Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Dependabot will check public package against private source if defined registries in dependabot.yml #8554

Open
1 task done
lucemia opened this issue Dec 7, 2023 · 1 comment
Open
1 task done

Dependabot will check public package against private source if defined registries in dependabot.yml #8554

lucemia opened this issue Dec 7, 2023 · 1 comment
Labels
good first issue T: bug 🐞 Something isn't working

Comments

@lucemia
Copy link
Contributor

lucemia commented Dec 7, 2023
edited
Loading

Is there an existing issue for this?

  • I have searched the existing issues

Package ecosystem

poetry

Package manager version

1.6

Language version

3.10

Manifest location and content before the Dependabot update

/

dependabot.yml content

registries:
  python-gcp:
    password: ${{secrets.ARTIFACT_REGISTRY_PASSWD}}
    replaces-base: true
    type: python-index
    url: https://my-private-pypi/repo/repo-pypi/simple/
    username: _json_key_base64
updates:
- allow:
  - dependency-type: all
  directory: /
  groups:
    development-dependencies:
      dependency-type: development
      update-types:
      - minor
      - patch
    production-dependencies:
      dependency-type: production
      update-types:
      - minor
      - patch
  insecure-external-code-execution: allow
  open-pull-requests-limit: 10
  package-ecosystem: pip
  registries:
  - python-gcp
  schedule:
    interval: daily
version: 2

Updated dependency

N/A

What you expected to see, versus what you actually saw

Actually:

  • At present, the Dependabot updater tries to update public packages with private sources during the process.
  • this bug looks like only happened when a registries section is defined in the dependabot.yml file.

Expected:

  • The expected behavior is that when updating public packages such as 'cached-property,' Dependabot should avoid accessing private sources.

