Dependabot Scoped Private Registry (NPM) erroring on public packages #6661
This is similar to #5288, but also impacts (direct) non-transitive dependencies.
Same here!
Hei! Sorry I don't yet have answers for you folks. I have observed that this seems like a somewhat frequent issue; hopefully I can set aside some time to try to reproduce this and isolate the root cause.
Thank you @deivid-rodriguez, we are really looking forward to this working, so let us know if we can provide any additional logging or insight on our end.
Having the same problem.
Yep, still broken, just started getting this issue after setting up dependabot to use our google artifact registry.
We are also having the exact same problem. Tried
We were able to work around this by lowering our lock file to v2 (put this in our npmrc) and then rerunning npm install to get a new lock. v3 (npm 9+) seems to be the issue, but npm 9+ supports v2. That aligns with @jakecoffman's fix above (#7175).
#6507 (comment) was the hint.
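The workaround in the comment above (pin the lock file to v2 in .npmrc, then regenerate the lock) as an added shell example; this is not code from the thread or from Dependabot. It assumes a POSIX sh with sed, uses the `@OUR_ORG` scope placeholder from the issue, and reads the GitHub Packages token from an `NPM_TOKEN` environment variable (an assumption).

```shell
#!/bin/sh
# Report the lockfileVersion of a package-lock.json so a repository can
# tell whether it is on the v3 format the thread identifies as the trigger.
# Argument: path to package-lock.json. Prints the numeric version.
lockfile_version() {
    sed -n 's/.*"lockfileVersion"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

# Return 0 (true) when the lock file is v3 or newer and would need the
# workaround, 1 otherwise (including when no version could be read).
needs_v2_downgrade() {
    v=$(lockfile_version "$1")
    [ -n "$v" ] && [ "$v" -ge 3 ]
}

# Write an .npmrc that keeps @OUR_ORG (placeholder scope from the issue) on
# GitHub Packages, leaves every other scope on the public registry, and pins
# the lock file format to v2. The token comes from $NPM_TOKEN (assumed), so
# no credential is stored in the file. Argument: path to the .npmrc to write.
write_npmrc() {
    cat > "$1" <<'EOF'
@OUR_ORG:registry=https://npm.pkg.github.com/
//npm.pkg.github.com/:_authToken=${NPM_TOKEN}
lockfile-version=2
EOF
    grep '^lockfile-version=' "$1"
}

# Apply the workaround in a repository: only rewrite the lock when it is v3+.
# Uses --package-lock-only so node_modules is not touched.
apply_workaround() {
    if needs_v2_downgrade "$1/package-lock.json"; then
        write_npmrc "$1/.npmrc" >/dev/null
        (cd "$1" && npm install --package-lock-only)
    fi
}
```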
Yep it was v3 lockfiles. If you're still having the problem let me know. |
@jakecoffman when will this be live on the GitHub hosted Dependabot? |
@broksonic21 it went live when I merged the PR so should be good now. |
Is there an existing issue for this?
Package ecosystem
npm
Package manager version
9.4.2
Language version
18.14.0
Manifest location and content before the Dependabot update
package.json
package-lock.json
.github/dependabot.yml
dependabot.yml content
Updated dependency
Fails on multiple items. An example is @sentry/react, but we have this for any public registry item with this setup.
What you expected to see, versus what you actually saw
We only get dependabot alerts for items in the GitHub private registry
Public packages error with the following:
As you can see, it correctly sees 7.37.2 is available by looking at registry.npmjs.org, but it then tries to do the update via GitHub's servers, not npmjs, so it can't find it.
We see this for all of our public registry items. Is there a solve, or is this a bug?
Native package manager behavior
Our npmrc is this:
This should only use GitHub for packages scoped to @OUR_ORG (obviously I redacted this) but otherwise use public npmjs.
This works fine locally, as it does the right thing; the issue is only at Dependabot.
Images of the diff or a link to the PR, issue, or logs
Smallest manifest that reproduces the issue
No response