Open p-torq opened 1 year ago
Having a similar issue with security updates for Golang repositories with a registry configured.
Also encountering this issue with a private npm registry, again using jfrog.
Entry in dependabot.yml with example manifest for a project in our monorepo:
registries:
  npm:
    type: npm-registry
    url: https:/xxxx.jfrog.io/xxxxx/api/npm/npm/
    token: ${{secrets.SECRET_NAME}}
updates:
  - package-ecosystem: "npm"
    directory: ./<EXAMPLE_PATH>
    open-pull-requests-limit: 0
    schedule:
      interval: weekly
      day: friday
    commit-message:
      prefix: "build"
And the 401 error in the logs when auth fails:
updater | 2024/01/12 11:55:50 INFO <job_773593677> Starting security update job for xxxxxxx
updater | 2024/01/12 11:55:50 INFO <job_773593677> Checking if axios 0.27.2 needs updating
proxy | 2024/01/12 11:55:50 [015] GET https://xxxxxxx.jfrog.io:443/artifactory/api/npm/npm/axios
proxy | 2024/01/12 11:55:50 [015] 401 https://xxxxxxx.jfrog.io:443/artifactory/api/npm/npm/axios
proxy | 2024/01/12 11:55:50 [015] Remote response: {
proxy | "errors" : [ {
proxy | "status" : 401,
proxy | "message" : "Authentication is required"
proxy | } ]
proxy | }
updater | 2024/01/12 11:55:51 INFO <job_773593677> Handled error whilst updating axios: private_source_authentication_failure {:source=>"xxxxxxx.jfrog.io/artifactory/api/npm/npm"}
updater | 2024/01/12 11:55:51 INFO <job_773593677> Finished job processing
updater | 2024/01/12 11:55:51 INFO Results:
updater | Dependabot encountered '1' error(s) during execution, please check the logs for more details.
updater | +-----------------------------------------------+
updater | | Dependencies failed to update |
updater | +-------+---------------------------------------+
updater | | axios | private_source_authentication_failure |
updater | +-------+---------------------------------------+
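The log excerpt above has two places where the failure shows up: the proxy line carrying the registry's 401 and the updater line reporting private_source_authentication_failure with its :source. The following is an added triage helper, not Dependabot's own code, that pairs those two signals so a maintainer can confirm which registry host rejected the job's token before touching secrets or registry settings. The sample log is constructed from the excerpt in this thread; the line formats assumed are exactly the ones shown there.

```python
"""Triage helper for Dependabot job logs (added example, not Dependabot's own code).

It scans the 'proxy' and 'updater' lines Dependabot prints, collects HTTP 401/403
responses from the registry proxy, and pairs them with the
private_source_authentication_failure errors the updater reports, so the
registry host that refused the token is visible at a glance.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample log, shaped like the excerpt posted in the issue above.
SAMPLE_LOG = """\
updater | 2024/01/12 11:55:50 INFO <job_773593677> Starting security update job for xxxxxxx
updater | 2024/01/12 11:55:50 INFO <job_773593677> Checking if axios 0.27.2 needs updating
proxy | 2024/01/12 11:55:50 [015] GET https://xxxxxxx.jfrog.io:443/artifactory/api/npm/npm/axios
proxy | 2024/01/12 11:55:50 [015] 401 https://xxxxxxx.jfrog.io:443/artifactory/api/npm/npm/axios
proxy | 2024/01/12 11:55:50 [015] Remote response: {
proxy | "errors" : [ {
proxy | "status" : 401,
proxy | "message" : "Authentication is required"
proxy | } ]
proxy | }
updater | 2024/01/12 11:55:51 INFO <job_773593677> Handled error whilst updating axios: private_source_authentication_failure {:source=>"xxxxxxx.jfrog.io/artifactory/api/npm/npm"}
updater | 2024/01/12 11:55:51 INFO <job_773593677> Finished job processing
"""

# "proxy | <date> <time> [<req>] <status> <url>" -- only response lines have a 3-digit status.
PROXY_RESPONSE = re.compile(
    r"^proxy \| \S+ \S+ \[(?P<req>\d+)\] (?P<status>\d{3}) (?P<url>https?://\S+)$"
)
# "updater | ... <job_N> Handled error whilst updating <dep>: <kind> {:source=>"<source>"}"
UPDATER_ERROR = re.compile(
    r"^updater \| \S+ \S+ INFO <(?P<job>job_\d+)> Handled error whilst updating "
    r"(?P<dep>\S+): (?P<kind>\w+) \{:source=>\"(?P<source>[^\"]+)\"\}$"
)
JOB_ID = re.compile(r"<(job_\d+)>")
AUTH_STATUSES = {"401", "403"}


@dataclass
class AuthTriage:
    job: Optional[str] = None
    # (status, url) for every registry response the proxy logged with an auth status
    denied_urls: List[Tuple[str, str]] = field(default_factory=list)
    # (dependency, source) for every private_source_authentication_failure
    auth_failures: List[Tuple[str, str]] = field(default_factory=list)


def parse_log(text: str) -> AuthTriage:
    """Walk the log once and collect the auth-related evidence from both components."""
    triage = AuthTriage()
    for line in text.splitlines():
        if triage.job is None:
            job = JOB_ID.search(line)
            if job:
                triage.job = job.group(1)
        proxy = PROXY_RESPONSE.match(line)
        if proxy and proxy.group("status") in AUTH_STATUSES:
            triage.denied_urls.append((proxy.group("status"), proxy.group("url")))
            continue
        err = UPDATER_ERROR.match(line)
        if err and err.group("kind") == "private_source_authentication_failure":
            triage.auth_failures.append((err.group("dep"), err.group("source")))
    return triage


def denied_hosts(triage: AuthTriage) -> List[str]:
    """Registry hosts (port stripped) that answered with an auth failure."""
    return sorted({urlsplit(url).hostname for _, url in triage.denied_urls})


def failures_by_source(triage: AuthTriage) -> Dict[str, List[str]]:
    """Map each failing registry source to the dependencies it blocked."""
    out: Dict[str, List[str]] = {}
    for dep, source in triage.auth_failures:
        out.setdefault(source, []).append(dep)
    return out


if __name__ == "__main__":
    t = parse_log(SAMPLE_LOG)
    print("job:", t.job)
    print("hosts rejecting the token:", denied_hosts(t))
    for source, deps in failures_by_source(t).items():
        print(f"  {source}: {', '.join(deps)}")
```

Run it against a real job log (the "View logs" output of a Dependabot run) and compare the reported source host with the url under registries in dependabot.yml; a mismatch between the two, or a host that only appears in the security-update job and never in the version-update job, narrows the problem to the registry configuration that job actually received.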
Same issue with npm package management.
Similar issue with GHES v3.13 and the NuGet ecosystem: private registry configured in dependabot.yml. Dependabot version updates do work, but Dependabot security updates fail with private_source_authentication_failure.
This used to work with previous versions of GHES.
Is there an existing issue for this?
Package ecosystem
pip
Package manager version
poetry
Language version
python = "~3.10.4"
Manifest location and content before the Dependabot update
/.../poetry.lock
dependabot.yml content
Updated dependency
starlette >= 0.13.5, < 0.27.0 to 0.27.0
What you expected to see, versus what you actually saw
We expect Dependabot to create a PR after the security update.
Images of the diff or a link to the PR, issue, or logs