Dependabot timeout issue

[yashj24]

Why are you starting this discussion?

Question

What GitHub Actions topic or product is this about?

Dependabot

Discussion Details

I am running dependabot on a pnpm monorepo which has around 30 packages. I have started getting timeout errors after 55mins of the run from last 3-4 months. Has anyone else also started getting the same issue or know what is the probable cause around this? I have tried multiple solutions already available on internet but the issue seems to be still there. Earlier the dependabot runs were taking 1 and a half minutes only and suddenly started taking 55+ minutes( which results in timeout). Also anyone knows what is the difference between when dependabot wokrflow looks like : npm and yarn in/. #someNumber
And
npm and yarn in / for some dependencies

[yashj24]

I do have username and password in my dependabot workflow file. Have i got it right or is there something else you're suggesting about the registry token?

[yashj24]

I am using private artifactory that needs url and password for authentication

[lewiii254]

Hey @yashj24 👋

I ran into a really similar issue with my own pnpm monorepo (also around 25–30 packages). Dependabot would hang for almost an hour and then time out ,,, it used to finish in under 2 minutes before that.

What helped in my case was a mix of these tweaks:

Split updates by workspace – instead of one massive update, create multiple entries in your dependabot.yml for each package or group of packages. That way Dependabot resolves smaller trees and doesn’t choke on the full monorepo.

Move your registry credentials into dependabot.yml, not the workflow file. Since you’re using a private Artifactory, the setup might look like this:

yaml

registries:
  private-artifactory:
    type: npm-registry
    url: https://your-artifactory-domain/artifactory/api/npm/your-repo/
    username: ${{secrets.ARTIFACTORY_USERNAME}}
    password: ${{secrets.ARTIFACTORY_PASSWORD}}

updates:
  - package-ecosystem: "npm"
    directory: "/"
    registries:
      - private-artifactory
    schedule:
      interval: "weekly"

This makes sure Dependabot can authenticate cleanly and doesn’t keep retrying on failed requests (which is usually what eats up that 55+ minute window).

Commit your pnpm-lock.yaml ,,, if it’s missing or outdated, Dependabot takes forever trying to rebuild dependency graphs from scratch.

Once I made those changes, the timeout issues disappeared completely.

Hope that helps! 🚀

[yashj24]

Thanks for replying, i will surely try this. But do we know why dependabot started breaking and showing this behaviour in the first place?

[github-actions[bot]]

🕒 Discussion Activity Reminder 🕒

This Discussion has been labeled as dormant by an automated system for having no activity in the last 60 days. Please consider one the following actions:

1️⃣ Close as Out of Date: If the topic is no longer relevant, close the Discussion as out of date at the bottom of the page.

2️⃣ Provide More Information: Share additional details or context — or let the community know if you've found a solution on your own.

3️⃣ Mark a Reply as Answer: If your question has been answered by a reply, mark the most helpful reply as the solution.

Note: This dormant notification will only apply to Discussions with the Question label. To learn more, see our recent announcement.

Thank you for helping bring this Discussion to a resolution! 💬