releases.shpreview

.npmrc inference removed; scope property now authoritative

1 featureThis release1 featureNew capabilitiesAI-tallied from the release notes
From the original release noteView original ↗

Dependabot will no longer attempt to infer .npmrc configuration for npm private registries. Previously, Dependabot tried to reconstruct .npmrc contents from lockfile resolved URLs, but incorrect lockfile URLs, lockfile format differences across npm, Yarn v1, Yarn Berry, and pnpm, and other edge cases regularly caused registry authentication failures.

What’s changing

You can now define a scope property on registries in your dependabot.yml. Dependabot uses this to automatically generate the correct .npmrc. When scope is provided, it takes precedence over all other .npmrc sources, including any committed .npmrc file in your repository. This makes dependabot.yml the authoritative source for registry configuration.

If your repository already includes a checked-in .npmrc and you have not configured scope, Dependabot will continue to use it. The scope property is only needed when you don’t have a committed .npmrc and are relying on Dependabot’s inference.

Who can use this feature

This feature is available for all github.com users and will ship in GHES 3.23.

Get started

Review the Dependabot configuration docs and update your dependabot.yml to add scope to any npm registries that need it.

The post Dependabot no longer infers .npmrc appeared first on The GitHub Blog.

Fetched June 30, 2026

.npmrc inference removed; scope property now authoritative… — releases.sh