Dependabot’s mission is to keep all of your dependencies free of vulnerabilities and up-to-date, but until now, it hasn’t been able to update all of your private dependencies. That meant that internal libraries, shared design systems, and other non-public packages were out of Dependabot’s reach and more likely to become outdated and insecure over time.
With this release, you can give Dependabot version updates access to private package registries (including GitHub Packages, Artifactory, Azure Artifacts, and others) and private GitHub repositories. Dependabot can now keep your private and innersource dependencies as up-to-date as your public dependencies.
In most ecosystems, private dependencies are usually published to private package registries. These private registries are similar to their public equivalents, but they require authentication and are only available to members of your team or company. You can now give Dependabot access to most well-known private registries—including npm, Artifactory, Nexus, and Azure Artifacts—by storing the registry’s access token or secret in your repository’s or organization’s secret store.
In some ecosystems, like go modules and npm, it is also common to use dependencies directly from a private GitHub repository, rather than building a package and publishing it to a private registry, like npm or GitHub Packages. To enable this, grant Dependabot access to the required private repositories in your organization.
If you’re a Dependabot Preview user (your pull requests are authored by
dependabot-preview, instead of
dependabot), you might have tried to migrate to GitHub Dependabot and have been blocked by the lack of private registry or private GitHub repository access. To migrate, you can trigger a pull request from the Dependabot dashboard, move your secrets over, and be fully on GitHub Dependabot.