NuGet feed URL https://nuget.pkg.github.com breaks Dependabot, should org-scoped URL be documented?

[loekensgard]

Code of Conduct

• I have read and agree to the GitHub Docs project's Code of Conduct

What article on docs.github.com is affected?

Defining registry access for code scanning default setup

What changes are you suggesting?

The documentation states that https://nuget.pkg.github.com/ should be used as NuGet feed URL for Dependabot.
However, this base URL causes HTTP 405 errors when Dependabot attempts to resolve packages, resulting in partial updates, only projects that don't reference private packages get updated, while others are silently skipped.

When the URL is changed to the org-scoped format https://nuget.pkg.github.com/{org}/index.json, Dependabot resolves packages correctly and all projects are updated as expected.

Should the documentation recommend the org-scoped URL instead?

Additional information

Reproduced on internal repositories using GitHub Packages as a private NuGet registry within a GitHub organization.

proxy | GET https://nuget.pkg.github.com:443/FindPackagesById()?id='Intility.Logging.AspNetCore'&semVerLevel=2.0.0                                                                                                       
proxy | 405 https://nuget.pkg.github.com:443/FindPackagesById()...                                                
proxy | error unmarshalling xml response (https://nuget.pkg.github.com/): XML syntax error on line 27: attribute name without = in element

[welcome]

Thanks for opening this issue. A GitHub docs team member should be by to give feedback soon. In the meantime, please check out the contributing guidelines.