如何将 Dependabot 与私有包一起使用

Question

I need some help with Dependabot . I found out recently about this amazing package, but some of my repositories require dependencies that are private packages , created by me and used in my personal projects. Dependabot says that for any repositories using private packages, it is advised better to be configured from their website's dashboard .

In my repo , I have moved Dependabot's configuration into the .github/dependabot.yml file, from the dashboard that was located before. In the Insights tab of the repo, and in the Dependact Graph section, the error about not finding the private package is also being thrown there. Has anyone implemented something similar? I would really appreciate your support here.

Answer 1

There is now more documentation on this, considering since Dec. 2nd, 2020:

Dependabot: version updates from private GitHub repositories

Dependabot already updates your public dependencies, such as open source dependencies from a public GitHub repository, npm , Maven Central, or similar.

Now, you can also update dependencies from private GitHub repositories. This feature is available for most package managers supported by Dependabot version updates , except bundler , hex , and pip .

To get started, grant Dependabot access to some or all of your private repositories on your organization's security & analysis settings page:

 https://github.com/organizations/YOUR-ORGANIZATION/settings/security_analysis.

Learn more about Dependabot version updates .

---

March 2021:

Dependabot private registry support public beta

Dependabot can now access dependencies from authenticated private registries, such as GitHub Packages, Azure Artifacts, and Artifactory. These private registries are similar to their public equivalents, but they require authentication and are only available to members of your team or company. With this release, Dependabot version updates can help keep inner source as up-to-date as open source.

To enable this feature, add a registries section to your dependabot.yml, reference your new registries in the relevant updates, and add any secrets to Dependabot's secret store .

This complements your ability to give Dependabot version updates access to private repositories , which is common for ecosystems like go modules and npm.

Answer 2

Although, there is not much information and documentation for this particular topic, I managed to solve my issue. It is a combination of GitHub Secrets and configuration of the .npmrc & .yarnrc files. You can found the related issue, as well as my official answer, here .