Dependabot private Composer repositories formatting

I realize this is sort of a beta feature, but I’m tinkering with private repositories in dependabot.yml and am having trouble with an endpoint that doesn’t require a username or password, and also has a URL format that doesn’t end in the TLD:

version: 2
    type: composer-repository
    url: "${{ secrets.BEAVER_BUILDER_KEY }}"
    username: ""
    password: ""
  - package-ecosystem: "composer"
    directory: "/"
      interval: "monthly"

Dependabot insisted I add username/password even though this endpoint doesn’t actually require them, and it doesn’t like the URL that doesn’t end in a TLD:

PHP registries must specify a url in a format like `` or ``.
Tokens should be stored as a GitHub secret.

Where’s the best place to drop feedback on this feature?

1 Like