Previously, if you specified your private registry configuration in the dependabot.yml file and also had a configuration block for that ecosystem using the target-branch key, Dependabot security updates wouldn’t utilize the private registry information as expected. Starting today, Dependabot now uses private registry configurations specified in the dependabot.yml file as expected, even if there is a configuration with target-branch. This ensures that security updates are applied correctly, regardless of your repository’s configuration settings. Note that security updates still does not support target-branch configuration.
Learn more about configuring private registries for Dependabot in the Dependabot documentation.
Previously, if Dependabot encountered 30 consecutive failures, it would stop running scheduled jobs until manual intervention via updating the dependency graph or manifest file. Dependabot will now pause scheduled jobs after 15 failures. This will give an earlier indication of potential issues while still ensuring that critical security updates will continue to be applied without interruption.
Read more in the Dependabot Docs.
Sponsors now supports Polar and Buy Me a Coffee as funding platform options. Check out our documentation to learn more about funding files.