Dependabot v2 bundler (Ruby): is there a plan to support private repositories?

In response to the recent dependabot-preview deprecation, I enabled GitHub-native dependabot in a private repository which depends on another repository. However, it resulted in the following error.

:warning: Dependabot failed to update your dependencies

The following git repository was unreachable and caused the update to fail: <a private repo>.

Dependabot can’t update bundler dependency files that reference private git repositories. Please consider using a [git registry](https://docs.github.com/en/code-security/supply-chain-security/configuration-options-for-dependency-updates#git).

[Learn more](https://docs.github.com/github/managing-security-vulnerabilities/troubleshooting-dependabot-errors)

[This page](https://docs.github.com/en/code-security/supply-chain-security/configuration-options-for-dependency-updates) also says it doesn’t support private repositories for bundler (Ruby).

So the workaround here would be to configure a “git registry” as instructed. However, I have the following concern:

  • At the moment, we cannot create a personal access token with read-only permission to private repositories. So the minimum required permission here is repo (read/write permission to private repositories).
  • As mentioned in [this page](https://docs.github.com/en/code-security/supply-chain-security/configuration-options-for-dependency-updates), we would need to enable insecure-external-code-execution when using bundler with private registries. As mentioned on the page, it “might allow a compromised package to steal credentials or gain access to configured registries”. So in this case, a malicious package author may sniff a PAT with repo permission.

Isn’t it too insecure?

To decide my next action (to keep using dependabot-preview for now, switch to dependabot v2, or switch to something like Renovate), I would like to know whether there is a plan to support private repository dependencies for bundler (Ruby) before Aug 4, 2021.
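For reference, this is what the “git registry” workaround described above looks like in `.github/dependabot.yml`. It is an added illustration, not configuration from the original post; the registry name `github-private-repos`, the secret name `DEPENDABOT_PAT` and the `directory`/`schedule` values are assumptions, while the keys (`registries`, `type: git`, `username: x-access-token`, `password`, `insecure-external-code-execution`) follow the GitHub documentation linked in the post. The comments mark the two settings that together create the exposure the post is concerned about.

```yaml
# .github/dependabot.yml  (added example; names below are placeholders)
version: 2

registries:
  # Assumed registry name. One entry covers every private repo on
  # github.com that the Gemfile references via a `git:` source.
  github-private-repos:
    type: git
    url: https://github.com
    # "x-access-token" is the username GitHub expects when the password
    # is a token rather than an account password.
    username: x-access-token
    # Assumed Dependabot secret name (set under the repository's
    # Dependabot secrets, not Actions secrets). As the post notes, a
    # classic PAT that can read a private repo needs the `repo` scope,
    # which is read/write on every private repo the token owner can see.
    password: ${{ secrets.DEPENDABOT_PAT }}

updates:
  - package-ecosystem: bundler
    directory: /            # assumed Gemfile location
    schedule:
      interval: weekly      # assumed
    registries:
      - github-private-repos
    # Required for bundler with a private git registry. This lets code
    # in the dependency tree (e.g. a gem's extconf/gemspec) run inside
    # the Dependabot job with the registry credential present, which is
    # the "compromised package could steal credentials" caveat the docs
    # warn about.
    insecure-external-code-execution: allow
```

Whether this is acceptable comes down to what `DEPENDABOT_PAT` can do: with the `repo` scope it is a write credential for every private repository its owner can access, so it is worth issuing it from a dedicated account or machine user that is a member of only the repositories the Gemfile actually references, rather than from a maintainer's personal account.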