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

Without defined registries in dependabot.yml

Work correctly

  proxy | 2023/12/07 03:30:04 proxy starting, commit: 6cffd6fae1b2f713f2d837bc45fe916f855c821d
  proxy | 2023/12/07 03:30:04 Listening (:1080)
updater | 2023-12-07T03:30:05.965262007 [759417634:main:WARN:src/devices/src/legacy/serial.rs:222] Detached the serial input due to peer close/error.
updater | time="2023-12-07T03:30:11Z" level=info msg="guest starting" commit=17df297b9449ef5936111b658329653bcfc0c9bc
updater | time="2023-12-07T03:30:11Z" level=info msg="starting job..." fetcher_timeout=10m0s job_id=759417634 updater_timeout=45m0s updater_version=3126ecb2189b09965814c7ac0c569480b18a65f0-pip
updater | 2023/12/07 03:30:20 INFO Raven 3.1.2 ready to catch errors
updater | 2023/12/07 03:30:28 INFO <job_759417634> Starting job processing
  proxy | 2023/12/07 03:30:29 [002] GET https://github.com:443/livingbio/dependabot-bug-1/info/refs?service=git-upload-pack
  proxy | 2023/12/07 03:30:29 [002] * authenticating git server request (host: github.com)
  proxy | 2023/12/07 03:30:29 [002] 200 https://github.com:443/livingbio/dependabot-bug-1/info/refs?service=git-upload-pack
  proxy | 2023/12/07 03:30:29 [003] POST https://github.com:443/livingbio/dependabot-bug-1/git-upload-pack
  proxy | 2023/12/07 03:30:29 [003] * authenticating git server request (host: github.com)
  proxy | 2023/12/07 03:30:29 [003] 200 https://github.com:443/livingbio/dependabot-bug-1/git-upload-pack
  proxy | 2023/12/07 03:30:29 [004] POST https://github.com:443/livingbio/dependabot-bug-1/git-upload-pack
  proxy | 2023/12/07 03:30:29 [004] * authenticating git server request (host: github.com)
  proxy | 2023/12/07 03:30:29 [004] 200 https://github.com:443/livingbio/dependabot-bug-1/git-upload-pack
updater | 2023/12/07 03:30:30 INFO <job_759417634> Finished job processing
updater | time="2023-12-07T03:30:30Z" level=info msg="task complete" container_id=job-759417634-file-fetcher exit_code=0 job_id=759417634 step=fetcher
updater | 2023/12/07 03:30:36 INFO Raven 3.1.2 ready to catch errors
updater | 2023/12/07 03:30:39 INFO <job_759417634> Starting job processing
updater | 2023/12/07 03:30:53 WARN <job_759417634> Please check your configuration as there are groups where no dependencies match:
updater | - development-dependencies
updater | 
updater | This can happen if:
updater | - the group's 'pattern' rules are mispelled
updater | - your configuration's 'allow' rules do not permit any of the dependencies that match the group
updater | - the dependencies that match the group rules have been removed from your project
updater | 
updater | 2023/12/07 03:30:54 INFO <job_759417634> Starting grouped update job for livingbio/dependabot-bug-1
updater | 2023/12/07 03:30:54 INFO <job_759417634> Found 2 group(s).
updater | 2023/12/07 03:30:54 WARN <job_759417634> Skipping update group for 'development-dependencies' as it does not match any allowed dependencies.
updater | 2023/12/07 03:30:54 INFO <job_759417634> Starting update group for 'production-dependencies'
updater | 2023/12/07 03:30:58 INFO <job_759417634> Checking if requests 2.31.0 needs updating
  proxy | 2023/12/07 03:30:58 [012] GET https://pypi.org:443/simple/requests/
  proxy | 2023/12/07 03:30:58 [012] 200 https://pypi.org:443/simple/requests/
updater | 2023/12/07 03:30:59 INFO <job_759417634> Latest version is 2.31.0
updater | 2023/12/07 03:31:04 INFO <job_759417634> Checking if certifi 2023.11.17 needs updating
  proxy | 2023/12/07 03:31:04 [014] GET https://pypi.org:443/simple/certifi/
  proxy | 2023/12/07 03:31:04 [014] 200 https://pypi.org:443/simple/certifi/
