Dependabot seems to have access to private repos in our organization without being granted access.
I added dependabot to one of our Ruby on Rails projects. As we keep our gems in vendor/cache, I configured dependabot with updates.vendor = true. We also have some gem dependencies that are hosted in both private and public git repos inside our organization. These are not stored in the vendor/cache directory (I'm not sure why and am not sure if this is intentional).
After merging the dependabot.yml into master, dependabot started submitting PRs (as expected). All of these PRs include the Gemfile.lock changes for one gem and the updated gem itself in vendor/cache (as expected). The vendor/cache directory in these PRs also contains all gems that are included via git and were not present in this directory before (this was unexpected). Some of these gems come from private repos (in our organization), even though I have not granted dependabot access to any other repos.
dependabot only adds gems to vendor/cache that it is currently updating, and it also cannot access private repos.
dependabot adds gems to vendor/cache that it is currently not updating, and it also seems to be able to access private repos without being granted access.
```yaml
version: 2
updates:
  - package-ecosystem: bundler
    directory: /
    vendor: true
    schedule:
      interval: daily
    versioning-strategy: lockfile-only
    commit-message:
      prefix: "Gem update"
      include: "scope"
```
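An added check, not part of the original report, for confirming which git-sourced gems from a Gemfile.lock have ended up in vendor/cache (and from which remotes), so a reviewer can see at a glance whether a PR pulled in checkouts of private repos. The lockfile text and the vendor/cache entries below are constructed samples; the `<name>-<shortref>` directory naming for cached git checkouts is an assumption, so matching is done on the `<name>-` prefix only.

```ruby
require "tmpdir"
require "fileutils"

# Constructed sample Gemfile.lock fragment: two git-sourced gems plus ordinary rubygems gems.
SAMPLE_LOCKFILE = <<~LOCK
  GIT
    remote: https://github.com/example-org/private-gem.git
    revision: 0123456789abcdef0123456789abcdef01234567
    specs:
      private-gem (1.2.3)
        activesupport (>= 6.0)

  GIT
    remote: https://github.com/example-org/public-gem.git
    revision: 89abcdef0123456789abcdef0123456789abcdef
    specs:
      public-gem (0.4.0)

  GEM
    remote: https://rubygems.org/
    specs:
      activesupport (7.0.4)
      rake (13.0.6)
LOCK

# Parse the GIT blocks of a Gemfile.lock into [{name:, remote:, revision:}, ...].
def git_gems(lockfile_text)
  gems, current = [], nil
  lockfile_text.each_line do |raw|
    line = raw.rstrip
    if line == "GIT" then current = {}; next end
    next if current.nil?
    if line.empty?                              # blank line closes the section
      current = nil
    elsif line =~ /\A  remote: (.+)\z/
      current[:remote] = $1
    elsif line =~ /\A  revision: (\h+)\z/
      current[:revision] = $1
    elsif line =~ /\A    (\S+) \(/               # 4-space indent: a spec this source provides
      gems << current.merge(name: $1)
    end
  end
  gems
end

# Assumption: Bundler stores a cached git checkout as a directory "<name>-<shortref>".
def cached_git_gems(gems, cache_dir)
  entries = Dir.children(cache_dir).select { |e| File.directory?(File.join(cache_dir, e)) }
  gems.select { |g| entries.any? { |e| e.start_with?("#{g[:name]}-") } }
end

def demo
  Dir.mktmpdir do |cache|                        # constructed vendor/cache
    FileUtils.mkdir_p(File.join(cache, "private-gem-0123456789ab"))
    FileUtils.touch(File.join(cache, "rake-13.0.6.gem"))
    gems = git_gems(SAMPLE_LOCKFILE)
    { git_gems: gems, cached: cached_git_gems(gems, cache) }
  end
end

if __FILE__ == $PROGRAM_NAME
  demo[:cached].each { |g| puts "git gem in vendor/cache: #{g[:name]} from #{g[:remote]}" }
end
```

Run it against the real Gemfile.lock and vendor/cache of a Dependabot PR branch by replacing the constructed sample and temporary directory; any git gem it lists whose remote is a private repo is one the bot managed to fetch.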