
Support setting default NPM repo when no npmrc is present

It appears that dependabot-core keeps the public NPM registry as the default in the case that there is no npmrc present in the repository in question, even when additional repos are specified via credentials. This is causing dependabot-core to fail with a 404 when attempting to detect upgrades for internal libraries in our projects, which make the assumption that the default registry has been set to our internal one by the user/build environment. I note that for Python registries there is an option replaces-base to allow for setting the default registry; is there an equivalent for NPM registries? If not, would you accept a PR for this functionality?

dependabot/dependabot-core

Answer questions keirlawson

I've been using the dependabot-core docker image, pulled 7 days ago and invoked via dependabot-script with our NPM repo added to the credentials block. The error is:

  - Updating debug (from )…Traceback (most recent call last):
	23: from ./generic-update-script.rb:126:in `<main>'
	22: from ./generic-update-script.rb:126:in `each'
	21: from ./generic-update-script.rb:164:in `block in <main>'
	20: from /workspace/vendor/ruby/2.6.0/gems/dependabot-npm_and_yarn-0.108.15/lib/dependabot/npm_and_yarn/file_updater.rb:39:in `updated_dependency_files'
	19: from /workspace/vendor/ruby/2.6.0/gems/dependabot-npm_and_yarn-0.108.15/lib/dependabot/npm_and_yarn/file_updater.rb:148:in `updated_lockfiles'
	18: from /workspace/vendor/ruby/2.6.0/gems/dependabot-npm_and_yarn-0.108.15/lib/dependabot/npm_and_yarn/file_updater.rb:148:in `each'
	17: from /workspace/vendor/ruby/2.6.0/gems/dependabot-npm_and_yarn-0.108.15/lib/dependabot/npm_and_yarn/file_updater.rb:149:in `block in updated_lockfiles'
	16: from /workspace/vendor/ruby/2.6.0/gems/dependabot-npm_and_yarn-0.108.15/lib/dependabot/npm_and_yarn/file_updater.rb:120:in `package_lock_changed?'
	15: from /workspace/vendor/ruby/2.6.0/gems/dependabot-npm_and_yarn-0.108.15/lib/dependabot/npm_and_yarn/file_updater.rb:187:in `updated_package_lock_content'
	14: from /workspace/vendor/ruby/2.6.0/gems/dependabot-npm_and_yarn-0.108.15/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb:30:in `updated_lockfile_content'
	13: from /workspace/vendor/ruby/2.6.0/gems/dependabot-common-0.108.15/lib/dependabot/shared_helpers.rb:34:in `in_a_temporary_directory'
	12: from /usr/lib/ruby/2.6.0/tmpdir.rb:93:in `mktmpdir'
	11: from /workspace/vendor/ruby/2.6.0/gems/dependabot-common-0.108.15/lib/dependabot/shared_helpers.rb:37:in `block in in_a_temporary_directory'
	10: from /workspace/vendor/ruby/2.6.0/gems/dependabot-common-0.108.15/lib/dependabot/shared_helpers.rb:37:in `chdir'
	 9: from /workspace/vendor/ruby/2.6.0/gems/dependabot-common-0.108.15/lib/dependabot/shared_helpers.rb:37:in `block (2 levels) in in_a_temporary_directory'
	 8: from /workspace/vendor/ruby/2.6.0/gems/dependabot-npm_and_yarn-0.108.15/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb:34:in `block in updated_lockfile_content'
	 7: from /workspace/vendor/ruby/2.6.0/gems/dependabot-npm_and_yarn-0.108.15/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb:34:in `chdir'
	 6: from /workspace/vendor/ruby/2.6.0/gems/dependabot-npm_and_yarn-0.108.15/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb:35:in `block (2 levels) in updated_lockfile_content'
	 5: from /workspace/vendor/ruby/2.6.0/gems/dependabot-npm_and_yarn-0.108.15/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb:115:in `run_current_npm_update'
	 4: from /workspace/vendor/ruby/2.6.0/gems/dependabot-npm_and_yarn-0.108.15/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb:137:in `run_npm_updater'
	 3: from /workspace/vendor/ruby/2.6.0/gems/dependabot-common-0.108.15/lib/dependabot/shared_helpers.rb:141:in `with_git_configured'
	 2: from /workspace/vendor/ruby/2.6.0/gems/dependabot-npm_and_yarn-0.108.15/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb:139:in `block in run_npm_updater'
	 1: from /workspace/vendor/ruby/2.6.0/gems/dependabot-npm_and_yarn-0.108.15/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb:151:in `run_npm_top_level_updater'
/workspace/vendor/ruby/2.6.0/gems/dependabot-common-0.108.15/lib/dependabot/shared_helpers.rb:112:in `run_helper_subprocess': 404 Not Found - GET https://registry.npmjs.org/mshell-node-metrics - Not found (Dependabot::SharedHelpers::HelperSubprocessFailed)
	12: from ./generic-update-script.rb:126:in `<main>'
	11: from ./generic-update-script.rb:126:in `each'
	10: from ./generic-update-script.rb:164:in `block in <main>'
	 9: from /workspace/vendor/ruby/2.6.0/gems/dependabot-npm_and_yarn-0.108.15/lib/dependabot/npm_and_yarn/file_updater.rb:39:in `updated_dependency_files'
	 8: from /workspace/vendor/ruby/2.6.0/gems/dependabot-npm_and_yarn-0.108.15/lib/dependabot/npm_and_yarn/file_updater.rb:148:in `updated_lockfiles'
	 7: from /workspace/vendor/ruby/2.6.0/gems/dependabot-npm_and_yarn-0.108.15/lib/dependabot/npm_and_yarn/file_updater.rb:148:in `each'
	 6: from /workspace/vendor/ruby/2.6.0/gems/dependabot-npm_and_yarn-0.108.15/lib/dependabot/npm_and_yarn/file_updater.rb:149:in `block in updated_lockfiles'
	 5: from /workspace/vendor/ruby/2.6.0/gems/dependabot-npm_and_yarn-0.108.15/lib/dependabot/npm_and_yarn/file_updater.rb:120:in `package_lock_changed?'
	 4: from /workspace/vendor/ruby/2.6.0/gems/dependabot-npm_and_yarn-0.108.15/lib/dependabot/npm_and_yarn/file_updater.rb:187:in `updated_package_lock_content'
	 3: from /workspace/vendor/ruby/2.6.0/gems/dependabot-npm_and_yarn-0.108.15/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb:24:in `updated_lockfile_content'
	 2: from /workspace/vendor/ruby/2.6.0/gems/dependabot-npm_and_yarn-0.108.15/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb:41:in `rescue in updated_lockfile_content'
	 1: from /workspace/vendor/ruby/2.6.0/gems/dependabot-npm_and_yarn-0.108.15/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb:181:in `handle_npm_updater_error'
/workspace/vendor/ruby/2.6.0/gems/dependabot-npm_and_yarn-0.108.15/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb:320:in `handle_missing_package': The following source could not be reached as it requires authentication (and any provided details were invalid or lacked the required permissions): artifactory.skyscannertools.net/artifactory/api/npm/npm/ (Dependabot::PrivateSourceAuthenticationFailure)

The exact same setup correctly raises PRs when I add an npmrc to the repo in question specifying the default registry.

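The failure reported in this thread can be caught before an update run by working out which registry each dependency resolves to from the repository's own files. The following is an added example, not code from dependabot-core or from the posters: it models only npm's `registry=` and `@scope:registry=` settings in `.npmrc`, and the helper names, the sample manifest and the `npm.internal.example` URL are constructed for illustration.

```ruby
require "json"

PUBLIC_NPM_REGISTRY = "https://registry.npmjs.org/"

# Constructed sample inputs (the package names are the two seen in the trace).
SAMPLE_PACKAGE_JSON = <<~JSON
  { "dependencies": { "debug": "^4.1.0", "mshell-node-metrics": "^1.0.0" } }
JSON
SAMPLE_NPMRC = "registry=https://npm.internal.example/\n"

# Parse .npmrc text (nil when the repo has no .npmrc) into the default
# registry and a scope => registry map. Other .npmrc keys are ignored.
def parse_npmrc(text)
  config = { default: PUBLIC_NPM_REGISTRY, scopes: {} }
  text.to_s.each_line do |line|
    line = line.strip
    next if line.empty? || line.start_with?("#", ";")
    key, value = line.split("=", 2).map(&:strip)
    next if value.nil? || value.empty?
    if key == "registry"
      config[:default] = value
    elsif (m = key.match(/\A(@[^:]+):registry\z/))
      config[:scopes][m[1]] = value
    end
  end
  config
end

# Map every dependency in package.json to the registry npm would query.
def registry_for_dependencies(package_json, npmrc_text)
  config = parse_npmrc(npmrc_text)
  manifest = JSON.parse(package_json)
  names = %w[dependencies devDependencies].flat_map { |k| manifest.fetch(k, {}).keys }
  names.uniq.to_h do |name|
    scope = name.start_with?("@") ? name.split("/", 2).first : nil
    [name, config[:scopes].fetch(scope, config[:default])]
  end
end

# Internal package names that would be requested from the public registry.
def public_lookups(package_json, npmrc_text, internal_names)
  public_url = PUBLIC_NPM_REGISTRY.chomp("/")
  registry_for_dependencies(package_json, npmrc_text)
    .select { |name, reg| internal_names.include?(name) && reg.chomp("/") == public_url }
    .keys
end
```

With no `.npmrc`, `public_lookups` returns the internal name, matching the 404 against `registry.npmjs.org` in the trace; with the sample `.npmrc` it returns an empty list.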