updater | 2023/12/07 03:31:04 INFO <job_759417634> Latest version is 2023.11.17
updater | 2023/12/07 03:31:09 INFO <job_759417634> Checking if charset-normalizer 3.3.2 needs updating
  proxy | 2023/12/07 03:31:09 [016] GET https://pypi.org:443/simple/charset-normalizer/
  proxy | 2023/12/07 03:31:09 [016] 200 https://pypi.org:443/simple/charset-normalizer/
updater | 2023/12/07 03:31:10 INFO <job_759417634> Latest version is 3.3.2
updater | 2023/12/07 03:31:15 INFO <job_759417634> Checking if idna 3.6 needs updating
  proxy | 2023/12/07 03:31:15 [018] GET https://pypi.org:443/simple/idna/
  proxy | 2023/12/07 03:31:15 [018] 200 https://pypi.org:443/simple/idna/
updater | 2023/12/07 03:31:15 INFO <job_759417634> Latest version is 3.6
updater | 2023/12/07 03:31:18 INFO <job_759417634> Checking if urllib3 2.1.0 needs updating
  proxy | 2023/12/07 03:31:18 [020] GET https://pypi.org:443/simple/urllib3/
  proxy | 2023/12/07 03:31:18 [020] 200 https://pypi.org:443/simple/urllib3/
updater | 2023/12/07 03:31:19 INFO <job_759417634> Latest version is 2.1.0
updater | 2023/12/07 03:31:19 INFO <job_759417634> Nothing to update for Dependency Group: 'production-dependencies'
updater | 2023/12/07 03:31:19 INFO <job_759417634> Starting update job for livingbio/dependabot-bug-1
updater | 2023/12/07 03:31:19 INFO <job_759417634> Checking all dependencies for version updates...
updater | 2023/12/07 03:31:19 INFO <job_759417634> Checking if urllib3 2.1.0 needs updating
  proxy | 2023/12/07 03:31:19 [022] GET https://pypi.org:443/simple/urllib3/
  proxy | 2023/12/07 03:31:19 [022] 200 https://pypi.org:443/simple/urllib3/
updater | 2023/12/07 03:31:19 INFO <job_759417634> Latest version is 2.1.0
updater | 2023/12/07 03:31:19 INFO <job_759417634> No update needed for urllib3 2.1.0
updater | 2023/12/07 03:31:19 INFO <job_759417634> Checking if requests 2.31.0 needs updating
  proxy | 2023/12/07 03:31:19 [024] GET https://pypi.org:443/simple/requests/
  proxy | 2023/12/07 03:31:19 [024] 200 https://pypi.org:443/simple/requests/
updater | 2023/12/07 03:31:20 INFO <job_759417634> Latest version is 2.31.0
updater | 2023/12/07 03:31:20 INFO <job_759417634> No update needed for requests 2.31.0
updater | 2023/12/07 03:31:20 INFO <job_759417634> Checking if idna 3.6 needs updating
  proxy | 2023/12/07 03:31:20 [026] GET https://pypi.org:443/simple/idna/
  proxy | 2023/12/07 03:31:20 [026] 200 https://pypi.org:443/simple/idna/
updater | 2023/12/07 03:31:20 INFO <job_759417634> Latest version is 3.6
updater | 2023/12/07 03:31:20 INFO <job_759417634> No update needed for idna 3.6
updater | 2023/12/07 03:31:20 INFO <job_759417634> Checking if certifi 2023.11.17 needs updating
  proxy | 2023/12/07 03:31:20 [028] GET https://pypi.org:443/simple/certifi/
  proxy | 2023/12/07 03:31:20 [028] 200 https://pypi.org:443/simple/certifi/
updater | 2023/12/07 03:31:20 INFO <job_759417634> Latest version is 2023.11.17
updater | 2023/12/07 03:31:20 INFO <job_759417634> No update needed for certifi 2023.11.17
updater | 2023/12/07 03:31:20 INFO <job_759417634> Checking if charset-normalizer 3.3.2 needs updating
  proxy | 2023/12/07 03:31:20 [030] GET https://pypi.org:443/simple/charset-normalizer/
  proxy | 2023/12/07 03:31:20 [030] 200 https://pypi.org:443/simple/charset-normalizer/
updater | 2023/12/07 03:31:22 INFO <job_759417634> Latest version is 3.3.2
updater | 2023/12/07 03:31:22 INFO <job_759417634> No update needed for charset-normalizer 3.3.2
updater | 2023/12/07 03:31:22 INFO <job_759417634> Finished job processing
updater | time="2023-12-07T03:31:22Z" level=info msg="task complete" container_id=job-759417634-updater exit_code=0 job_id=759417634 step=updater

