Dependabot ❤️s private dependencies
Dependabot’s mission is to keep all of your dependencies free of vulnerabilities and up-to-date, but until now, it hasn’t been able to update all of your private dependencies. That meant that internal libraries, shared design systems, and other non-public packages were out of Dependabot’s reach and more likely to become outdated and insecure over time.
With this release, you can give Dependabot version updates access to private package registries (including GitHub Packages, Artifactory, Azure Artifacts, and others) and private GitHub repositories. Dependabot can now keep your private and innersource dependencies as up-to-date as your public dependencies.
Updates from private registries
In most ecosystems, private dependencies are usually published to private package registries. These private registries are similar to their public equivalents, but they require authentication and are only available to members of your team or company. You can now give Dependabot access to most well-known private registries—including npm, Artifactory, Nexus, and Azure Artifacts—by storing the registry’s access token or secret in your repository’s or organization’s secret store.
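An added example (not from the post) of what the registry configuration looks like in a repository's .github/dependabot.yml: two private registries are declared once and then referenced by the update jobs that need them, with credentials pulled from Dependabot secrets rather than written into the file. The registry names, URLs and secret names are assumptions.

```yaml
# .github/dependabot.yml (added example; names, URLs and secret names are assumed)
version: 2

registries:
  # Private npm scope published to GitHub Packages.
  # The token is resolved from the repository's or organization's
  # Dependabot secrets at run time; only the reference appears here.
  github-npm:
    type: npm-registry
    url: https://npm.pkg.github.com
    token: ${{secrets.GH_PACKAGES_TOKEN}}        # assumed secret name

  # Private Maven repository hosted on Artifactory (assumed URL).
  artifactory-maven:
    type: maven-repository
    url: https://artifactory.example.com/artifactory/libs-release
    username: dependabot-reader                  # assumed service account
    password: ${{secrets.ARTIFACTORY_PASSWORD}}  # assumed secret name

updates:
  # npm update job: only the registries listed here are consulted
  # in addition to the public registry.
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    registries:
      - github-npm

  # Maven update job wired to the private Artifactory repository.
  - package-ecosystem: "maven"
    directory: "/"
    schedule:
      interval: "weekly"
    registries:
      - artifactory-maven
```

Because the file itself is committed, the credential value never belongs in it; a read-only token scoped to the packages Dependabot must resolve keeps the blast radius small if a secret is ever exposed.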
Updates from private GitHub repositories
In some ecosystems, such as Go modules and npm, it is also common to depend directly on a private GitHub repository rather than building a package and publishing it to a private registry such as npm or GitHub Packages. To enable updates for these dependencies, grant Dependabot access to the required private repositories in your organization's settings.
Unblocking Dependabot Preview migrations
If you’re a Dependabot Preview user (your pull requests are authored by dependabot-preview instead of dependabot), you might have tried to migrate to GitHub Dependabot and been blocked by the lack of private registry or private GitHub repository access. To migrate, you can trigger a pull request from the Dependabot dashboard, move your secrets over, and be fully on GitHub Dependabot.
There is a lot more happening in Dependabot, from ecosystem updates to less noisy notifications. You can follow along with what we’re currently building on the public roadmap.
Learn more about Dependabot version updates.