Renovate hostRules 401 for a private registry in CI
Renovate authenticates to private registries through hostRules. A 401 means no valid token was sent for that host: either there is no hostRules entry, the matchHost does not match the feed, or the referenced secret resolved to empty.
What this error means
Renovate logs a 401 or 403 for a private registry host during dependency lookup or lockfile update, and packages from that feed are never updated.
WARN: Received a 401 (Unauthorized) response
hostType: npm
host: pkgs.internal.example.comCommon causes
No hostRules entry for the registry host
Without a hostRules rule matching the host, Renovate sends unauthenticated requests and the feed returns 401.
matchHost mismatch or an empty token
A matchHost that does not match the actual host, or a secret that resolved to empty, leaves the request unauthenticated.
How to fix it
Add a matching hostRules entry
- Set
matchHostto the exact registry host. - Set
hostTypeto the ecosystem (npm, pypi, docker, maven). - Provide the token from an encrypted value or environment secret.
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"hostRules": [
{
"matchHost": "pkgs.internal.example.com",
"hostType": "npm",
"token": "{{ secrets.NPM_INTERNAL_TOKEN }}"
}
]
}Verify scope for a persistent 403
A 403 authenticates but lacks access. Confirm the token belongs to a principal permitted to read that feed or package.
How to prevent it
- Keep a hostRules entry for each private registry host.
- Match
matchHostexactly and set the correcthostType. - Store tokens as encrypted secrets, never in plaintext config.