with defined registries in dependabot.yml

dependabot will check private source

  proxy | 2023/12/07 03:11:26 proxy starting, commit: 6cffd6fae1b2f713f2d837bc45fe916f855c821d
  proxy | 2023/12/07 03:11:26 Listening (:1080)
updater | 2023-12-07T03:11:26.867180700 [759412622:main:WARN:src/devices/src/legacy/serial.rs:222] Detached the serial input due to peer close/error.
updater | time="2023-12-07T03:11:28Z" level=info msg="guest starting" commit=17df297b9449ef5936111b658329653bcfc0c9bc
updater | time="2023-12-07T03:11:28Z" level=info msg="starting job..." fetcher_timeout=10m0s job_id=759412622 updater_timeout=45m0s updater_version=3126ecb2189b09965814c7ac0c569480b18a65f0-pip
updater | 2023/12/07 03:11:30 INFO Raven 3.1.2 ready to catch errors
updater | 2023/12/07 03:11:31 INFO <job_759412622> Starting job processing
  proxy | 2023/12/07 03:11:31 [002] GET https://github.com:443/livingbio/Dependabot-bug/info/refs?service=git-upload-pack
  proxy | 2023/12/07 03:11:31 [002] * authenticating git server request (host: github.com)
  proxy | 2023/12/07 03:11:32 [002] 200 https://github.com:443/livingbio/Dependabot-bug/info/refs?service=git-upload-pack
  proxy | 2023/12/07 03:11:32 [003] POST https://github.com:443/livingbio/Dependabot-bug/git-upload-pack
  proxy | 2023/12/07 03:11:32 [003] * authenticating git server request (host: github.com)
  proxy | 2023/12/07 03:11:32 [003] 200 https://github.com:443/livingbio/Dependabot-bug/git-upload-pack
  proxy | 2023/12/07 03:11:32 [004] POST https://github.com:443/livingbio/Dependabot-bug/git-upload-pack
  proxy | 2023/12/07 03:11:32 [004] * authenticating git server request (host: github.com)
  proxy | 2023/12/07 03:11:32 [004] 200 https://github.com:443/livingbio/Dependabot-bug/git-upload-pack
updater | 2023/12/07 03:11:32 INFO <job_759412622> Finished job processing
updater | time="2023-12-07T03:11:32Z" level=info msg="task complete" container_id=job-759412622-file-fetcher exit_code=0 job_id=759412622 step=fetcher
updater | 2023/12/07 03:11:33 INFO Raven 3.1.2 ready to catch errors
updater | 2023/12/07 03:11:34 INFO <job_759412622> Starting job processing
updater | 2023/12/07 03:11:38 WARN <job_759412622> Please check your configuration as there are groups where no dependencies match:
updater | - development-dependencies
updater | 
updater | This can happen if:
updater | - the group's 'pattern' rules are mispelled
updater | - your configuration's 'allow' rules do not permit any of the dependencies that match the group
updater | - the dependencies that match the group rules have been removed from your project
updater | 
updater | 2023/12/07 03:11:38 INFO <job_759412622> Starting grouped update job for livingbio/Dependabot-bug
updater | 2023/12/07 03:11:38 INFO <job_759412622> Found 2 group(s).
updater | 2023/12/07 03:11:38 WARN <job_759412622> Skipping update group for 'development-dependencies' as it does not match any allowed dependencies.
updater | 2023/12/07 03:11:38 INFO <job_759412622> Starting update group for 'production-dependencies'
updater | 2023/12/07 03:11:39 INFO <job_759412622> Checking if requests 2.31.0 needs updating
  proxy | 2023/12/07 03:11:39 [012] GET https://my-private-pypi/repo/repo-pypi/simple/requests/
  proxy | 2023/12/07 03:11:39 [012] * authenticating python index request (host: asia-east1-python.pkg.dev)
  proxy | 2023/12/07 03:11:40 [012] 404 https://my-private-pypi/repo/repo-pypi/simple/requests/
updater | 2023/12/07 03:11:40 INFO <job_759412622> Latest version is 
updater | 2023/12/07 03:11:41 INFO <job_759412622> Checking if certifi 2023.11.17 needs updating
  proxy | 2023/12/07 03:11:42 [014] GET https://my-private-pypi/repo/repo-pypi/simple/certifi/
  proxy | 2023/12/07 03:11:42 [014] * authenticating python index request (host: asia-east1-python.pkg.dev)
  proxy | 2023/12/07 03:11:42 [014] 404 https://my-private-pypi/repo/repo-pypi/simple/certifi/
updater | 2023/12/07 03:11:42 INFO <job_759412622> Latest version is 
updater | 2023/12/07 03:11:43 INFO <job_759412622> Checking if charset-normalizer 3.3.2 needs updating
  proxy | 2023/12/07 03:11:43 [016] GET https://my-private-pypi/repo/repo-pypi/simple/charset-normalizer/
  proxy | 2023/12/07 03:11:43 [016] * authenticating python index request (host: asia-east1-python.pkg.dev)
  proxy | 2023/12/07 03:11:43 [016] 404 https://my-private-pypi/repo/repo-pypi/simple/charset-normalizer/
