Dependabot cannot update this dependency (Private Registry)

Using the .dependabot/config.yml file for configuring Dependabot on our projects that use private registries such as php.fury.io works fine, but when using the .github/dependabot.yml file instead, GitHub says:

“Dependabot doesn’t support updating dependency files that use private package registries.”

Do we know if there will be support for this in the future? Is there an action I can take now to make it work in the meantime?

3 Likes

Hi @zachwright,
Welcome to the community! We’re working on adding private registry support over the coming months. For now, I would recommend you keep using Dependabot Preview. You can migrate back by removing the new config file and adding the repository in https://app.dependabot.com/

3 Likes

Also waiting for this. Is there any time frame?

Would really like an update… I migrated from dependabot-preview to dependabot but now it won’t update the packages

1 Like
3 Likes

GitHub announced yesterday that Dependabot now supports private repositories. I tried this today with an npm package associated with a private repository with no luck. I suspect it works with private repositories (as in: a dependency which is a GitHub URL for a private repo) and not for packages in private repositories. I’ve filed a feedback hoping for some clarification, hopefully in the form of some update in the documentation.

2 Likes

Hi there,

Despite this blog post, the documentation still shows both private registries and private repositories not being supported. Plus, the public roadmap issue for this feature was closed with label shipped for only 4 days: it’s now reopened, the shipped label has been removed, but it’s still in the “Q4 2020” column of the public roadmap. Plus, and that’s the biggest one: old Dependabot app seems to have stopped supporting private repositories (at least in my case, for a Python/pip project requiring private GitHub repositories), which invalidates @andreagriffiths11’s answer.

Can we have some piece of information about:

  • The scope of this feature: Private registries? Private repositories? Both?
  • What happened? Was the feature deployed then rolled back?
  • What’s going to happen now on that matter?
3 Likes

However it seems like GitHub is distinguishing between private external registries and private GitHub repos: Dependabot version updates: support for private repositories (Cloud Beta) · Issue #155 · github/roadmap · GitHub

About that: Using Dependabot with the private GitHub registry isn’t generally working for me. However, editing the content of the .npmrc file from:

registry=https://npm.pkg.github.com/komed-health

To:

@komed-health:registry=https://npm.pkg.github.com

As described here: Configuring npm for use with GitHub Packages - GitHub Docs

Will at least let Dependabot check for the other packages not in the private registry
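
An added example, not part of the original thread or of GitHub's tooling: a small Node.js helper that applies the .npmrc change described in the post above, rewriting an unscoped `registry=` line that points at npm.pkg.github.com into the scoped form and leaving every other line alone. The function name `scopeGithubRegistry` and the sample file are constructed for illustration.

```javascript
const GH_HOST = "npm.pkg.github.com";

// Rewrites "registry=https://npm.pkg.github.com/OWNER" to
// "@OWNER:registry=https://npm.pkg.github.com" and reports what it found.
function scopeGithubRegistry(npmrcText) {
  const findings = [];
  const out = npmrcText.split(/\r?\n/).map((line, i) => {
    const trimmed = line.trim();
    // Blank lines and comments (.npmrc uses ; and #) are kept as they are.
    if (trimmed === "" || trimmed.startsWith(";") || trimmed.startsWith("#")) return line;
    const eq = trimmed.indexOf("=");
    if (eq === -1) return line;
    const key = trimmed.slice(0, eq).trim();
    const value = trimmed.slice(eq + 1).trim();
    // Only the unscoped "registry" key changes the default for every package;
    // scoped keys and //host/:_authToken lines are not touched.
    if (key !== "registry") return line;
    let url;
    try { url = new URL(value); } catch { return line; } // e.g. ${VAR} values
    if (url.hostname.toLowerCase() !== GH_HOST) return line;
    const owner = url.pathname.split("/").filter(Boolean)[0];
    if (!owner) {
      // Without an owner in the URL the scope cannot be derived; report only.
      findings.push({ line: i + 1, fixed: false });
      return line;
    }
    findings.push({ line: i + 1, fixed: true, scope: "@" + owner });
    return `@${owner}:registry=https://${GH_HOST}`;
  });
  return { text: out.join("\n"), findings };
}

// Constructed sample .npmrc (not taken from a real project).
const sample = [
  "; constructed sample",
  "registry=https://npm.pkg.github.com/komed-health",
  "//npm.pkg.github.com/:_authToken=${NPM_TOKEN}",
  "save-exact=true",
].join("\n");

console.log(scopeGithubRegistry(sample).text);
```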

Bumping @david-guillot’s comment - this does not work yet, which is odd given the blog post is still up.