Dependabot stops inferring .npmrc, uses dependabot.yml scope instead
Dependabot will no longer infer .npmrc configuration for npm private registries, resolving frequent authentication failures caused by lockfile inconsistencies. Instead, users can now define a `scope` property in their `dependabot.yml`, which becomes the authoritative source for registry configuration and takes precedence over committed .npmrc files. This enhancement is available for all github.com users and will ship in GHES 3.23.
Enhancements (1)
- Dependabot uses dependabot.yml scope for npm registry configuration
Dependabot will no longer infer .npmrc configuration for npm private registries, improving reliability by eliminating issues caused by lockfile inconsistencies. Users can now define a `scope` property in their `dependabot.yml` for npm registries, making this the authoritative source for configuration.
Notes (2)
- Scope property takes precedence and improves registry authentication
When the `scope` property is provided in `dependabot.yml`, it overrides all other .npmrc sources, including committed files. This simplifies registry authentication for private npm registries where a committed .npmrc is not present or needs to be managed centrally.
- Feature availability and usage
This feature is available for all github.com users and will be included in GHES 3.23. Users can update their `dependabot.yml` to incorporate the `scope` property for relevant npm registries.
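As an added illustration (not taken from the changelog or from GitHub's documentation), this is a `dependabot.yml` that declares the scope on the registry entry instead of relying on a committed .npmrc. The `registries`, `type: npm-registry`, `url` and `token` keys are existing `dependabot.yml` syntax; the placement and value format of `scope`, the `@my-org` scope, the registry name and the secret name are assumptions.

```yaml
# .github/dependabot.yml
version: 2

registries:
  npm-private:                      # hypothetical registry name
    type: npm-registry
    url: https://npm.pkg.github.com
    # Hypothetical secret name; the token lives in Dependabot secrets,
    # not in a file committed to the repository.
    token: ${{secrets.NPM_REGISTRY_TOKEN}}
    # Assumed form of the new property. It is meant to stand in for the
    # .npmrc mapping:
    #   @my-org:registry=https://npm.pkg.github.com
    scope: "@my-org"

updates:
  - package-ecosystem: "npm"
    directory: "/"
    registries:
      - npm-private                 # grants this update job access to the registry
    schedule:
      interval: "weekly"
```

With `scope` set, per the note above, this entry rather than any committed .npmrc determines which registry Dependabot uses for the scoped packages.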
https://github.blog/changelog/2026-06-30-dependabot-no-longer-infers-npmrc