updater | 2023/12/07 03:11:43 INFO <job_759412622> Latest version is 
updater | 2023/12/07 03:11:44 INFO <job_759412622> Checking if idna 3.6 needs updating
  proxy | 2023/12/07 03:11:44 [018] GET https://my-private-pypi/repo/repo-pypi/simple/idna/
  proxy | 2023/12/07 03:11:44 [018] * authenticating python index request (host: asia-east1-python.pkg.dev)
  proxy | 2023/12/07 03:11:45 [018] 404 https://my-private-pypi/repo/repo-pypi/simple/idna/
updater | 2023/12/07 03:11:45 INFO <job_759412622> Latest version is 
updater | 2023/12/07 03:11:46 INFO <job_759412622> Checking if urllib3 2.1.0 needs updating
  proxy | 2023/12/07 03:11:46 [020] GET https://my-private-pypi/repo/repo-pypi/simple/urllib3/
  proxy | 2023/12/07 03:11:46 [020] * authenticating python index request (host: asia-east1-python.pkg.dev)
  proxy | 2023/12/07 03:11:46 [020] 404 https://my-private-pypi/repo/repo-pypi/simple/urllib3/
updater | 2023/12/07 03:11:46 INFO <job_759412622> Latest version is 
updater | 2023/12/07 03:11:46 INFO <job_759412622> Nothing to update for Dependency Group: 'production-dependencies'
updater | 2023/12/07 03:11:46 INFO <job_759412622> Starting update job for livingbio/Dependabot-bug
updater | 2023/12/07 03:11:46 INFO <job_759412622> Checking all dependencies for version updates...
updater | 2023/12/07 03:11:46 INFO <job_759412622> Checking if idna 3.6 needs updating
  proxy | 2023/12/07 03:11:46 [022] GET https://my-private-pypi/repo/repo-pypi/simple/idna/
  proxy | 2023/12/07 03:11:46 [022] * authenticating python index request (host: asia-east1-python.pkg.dev)
  proxy | 2023/12/07 03:11:47 [022] 404 https://my-private-pypi/repo/repo-pypi/simple/idna/
updater | 2023/12/07 03:11:47 INFO <job_759412622> Latest version is 
  proxy | 2023/12/07 03:11:49 [024] GET https://pypi.org:443/simple/idna/
  proxy | 2023/12/07 03:11:49 [024] 200 https://pypi.org:443/simple/idna/
  proxy | 2023/12/07 03:11:49 [025] GET https://pypi.org:443/pypi/idna/3.6/json
  proxy | 2023/12/07 03:11:49 [025] 200 https://pypi.org:443/pypi/idna/3.6/json
  proxy | 2023/12/07 03:11:49 [027] GET https://files.pythonhosted.org:443/packages/c2/e7/a82b05cf63a603df6e68d59ae6a68bf5064484a0718ea5033660af4b54a9/idna-3.6-py3-none-any.whl
  proxy | 2023/12/07 03:11:49 [027] 200 https://files.pythonhosted.org:443/packages/c2/e7/a82b05cf63a603df6e68d59ae6a68bf5064484a0718ea5033660af4b54a9/idna-3.6-py3-none-any.whl
  proxy | 2023/12/07 03:11:49 [028] GET https://pypi.org:443/pypi/requests/2.31.0/json
  proxy | 2023/12/07 03:11:49 [028] 200 https://pypi.org:443/pypi/requests/2.31.0/json
  proxy | 2023/12/07 03:11:50 [029] GET https://pypi.org:443/pypi/certifi/2023.11.17/json
  proxy | 2023/12/07 03:11:50 [029] 200 https://pypi.org:443/pypi/certifi/2023.11.17/json
  proxy | 2023/12/07 03:11:50 [030] GET https://files.pythonhosted.org:443/packages/64/62/428ef076be88fa93716b576e4a01f919d25968913e817077a386fcbe4f42/certifi-2023.11.17-py3-none-any.whl
  proxy | 2023/12/07 03:11:50 [030] 200 https://files.pythonhosted.org:443/packages/64/62/428ef076be88fa93716b576e4a01f919d25968913e817077a386fcbe4f42/certifi-2023.11.17-py3-none-any.whl
  proxy | 2023/12/07 03:11:50 [031] GET https://pypi.org:443/pypi/urllib3/2.1.0/json
  proxy | 2023/12/07 03:11:50 [031] 200 https://pypi.org:443/pypi/urllib3/2.1.0/json
  proxy | 2023/12/07 03:11:50 [032] GET https://pypi.org:443/pypi/charset-normalizer/3.3.2/json
  proxy | 2023/12/07 03:11:50 [032] 200 https://pypi.org:443/pypi/charset-normalizer/3.3.2/json
  proxy | 2023/12/07 03:11:50 [033] GET https://files.pythonhosted.org:443/packages/28/76/e6222113b83e3622caa4bb41032d0b1bf785250607392e1b778aca0b8a7d/charset_normalizer-3.3.2-py3-none-any.whl
  proxy | 2023/12/07 03:11:50 [033] 200 https://files.pythonhosted.org:443/packages/28/76/e6222113b83e3622caa4bb41032d0b1bf785250607392e1b778aca0b8a7d/charset_normalizer-3.3.2-py3-none-any.whl
updater | 2023/12/07 03:11:50 INFO <job_759412622> Requirements to unlock update_not_possible
updater | 2023/12/07 03:11:50 INFO <job_759412622> Requirements update strategy bump_versions
updater | 2023/12/07 03:11:50 INFO <job_759412622> No update possible for idna 3.6
updater | 2023/12/07 03:11:50 INFO <job_759412622> Checking if certifi 2023.11.17 needs updating
  proxy | 2023/12/07 03:11:50 [035] GET https://my-private-pypi/repo/repo-pypi/simple/certifi/
