On September 27, 2023, we began blocking npm package publishes with differing name or version fields between the manifest and tarball package.json. This blocking protects against obfuscation. The different fields in the manifests have been assessed from a risk-based perspective. We will continue to analyze for other mismatches that can be blocked that won’t have adverse effects on the ecosystem. If a package is blocked, a user may receive an error message similar to “Package ‘version’ is “1.0.4”. It should match “1.0.3” from “package.json” in packaged tarball. Make all changes to package.json before packaging a tarball to publish.” In addition, a new tool, npm pkg fix, can help users fix any validation errors from the registry when they attempt to publish a package.
You can now now see the list of recent jobs that Dependabot has run to check for updates and create or rebase pull requests directly from the repository-level dependency graph section of the insights tab. This list will show whether a job was successful, any error messages, and provide links to both the full logs for the job and any pull request affected by the job. This will give you more visibility into the Dependabot process and help you debug.