dependabot / feedback

The old feedback repository for Dependabot. Click below for the new repository.

Home Page:https://github.com/dependabot/dependabot-core


Automatic PR merging with private npm packages

bennycode opened this issue · comments

Hello Dependabot/GitHub Team,

I have a repository setup which uses npm private packages. I release these packages from a Lerna monorepo where I integrated Dependabot to make automatic dependency updates.

In my project I have a .yarnrc file which makes use of the NPM_TOKEN to fetch my private packages:

.yarnrc

always-auth=true
registry "https://registry.npmjs.org/:_authToken=${NPM_TOKEN}"
save-prefix ""

I defined a read-only NPM_TOKEN in my GitHub Secrets to make my GitHub Actions work with it. It's working fine.

Unfortunately I have not been able to get Dependabot to work with it. I put a value for "registry.npmjs.org" in my Dependabot config variables but I am still getting this error:

updater | ERROR <job_29417555> Failed to replace env in config: ${NPM_TOKEN}
updater | ERROR <job_29417555> /home/dependabot/dependabot-updater/vendor/ruby/2.6.0/gems/dependabot-common-0.117.5/lib/dependabot/shared_helpers.rb:111:in `run_helper_subprocess'
updater | ERROR <job_29417555> /home/dependabot/dependabot-updater/vendor/ruby/2.6.0/gems/dependabot-npm_and_yarn-0.117.5/lib/dependabot/npm_and_yarn/file_updater/yarn_lockfile_updater.rb:137:in `run_yarn_top_level_updater'

Have I done something wrong or why does Dependabot fail to replace NPM_TOKEN?

After some time I found the solution to my problem:

  1. Open config variables in Dependabot dashboard: https://app.dependabot.com/accounts/your-name/config-variables
  2. Add type "JavaScript Registry" with registry value "registry.npmjs.org" and your plain read-only auth token value (looks like a UUIDv4, i.e. "e0f9afba-b6c7-11ea-b3de-0242ac130004")
  3. Add a .yarnrc file to your repository (watched by Dependabot) which DOES NOT define a "registry" and DOES NOT define "always-auth"
  4. Add a .npmrc file to your repository which enforces authentication and defines the registry (including a placeholder for the "NPM_TOKEN"). Your yarn configuration will automatically make use of your .npmrc file.

.yarnrc

save-prefix ""

.npmrc

Note: The // in front of registry.npmjs.org is intentional.

always-auth=true
//registry.npmjs.org/:_authToken=${NPM_TOKEN}

Tested with:

  • npm v6.13.7 (node v13.10.1)
  • yarn v1.21.1
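As an added example (not part of bennycode's post and not Dependabot's own code), the script below checks a repository's .yarnrc and .npmrc against the layout that worked in the steps above: no "registry" or "always-auth" in .yarnrc, "always-auth=true" plus the "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" line in .npmrc. It also flags the mistake that matters most from a security point of view: a literal token committed in place of the ${NPM_TOKEN} placeholder. The two parsers, the token heuristics and the sample file contents are constructed for this example and are assumptions, not something the issue or Dependabot documents.

```javascript
'use strict';

// Added example, not from the original issue: sanity-check the .yarnrc/.npmrc
// layout before committing it, so yarn picks up registry auth from .npmrc and
// no real npm token lands in git.
const REGISTRY_HOST = 'registry.npmjs.org';

// Minimal Yarn 1 .yarnrc reader: `key value`, `key "value"` or `key=value`
// per line, '#' comments. Returns Map<key, value>. (Assumed format.)
function parseYarnrc(text) {
  const out = new Map();
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const m = line.match(/^([^\s=]+)\s*=?\s*(.*)$/);
    if (m) out.set(m[1], m[2].replace(/^"(.*)"$/, '$1'));
  }
  return out;
}

// Minimal .npmrc reader: ini-style `key=value`, '#' or ';' comments.
// The first '=' separates key and value, so "//host/:_authToken=${X}" parses.
function parseNpmrc(text) {
  const out = new Map();
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const eq = line.indexOf('=');
    if (eq > 0) out.set(line.slice(0, eq).trim(), line.slice(eq + 1).trim());
  }
  return out;
}

// Heuristic: does the value look like a literal npm token (UUID-shaped classic
// token or the newer "npm_" prefixed token) rather than an env placeholder?
function looksLikeLiteralToken(value) {
  return /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i.test(value)
    || /^npm_[A-Za-z0-9]{20,}$/.test(value);
}

// Returns a list of findings; an empty list means the files match the working layout.
function checkRegistryConfig(yarnrcText, npmrcText) {
  const findings = [];
  const yarnrc = parseYarnrc(yarnrcText);
  const npmrc = parseNpmrc(npmrcText);

  if (yarnrc.has('registry')) findings.push('.yarnrc defines "registry"; define it in .npmrc instead');
  if (yarnrc.has('always-auth')) findings.push('.yarnrc defines "always-auth"; define it in .npmrc instead');
  if (npmrc.get('always-auth') !== 'true') findings.push('.npmrc is missing always-auth=true');

  const authKey = `//${REGISTRY_HOST}/:_authToken`;
  const token = npmrc.get(authKey);
  if (token === undefined) {
    findings.push(`.npmrc is missing ${authKey}=\${NPM_TOKEN}`);
  } else if (looksLikeLiteralToken(token)) {
    findings.push('.npmrc contains a literal auth token; use ${NPM_TOKEN} and keep the secret in CI / Dependabot config variables');
  } else if (!/^\$\{?NPM_TOKEN\}?$/.test(token)) {
    findings.push(`unexpected _authToken value "${token}"`);
  }
  return findings;
}

// Constructed sample inputs (not taken from any real repository).
// The layout from the solution above:
const GOOD_YARNRC = 'save-prefix ""\n';
const GOOD_NPMRC = 'always-auth=true\n//registry.npmjs.org/:_authToken=${NPM_TOKEN}\n';
// A layout that both breaks the Dependabot env substitution and leaks a token if committed:
const BAD_YARNRC = 'always-auth true\nregistry "https://registry.npmjs.org/"\nsave-prefix ""\n';
const BAD_NPMRC = '//registry.npmjs.org/:_authToken=e0f9afba-b6c7-11ea-b3de-0242ac130004\n';

console.log('good layout findings:', checkRegistryConfig(GOOD_YARNRC, GOOD_NPMRC));
console.log('bad layout findings:', checkRegistryConfig(BAD_YARNRC, BAD_NPMRC));
```

Run it with `node check-registry-config.js` (file name is illustrative); the good layout yields no findings, while the bad one reports the two misplaced .yarnrc keys, the missing always-auth in .npmrc, and the literal token. The token check is a heuristic on shape only; treat any value that is not an env placeholder as suspect.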