  proxy | 2023/12/07 03:11:50 [035] * authenticating python index request (host: asia-east1-python.pkg.dev)
  proxy | 2023/12/07 03:11:50 [035] 404 https://my-private-pypi/repo/repo-pypi/simple/certifi/
updater | 2023/12/07 03:11:50 INFO <job_759412622> Latest version is 
  proxy | 2023/12/07 03:11:52 [037] GET https://pypi.org:443/simple/certifi/
  proxy | 2023/12/07 03:11:52 [037] 200 https://pypi.org:443/simple/certifi/
updater | 2023/12/07 03:11:52 INFO <job_759412622> Requirements to unlock update_not_possible
updater | 2023/12/07 03:11:52 INFO <job_759412622> Requirements update strategy bump_versions
updater | 2023/12/07 03:11:52 INFO <job_759412622> No update possible for certifi 2023.11.17
updater | 2023/12/07 03:11:52 INFO <job_759412622> Checking if requests 2.31.0 needs updating
  proxy | 2023/12/07 03:11:52 [039] GET https://my-private-pypi/repo/repo-pypi/simple/requests/
  proxy | 2023/12/07 03:11:52 [039] * authenticating python index request (host: asia-east1-python.pkg.dev)
  proxy | 2023/12/07 03:11:53 [039] 404 https://my-private-pypi/repo/repo-pypi/simple/requests/
updater | 2023/12/07 03:11:53 INFO <job_759412622> Latest version is 
  proxy | 2023/12/07 03:11:53 [041] GET https://pypi.org:443/pypi/dependabot/json/
  proxy | 2023/12/07 03:11:53 [041] 301 https://pypi.org:443/pypi/dependabot/json/
  proxy | 2023/12/07 03:11:53 [043] GET https://pypi.org:443/pypi/dependabot/json
  proxy | 2023/12/07 03:11:53 [043] 404 https://pypi.org:443/pypi/dependabot/json
  proxy | 2023/12/07 03:11:55 [045] GET https://pypi.org:443/simple/requests/
  proxy | 2023/12/07 03:11:55 [045] 200 https://pypi.org:443/simple/requests/
updater | 2023/12/07 03:11:55 INFO <job_759412622> Requirements to unlock update_not_possible
  proxy | 2023/12/07 03:11:55 [047] GET https://pypi.org:443/pypi/dependabot/json/
  proxy | 2023/12/07 03:11:55 [047] 301 https://pypi.org:443/pypi/dependabot/json/
  proxy | 2023/12/07 03:11:55 [049] GET https://pypi.org:443/pypi/dependabot/json
  proxy | 2023/12/07 03:11:55 [049] 404 https://pypi.org:443/pypi/dependabot/json
updater | 2023/12/07 03:11:55 INFO <job_759412622> Requirements update strategy bump_versions
updater | 2023/12/07 03:11:55 INFO <job_759412622> No update possible for requests 2.31.0
updater | 2023/12/07 03:11:55 INFO <job_759412622> Checking if urllib3 2.1.0 needs updating
  proxy | 2023/12/07 03:11:55 [051] GET https://my-private-pypi/repo/repo-pypi/simple/urllib3/
  proxy | 2023/12/07 03:11:55 [051] * authenticating python index request (host: asia-east1-python.pkg.dev)
  proxy | 2023/12/07 03:11:55 [051] 404 https://my-private-pypi/repo/repo-pypi/simple/urllib3/
updater | 2023/12/07 03:11:55 INFO <job_759412622> Latest version is 
  proxy | 2023/12/07 03:11:57 [053] GET https://pypi.org:443/simple/urllib3/
  proxy | 2023/12/07 03:11:57 [053] 200 https://pypi.org:443/simple/urllib3/
updater | 2023/12/07 03:11:58 INFO <job_759412622> Requirements to unlock update_not_possible
updater | 2023/12/07 03:11:58 INFO <job_759412622> Requirements update strategy bump_versions
updater | 2023/12/07 03:11:58 INFO <job_759412622> No update possible for urllib3 2.1.0
updater | 2023/12/07 03:11:58 INFO <job_759412622> Checking if charset-normalizer 3.3.2 needs updating
  proxy | 2023/12/07 03:11:58 [055] GET https://my-private-pypi/repo/repo-pypi/simple/charset-normalizer/
  proxy | 2023/12/07 03:11:58 [055] * authenticating python index request (host: asia-east1-python.pkg.dev)
  proxy | 2023/12/07 03:11:58 [055] 404 https://my-private-pypi/repo/repo-pypi/simple/charset-normalizer/
updater | 2023/12/07 03:11:58 INFO <job_759412622> Latest version is 
  proxy | 2023/12/07 03:12:00 [057] GET https://pypi.org:443/simple/charset-normalizer/
  proxy | 2023/12/07 03:12:00 [057] 200 https://pypi.org:443/simple/charset-normalizer/
updater | 2023/12/07 03:12:00 INFO <job_759412622> Requirements to unlock update_not_possible
updater | 2023/12/07 03:12:00 INFO <job_759412622> Requirements update strategy bump_versions
updater | 2023/12/07 03:12:00 INFO <job_759412622> No update possible for charset-normalizer 3.3.2
updater | 2023/12/07 03:12:00 INFO <job_759412622> Finished job processing
updater | time="2023-12-07T03:12:00Z" level=info msg="task complete" container_id=job-759412622-updater exit_code=0 job_id=759412622 step=updater

