Dependabot will no longer attempt to infer .npmrc configuration for npm private registries. Previously, Dependabot tried to reconstruct .npmrc contents from lockfile resolved URLs, but incorrect lockfile URLs, lockfile format differences across npm, Yarn v1, Yarn Berry, and pnpm, and other edge cases regularly caused registry authentication failures.

What’s changing

You can now define a scope property on registries in your dependabot.yml. Dependabot uses this to automatically generate the correct .npmrc. When scope is provided, it takes precedence over all other .npmrc sources, including any committed .npmrc file in your repository. This makes dependabot.yml the authoritative source for registry configuration.

If your repository already includes a checked-in .npmrc and you have not configured scope, Dependabot will continue to use it. The scope property is only needed when you don’t have a committed .npmrc and are relying on Dependabot’s inference.
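As an added example, not taken from this changelog or from the Dependabot docs, here is a dependabot.yml that maps one org scope to a private registry using the new property. The registry name, URL, secret name and scope value are placeholders, and whether the scope value carries a leading `@` is an assumption to confirm against the configuration docs.

```yaml
# Added example, not part of the original changelog. Placeholder names:
# registry "npm-acme-private", URL npm.pkg.example.com, secret ACME_NPM_TOKEN.
# The exact scope syntax (with or without a leading "@") is an assumption.
version: 2

registries:
  npm-acme-private:
    type: npm-registry
    url: https://npm.pkg.example.com
    # Reference a repository/organization secret; never inline a token here.
    token: ${{secrets.ACME_NPM_TOKEN}}
    # With scope set, dependabot.yml wins over any committed .npmrc, so the
    # @acme/* packages are resolved against this registry and nothing else.
    scope: "@acme"

updates:
  - package-ecosystem: npm
    directory: /
    schedule:
      interval: weekly
    registries:
      - npm-acme-private

# For comparison, the conventional hand-written .npmrc that expresses the
# same mapping (standard npm syntax, shown here only to illustrate what the
# scope property replaces):
#   @acme:registry=https://npm.pkg.example.com
#   //npm.pkg.example.com/:_authToken=<token>
```

Because the scope setting takes precedence, a mismatch between the scope declared here and the scope your packages actually use will surface as resolution or authentication failures in the Dependabot job logs rather than silently falling back to a committed .npmrc.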

Who can use this feature

This feature is available for all github.com users and will ship in GHES 3.23.

Get started

Review the Dependabot configuration docs and update your dependabot.yml to add scope to any npm registries that need it.