The Dependabot Proxy is now open source with an MIT license
Source: GitHub Changelog
What’s new
- Review the source code to see how authentication works for various package managers and Git servers.
- Submit bug fixes or add support for new package ecosystems.
- File issues and engage with the development team in the open.
This HTTP proxy handles authentication when Dependabot connects to the GitHub API and to private package registries. The proxy is written in Go and supports npm, Maven, Docker, Cargo, Helm, NuGet, pip, RubyGems, and Terraform, along with Git servers such as GitHub, Azure DevOps, and others.
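As an added example (not the Dependabot Proxy's own code), this Go sketch shows the property such a proxy has to get right: a registry credential is attached only to requests bound for the host it was configured for, and any Authorization header supplied by the update job itself is discarded, so a private-registry token can never be forwarded to an unrelated server. The hostname and token are constructed placeholders; TLS CONNECT tunnelling is out of scope.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httputil"
	"strings"
)

// Credential is a bearer token bound to exactly one registry host.
type Credential struct {
	Host  string // constructed example: "npm.internal.example"
	Token string // constructed placeholder, never a real secret
}

// Injector holds the per-host credentials the proxy may attach.
type Injector struct {
	creds map[string]Credential
}

// NewInjector indexes credentials by lower-cased host for lookup.
func NewInjector(cs []Credential) *Injector {
	m := make(map[string]Credential, len(cs))
	for _, c := range cs {
		m[strings.ToLower(c.Host)] = c
	}
	return &Injector{creds: m}
}

// Authorize rewrites the outbound Authorization header. Whatever the client
// sent is dropped so credentials never originate from the untrusted job, and
// a header is set only when the destination host has a configured credential.
// It reports whether a credential was attached.
func (i *Injector) Authorize(req *http.Request) bool {
	req.Header.Del("Authorization")
	c, ok := i.creds[strings.ToLower(req.URL.Hostname())]
	if !ok {
		return false
	}
	req.Header.Set("Authorization", "Bearer "+c.Token)
	return true
}

// NewProxy wraps the injector in a plain-HTTP forward proxy handler.
func NewProxy(i *Injector) http.Handler {
	return &httputil.ReverseProxy{Director: func(req *http.Request) { i.Authorize(req) }}
}

func main() {
	inj := NewInjector([]Credential{{Host: "npm.internal.example", Token: "placeholder-token"}})
	req, _ := http.NewRequest("GET", "https://npm.internal.example/lodash", nil)
	fmt.Println(inj.Authorize(req), req.Header.Get("Authorization"))
}
```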
Why this matters
Dependabot has been helping GitHub users keep dependencies up to date since 2019. Millions of developers use it each month to stay on top of security vulnerabilities.
Open sourcing the proxy means you can now see exactly how your dependency updates are authenticated. This is especially useful for organizations with strict compliance requirements that need to audit the tools in their software supply chain.