Private and public npm registry for version updates with dependabot

[benebene84]

I want to enable version updates in Github dependabot with the help of a dependabot.yml file.

As dependencies in my package.json i have "normal" packages that should resolve to the npm registry and one private Github packages npm package. This is my dependabot.yml file:

# To get started with Dependabot version updates, you'll need to specify which
# package ecosystems to update and where the package manifests are located.
# Please see the documentation for all configuration options:
# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file



version: 2

registries:
  github-private:
    type: npm-registry
    url: https://npm.pkg.github.com
    token: ${{ secrets.WHATEVER_TOKEN_FOR_AUTH }}

updates:
  - package-ecosystem: "npm"
    directory: "/"
    registries:
      - github-private
    schedule:
      interval: "daily"
    groups:
      radix:
        patterns:
          - "@radix-ui/*"
      tanstack:
        patterns:
          - "@tanstack/*"
      storybook:
        patterns:
          - "@storybook/*"
          - "storybook"

Now if I look at the log files from dependabot, it tries to fetch all packages from the private Github packages, not only the one's i have specified in the .npmrc file.

if I add a allow and specify which packages should be allowed, it only tries to update the one package that is from the private repo.
Do I have to separate them?

Any help appreciated.

Thanks
Benedikt