Dependabot Proxy is now open source (MIT)

[ghostinhershell]

The Dependabot Proxy is now open source under the MIT license.
See the release notes: https://github.blog/changelog/2026-02-03-the-dependabot-proxy-is-now-open-source-with-an-mit-license/

What’s changing?

The Dependabot Proxy is the HTTP proxy that handles authentication when Dependabot connects to:

• the GitHub API, and
• private package registries

Now that it’s open source, you can inspect the code, file issues publicly, and contribute improvements.

Why this matters

Dependabot has helped teams keep dependencies up to date (and reduce exposure to known vulnerabilities) since it was introduced on GitHub in 2019. Open-sourcing the proxy is a meaningful step for:

• Auditability: review how authentication is handled end-to-end
• Extensibility: add or improve support for ecosystems and registries
• Community collaboration: propose fixes and enhancements upstream

What it supports

The proxy is written in Go and supports a wide range of ecosystems and tools, including:

• npm
• Maven
• Docker
• Cargo
• Helm
• NuGet
• pip
• RubyGems
• Terraform

It also supports multiple Git servers, including GitHub and Azure DevOps.

Get involved

• Read the announcement: https://github.blog/changelog/2026-02-03-the-dependabot-proxy-is-now-open-source-with-an-mit-license/
• If you use Dependabot heavily, consider reviewing the proxy’s behavior for your registries and opening issues/PRs with suggestions.

Questions or feedback? Drop them in the comments—especially around registry support, auth flows, or anything you’d like to see improved.