In response to the recent dependabot-preview deprecation, I enabled GitHub-native dependabot in a private repository which depends on another repository. However, it resulted in the following error.
Dependabot failed to update your dependencies
The following git repository was unreachable and caused the update to fail: <a private repo>.
Dependabot can’t update bundler dependency files that reference private git repositories. Please consider using a [git registry](https://docs.github.com/en/code-security/supply-chain-security/configuration-options-for-dependency-updates#git).
[This page](https://docs.github.com/en/code-security/supply-chain-security/configuration-options-for-dependency-updates) also says it doesn’t support private repositories for bundler (Ruby).
So the workaround here would be to configure a “git registry” as instructed. However, I have the following concern:
- At the moment, we cannot create a personal access token with read-only permission to private repositories. So the minimum required permission here is `repo` (read/write permission to private repositories).
- As mentioned in [this page](https://docs.github.com/en/code-security/supply-chain-security/configuration-options-for-dependency-updates), we would need to enable `insecure-external-code-execution` when using bundler with private registries. As mentioned on the page, it “might allow a compromised package to steal credentials or gain access to configured registries”. So in this case, a malicious package author may sniff a PAT with
Isn’t it too insecure?
To decide my next action (to keep using dependabot-preview for now, switch to dependabot v2, or switch to something like Renovate), I would like to know whether there is a plan to support private repository dependencies for bundler (Ruby) before Aug 4, 2021.
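As an added example (not part of the original post, and not GitHub's own documentation), the following `dependabot.yml` wires up the git-registry workaround the post refers to for a bundler (Ruby) project. The registry alias `github-private` and the secret name `PRIVATE_DEPS_TOKEN` are placeholders assumed for this example; the `type: git`, `username: x-access-token` and `insecure-external-code-execution` keys are the documented Dependabot options.

```yaml
# Added example (not from the original post): dependabot.yml using a
# GitHub-hosted git registry for a bundler (Ruby) project.
# Assumptions: the alias "github-private" and the Dependabot secret
# PRIVATE_DEPS_TOKEN are placeholders chosen for this example.
version: 2

registries:
  github-private:
    type: git
    url: https://github.com
    username: x-access-token
    # Token stored as a Dependabot secret. Its effective scope is whatever
    # the account that minted it can reach, so a dedicated account that is
    # only a collaborator on the dependency repository bounds what a
    # compromised package could access through this credential.
    password: ${{secrets.PRIVATE_DEPS_TOKEN}}

updates:
  - package-ecosystem: "bundler"
    directory: "/"
    schedule:
      interval: "weekly"
    registries:
      - github-private
    # Required by Dependabot for bundler with private registries. This lets
    # code from Gemfiles and gemspecs execute during the update run, which
    # is the exposure the post's second concern is about.
    insecure-external-code-execution: allow
```

The two settings to review together are the account behind `PRIVATE_DEPS_TOKEN` and the `insecure-external-code-execution: allow` line: the former decides which repositories a leaked token exposes, the latter decides whether dependency code can run with that token present.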