Smallest manifest that reproduces the issue

[tool.poetry]
name = "dependabot"
version = "0.0.0"
description = ""
authors = ["lucemia <[email protected]>"]
readme = "README.md"

[tool.poetry.dependencies]
python = "^3.10.8, <3.12"
requests = "*"

[build-system]
requires = ["poetry-core>=1.0.0", "poetry-dynamic-versioning"]
build-backend = "poetry_dynamic_versioning.backend"

[[tool.poetry.source]]
name = "g8"
priority = "explicit"
@lucemia lucemia added the T: bug 🐞 Something isn't working label Dec 7, 2023
@lucemia lucemia changed the title Dependabot Bot check public package against private source Dependabot will check public package against private source if defined registries in dependabot.yml Dec 7, 2023
@lucemia lucemia mentioned this issue Dec 12, 2023
Closed
1 task
@domsj-foodpairing
Copy link

I'm also experiencing this.
I want to add/clarify the following.

Poetry has support for different priorities for additional package sources, see https://python-poetry.org/docs/repositories/#project-configuration
One of those priorities is named explicit, as used in the example config from OP above.
Poetry documentation states the following:

Explicit sources are considered only for packages that explicitly indicate their source.

Despite this dependabot is indeed checking for each (pypi public) package some information on the private package source.
This slow things down and may lead to incorrect results.

@domsj-foodpairing domsj-foodpairing mentioned this issue Feb 29, 2024
Closed
1 task
@Nishnha Nishnha mentioned this issue May 13, 2024
Open
1 task
@fragkakis fragkakis mentioned this issue Jan 14, 2025
Open
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
good first issue T: bug 🐞 Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@lucemia @abdulapopoola @domsj-foodpairing