
Dependabot Scoped Private Registry (NPM) erroring on public packages #6661

Closed
1 task done
broksonic21 opened this issue Feb 14, 2023 · 11 comments · Fixed by #7175
Labels
F: private-registries 💂‍♂️ Issues about using private registries with Dependabot; may be paired with an R: label. L: javascript:npm npm packages via npm T: bug 🐞 Something isn't working

Comments

@broksonic21

broksonic21 commented Feb 14, 2023

Is there an existing issue for this?

  • I have searched the existing issues

Package ecosystem

npm

Package manager version

9.4.2

Language version

18.14.0

Manifest location and content before the Dependabot update

package.json
package-lock.json
.github/dependabot.yml

dependabot.yml content

version: 2
registries:
  npm-github:
    type: npm-registry
    url: https://npm.pkg.github.com
    token: ${{secrets.DEPENDABOT_TOKEN}}
updates:
  - package-ecosystem: "npm"
    directory: "/"
    registries:
      - npm-github
    versioning-strategy: increase
    ignore:
      - dependency-name: "react*"
        update-types: ["version-update:semver-minor","version-update:semver-major"]

Updated dependency

Fails on multiple items. Example is @sentry/react, but we have this for any public registry item with this setup.

What you expected to see, versus what you actually saw

We only get dependabot alerts for items in the GitHub private registry

Public packages error with the following:

updater | INFO <job_REDACTED> Checking if @sentry/react 7.37.1 needs updating
  proxy | 2023/02/14 03:02:44 [504] GET https://registry.npmjs.org:443/@sentry%2Freact
  proxy | 2023/02/14 03:02:44 [504] 200 https://registry.npmjs.org:443/@sentry%2Freact
  proxy | 2023/02/14 03:02:45 [506] GET https://registry.npmjs.org:443/@sentry%2Freact/7.37.2
  proxy | 2023/02/14 03:02:50 [506] 200 https://registry.npmjs.org:443/@sentry%2Freact/7.37.2
updater | INFO <job_REDACTED> Latest version is 7.37.2
  proxy | 2023/02/14 03:03:09 [508] GET https://npm.pkg.github.com:443/@sentry%2freact
  proxy | 2023/02/14 03:03:09 [508] * authenticating npm registry request (host: npm.pkg.github.com, token auth)
  proxy | 2023/02/14 03:03:09 [508] 404 https://npm.pkg.github.com:443/@sentry%2freact
  proxy | 2023/02/14 03:03:09 [510] GET https://npm.pkg.github.com:443/@sentry%2freact
  proxy | 2023/02/14 03:03:09 [510] * authenticating npm registry request (host: npm.pkg.github.com, token auth)
  proxy | 2023/02/14 03:03:09 [510] 404 https://npm.pkg.github.com:443/@sentry%2freact
updater | INFO <job_REDACTED> Requirements to unlock own
updater | INFO <job_REDACTED> Requirements update strategy bump_versions
updater | INFO <job_REDACTED> Updating @sentry/react from 7.37.1 to 7.37.2
  proxy | 2023/02/14 03:03:26 [512] GET https://npm.pkg.github.com:443/@sentry%2freact
  proxy | 2023/02/14 03:03:26 [512] * authenticating npm registry request (host: npm.pkg.github.com, token auth)
  proxy | 2023/02/14 03:03:26 [512] 404 https://npm.pkg.github.com:443/@sentry%2freact
  proxy | 2023/02/14 03:03:26 [514] GET https://npm.pkg.github.com:443/@sentry%2freact
  proxy | 2023/02/14 03:03:26 [514] * authenticating npm registry request (host: npm.pkg.github.com, token auth)
  proxy | 2023/02/14 03:03:26 [514] 404 https://npm.pkg.github.com:443/@sentry%2freact
  proxy | 2023/02/14 03:03:35 [516] GET https://npm.pkg.github.com:443/@sentry%2freact
  proxy | 2023/02/14 03:03:35 [516] * authenticating npm registry request (host: npm.pkg.github.com, token auth)
  proxy | 2023/02/14 03:03:35 [516] 404 https://npm.pkg.github.com:443/@sentry%2freact
  proxy | 2023/02/14 03:03:35 [518] GET https://npm.pkg.github.com:443/@sentry%2freact
  proxy | 2023/02/14 03:03:35 [518] * authenticating npm registry request (host: npm.pkg.github.com, token auth)
  proxy | 2023/02/14 03:03:36 [518] 404 https://npm.pkg.github.com:443/@sentry%2freact
updater | INFO <job_REDACTED> Handled error whilst updating @sentry/react: dependency_file_not_resolvable {:message=>"Error whilst updating @sentry/react in /package-lock.json:\nnpm WARN using --force Recommended protections disabled.\nnpm ERR! code E404\nnpm ERR! 404 Not Found - GET https://npm.pkg.github.com/@sentry%2freact - npm package \"react\" does not exist under owner \"sentry\"\nnpm ERR! 404 \nnpm ERR! 404  '@sentry/react@7.37.2' is not in this registry.\nnpm ERR! 404 \nnpm ERR! 404 Note that you can also install from a\nnpm ERR! 404 tarball, folder, http url, or git url.\n\nnpm ERR! A complete log of this run can be found in:\nnpm ERR!    REDACTED_PATH.log"}

As you can see, it correctly sees 7.37.2 is available by looking at registry.npmjs.org, but it then tries to do the update via GitHub's servers, not npmjs, so it can't find it.

We see this for all of our public registry items. Is there a solve, or is this a bug?

Native package manager behavior

Our npmrc is this:

@OUR_ORG:registry=https://npm.pkg.github.com/

This should only use GitHub for packages scoped to @OUR_ORG (obviously I redacted this) but otherwise use public npmjs.

This works fine locally, as it does the right thing; the issue is only with Dependabot.


Smallest manifest that reproduces the issue

No response

@broksonic21 broksonic21 added the T: bug 🐞 Something isn't working label Feb 14, 2023
@broksonic21 (Author)

This is similar to #5288, but also impacts (direct) non-transitive dependencies.

@thiagosanches

Same here!

@deivid-rodriguez deivid-rodriguez added L: javascript:npm npm packages via npm F: private-registries 💂‍♂️ Issues about using private registries with Dependabot; may be paired with an R: label. labels Feb 22, 2023
@deivid-rodriguez (Contributor)

Hi! Sorry, I don't yet have answers for you folks. I have observed that this seems like a somewhat frequent issue; hopefully I can set aside some time to try to reproduce this and isolate the root cause.

@broksonic21 (Author)

Thank you @deivid-rodriguez, we are really looking forward to this working, so let us know if we can provide any additional logging or insight on our end.

@jussibility

Having the same problem.

@bbeesley

Yep, still broken. Just started getting this issue after setting up Dependabot to use our Google Artifact Registry.

@igrek8

igrek8 commented Apr 20, 2023

We are also having the exact same problem. Tried replaces-base=false, didn't help

@broksonic21 (Author)

@deivid-rodriguez

We were able to work around this by lowering our lock file to v2 (put this in our npmrc) and then rerunning npm install to get a new lock. v3 (npm 9+) seems to be the issue, but npm 9+ still supports v2. That aligns with @jakecoffman's fix above (#7175):

lockfile-version=2

#6507 (comment) was the hint.
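The two configuration details in this thread (the scoped `@OUR_ORG:registry=` line in .npmrc, and the lockfile v2/v3 distinction behind the workaround) are exactly what a reviewer wants to verify on a Dependabot update PR: every locked package should have been resolved from the registry that .npmrc routes its name to, and nothing else. The script below is an added example, not code from Dependabot, npm or this issue's author. It parses the relevant .npmrc keys, applies npm's routing rule (a scoped name goes to its scope's registry if one is configured, everything else to the default registry), walks a v2/v3 `packages` map (or a v1 `dependencies` tree) and flags entries whose `resolved` URL points elsewhere. The .npmrc text, the package names under @OUR_ORG, the versions and the resolved URLs are constructed placeholders modelled on the thread, not real data.

```javascript
// Added example (not Dependabot's or npm's own code). Audits a package-lock
// against .npmrc registry routing. All sample inputs below are constructed.

const PUBLIC_REGISTRY = 'https://registry.npmjs.org/';

// Parse only the .npmrc keys that matter here: `registry=`, `@scope:registry=`
// and `lockfile-version=`. Comment lines (# or ;) and other keys are ignored.
function parseNpmrc(text) {
  const cfg = { registry: PUBLIC_REGISTRY, scopes: {}, lockfileVersion: null };
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const eq = line.indexOf('=');
    if (eq < 0) continue;
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim();
    if (key === 'registry') {
      cfg.registry = withSlash(value);
    } else if (key.startsWith('@') && key.endsWith(':registry')) {
      cfg.scopes[key.slice(0, -':registry'.length)] = withSlash(value);
    } else if (key === 'lockfile-version') {
      cfg.lockfileVersion = Number(value);
    }
  }
  return cfg;
}

function withSlash(url) { return url.endsWith('/') ? url : url + '/'; }

// npm's routing rule: a scoped package uses its scope's registry when one is
// configured; everything else falls through to the default registry.
function expectedRegistry(cfg, name) {
  if (name.startsWith('@')) {
    const scope = name.slice(0, name.indexOf('/'));
    if (cfg.scopes[scope]) return cfg.scopes[scope];
  }
  return cfg.registry;
}

// Lockfile v2 and v3 both carry a "packages" map keyed by install path
// ("node_modules/@scope/name"); v1 only has the nested "dependencies" tree,
// of which only the top level is walked here to keep the example short.
function lockedPackages(lock) {
  const out = [];
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === '') continue; // the root project entry has no registry
      const marker = 'node_modules/';
      const name = entry.name || path.slice(path.lastIndexOf(marker) + marker.length);
      out.push({ name, version: entry.version, resolved: entry.resolved });
    }
  } else if (lock.dependencies) {
    for (const [name, entry] of Object.entries(lock.dependencies)) {
      out.push({ name, version: entry.version, resolved: entry.resolved });
    }
  }
  return out;
}

// A private-scope package resolved from the public registry is the
// dependency-confusion case; a public package resolved from the private
// registry is the misrouting this issue describes. Both are reported.
function auditLockfile(npmrcText, lock) {
  const cfg = parseNpmrc(npmrcText);
  const findings = [];
  for (const pkg of lockedPackages(lock)) {
    const expected = expectedRegistry(cfg, pkg.name);
    if (!pkg.resolved) {
      findings.push({ ...pkg, expected, problem: 'no resolved URL' });
    } else if (!pkg.resolved.startsWith(expected)) {
      findings.push({ ...pkg, expected, problem: 'resolved from wrong registry' });
    }
  }
  return { lockfileVersion: lock.lockfileVersion, findings };
}

// Constructed sample inputs modelled on the thread (placeholders, not real data).
const SAMPLE_NPMRC = '@OUR_ORG:registry=https://npm.pkg.github.com/\n';
const SAMPLE_LOCK_V3 = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', version: '1.0.0' },
    'node_modules/@sentry/react': {
      version: '7.37.1',
      resolved: 'https://registry.npmjs.org/@sentry/react/-/react-7.37.1.tgz',
    },
    'node_modules/@OUR_ORG/ui': {
      version: '2.1.0',
      resolved: 'https://npm.pkg.github.com/download/@OUR_ORG/ui/2.1.0/placeholder',
    },
    // Deliberately wrong: a private-scope package pulled from the public registry.
    'node_modules/@OUR_ORG/utils': {
      version: '1.4.2',
      resolved: 'https://registry.npmjs.org/@OUR_ORG/utils/-/utils-1.4.2.tgz',
    },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(auditLockfile(SAMPLE_NPMRC, SAMPLE_LOCK_V3), null, 2));
}
```

Run it against a real `package-lock.json` by reading the file with `JSON.parse` and feeding it to `auditLockfile` together with the repository's .npmrc; on the sample above only `@OUR_ORG/utils` is reported, while `@sentry/react` correctly stays on registry.npmjs.org. The `lockfileVersion` is surfaced so that a pipeline pinned to `lockfile-version=2`, as in the workaround above, can also assert the lock was not silently regenerated as v3.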

@jakecoffman (Member)

Yep it was v3 lockfiles. If you're still having the problem let me know.

@broksonic21 (Author)

@jakecoffman when will this be live on the GitHub hosted Dependabot?

@jakecoffman (Member)

@broksonic21 it went live when I merged the PR, so it should be good now.

7 participants