Dependabot ❤️s private dependencies

Mike McDonald

Dependabot’s mission is to keep all of your dependencies free of vulnerabilities and up-to-date, but until now, it hasn’t been able to update all of your private dependencies. That meant that internal libraries, shared design systems, and other non-public packages were out of Dependabot’s reach and more likely to become outdated and insecure over time.

With this release, you can give Dependabot version updates access to private package registries (including GitHub Packages, Artifactory, Azure Artifacts, and others) and private GitHub repositories. Dependabot can now keep your private and innersource dependencies as up-to-date as your public dependencies.

Updates from private registries

In most ecosystems, private dependencies are published to private package registries. These private registries are similar to their public equivalents, but they require authentication and are only available to members of your team or company. You can now give Dependabot access to most well-known private registries—including npm, Artifactory, Nexus, and Azure Artifacts—by storing the registry’s access token or secret in your repository’s or organization’s secret store.

GIF showing how to give Dependabot access by adding your registry's secret to your repo's secret store
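As an added example (not from the original post), this is how a `.github/dependabot.yml` can point a version-update job at a private npm registry; the registry name, URL and secret name are assumed placeholders. The token itself stays in the repository’s or organization’s Dependabot secret store, and only its name appears in the committed file, so the credential never enters the repository history:

```yaml
# .github/dependabot.yml (added example; registry URL and secret name are assumed)
version: 2

registries:
  npm-private:                          # arbitrary label, referenced below
    type: npm-registry
    url: https://npm.example.internal   # placeholder private registry URL
    # Reference the secret by name. Never paste the token value here:
    # this file is committed, and anything in it is visible in git history.
    token: ${{ secrets.NPM_PRIVATE_TOKEN }}

updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    registries:
      - npm-private                     # grant only this job access to the registry
```

Each update job lists the registries it needs, so a job for one ecosystem cannot read credentials configured for another.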

Updates from private GitHub repositories

In some ecosystems, like Go modules and npm, it is also common to consume dependencies directly from a private GitHub repository rather than building a package and publishing it to a private registry such as npm or GitHub Packages. To enable this, grant Dependabot access to the required private repositories in your organization.

GIF showing how to grant Dependabot access to your private repo

Unblocking Dependabot Preview migrations

If you’re a Dependabot Preview user (your pull requests are authored by dependabot-preview, instead of dependabot), you might have tried to migrate to GitHub Dependabot and have been blocked by the lack of private registry or private GitHub repository access. To migrate, you can trigger a pull request from the Dependabot dashboard, move your secrets over, and be fully on GitHub Dependabot.

There is a lot more happening in Dependabot, from ecosystem updates to less noisy notifications. You can follow along with what we’re currently building on the public roadmap.

Learn more about Dependabot version updates.