What you expected to see, versus what you actually saw
When Dependabot is asked to resolve a security alert and open a PR in a repository that has a private registry configured through the GitHub Package Registry, it looks for updates to the affected package on the GitHub Package Registry even though the package is a public one. It should instead look in the yarn registry, as recorded in the yarn.lock file.
Native package manager behavior
The native package manager looks for updates to the package in the registry specified in the lockfile.
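As an added illustration (not code from this issue or from Dependabot), the per-scope registry routing Yarn Berry performs when it fetches an `npm:` resolution: a scoped package uses the `npmScopes` entry for its scope in `.yarnrc.yml`, and everything else falls back to `npmRegistryServer`, so an unscoped public package such as `undici` never goes to a scoped private registry. The `@myorg` scope, the config dict and the lockfile resolutions below are constructed for the example.

```python
"""Work out which registry Yarn Berry would fetch each lockfile entry from."""
import re

# Constructed stand-in for a parsed .yarnrc.yml. The keys are Yarn's real ones:
# npmRegistryServer (default) and npmScopes.<scope>.npmRegistryServer (per-scope).
YARNRC = {
    "npmRegistryServer": "https://registry.yarnpkg.com",
    "npmScopes": {
        # "@myorg" is a placeholder scope routed to the GitHub Package Registry.
        "myorg": {"npmRegistryServer": "https://npm.pkg.github.com"},
    },
}

# Berry lockfile resolution strings look like "name@proto:ref",
# e.g. "undici@npm:6.19.8", "@myorg/lib@npm:1.2.0", "myapp@workspace:.".
RESOLUTION_RE = re.compile(r"^(?P<name>@?[^@]+)@(?P<proto>[a-z]+):(?P<ref>.+)$")


def registry_for(package_name, yarnrc):
    """Mirror Yarn's routing: scoped package -> its npmScopes registry if set, else the default."""
    if package_name.startswith("@"):
        scope = package_name[1:].split("/", 1)[0]
        scoped = yarnrc.get("npmScopes", {}).get(scope, {})
        if "npmRegistryServer" in scoped:
            return scoped["npmRegistryServer"]
    # Yarn Berry's built-in default when npmRegistryServer is unset.
    return yarnrc.get("npmRegistryServer", "https://registry.yarnpkg.com")


def audit(resolutions, yarnrc):
    """Map each resolution to the registry it would be fetched from.

    None means no registry fetch at all (workspace:, patch:, portal: and similar protocols).
    """
    result = {}
    for res in resolutions:
        m = RESOLUTION_RE.match(res)
        if not m:
            raise ValueError(f"unrecognised resolution: {res!r}")
        result[res] = registry_for(m["name"], yarnrc) if m["proto"] == "npm" else None
    return result


if __name__ == "__main__":
    # Constructed lockfile entries, including the package named in the issue.
    sample = ["undici@npm:6.21.1", "@myorg/internal-lib@npm:1.2.0", "myapp@workspace:."]
    for res, registry in audit(sample, YARNRC).items():
        print(f"{res:40} -> {registry or '(no registry fetch)'}")
```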
Images of the diff or a link to the PR, issue, or logs
Is there an existing issue for this?
Package ecosystem
npm
Package manager version
yarn v4.5.3
Language version
Node.js v22.13.1
Manifest location and content before the Dependabot update
No response
dependabot.yml content
Updated dependency
undici from 6.19.8 to 6.21.1 or later
Smallest manifest that reproduces the issue