Swift: Add support for private SPM Package Registry dependencies (.package(id:)) #14112

@eric-robinson

Is there an existing issue for this?

  • I have searched the existing issues

Feature description

Package ecosystem

swift

Problem Description

Dependabot's Swift support does not handle SPM Package Registry dependencies declared with .package(id:) syntax. We use a private SPM registry (JFrog Artifactory) to distribute internal packages, and this prevents us from using Dependabot with our app's Swift packages.

Current behavior:

  1. Registry dependencies (.package(id: ...)) are not recognized
  2. If any package in the dependency graph uses registry dependencies, swift package show-dependencies fails because the registry is inaccessible: "error: no registry configured for 'company' scope"
  3. This blocks Dependabot entirely — even packages with only public URL-based dependencies cannot be processed if they transitively depend on a package with registry dependencies

Example Package.swift:

dependencies: [
    .package(id: "company.my-internal-package", from: "1.0.0"),  // Registry dependency - NOT supported
    .package(url: "https://github.com/Alamofire/Alamofire", from: "5.0.0"),  // Works
]

Impact

  • Cannot use Dependabot at all with a project that has registry dependencies anywhere in the dependency graph
  • exclude-paths config doesn't help because SPM resolves the full dependency graph before Dependabot's filtering applies

Environment

  • Swift tools version: 6.2
  • Registry: Private SPM registry (JFrog Artifactory)
  • Setup: Monorepo with multiple packages, some using registry dependencies
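
An added example, not part of the original issue and not Dependabot code: a sketch that inventories `.package(id:)` declarations across a monorepo's manifests and groups them by registry scope, showing which packages fall outside automated update coverage and which scopes would need a configured registry. The manifest paths and contents are constructed samples, and the scan only sees direct declarations, not packages that reach a registry dependency transitively.

```python
import re
from collections import defaultdict

# Constructed sample monorepo (path -> Package.swift excerpt); not from the issue's repository.
SAMPLE_MANIFESTS = {
    "Packages/App/Package.swift": '''
        .package(id: "company.my-internal-package", from: "1.0.0"),
        .package(url: "https://github.com/Alamofire/Alamofire", from: "5.0.0"),
    ''',
    "Packages/Core/Package.swift": '''
        // .package(id: "company.disabled", from: "0.1.0"),
        .package(id: "company.networking", exact: "2.3.1"),
        .package(id: "vendor.analytics", "1.0.0"..<"2.0.0"),
    ''',
    "Packages/UI/Package.swift": '''
        .package(url: "https://github.com/apple/swift-collections", from: "1.0.0"),
    ''',
}

# String literals are matched first so "//" inside a URL is not treated as a comment.
_TOKEN = re.compile(r'"(?:\\.|[^"\\\n])*"|//[^\n]*|/\*.*?\*/', re.S)
# .package(id: "scope.name", <requirement>): the registry form of a dependency.
_REGISTRY_DEP = re.compile(
    r'\.package\(\s*id:\s*"([A-Za-z0-9-]+)\.([A-Za-z0-9_-]+)"\s*,\s*([^)]*)\)')

def strip_comments(source):
    """Drop // and /* */ comments while leaving string literals untouched."""
    return _TOKEN.sub(lambda m: m.group(0) if m.group(0).startswith('"') else "", source)

def registry_dependencies(source):
    """Return (scope, identity, requirement) for each live .package(id:) declaration."""
    return [(scope, f"{scope}.{name}", req.strip())
            for scope, name, req in _REGISTRY_DEP.findall(strip_comments(source))]

def inventory(manifests):
    """Map each registry scope to the manifests and identities that depend on it."""
    by_scope = defaultdict(list)
    for path, source in manifests.items():
        for scope, identity, req in registry_dependencies(source):
            by_scope[scope].append((path, identity, req))
    return {scope: sorted(entries) for scope, entries in by_scope.items()}

def manifests_with_registry_deps(manifests):
    """Paths of manifests that directly declare at least one registry dependency."""
    return sorted(p for p, src in manifests.items() if registry_dependencies(src))

if __name__ == "__main__":
    for scope, entries in sorted(inventory(SAMPLE_MANIFESTS).items()):
        print(f"scope '{scope}' needs a configured registry:")
        for path, identity, req in entries:
            print(f"  {path}: {identity} ({req})")
```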
