
Dependabot still tries to access the private package even though I have added it to the ignore list #8176

Open
1 task done
276210854 opened this issue Oct 11, 2023 · 1 comment
Labels
F: dependency-ignores Allow excluding certain versions L: javascript:pnpm npm packages via pnpm T: bug 🐞 Something isn't working

Comments

@276210854

Is there an existing issue for this?

  • I have searched the existing issues

Package ecosystem

pnpm

Package manager version

7.5.0

Language version

No response

Manifest location and content before the Dependabot update

example demo: https://github.com/leileiDemo/dependabot_demo/network/updates

dependabot.yml content

```yaml
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    versioning-strategy: auto
    schedule:
      interval: "daily"
    open-pull-requests-limit: 12
    ignore:
      - dependency-name: "@liveramp/*"
      - dependency-name: "@trycourier/react-hooks"
      - dependency-name: "@trycourier/react-provider"
      - dependency-name: "eslint"
      - dependency-name: "@commitlint/cli"
      - dependency-name: "react"
        versions: ["17.x", "18.x", "16.x"]
      - dependency-name: "react-dom"
        versions: ["17.x", "18.x", "16.x"]
    groups:
      dev-dependencies:
        patterns:
          - "*"
        update-types:
          - "minor"
          - "patch"
    commit-message:
      prefix: "chore(welcome): "
    target-branch: "main"
    labels:
      - "change/standard"
      - "dependencies"
    assignees:
      - "ambershi1"
```

Updated dependency

No response

What you expected to see, versus what you actually saw

I want to ignore the private packages, which means Dependabot will not have access to the private package, but it still accesses the private package, which causes a couple of errors like the one below:
```
 WARN  GET https://liveramp/browserslist-config-common/-/@liveramp/browserslist-config-common-0.0.1.tgz failed, reason: socket hang up
updater | FetchError: request to https://library.liveramp.net/artifactory/api/npm/npm/@liveramp/browserslist-config-common/-/@liveramp/browserslist-config-common-0.0.1.tgz failed, reason: socket hang up
updater |     at ClientRequest.<anonymous> (/home/dependabot/.cache/node/corepack/pnpm/8.8.0/dist/pnpm.cjs:69204:18)
updater |     at ClientRequest.emit (node:events:517:28)
updater |     at TLSSocket.socketOnEnd (node:_http_client:525:9)
updater |     at TLSSocket.emit (node:events:529:35)
updater |     at endReadableNT (node:internal/streams/readable:1368:12)
updater |     at process.processTicksAndRejections (node:internal/process/task_queues:82:21)
```

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

No response

Smallest manifest that reproduces the issue

No response

@276210854 276210854 added the T: bug 🐞 Something isn't working label Oct 11, 2023
@jakecoffman jakecoffman added F: dependency-ignores Allow excluding certain versions L: javascript:pnpm npm packages via pnpm labels Oct 12, 2023
@deivid-rodriguez
Contributor

The ignore configuration means that Dependabot won't open PRs for the ignored dependencies, but in general, Dependabot still needs to access all dependencies to be able to provide a valid result. This is not because of what Dependabot does, but because we delegate to package managers (in this case, to PNPM) and PNPM needs to fetch the dependency.

This particular problem may be fixed once this upstream issue is closed.
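To make the distinction in the comment above concrete, here is an added example (not Dependabot's own code) that applies the issue's `ignore` rules to a constructed list of candidate updates and reports which ones would be suppressed. It assumes the documented matching semantics: `dependency-name` accepts `*` wildcards, and a `versions` entry such as `"17.x"` matches any version whose leading components equal the pattern's non-wildcard components; an entry without `versions` ignores every version. The candidate list is constructed for illustration, and every candidate in it still had to be resolved by pnpm before the filter could run.

```python
"""Which candidate updates does a dependabot.yml `ignore` block suppress?

Added example, not Dependabot's implementation. `ignore` decides only whether
a pull request is opened; the package manager still resolves (and fetches)
every dependency, including private ones, before this filter applies.
"""
from fnmatch import fnmatchcase

# Constructed copy of the `ignore` list from the issue's dependabot.yml.
IGNORE_RULES = [
    {"dependency-name": "@liveramp/*"},
    {"dependency-name": "@trycourier/react-hooks"},
    {"dependency-name": "@trycourier/react-provider"},
    {"dependency-name": "eslint"},
    {"dependency-name": "@commitlint/cli"},
    {"dependency-name": "react", "versions": ["17.x", "18.x", "16.x"]},
    {"dependency-name": "react-dom", "versions": ["17.x", "18.x", "16.x"]},
]

# Constructed candidate updates (name, proposed version); not from the issue.
CANDIDATES = [
    ("@liveramp/browserslist-config-common", "0.0.2"),
    ("react", "18.2.0"),
    ("react", "19.0.0"),
    ("eslint", "9.0.0"),
    ("lodash", "4.17.21"),
]


def version_matches(pattern: str, version: str) -> bool:
    """True if `version` falls under a pattern like "17.x" ("x" or "*" is a wildcard)."""
    want = pattern.split(".")
    have = version.split(".")
    for p, v in zip(want, have):
        if p in ("x", "*"):
            return True          # wildcard reached: everything before it matched
        if p != v:
            return False
    # No wildcard: the pattern must be a component-wise prefix of the version.
    return len(want) <= len(have)


def is_ignored(name: str, new_version: str, rules=IGNORE_RULES) -> bool:
    """True if the rules would stop Dependabot from opening a PR for this update."""
    for rule in rules:
        if not fnmatchcase(name, rule["dependency-name"]):
            continue
        versions = rule.get("versions")
        if not versions:         # no version filter: every version is ignored
            return True
        if any(version_matches(v, new_version) for v in versions):
            return True
    return False


def partition_updates(candidates, rules=IGNORE_RULES):
    """Split (name, version) candidates into (proposed, suppressed) lists."""
    proposed, suppressed = [], []
    for name, version in candidates:
        bucket = suppressed if is_ignored(name, version, rules) else proposed
        bucket.append((name, version))
    return proposed, suppressed


if __name__ == "__main__":
    proposed, suppressed = partition_updates(CANDIDATES)
    print("PRs would be opened for:", proposed)
    print("Suppressed by ignore rules:", suppressed)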
