Open timheuer opened 5 months ago
I downloaded BaGet but wasn't able to repro. Can you give some details on how you have BaGet set up?
This isn’t dependent on BaGet. I get this cache bar all the time.
Adding the content from e-mail here:
Yellow bar during installation is standard. The idea is that the status from the installation operation is posted on that yellow bar, somewhere visible to the user. This yellow bar would normally be very quick, and not raise much suspicion in general.
The process of operations for an installation in PackageReference is really a restore. Restore itself is broken into a few parts; for simplicity, I'll call out that it's package resolution and package download, assets selection and then vulnerability checking. Based on the internal video + investigation, we think it might be that restore is stuck waiting for a request to complete acquiring vulnerability data (which is why it gets stuck at vulnerability info cache consistently).
Some guesses were because that's the first time that source is being accessed, details on PackageReference and requiring sources to always be available - https://learn.microsoft.com/en-us/nuget/consume-packages/package-references-in-project-files#packagereference-and-sources, which could be due to the source mapping existing.
We're yet unable to confirm the repro.
Assigning to current hotseat @kartheekp-ms to investigate more. Feel free to chat with us (@jgonz120 and me) offline.
Team Triage:
A few ideas:
@kartheekp-ms Please continue the investigation so we can confirm our assumptions. If you find anything not aligning with our assumptions, please let us know so we can retriage.
I am able to reproduce the yellow bar in Visual Studio by following the steps below.
Manage NuGet Packages..
Microsoft.Extensions.DependencyInjection
package Install
Actual: I noticed the yellow bar for only a fraction of a second that has the same message mentioned in the issue description.
Upon debugging, I found the exact line of code and call stack that resulted in this yellow bar. Looking at the commit history it looks like commit has introduced a new method to run NuGet audit while enabling vulnerability checking for packages.config projects during commandline restore. There have been some changes to the same file in https://github.com/NuGet/NuGet.Client/pull/5646 PR. These changes were pointing to the packages.config style projects but not sure yet why this change impacts package reference style projects also.
NuGet.PackageManagement.UI.dll
NuGet.PackageManagement.UI.PackageRestoreBar.ShowMessage(string message) Line 367
NuGet.PackageManagement.UI.PackageRestoreBar.Log(MessageLevel level, string message, object[] args) Line 300
NuGet.PackageManagement.dll
NuGet.ProjectManagement.LoggerAdapter.LogInformation(string data) Line 34
NuGet.Protocol.dll
NuGet.Protocol.HttpSource.GetAsync.AnonymousMethod__0(CancellationToken lockedToken) Line 87
NuGet.Protocol.HttpSource.GetAsync<CaseInsensitiveDictionary<IReadOnlyList<PackageVulnerabilityInfo>>>(HttpSourceCachedRequest request, Func<HttpSourceResult, Task<CaseInsensitiveDictionary<IReadOnlyList<PackageVulnerabilityInfo>>>> processAsync, ILogger log, CancellationToken token) Line 79
NuGet.Protocol.Resources.VulnerabilityInfoResourceV3.GetVulnerabilityDataAsync(V3VulnerabilityIndexEntry vulnerabilityPage, SourceCacheContext cacheContext, ILogger logger, CancellationToken cancellationToken) Line 98
NuGet.Protocol.Resources.VulnerabilityInfoResourceV3.GetVulnerabilityInfoAsync(SourceCacheContext cacheContext, ILogger logger, CancellationToken cancellationToken) Line 151
NuGet.Common.dll
NuGet.Common.ConcurrencyUtilities.ExecuteWithFileLockedAsync<CaseInsensitiveDictionary<IReadOnlyList<PackageVulnerabilityInfo>>>(string filePath, Func<CancellationToken, Task<CaseInsensitiveDictionary<IReadOnlyList<PackageVulnerabilityInfo>>>> action, CancellationToken token) Line 102
NuGet.PackageManagement.dll (Async)
NuGet.PackageManagement.AuditChecker.GetAllVulnerabilityDataAsync.__GetVulnerabilityInfoAsync|5_0(SourceRepository source, SourceCacheContext cacheContext, ILogger logger) Line 186
