Dependabot errors when npmAlwaysAuth is true

[apgrucza]

Select Topic Area

Bug

Body

I have dependabot.yml and .yarnrc.yml configured to use a private npm registry, but the Dependabot update jobs all fail with errors such as this:

updater | 2024/02/13 23:29:52 ERROR <job_786741409> Error processing webpack (Dependabot::SharedHelpers::HelperSubprocessFailed)
updater | 2024/02/13 23:29:52 ERROR <job_786741409> ➤ YN0000: ┌ Resolution step
updater | ➤ YN0033: │ webpack@npm:^5.90.1: No authentication configured for request
updater | ➤ YN0000: └ Completed
updater | ➤ YN0000: Failed with errors in 0s 182ms

dependabot.yml:

version: 2
registries:
  npm-artifactory:
    type: npm-registry
    url: https://[redacted]
    token: ${{secrets.MY_ARTIFACTORY_ACCESS_TOKEN}}
    replaces-base: true
updates:
  - package-ecosystem: "npm"
    directory: "/src/tv"
    registries:
      - npm-artifactory
    schedule:
      interval: "monthly"
    open-pull-requests-limit: 20

.yarnrc.yml:

npmRegistryServer: "https://[redacted]"
npmAlwaysAuth: true
npmAuthToken: "${ARTIFACTORY_ACCESS_TOKEN:-}"

The errors seem to go away when I change npmAlwaysAuth to false, but I cannot do that because then when I run yarn in my local environment (which has ARTIFACTORY_ACCESS_TOKEN set), it doesn't authenticate with my private registry. So I need Dependabot to work when npmAlwaysAuth is true.

[carogalvin]

Have you reviewed the documentation on how to set up Dependabot to access private registries? https://docs.github.com/en/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot

[apgrucza]

Yes I have, and I have also read this page, which says that .yarnrc.yml should not contain environment variables. Whereas this page says you can, as long as you provide a fallback value. I thought I had done this with npmAuthToken: "${ARTIFACTORY_ACCESS_TOKEN:-}", but when I change this to provide a non-empty fallback value with npmAuthToken: "${ARTIFACTORY_ACCESS_TOKEN:-foo}", the Dependabot errors go away!

Obviously foo is not a valid token, so this result is surprising. Although it seems I've found a solution, I'd still appreciate an explanation of why one works and not the other (since an empty value and foo are both invalid tokens).

A separate but related observation I have made is regarding npmRegistryServer. I used to have this in .yarnrc.yml:

npmRegistryServer: "https://${NPM_REGISTRY:-artifactory.jfrog.redacted/artifactory/api/npm/redacted-npm/}"

This used to work fine, but at some point it stopped working and Dependabot gave errors such as this:

updater | 2024/02/15 02:10:37 ERROR <job_787248991> bad URI(is not URI?): "https://${NPM_REGISTRY:-artifactory.jfrog.redacted/artifactory/api/npm/redacted-npm/}/eslint-config-prettier"

It would be nice if this was fixed, but at least there's a workaround of just hardcoding the URL.

If the above unexpected behaviours cannot be fixed, I'd at least like to see them documented here and/or here.

[apgrucza]

This problem still exists. In addition, something has changed recently that caused the workaround described above (providing a non-empty fallback for npmAuthToken) to not work anymore. I suspect that the bogus fallback value for npmAuthToken is now overriding the valid credentials in dependabot.yml.