Dependabot requires private repo auth when it is unnecessary #9712

Open
1 task done
mbrancato opened this issue May 13, 2024 · 4 comments
Labels
F: private-registries 💂‍♂️ Issues about using private registries with Dependabot; may be paired with an R: label. F: security-updates 🔐 Issues specific to security updates good first issue L: python T: bug 🐞 Something isn't working

Comments

@mbrancato

Is there an existing issue for this?

  • I have searched the existing issues

Package ecosystem

pip

Package manager version

poetry 1.7.x

Language version

python 3.11

Manifest location and content before the Dependabot update

No response

dependabot.yml content

No response

Updated dependency

No response

What you expected to see, versus what you actually saw

When using poetry, dependabot cannot open PRs for vulnerable packages identified in poetry.lock because it is trying to install private packages that are not needed to update the poetry.lock file.

For example, in GitHub, an error like this will be seen on the Dependabot vulnerability page.

Creating virtualenv my-app-3Y8T20qu-py3.11 in /home/dependabot/.cache/pypoetry/virtualenvs
Updating dependencies
Resolving dependencies...
Source (my_private_pypi): Authorization error accessing <redacted>

Package [my-private-dependency] not found.

However, locally I can do all that is needed to update the dependencies using the following pattern:
poetry update <vulnerable-dep> --lock

Here, the --lock will constrain the work to only updating the lock file, not needing to install all the other dependencies.

Native package manager behavior

% poetry update <vulnerable-dep> --lock
Updating dependencies
Resolving dependencies... (1.9s)

Writing lock file

Images of the diff or a link to the PR, issue, or logs

No response

Smallest manifest that reproduces the issue

No response

@mbrancato mbrancato added the T: bug 🐞 Something isn't working label May 13, 2024
@mbrancato
Author

To clarify something here: this is probably due to Dependabot trying to install deps before doing the update. As I see it currently, Dependabot is using --lock on the actual update command. But there is no need to actually install packages beforehand, or create a venv at all, to do the update. But Dependabot is obviously using a venv.

e.g.

% pip freeze
% poetry update sqlparse --lock --no-interaction
Updating dependencies
Resolving dependencies... (1.9s)

Writing lock file

@Nishnha Nishnha added F: private-registries 💂‍♂️ Issues about using private registries with Dependabot; may be paired with an R: label. F: security-updates 🔐 Issues specific to security updates labels May 13, 2024
@Nishnha
Member

Nishnha commented May 13, 2024

Hi @mbrancato I'll try to get some eyes on this. Do you have an example that you could share that reproduces this, or the job ID of a job that shows this behavior? The job ID should be printed out in the job logs.

@mbrancato
Author

Hi @Nishnha - here is a job ID: 827058885

I was able to do the same work that Dependabot should try to do without any authorization by simply relying on updating the public dependencies.
