Login to nexus repository fails with error message "update is impossible"

Hi there,

I am using Dependabot on a GitLab instance via https://gitlab.com/dependabot-gitlab/dependabot in server mode. I am trying to take internal packages from a nexus npm repository (Version: OSS 3.36.0-01) on an internal network.

As an anonymous user, I can read (but not access) the versions in the repository. Therefore, I get the following error for an internal package:

[2021-11-25 14:24:29 +0000 tid=1bhh class=DependencyUpdateJob] INFO: [repository=>npm] Fetching info for @group/package
[2021-11-25 14:24:33 +0000 tid=1bhh class=DependencyUpdateJob] INFO: [repository=>npm]   found version for update: @group/package: X.Y.Z => A.B.C
[2021-11-25 14:24:36 +0000 tid=1bhh class=DependencyUpdateJob] ERROR: [repository=>npm] The following source could not be reached as it requires authentication (and any provided details were invalid or lacked the required permissions): internal-nexus.com/repository/npm-repo-name

The update of external packages is triggered, however in the package-lock.json, the URL of these packages changes from:

"resolved": "https://internal-nexus.com/repository/npm-repo-name/@group/package/-/package-X.Y.Z.tgz",

to:

"resolved": "https://registry.npmjs.org/@group/package/-/package-A.B.C.tgz"

When I configure the credentials as per https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates#npm-registry (username and password), I get the following log message for every (internal and external) dependency that has been resolved via our nexus server before.

[2021-11-25 14:30:59 +0000 tid=1b81 class=DependencyUpdateJob] INFO: [repository=>npm] Fetching info for @group/package
[2021-11-25 14:31:17 +0000 tid=1b81 class=DependencyUpdateJob] INFO: [repository=>npm]   update for '@group/package: X.Y.Z' is impossible

There is no further logging about why this is impossible. I assume that the login into the repository failed and/or dependabot gets an error message from nexus and is therefore unable to evaluate the dependency updates properly. If I increase the log level via env.logLevel to debug, I do not get any additional information.

Is there any way to get additional information why the update is impossible? I suggest adjusting the error message to provide information that the login to the repository failed. I am not sure if this is an issue with dependabot-core or dependabot-gitlab. I therefore asked the same question here as well: https://github.com/dependabot/dependabot-core/issues/4455

It would be great if I could get a pointer in the right direction as to why exactly the update of my npm dependency fails and how I can resolve it.

Edited by Janosch Braukmann