dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.
https://docs.github.com/en/code-security/dependabot
MIT License

Dependabot doesn't support unauthenticated private NPM registries #7290

Open leifwalsh opened 1 year ago

leifwalsh commented 1 year ago

Is there an existing issue for this?

Feature description

See https://github.com/dependabot/dependabot-core/issues/6829#issuecomment-1489515149

We have a private npm registry (Artifactory) behind a firewall. We don't require authentication to this registry.

Dependabot cannot update npm projects with this registry, because if we don't specify a token in the dependabot.yml, it complains that the config is malformed, but if we do provide a token our registry gets confused and rejects requests.

I think the dependabot.yml should allow a configuration that uses a private registry but doesn't specify authentication.

manishapriya94 commented 1 year ago

Perhaps configuring via key can bypass this?

yeikel commented 11 months ago

What is the content of your .npmrc file?

I am running in a similar environment and I cannot reproduce this:

.npmrc:

    registry=https://artifactory.example.com/api/npm/npm