Fix registry resolution for scoped npm packages without explicit scoped registry

[Copilot]

What are you trying to accomplish?

Dependabot incorrectly uses replaces-base registries for scoped packages that lack explicit scoped registry configuration. When a custom registry (e.g., GitHub npm) is configured with replaces-base: true for specific scoped packages like @chocoapp/*, Dependabot also attempts to fetch unrelated scoped packages like @types/k6 from that registry instead of the public npm registry, causing ERR_PNPM_NO_MATCHING_VERSION failures.

This fix ensures scoped packages without explicit scoped registry configuration use the public npm registry, not the replaces-base registry.

Anything you want to highlight for special attention from reviewers?

Changes to RegistryFinder:

• explicit_registry_from_rc: For scoped packages, falls back to global_registry_from_config_files (excludes replaces-base credentials) instead of configured_global_registry

• first_registry_with_dependency_details: When no registry has the dependency, scoped packages fall back to public npm registry instead of global_registry

• global_registry_from_config_files (new): Returns global registry from config files (.npmrc, .yarnrc, .yarnrc.yml) only, excluding replaces-base credentials

Registry resolution priority after fix:

1. Explicit scoped registry for the package's scope → use it
2. Global registry from config files (.npmrc/.yarnrc) → use it for all packages
3. No explicit config for scoped package → public npm registry (NOT replaces-base)
4. replaces-base registry → only for unscoped packages

How will you know you've accomplished your goal?

Added test case that reproduces the issue: configures a replaces-base credential for GitHub npm registry, then verifies @types/k6 resolves to public npm registry, not the GitHub registry.

All existing tests pass (57 registry_finder tests + 337 package/update_checker tests).

Checklist

• I have run the complete test suite to ensure all tests and linters pass.
• I have thoroughly tested my code changes to ensure they work as expected, including adding additional tests for new functionality.
• I have written clear and descriptive commit messages.
• I have provided a detailed description of the changes in the pull request, including the problem it addresses, how it fixes the problem, and any relevant details about the implementation.
• I have ensured that the code is well-documented and easy to understand.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• gitlab.com
  • Triggering command: /usr/bin/node node /usr/bin/corepack npm install babel-preset-php@gitlab:kornelski/babel-preset-php#5fbc24ccc37bd72052ce71ceae5b4934feb3ac19 --force --dry-run false --ignore-scripts --package-lock-only by/efd56fd6ee95a--global bash --no�� --noprofile e-handler f .com: bot/uv/file_updaconfig /snap/bin/grep /usr/bin/runc.orcredential.helper (dns block)
  • Triggering command: /usr/bin/node node /opt/npm_and_yarn/run.js f node k yarn config f caFilePath /etc/ssl/certs/cconfig f git k --global --add /usr/bin/git [email protected]/ update f /usr/bin/git (dns block)
  • Triggering command: /usr/bin/node node /opt/npm_and_yarn/run.js 3.4.0/bin/node node /usr�� pnpm r f --lockfile-only --no-save -r /usr/bin/git stat�� [email protected]: all d47f67a09506399dfc9ddc075d .com: .yarn/cache /usr/bin/node git (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Dependabot can't find dependency which obviously exists</issue_title>
<issue_description>### Is there an existing issue for this?

• I have searched the existing issues

Package ecosystem

npm

Package manager version

No response

Language version

No response

Manifest location and content before the Dependabot update

No response

dependabot.yml content

version: 2
registries:
  github-npm:
    type: npm-registry
    url: https://npm.pkg.github.com
    token: ${{secrets.NPM_TOKEN}}
updates:
  - package-ecosystem: 'npm'
    directory: '/spaces/platform/'
    schedule:
      interval: 'daily'
    registries:
      - github-npm
    allow:
      - dependency-type: 'all'
    ignore:
      - dependency-name: '@chocoapp/*'
        update-types: [ "version-update:semver-major" ]
    open-pull-requests-limit: 10
    commit-message:
      prefix: "chore(deps)"
      include: "scope"

What you expected to see, versus what you actually saw

I'm running Dependabot which is taking a lot of time and then gives me this error:

Progress: resolved 1, reused 0, downloaded 0, added 0
/home/dependabot/dependabot-updater/repo/spaces/platform/e2e:
 ERR_PNPM_NO_MATCHING_VERSION  No matching version found for @types/[email protected] while fetching it from https://npm.pkg.github.com/

It's very terse and also it's obviously not true because these types are right there in NPM.

</issue_description>

Comments on the Issue (you are @copilot in this section)

@a-schur Greetings @alperchoco #13030 has been closed. Is this issue still appearing for you? If so please provide a link to the relevant manifest files to reproduce

• Fixes Dependabot can't find dependency which obviously exists #13214

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.