Transitive public dependency of private npm package not resolved

[vinassefranche]

Package ecosystem
npm
Package manager version
yarn 3.2.0
Language version
node 16
Manifest location and content before the Dependabot update
package.json
dependabot.yml content

version: 2
registries:
  github-npm:
    type: npm-registry
    url: https://npm.pkg.github.com
    token: ${{secrets.XXXX}}
updates:
  - package-ecosystem: npm
    directory: "/"
    schedule:
      interval: daily
      time: '06:00'
      timezone: Europe/Paris
    registries:
      - github-npm
    open-pull-requests-limit: 6
    labels:
      - dependabot

We are using GitHub-native Dependabot now, but our project is private so I can't link you to the actual dependabot.yml.
Updated dependency
N/A
What you expected to see, versus what you actually saw
When dependabot tries to find recent versions to create pull requests, it checks for a private dependency (@inato/logging stored in https://npm.pkg.github.com), finds it thanks to the registry set in dependabot.yml but then fails to find the public sub-dependency loglevel because it tries to find it only in https://npm.pkg.github.com

Here are dependabot's logs concerning the update of eslint (it's the same for all the dependencies)

updater | INFO  Checking if eslint 8.17.0 needs updating
  proxy | 2022/06/20 14:20:49 [016] GET https://npm.pkg.github.com:443/eslint
  proxy | 2022/06/20 14:20:49 [016] * authenticating npm registry request (host: npm.pkg.github.com, token auth)
  proxy | 2022/06/20 14:20:49 [016] 404 https://npm.pkg.github.com:443/eslint
  proxy | 2022/06/20 14:20:50 [018] GET https://registry.npmjs.org:443/eslint
  proxy | 2022/06/20 14:20:50 [018] 200 https://registry.npmjs.org:443/eslint
  proxy | 2022/06/20 14:20:50 [020] GET https://registry.npmjs.org:443/eslint/8.18.0
  proxy | 2022/06/20 14:20:50 [020] 200 https://registry.npmjs.org:443/eslint/8.18.0
updater | INFO  Latest version is 8.18.0
  proxy | 2022/06/20 14:20:51 [022] GET https://npm.pkg.github.com:443/@inato%2flogging
  proxy | 2022/06/20 14:20:51 [022] * authenticating npm registry request (host: npm.pkg.github.com, token auth)
  proxy | 2022/06/20 14:20:52 [022] 200 https://npm.pkg.github.com:443/@inato%2flogging
  proxy | 2022/06/20 14:20:52 [024] GET https://npm.pkg.github.com:443/loglevel
  proxy | 2022/06/20 14:20:52 [024] * authenticating npm registry request (host: npm.pkg.github.com, token auth)
  proxy | 2022/06/20 14:20:52 [024] 404 https://npm.pkg.github.com:443/loglevel
updater | INFO  Requirements to unlock own
updater | INFO  Requirements update strategy bump_versions
updater | INFO  Updating eslint from 8.17.0 to 8.18.0
  proxy | 2022/06/20 14:20:52 [026] GET https://npm.pkg.github.com:443/@inato%2flogging
  proxy | 2022/06/20 14:20:52 [026] * authenticating npm registry request (host: npm.pkg.github.com, token auth)
  proxy | 2022/06/20 14:20:52 [026] 200 https://npm.pkg.github.com:443/@inato%2flogging
  proxy | 2022/06/20 14:20:52 [028] GET https://npm.pkg.github.com:443/loglevel
  proxy | 2022/06/20 14:20:52 [028] * authenticating npm registry request (host: npm.pkg.github.com, token auth)
  proxy | 2022/06/20 14:20:52 [028] 404 https://npm.pkg.github.com:443/loglevel
updater | INFO  Handled error whilst updating eslint: dependency_file_not_resolvable {:message=>"Error whilst updating eslint in /yarn.lock:\nCouldn't find package \"loglevel\" on the \"npm\" registry."}

I'm suprised that dependabot has anything to check on the private dependency during the process of checking another dependency but, more important, it should try to find the public sub-dependency in https://registry.npmjs.org if not found in the private registry

Tell me if you need more info about the yarn.lock or package.json files or something else

Native package manager behavior
N/A but there a no issues when trying to upgrade any dependency locally
Images of the diff or a link to the PR, issue, or logs

[broksonic21]

Confirming, we also see this on javascript:npm

[broksonic21]

Similar issue reported here for gems too, same basic impact (public of private transitive not working). Any general solve? #3461

[igrek8]

We are also facing the same problem. We have a private package in github npm registry that references packages from npmjs registry. Dependabot, for some reason, tries to resolve npmjs packages via github npm registry.

[broksonic21]

We were able to work around this by lowering our lock file to v2 (put this in our npmrc) and then rerunning npm install to get a new lock. v3 (npm 9+) seems to be the issue, but npm 9+ supports v2.

lockfile-version=2

#6507 (comment) was the hint.

[jakecoffman]

This is probably fixed by #7175.

Since Yarn Berry doesn't have resolved lines in the yarn.lock it was returning [] from dependency_urls which returned true here, thinking that the scoped registry was global, and injecting it into the yarn.rc file.

@vinassefranche could you confirm this is fixed?