Dependabot ❤️s private dependencies
Dependabot’s mission is to keep all of your dependencies free of vulnerabilities and up-to-date, but until now, it hasn’t been able to update all of your private dependencies. That meant that internal libraries, shared design systems, and other non-public packages were out of Dependabot’s reach and more likely to become outdated and insecure over time.
With this release, you can give Dependabot version updates access to private package registries (including GitHub Packages, Artifactory, Azure Artifacts, and others) and private GitHub repositories. Dependabot can now keep your private and innersource dependencies as up-to-date as your public dependencies.
Updates from private registries
In most ecosystems, private dependencies are usually published to private package registries. These private registries are similar to their public equivalents, but they require authentication and are only available to members of your team or company. You can now give Dependabot access to most well-known private registries—including npm, Artifactory, Nexus, and Azure Artifacts—by storing the registry’s access token or secret in your repository’s or organization’s secret store.
Updates from private GitHub repositories
In some ecosystems, like go modules and npm, it is also common to use dependencies directly from a private GitHub repository, rather than building a package and publishing it to a private registry, like npm or GitHub Packages. To enable this, grant Dependabot access to the required private repositories in your organization.
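As an added example (not from the original post), this is what a `.github/dependabot.yml` granting both kinds of access described above looks like: one private npm registry and one private GitHub repository used directly by go modules, with every credential referenced from the repository or organization secret store rather than written into the file. The registry names, URLs and secret names are placeholders.

```yaml
# Added example (not from the original post): .github/dependabot.yml
# Registry names, URLs and secret names are placeholders.
version: 2
registries:
  # Private npm registry (GitHub Packages, Artifactory, Nexus, Azure Artifacts, ...).
  # The token is read from the Dependabot secret store; the file never holds it.
  # Use a read-only token scoped to the packages Dependabot needs.
  npm-private:
    type: npm-registry
    url: https://npm.pkg.github.com
    token: ${{secrets.NPM_PRIVATE_TOKEN}}
  # Private GitHub repositories pulled directly as go modules.
  github-private:
    type: git
    url: https://github.com
    username: x-access-token
    password: ${{secrets.GH_PRIVATE_REPO_TOKEN}}
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    registries:
      - npm-private
  - package-ecosystem: "gomod"
    directory: "/"
    schedule:
      interval: "weekly"
    registries:
      - github-private
```

Each update block only lists the registries it actually needs, so a token for one ecosystem is never handed to another.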
Unblocking Dependabot Preview migrations
If you’re a Dependabot Preview user (your pull requests are authored by dependabot-preview instead of dependabot), you might have tried to migrate to GitHub Dependabot and been blocked by the lack of private registry or private GitHub repository access. To migrate, you can trigger a pull request from the Dependabot dashboard, move your secrets over, and be fully on GitHub Dependabot.
There is a lot more happening in Dependabot, from ecosystem updates to less noisy notifications. You can follow along with what we’re currently building on the public roadmap.
Learn more about Dependabot version updates.