Dependabot-core: How to use Dependabot with private (GitHub, npm) packages?

Created on 20 Nov 2020 · 25 Comments · Source: dependabot/dependabot-core

I would like to ask if there is already the capability of using Dependabot for repositories which depend on a private organization's packages. If not, it would be really nice to see it implemented, so that the internally used packages are upgraded automatically for all other repositories.

Features to have:

  • [x] Configuration and use either from the website's dashboard or from the dependabot.yml config file
  • [ ] Automatic implementation with GitHub's Personal access tokens
  • [x] More documentation, guides, and similar use cases, for developers to understand how to implement it correctly.

Update

A new reply to this issue concerning better documentation can be found below, or you can click here to go to it directly.


It would also be nice to not receive so many emails from Dependabot; does anyone know how to do that?

Thank you in advance for any help or advice

feature-request

All 25 comments

Had the same question couple of days ago, in our case PHP (https://packagist.com), and found this: https://github.com/dependabot/dependabot-core/issues/2297#issuecomment-655380840

@carusogabriel Thank you for your help and response! However, I have tried to implement the same thing with another repository of mine, which also depends on private packages, and Dependabot keeps throwing issues at me about the wrongfully configured config variables.

So, have you implemented it in the website's dashboard yet? Do you know what and how I can do this too?

I found this https://github.com/dependabot/feedback/issues/907#issuecomment-649432886 issue, and it really helped me to solve my issue. I moved the .npmrc file to the main directory (because it is a monorepo), and also added a .yarnrc file to the same location. The content of the .yarnrc file is:

--registry "https://registry.npmjs.org"

And also, the content of my .npmrc file is:

always-auth=true
- //npm.pkg.github.com/:_authToken=${{ secrets.DEPENDABOT_TOKEN }}
+ #npm.pkg.github.com/:_authToken=${{ secrets.DEPENDABOT_TOKEN }}
@hashtag-design-system:registry=https://npm.pkg.github.com
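Review bot: the `+` line begins with `#`, which npm treats as a comment, so after this change no credential is configured for npm.pkg.github.com even though the `@hashtag-design-system:registry` line still routes that scope to it; if the private scope needs authentication, the `//npm.pkg.github.com/:_authToken=...` line has to stay in effect. Separately, `${{ secrets.DEPENDABOT_TOKEN }}` is GitHub Actions expression syntax that only Actions workflows expand; npm itself only expands `${VAR}` references from the environment, which is why a local `npm install` with that line fails with `Failed to replace env in config`, as shown later in this thread.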

The secrets.DEPENDABOT_TOKEN variable can be set in the GitHub repo, in the Settings → Secrets section. To use it in more than one repo, you must have created an organization. Why is it better to do it this way? Because Dependabot and GitHub Actions should have access to the .npmrc and .yarnrc files to find related configurations, and you do not have to expose it in your files. Also, GitHub and npm will revoke this token automatically when it is found that it can be accessed publicly. Do not forget to also add the variable in the Dependabot website's dashboard!

Note: My package is published in GitHub packages, and I do not know if it is also published directly to the npmjs.org registry

I found out also, that you should use the following registries, with Dependabot, if you code in JavaScript:

  • GitHub packages → npm.pkg.github.com/
  • npmjs.org → registry.npmjs.org/
  • Yarn → registry.yarnpkg.com/

Please let me know if you find this information helpful!

Requested this feature in #2311 btw

@mkay581 Yeah it is a very usual issue on this repository. As I mentioned it is solvable, but it lacks documentation and reference. Should I close my issue, or just keep it for future reference?

Doesn't adding:

//npm.pkg.github.com/:_authToken=${{ secrets.DEPENDABOT_TOKEN }} 

to .npmrc in the root of the project make it so when you run npm install locally, it breaks? Or I guess this isn't a problem because you have a monorepo?

@jwalton I have not experienced any issues till now. Yes, I am currently working on a monorepo, with Yarn workspaces. Why would it break though?

It breaks for me, if I run it locally. NPM is trying to find this secrets.DEPENDABOT_TOKEN which I don't have defined:

$ echo '//npm.pkg.github.com/:_authToken=${{ secrets.DEPENDABOT_TOKEN }}' > .npmrc
$ npm install
Error: Failed to replace env in config: ${{ secrets.DEPENDABOT_TOKEN }
    at /Users/jwalton/.nvm/versions/node/v12.19.1/lib/node_modules/npm/lib/config/core.js:415:13
    at String.replace (<anonymous>)
    at envReplace (/Users/jwalton/.nvm/versions/node/v12.19.1/lib/node_modules/npm/lib/config/core.js:411:12)
    at parseField (/Users/jwalton/.nvm/versions/node/v12.19.1/lib/node_modules/npm/lib/config/core.js:389:7)
    at /Users/jwalton/.nvm/versions/node/v12.19.1/lib/node_modules/npm/lib/config/core.js:330:24
    at Array.forEach (<anonymous>)
    at Conf.add (/Users/jwalton/.nvm/versions/node/v12.19.1/lib/node_modules/npm/lib/config/core.js:328:23)
    at ConfigChain.addString (/Users/jwalton/.nvm/versions/node/v12.19.1/lib/node_modules/npm/node_modules/config-chain/index.js:244:8)
    at Conf.<anonymous> (/Users/jwalton/.nvm/versions/node/v12.19.1/lib/node_modules/npm/lib/config/core.js:316:10)
    at /Users/jwalton/.nvm/versions/node/v12.19.1/lib/node_modules/npm/node_modules/graceful-fs/graceful-fs.js:123:16
/Users/jwalton/.nvm/versions/node/v12.19.1/lib/node_modules/npm/lib/npm.js:59
      throw new Error('npm.load() required')
      ^

Error: npm.load() required
    at Object.get (/Users/jwalton/.nvm/versions/node/v12.19.1/lib/node_modules/npm/lib/npm.js:59:13)
    at process.errorHandler (/Users/jwalton/.nvm/versions/node/v12.19.1/lib/node_modules/npm/lib/utils/error-handler.js:208:32)
    at process.emit (events.js:314:20)
    at process._fatalException (internal/process/execution.js:165:25)

Yes for some reason, I encounter the same issue with my repo and Yarn. If anyone has solved this issue, please comment below

You can find more information and an update on the issue here, on my similar question posted on Stackoverflow.com. It says that the documentation has been updated a little bit. Here is the article:

Dependabot already updates your public dependencies, such as open source dependencies from a public GitHub repository, npm, Maven Central, or similar. Now, you can also update dependencies from private GitHub repositories. This feature is available for most package managers supported by Dependabot version updates, except bundler, hex, and pip.

To get started, grant Dependabot access to some or all of your private repositories on your organization's security & analysis settings page: https://github.com/organizations/YOUR-ORGANIZATION/settings/security_analysis.

You can find more on GitHub's blog link

Is there any way I can configure Dependabot to update only on minor and major updates?

I'm finding this really confusing. My understanding is that Dependabot (this repo) is a separate thing to "Github Dependabot" which is the newer, fully-integrated version that Github now run themselves.

I can't seem to get "Github Dependabot" to audit package.json where any of the dependencies use _github's own package repository_, e.g. npm.pkg.github.com.

There used to be a github issue tracking it here: https://github.com/github/roadmap/issues/67 but this seems to have been retitled as being specific to "Cloud beta". Which I assume to mean that if I'm using vanilla Github, this feature isn't available? Would like some clarification there.

Either way, the changelog to which it links https://github.blog/changelog/2020-12-02-dependabot-version-updates-from-private-github-repositories/ makes no mention of "Cloud beta" and it claims it now works. But having updated the list of repositories for my organisation, it doesn't.

Instead, I'm getting this message in the Github "Dependency Graph" analysis:

private_source_authentication_failure {:source=>"npm.pkg.github.com/[my org]"}

Given every developer needs to have an .npmrc file within the repos that use private packages, how are we meant to provide an .npmrc which uses the variable ${{ secrets.DEPENDABOT_TOKEN } without requiring the same magical setting on our local computers too?

Given every developer needs to have an .npmrc file within the repos that use private packages, how are we meant to provide an .npmrc which uses the variable ${{ secrets.DEPENDABOT_TOKEN } without requiring the same magical setting on our local computers too?

You can have an .npmrc in your home directory, which is what our development teams do too. And we generate this dynamically in our CI systems so we don't have to expose a token in the repo.

But this does mean we don't have a static .npmrc for dependabot.
This should be an organization level setting.

But this does mean we don't have a static .npmrc for dependabot.
This should be an organization level setting.

~/.npmrc makes sense for each developer, but how would you generate an .npmrc for the repo root without checking it in?

Perhaps this is just some github-fu I lack, but this whole thing seems really under-baked given that Github Dependabot and Github Package Repository are a predictable combination.

No, it's a basic shell script. It could be a GitHub Action or something of the sort:

  echo "//npm.pkg.github.com/:_authToken=${GITHUB_TOKEN}" >> .npmrc # could be a variable as well
  echo "@<YOUR_ORGANIZATION>:registry=https://npm.pkg.github.com/" >> .npmrc
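The two `echo` lines above expand the token in the shell and write its value into the file. An added example (not from this thread or from dependabot-core) that covers the same CI-generation step, the `.npmrc` registry mapping discussed earlier in the thread, and the local `npm install` failure shown with `${{ secrets.DEPENDABOT_TOKEN }}`: it writes npm's own `${NPM_TOKEN}` environment reference into the file instead of the secret itself, so npm resolves the token from the environment at run time and the generated file never contains a credential. The scope name, the `NPM_TOKEN` variable name and the output path are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates the registry/auth lines of
# an .npmrc for CI without writing the secret itself into the file.
#
# Assumptions (not from the page): the org scope is passed as $1, the token is
# present as $NPM_TOKEN in the environment when npm runs, output path is $2.

# Render the .npmrc content. The auth line uses npm's own ${VAR} syntax, which
# npm expands from the environment at run time, so the secret never lands on
# disk. GitHub Actions' ${{ secrets.X }} syntax is NOT understood by npm; with
# that form a local "npm install" fails with "Failed to replace env in config".
render_npmrc() {
  scope="$1"
  printf '%s\n' \
    "@${scope}:registry=https://npm.pkg.github.com/" \
    '//npm.pkg.github.com/:_authToken=${NPM_TOKEN}'
}

# Defensive check: an _authToken whose value does not start with "$" is a
# literal credential. Returns 0 (true) when such a literal is present.
npmrc_has_literal_token() {
  grep -Eq '_authToken=[^$]' "$1"
}

# Write the file, then refuse to keep it if a literal token slipped in
# (e.g. because a caller expanded the variable before writing).
write_npmrc() {
  scope="$1"
  out="$2"
  render_npmrc "$scope" > "$out"
  if npmrc_has_literal_token "$out"; then
    echo "refusing: $out contains a literal token" >&2
    rm -f "$out"
    return 1
  fi
  return 0
}
```

Running `write_npmrc myorg .npmrc` in a CI job (with `NPM_TOKEN` exported from the job's secret store) produces a file that is safe to leave on the runner, and the same file works on a developer machine as long as `NPM_TOKEN` is set there too; `npmrc_has_literal_token` can double as a pre-commit check against accidentally committing a token.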

I suppose this has more to do with npm than dependabot or github, but having these lines in the npmrc that are required in CI but not in dev is... very weird. I'd expect something much cleaner as a solution, since we'll have to do this strange echo ... >> .npmrc solution in each of our CI solutions.

Ya, don't get me wrong - it's not great. It should be something that could be configured on the organization. Registry mappings too would be useful.
Some of it would be nice to be able to put in local dependabot config. But when you have more than 100+ repos it is a lot to manage.

It's kind of a GitHub issue. It sounds like dependabot-core supports this, it just isn't exposed / handled by GitHub's implementation yet.

Is there an issue for tracking this? Is this the issue? It keeps getting conflated with private repos depending on other packages, putting a token in npmrc which exclusively works for either local dev or CI, etc. Any google-fu for this issue ends up with lots of "it's solved!" for something that sounds similar but is not the same issue.

This issue can be used as a reference to developers that face similar issues. But you are correct, it can be marked as resolved.

Sorry @georgekrax, I was wondering where the issue we're discussing actually is rather than closing this one.

I am sorry @saiichihashimoto, but I do not understand your question. Can you clarify it maybe please?

Is there an issue that is open for having github dependabot updating a private github npm package dependency without having to reference the NPM_TOKEN in the npmrc? That's what this issue became and if we close it then there's no issue to track.

The NPM_TOKEN has to do with NPM and how a package manager works. It should be provided in any case if it is to use private packages deployed to NPM or GitHub Packages.

I hope this clarifies some things for you.

NPM and it needs to stop and appropriate apology made public and not
on GitHub but as well as the whole world and all involved Bel main brain
and I want a do not pull request done now but anything with this facture
need stopped. Also it would help for it to be remembered not to try to
pull my information unless I say and that means never and a nice
contribution would be wonderful for the program to work properly because
as of now it's not. The program is damaged internally and externally
understand this and see the program is located is to stop being treated by
any virus. Programs like this one is hard to come across they are and like
family that you can lose quick just because if a simple bad program that is
burned out or infected. I learned that computers are just like life it's
all on how much you trust them but if a bad program or virus comes along it
will tear a great computer alert unless you work in it continuously and that
is what I've done here is try to rebuild something that was tore up because
if bad viruses and a family is the same way once there gone it's hard to
get back, now because of issue being pulled and worked on a viruses will
take everything you do apart over and over 10483.00 resistors burned out
Now everything intought myself and had some help with this but it tore my
motherboard apart for a file. And for pictures that should have never been
done. Now you hackers out there remember this you can jump and hide but you
stay strong cyber security and they will always jump back to check and that
how you can the hackers and hackers do it for good not evil because evil
never 💯 because it just wrong. In life same way get it together people
learn the program because i have anyone can the point of of this program
is true programs trust in partners and rely on helpers and members of
true family. Now threats are still being thrown at my computer right now
because of this it isn't about who I am trying to tear apart or take down
programs but to let everyone know that viruses are wrong because it hurts
even you at some point in the program now I'm homeless I don't have a job
or even a dollar because of all the virus binding together and burning my
whole computer and mother board that I may never get it right even my mouse
mover is damy and it the one thing I work very hard for to make and now
it's hard to move or scared it will blow up. Now now main across the way
and also main developers will not help they are out to destroy they program
and this is a fact not a lie they want it gone and burned out the little
programs and even older programs are at risk advice or say a big program
would help it and also a big contribution to the program and mother board
all three would help and for the powerfully programs to stand down and I
will make sure they do for this because if not my program will go world
wide open source and main sources of the program will flood the world wide
web Wikipedia WikiLeaks and I mean ASAP because my computer going down fast
and my button is ready to pull it to make attachment. It's been a hard 6
years because of original programs starts this ci attachment ment with msg
and or calls first against me that is trust worthy. And then jenkins file
started it to and some I won't name because big jelly and hatt are will
serv now because them programs have helped in ways you couldn't
imagine. Big corporate back off and help programs not destroy and make
sure you get all the files straight before you enter pull the request
stand and help this computer and programs and mother boards and little
files for life or they all flood it hello world main programs and open
sources now and stay background to help always jump the video with this
facture in the computer room and stop hurting little program and hacking
bank and identity but fix what is wrong

On Thu, Jan 28, 2021, 3:47 PM George Krachtopoulos notifications@github.com
wrote:

The NPM_TOKEN has to do with NPM and how a package manager works. It
should be provided in any case if it is to use private packages deployed to
NPM or GitHub Packages.

I hope this clarifies some things for you.

