Dependabot ❤️s private dependencies
Dependabot’s mission is to keep all of your dependencies free of vulnerabilities and up-to-date, but until now, it hasn’t been able to update all of your private dependencies. That meant…
Dependabot’s mission is to keep all of your dependencies free of vulnerabilities and up-to-date, but until now, it hasn’t been able to update all of your private dependencies. That meant that internal libraries, shared design systems, and other non-public packages were out of Dependabot’s reach and more likely to become outdated and insecure over time.
With this release, you can give Dependabot version updates access to private package registries (including GitHub Packages, Artifactory, Azure Artifacts, and others) and private GitHub repositories. Dependabot can now keep your private and innersource dependencies as up-to-date as your public dependencies.
Updates from private registries
In most ecosystems, private dependencies are usually published to private package registries. These private registries are similar to their public equivalents, but they require authentication and are only available to members of your team or company. You can now give Dependabot access to most well-known private registries—including npm, Artifactory, Nexus, and Azure Artifacts—by storing the registry’s access token or secret in your repository’s or organization’s secret store.
Updates from private GitHub repositories
In some ecosystems, like go modules and npm, it is also common to use dependencies directly from a private GitHub repository, rather than building a package and publishing it to a private registry, like npm or GitHub Packages. To enable this, grant Dependabot access to the required private repositories in your organization.
Unblocking Dependabot Preview migrations
If you’re a Dependabot Preview user (your pull requests are authored by dependabot-preview
, instead of dependabot
), you might have tried to migrate to GitHub Dependabot and have been blocked by the lack of private registry or private GitHub repository access. To migrate, you can trigger a pull request from the Dependabot dashboard, move your secrets over, and be fully on GitHub Dependabot.
There is a lot more happening in Dependabot, from ecosystem updates to less noisy notifications. You can follow along with what we’re currently building on the public roadmap.
Learn more about Dependabot version updates.
Tags:
Written by
Related posts
Uncovering GStreamer secrets
In this post, I’ll walk you through the vulnerabilities I uncovered in the GStreamer library and how I built a custom fuzzing generator to target MP4 files.
CodeQL zero to hero part 4: Gradio framework case study
Learn how I discovered 11 new vulnerabilities by writing CodeQL models for Gradio framework and how you can do it, too.
Attacking browser extensions
Learn about browser extension security and secure your extensions with the help of CodeQL.