Release

February 3, 2026 | 1 minute read

The Dependabot Proxy is now open source with an MIT license

The Dependabot Proxy is now available as open source under the MIT license.

What’s new

You can now:

  • Review the source code to see how authentication works for various package managers and Git servers.
  • Submit bug fixes or add support for new package ecosystems.
  • File issues and engage with the development team in the open.

This HTTP proxy handles authentication when Dependabot connects to the GitHub API and private package registries. The proxy is built in Go and supports npm, Maven, Docker, Cargo, Helm, NuGet, pip, RubyGems, and Terraform, along with Git servers like GitHub, Azure DevOps, and others.

Why this matters

Dependabot has been helping GitHub users keep their dependencies up to date since 2019. Millions of developers use it each month to stay on top of security vulnerabilities.

Open sourcing the proxy means you can now see exactly how your dependency updates are authenticated. This is especially useful for organizations with strict compliance requirements that need to audit the tools in their software supply chain.
