
Any way to skip private registries?

Open sblatnick opened this issue 1 year ago • 5 comments

When dependabot runs in GitHub Actions, it seems to work without access to private registries.

How can I get that functionality from dependabot/cli?

When it hits a private registry and fails to authenticate, the process exits with an error. I'd like to still get the results I would have from GitHub Actions.

sblatnick avatar Feb 28 '24 21:02 sblatnick

There isn't a way to skip private registries that I'm aware of.

  1. If your dependency tree includes private packages, then for many ecosystems :dependabot: needs to fetch those packages in order to know whether it can safely upgrade other packages in the tree--even if it's not upgrading the private registry ones.
  2. Also, for many ecosystems, :dependabot: doesn't even control the access/tree walking--it hands off to the native package manager process (pip, bundler, yarn, etc) and waits for answers. We intentionally want :dependabot: to be a wrapper around native package managers wherever possible, rather than us trying to replicate (poorly) their behavior.

jeffwidman avatar Jul 04 '24 16:07 jeffwidman

Thank you for the feedback, but I still am having trouble understanding the result discrepancies.

How does this work in GitHub Actions? Dependabot can't access private registries from there, but it can still return results? The problem I perceive is that GitHub Actions can still return at least partial results whereas the CLI client fails without any results.

sblatnick avatar Jul 05 '24 14:07 sblatnick

Hmm... you got me there. Re-opening.

Can you share logs of a GitHub Actions run vs a CLI run? Feel free to do so via a support ticket if needed, and mention that I requested you do so in this ticket and request that the ticket be assigned to me.

To set expectations, if there is a bug it'll have to go through our normal triage queue for prioritizing when to fix, but I'm happy to take a quick skim through the logs to see if anything immediately jumps out at me that might just be a misunderstanding... perhaps there's something about how Dependabot works that I'm ignorant of.

jeffwidman avatar Jul 06 '24 00:07 jeffwidman

Upon Brett's recommendation in the above ticket, I created a personal ticket #2876981. Leaving this one open in case you want to use it for tracking the CLI side of things.

sblatnick avatar Jul 09 '24 13:07 sblatnick

FYI, I have lumped in https://github.com/dependabot/cli/issues/282 with my request for logs, which was about dependabot performance.

virtual-care-manager finally finished scanning with dependabot/cli. It took 23.5 hours, and failed in an error causing 0 findings after all of that processing.

Please reopen that ticket if you prefer to track that separately. Otherwise we can combine those here.

sblatnick avatar Jul 09 '24 19:07 sblatnick