Dependency proxy can be accessed with PATs that don't have the scopes read_registry and write_registry.
GitLab customers with an active subscription can reach out to GitLab Support when encountering unexpected problems with this change.
Deprecation Summary
The Dependency Proxy currently does not enforce access token scope restrictions during authentication. Users can access the Dependency Proxy using personal access tokens (PAT) or group access tokens without the required read_registry and write_registry scopes. This behavior will be changed to enforce proper scope checking.
Documentation
- Deprecation notice: #426887
- Migration guidelines:
Product Usage
The current documentation incorrectly states that users need a personal access token with read_registry and write_registry scopes to authenticate with the Dependency Proxy. However, users can currently authenticate and use the Dependency Proxy without these scopes, as demonstrated by successful docker login and docker pull operations.
Breaking Change?
Yes - This deprecation contains a breaking change as it will affect existing workflows that use tokens without the required scopes.
Affected Customers
Who is affected by this deprecation:
- GitLab.com
- Self-managed
- Dedicated
What pricing tiers are impacted:
- GitLab Free
- GitLab Premium
- GitLab Ultimate
Deprecation Milestone
This deprecation will be announced in milestone: 17.9
Planned Removal Milestone
The feature / functionality will be removed in milestone: 18.0
Rollout Plan
DRI Engineers: @10io
DRI Engineering Manager: @crystalpoole
- Describe rollout plans on GitLab.com
- Link to a feature flag rollout issue that covers:
  - Expected release date on GitLab.com and GitLab version
  - Rollout timelines
  - Creation of any clean-up issues
Migration Steps
Users need to:
- Create new access tokens with the required scopes (read_registry and write_registry)
- Update workflow variables and scripts with the new tokens
- Test their pipelines and workflows with the new tokens before the breaking change is implemented
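One way to find the tokens that will stop working once scope checking is enforced, as an added example (not GitLab's own code): it audits token records shaped like the response of GitLab's `GET /api/v4/personal_access_tokens/self` REST endpoint for the two scopes named above. The function names and the sample records are constructed for illustration, and the check assumes only the two scopes this notice lists.

```python
import json
import urllib.request
from datetime import date

# Scopes this notice says the Dependency Proxy will require.
REQUIRED_SCOPES = frozenset({"read_registry", "write_registry"})

def missing_scopes(token: dict) -> list:
    """Return the required scopes a token lacks, sorted for stable output."""
    return sorted(REQUIRED_SCOPES - set(token.get("scopes") or []))

def is_usable(token: dict, today: date) -> bool:
    """Revoked, inactive or expired tokens already fail and need no migration."""
    if token.get("revoked") or not token.get("active", True):
        return False
    expires = token.get("expires_at")
    # GitLab expires a token at 00:00 UTC on expires_at, so that day is too late.
    return expires is None or date.fromisoformat(expires) > today

def audit(tokens: list, today: date) -> dict:
    """Map token name -> missing scopes for usable tokens that will be rejected."""
    report = {}
    for tok in tokens:
        gaps = missing_scopes(tok)
        if gaps and is_usable(tok, today):
            report[tok["name"]] = gaps
    return report

def fetch_self(base_url: str, secret: str) -> dict:
    """Fetch the calling token's own metadata from the GitLab REST API."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v4/personal_access_tokens/self",
        headers={"PRIVATE-TOKEN": secret},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

# Constructed sample records (no real tokens), shaped like the API response.
SAMPLE = [
    {"name": "ci-pull", "scopes": ["read_api"], "active": True, "revoked": False, "expires_at": "2026-01-01"},
    {"name": "proxy-ro", "scopes": ["read_registry"], "active": True, "revoked": False, "expires_at": None},
    {"name": "proxy-ok", "scopes": ["read_registry", "write_registry"], "active": True, "revoked": False, "expires_at": None},
    {"name": "old-bot", "scopes": ["read_api"], "active": False, "revoked": True, "expires_at": None},
    {"name": "lapsed", "scopes": [], "active": True, "revoked": False, "expires_at": "2025-03-01"},
]

if __name__ == "__main__":
    for name, gaps in audit(SAMPLE, date(2025, 3, 1)).items():
        print(f"{name}: recreate with {', '.join(gaps)}")
```

`fetch_self` is the only part that touches the network; pass its result, or any list of records with the same fields, to `audit`.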
Development Tasks
- Implement scope logging during authentication - MR: !181756 (merged)
- Implement scope checking during authentication, behind a feature flag - MR: !182559 (merged)
- Create migration documentation
- Test impact on existing workflows
- Roll out the feature flag
- Clean up the packages_dependency_proxy_containers_scope_check feature flag
Impact Assessment
- Severity: High
- Scope: Group
- Resolution role: Maintainer
- Manual task required: Yes
- Implementation window: 3 months