Dependabot v2 bundler (Ruby): is there a plan to support private repositories?

In response to the recent dependabot-preview deprecation, I enabled GitHub-native dependabot in a private repository which depends on another repository. However, it resulted in the following error.

⚠️ Dependabot failed to update your dependencies

The following git repository was unreachable and caused the update to fail: <a private repo>.

Dependabot can’t update bundler dependency files that reference private git repositories. Please consider using a [git registry](https://docs.github.com/en/code-security/supply-chain-security/configuration-options-for-dependency-updates#git).

[Learn more](https://docs.github.com/github/managing-security-vulnerabilities/troubleshooting-dependabot-errors)

[This page](https://docs.github.com/en/code-security/supply-chain-security/configuration-options-for-dependency-updates) also says it doesn’t support private repositories for bundler (Ruby).

So the workaround here would be to configure a “git registry” as instructed. However, I have the following concern:

  • At the moment, we cannot create a personal access token with read-only permission to private repositories. So the minimum required permission here is repo (read/write permission to private repositories).
  • As mentioned in [this page](https://docs.github.com/en/code-security/supply-chain-security/configuration-options-for-dependency-updates), we would need to enable insecure-external-code-execution when using bundler with private registries. As mentioned on the page, it “might allow a compromised package to steal credentials or gain access to configured registries”. So in this case, a malicious package author may sniff a PAT with repo permission.

Isn’t it too insecure?

To decide my next action (to keep using dependabot-preview for now, switch to dependabot v2, or switch to something like Renovate), I would like to know whether there is a plan to support private repository dependencies for bundler (Ruby) before Aug 4, 2021.

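For reference, this is what the “git registry” workaround described in the post above looks like in a dependabot.yml. It is an added example, not configuration from the original post or from GitHub; the registry name `github-private-gems`, the secret name `DEPENDABOT_PAT`, and the assumption that the Gemfile pulls the private dependency from a `git:` source on github.com are all assumptions made for illustration. Note the two settings the post is worried about: the `password` is a PAT that must carry the `repo` scope to reach a private repository, and `insecure-external-code-execution: allow` is required for bundler once a registry is configured, which is exactly what lets code run during the update see that credential.

```yaml
# Added example of a dependabot.yml using a private git registry for bundler.
# Names below (github-private-gems, DEPENDABOT_PAT) are assumptions, not values
# from the original thread.
version: 2

registries:
  github-private-gems:
    type: git
    url: https://github.com
    # GitHub accepts any username when the password is a token.
    username: x-access-token
    # A Dependabot secret holding a personal access token. To clone a private
    # repository it needs the `repo` scope, which is read/write, not read-only.
    password: ${{secrets.DEPENDABOT_PAT}}

updates:
  - package-ecosystem: "bundler"
    directory: "/"
    schedule:
      interval: "weekly"
    # Make the git registry above available to this update job.
    registries:
      - github-private-gems
    # Required for bundler when `registries` is set. This allows code in the
    # dependencies (e.g. gemspecs) to run during the update, so a compromised
    # package could read the PAT above. This is the weak setting the post is
    # asking about; `deny` is the default, but then the job fails on private
    # git sources.
    insecure-external-code-execution: allow
```

A practical check before adopting this: scope the PAT to a dedicated machine user that only has read access to the private repositories the Gemfile references (the `repo` scope is still read/write, but the user’s repository permissions bound what it can actually write to), and rotate it if the update job ever pulls an unexpected gem.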

+1 to this. GitHub is pushing for switching to native Dependabot without having a solution to this. This breaks our repositories. I wonder how Dependabot originally handled this, and why the same behaviour can’t be moved over.


Running into this too – not sure what to do here. The git registry thing seems like a lot of additional overhead.

Any new news on this?

We really loved Dependabot and want to continue using it, but we mistakenly moved to dependabot.yml and can’t move back to Dependabot classic, it seems.

In the meantime, I’m manually doing what dependabot did for us before. We miss it.

Any update on this? Without that we cannot use Dependabot Native for Ruby projects 🙁