Paklo Docs

Private Registries and Feeds

Configure authentication for private package registries, feeds, and repositories.

Dependabot can authenticate to private package sources to access internal dependencies. See GitHub's Dependabot Private Registry Documentation for the general configuration; this page documents only the Paklo-specific differences.

Basic Configuration

Define registries in the top-level registries section:

version: 2
registries:
  my-private-npm:
    type: npm-registry
    url: https://npm.example.com
    token: ${{ NPM_TOKEN }}

updates:
  - package-ecosystem: "npm"
    directory: "/"
    registries:
      - my-private-npm
    schedule:
      interval: "weekly"

Azure DevOps-Specific: Variable Substitution

Use ${{ VARIABLE_NAME }} syntax for secrets:

registries:
  my-registry:
    type: npm-registry
    url: https://npm.example.com
    token: ${{ NPM_TOKEN }}

Important differences from GitHub:

  • ❌ Azure DevOps template variables ($(VariableName)) are not supported
  • ✅ Use ${{ VARIABLE_NAME }} notation instead
  • Variable substitution only works in these fields: username, password, token, key

Variable sources:

  • CLI: Environment variables, manual prompt input
  • Extension: Pipeline variables, variable groups
  • Hosted: Web interface configuration

Azure DevOps-Specific: Artifacts Configuration

Token Format

Important: Use the PAT: prefix for Azure DevOps feeds:

registries:
  azure-artifacts:
    type: nuget-feed
    url: https://pkgs.dev.azure.com/org/_packaging/feed/nuget/v3/index.json
    token: PAT:${{ AZDO_PAT }}

Feed URL Format

# All views
url: https://pkgs.dev.azure.com/{org}/_packaging/{feed}/nuget/v3/index.json

# Specific view
url: https://pkgs.dev.azure.com/{org}/_packaging/{feed}@{view}/nuget/v3/index.json

PAT Permissions

The Personal Access Token must have:

  • Packaging (Read) permission
  • Access to the feed (granted directly or via [{project}]\Contributors group)

Example: Azure DevOps Artifacts with npm

version: 2
registries:
  azure-nuget:
    type: nuget-feed
    url: https://pkgs.dev.azure.com/org/_packaging/feed/nuget/v3/index.json
    token: PAT:${{ AZDO_PAT }}
  
  npm-private:
    type: npm-registry
    url: https://npm.example.com
    token: ${{ NPM_TOKEN }}

updates:
  - package-ecosystem: "nuget"
    directory: "/"
    registries:
      - azure-nuget
    schedule:
      interval: "weekly"
  
  - package-ecosystem: "npm"
    directory: "/frontend"
    registries:
      - npm-private
    schedule:
      interval: "weekly"

Troubleshooting

Authentication Failures

Common issues:

  1. Incorrect or expired credentials
  2. Missing token permissions
  3. Self-signed certificates - see Custom CA Certificates
  4. For Azure DevOps: Missing PAT: prefix or wrong feed URL

Debug:

paklo run --debug ...

Azure DevOps Feed Issues

  1. Check PAT format - Must use PAT:${{ VARIABLE }}

  2. Verify feed URL - Use full v3 API URL format

  3. Check permissions - PAT needs Packaging (Read)

  4. Test manually:

    curl -u "user:$AZDO_PAT" https://pkgs.dev.azure.com/org/_packaging/feed/nuget/v3/index.json
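
A pre-flight check for the rules on this page (substitution syntax, which fields are substituted, the PAT: prefix), added here as an example and not part of Paklo. It assumes the registries section has already been parsed into a dict, for instance by a YAML library; `lint_registries`, the literal-credential rule and the sample registry names are hypothetical.

```python
import re

# Fields the page lists as supporting ${{ VARIABLE_NAME }} substitution.
SECRET_FIELDS = {"username", "password", "token", "key"}
PLACEHOLDER = re.compile(r"\$\{\{\s*\w+\s*\}\}")
AZDO_MACRO = re.compile(r"\$\([^)]+\)")  # $(VariableName): not supported
AZDO_FEED = re.compile(r"^https://pkgs\.dev\.azure\.com/", re.I)
FEED = "https://pkgs.dev.azure.com/org/_packaging/feed/nuget/v3/index.json"


def lint_registries(registries):
    """Return (registry, field, problem) tuples for a parsed registries mapping."""
    findings = []
    for name, reg in registries.items():
        for field, raw in reg.items():
            value = str(raw)
            macro = bool(AZDO_MACRO.search(value))
            placeholder = bool(PLACEHOLDER.search(value))
            if macro:
                findings.append((name, field, "$(...) is not substituted; use ${{ ... }}"))
            if placeholder and field not in SECRET_FIELDS:
                findings.append((name, field, "placeholder in a field that is never substituted"))
            # Assumption: a username may be literal, other credentials should not be.
            if field in SECRET_FIELDS - {"username"} and not (macro or placeholder):
                findings.append((name, field, "literal credential committed to the repository"))
        token = str(reg.get("token", ""))
        if token and AZDO_FEED.match(str(reg.get("url", ""))) and not token.startswith("PAT:"):
            findings.append((name, "token", "Azure DevOps feed token is missing the PAT: prefix"))
    return findings


# Constructed sample input, not taken from a real repository.
SAMPLE = {
    "azure-artifacts": {"type": "nuget-feed", "url": FEED, "token": "PAT:${{ AZDO_PAT }}"},
    "bad-macro": {"type": "npm-registry", "url": "https://npm.example.com", "token": "$(NPM_TOKEN)"},
    "bad-prefix": {"type": "nuget-feed", "url": FEED, "token": "${{ AZDO_PAT }}"},
    "bad-url": {"type": "npm-registry", "url": "https://${{ HOST }}/npm", "token": "${{ NPM_TOKEN }}"},
    "bad-literal": {"type": "npm-registry", "url": "https://npm.example.com",
                    "username": "ci-bot", "password": "constructed-not-a-real-secret"},
}

if __name__ == "__main__":
    for name, field, problem in lint_registries(SAMPLE):
        print(f"{name}.{field}: {problem}")
```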
