the package.json or pnpm-workspace.yaml files.

Example (one of many): Addepar/ember-json-viewer@636aa7c

To further clarify why running audit fix is a bad idea:

• It updates multiple dependencies when the PR is supposed to only be for one
• It only uses overrides which introduce technical debt and are rarely the correct solution
• The PRs only update the lockfile which results in errors because it's out of sync

[fflaten]

Looks like the feature flag enable-audit-fix-fallback is removed today.

PRs back to normal. Thanks 🙏