NuGet.PackageManagement.AuditChecker.GetAllVulnerabilityDataAsync(List<SourceRepository> sourceRepositories, SourceCacheContext sourceCacheContext, ILogger logger, CancellationToken cancellationToken) Line 141
NuGet.PackageManagement.AuditChecker.CheckPackageVulnerabilitiesAsync(IEnumerable<PackageRestoreData> packages, Dictionary<string, RestoreAuditProperties> restoreAuditProperties, CancellationToken cancellationToken) Line 58
NuGet.PackageManagement.PackageRestoreManager.RunNuGetAudit(PackageRestoreContext packageRestoreContext, List<SourceRepository> sourceRepositories) Line 457
NuGet.PackageManagement.PackageRestoreManager.RestoreMissingPackagesAsync(PackageRestoreContext packageRestoreContext, INuGetProjectContext nuGetProjectContext, PackageDownloadContext downloadContext) Line 405
NuGet.PackageManagement.PackageRestoreManager.RestoreMissingPackagesAsync(string solutionDirectory, IEnumerable<PackageRestoreData> packages, INuGetProjectContext nuGetProjectContext, PackageDownloadContext downloadContext, ILogger logger, CancellationToken token) Line 360
NuGet.PackageManagement.PackageRestoreManager.RestoreMissingPackagesInSolutionAsync(string solutionDirectory, INuGetProjectContext nuGetProjectContext, ILogger logger, CancellationToken token) Line 280
NuGet.PackageManagement.UI.dll (Async)
NuGet.PackageManagement.UI.PackageRestoreBar.UIRestorePackagesAsync(CancellationToken token) Line 264
NuGet.PackageManagement.UI.PackageManagerControl.ExecuteAction.AnonymousMethod__0() Line 1616
I noticed the yellow bar for only a fraction of a second that has the same message mentioned in the issue description.
That matches @jgonz120's summary that I copied here in https://github.com/NuGet/Home/issues/13407#issuecomment-2083405856.
These changes were pointing to the packages.config style projects but not sure yet why this change impacts package reference style projects also
The PackageReference one has been implemented for some time in https://github.com/NuGet/NuGet.Client/blob/12d5c661b77d4933f82a293008c0d56d1d6ce32b/src/NuGet.Core/NuGet.Commands/RestoreCommand/Utility/AuditUtility.cs#L334. Runs the same logic, which is what Tim's scenario is hitting.
Sounds to me like we're reaching the same conclusions, and the slowdown is due to a slow responding source.
I think https://github.com/NuGet/Home/issues/13407#issuecomment-2083593103 still makes sense for improvements.
Thanks for the analysis @kartheekp-ms
The bar appears for 5 minutes and NuGet manager hangs forever! I cannot add or remove a package using Visual Studio 2022 (17.10.2). VS restart does not help.
@Gladskih try opening "Developer PowerShell for VS 2022" from your start menu, enter $env:NuGetAudit="false", then devenv. When VS starts up, try again. If the problem goes away, then that tells me that one of your (http) feeds is inaccessible. This will disable the NuGetAudit feature, so you'll no longer get warnings about packages with known vulnerabilities. If you want to make it permanent, then you can add a Directory.Build.props to your repo and set the NuGetAudit property to false, as described in our docs: https://learn.microsoft.com/en-us/nuget/concepts/auditing-packages
If your network/server immediately rejects requests to the feed, then the delay should be retry count (default 5) exponential backoff (1s + 2s + 4s + 8s + 16s). If your network/server drops TCP connections, rather than reject, then you'll also have to wait 100 seconds per attempt (so 6 * 100s = 600s).
The bar appears for 5 minutes and NuGet manager hangs forever! I cannot add or remove a package using Visual Studio 2022 (17.10.2). VS restart does not help.
Did you manage to find a solution to this? I'm having the exact same issue.
@bodzilla AFAIR switching VPN helped. But you can also try the suggestion of zivkan.
NuGet Product Used
Visual Studio Package Management UI
Product Version
17.11 preview
Worked before?
Wasn't there prior
Impact
It bothers me. A fix would be nice
Repro Steps & Context
Add a package and see a CACHE goldbar above the PM UI
Verbose Logs
No response