dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.
https://docs.github.com/en/code-security/dependabot
MIT License

Assembly binding redirects are not updated in a .NET Framework project migrated from packages.config to PackageReference #10260

Open rhyskoedijk opened 1 month ago

rhyskoedijk commented 1 month ago

Is there an existing issue for this?

Package ecosystem

NuGet

Package manager version

v0.266.0

Language version

No response

Manifest location and content before the Dependabot update

WebApplication2.csproj: https://github.com/rhyskoedijk/dependabot-nuget-webconfig-assembly-binding-test/blob/main/WebApplication2-PackageReference/WebApplication2.csproj

Web.config: https://github.com/rhyskoedijk/dependabot-nuget-webconfig-assembly-binding-test/blob/main/WebApplication2-PackageReference/Web.config

dependabot.yml content

N/A, updated using dry-run.rb

Updated dependency

Microsoft.IdentityModel.Protocols.OpenIdConnect from 7.5.2 to 8.0.0.

What you expected to see, versus what you actually saw

If a .NET Framework project is migrated from packages.config to PackageReference and it has assembly binding redirects, I expect Dependabot to update the app/web.config file when updating dependencies.

What actually happens is Dependabot does not update app/web.config, which results in the app throwing runtime errors.

This is similar to #8738, which was fixed by https://github.com/dependabot/dependabot-core/pull/10110. However, this specific issue only affects .NET Framework projects migrated from packages.config to PackageReference.

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

=> cloning into /home/dependabot/tmp/rhyskoedijk/dependabot-nuget-webconfig-assembly-binding-test
=> parsing dependency files
running NuGet discovery:
/opt/nuget/NuGetUpdater/NuGetUpdater.Cli discover --repo-root /home/dependabot/tmp/rhyskoedijk/dependabot-nuget-webconfig-assembly-binding-test --workspace /WebApplication2-PackageReference --output /tmp/.dependabot/discovery.1.json --verbose
Discovering build files in workspace [/home/dependabot/tmp/rhyskoedijk/dependabot-nuget-webconfig-assembly-binding-test/WebApplication2-PackageReference].
  No dotnet-tools.json file found.
  No global.json file found.
  Discovering projects beneath [WebApplication2-PackageReference].
  No packages.config file found.
  Central Package Management is not enabled.
Discovery complete.
I, [2024-07-21T13:41:07.234470 #916]  INFO -- : Discovery JSON content: {
  "Path": "WebApplication2-PackageReference",
  "IsSuccess": true,
  "Projects": [
    {
      "FilePath": "WebApplication2.csproj",
      "Dependencies": [
        ...snip...
      ],
      "IsSuccess": true,
      "Properties": [
        ...snip...
      ],
      "TargetFrameworks": [
        "net481"
      ],
      "ReferencedProjectPaths": []
    },
    {
      "FilePath": "WebApplication2.csproj.user",
      "Dependencies": [],
      "IsSuccess": true,
      "Properties": [],
      "TargetFrameworks": [],
      "ReferencedProjectPaths": []
    }
  ],
  "DirectoryPackagesProps": null,
  "GlobalJson": null,
  "DotNetToolsJson": null,
  "ErrorType": null,
  "ErrorDetails": null
}
=> updating 1 dependencies: Microsoft.IdentityModel.Protocols.OpenIdConnect

=== Microsoft.IdentityModel.Protocols.OpenIdConnect (7.5.2)
 => checking for updates 1/1
🌍 --> GET https://api.nuget.org/v3/registration5-gz-semver2/microsoft.identitymodel.protocols.openidconnect/index.json
🌍 <-- 200 https://api.nuget.org/v3/registration5-gz-semver2/microsoft.identitymodel.protocols.openidconnect/index.json
I, [2024-07-21T13:41:08.460934 #916]  INFO -- : Filtered out 8 pre-release versions
🌍 --> GET https://api.nuget.org/v3-flatcontainer/microsoft.identitymodel.protocols.openidconnect/7.5.2/microsoft.identitymodel.protocols.openidconnect.nuspec
🌍 <-- 200 https://api.nuget.org/v3-flatcontainer/microsoft.identitymodel.protocols.openidconnect/7.5.2/microsoft.identitymodel.protocols.openidconnect.nuspec
 => latest available version is 8.0.0
 => latest allowed version is 7.5.2
 => requirements to unlock: all
 => requirements update strategy: 
Finding updated dependencies for Microsoft.IdentityModel.Protocols.OpenIdConnect.
🌍 --> GET https://api.nuget.org/v3-flatcontainer/microsoft.identitymodel.protocols.openidconnect/8.0.0/microsoft.identitymodel.protocols.openidconnect.nuspec
🌍 <-- 200 https://api.nuget.org/v3-flatcontainer/microsoft.identitymodel.protocols.openidconnect/8.0.0/microsoft.identitymodel.protocols.openidconnect.nuspec
...snip...
🌍 --> GET https://api.nuget.org/v3-flatcontainer/microsoft.identitymodel.jsonwebtokens/8.0.0/microsoft.identitymodel.jsonwebtokens.nuspec
🌍 <-- 200 https://api.nuget.org/v3-flatcontainer/microsoft.identitymodel.jsonwebtokens/8.0.0/microsoft.identitymodel.jsonwebtokens.nuspec
running NuGet updater:
/opt/nuget/NuGetUpdater/NuGetUpdater.Cli update --repo-root /home/dependabot/tmp/rhyskoedijk/dependabot-nuget-webconfig-assembly-binding-test --solution-or-project /home/dependabot/tmp/rhyskoedijk/dependabot-nuget-webconfig-assembly-binding-test/WebApplication2-PackageReference/WebApplication2.csproj --dependency Microsoft.IdentityModel.Protocols.OpenIdConnect --new-version 8.0.0 --previous-version 7.5.2 --result-output-path /tmp/update-result.json --verbose
  No dotnet-tools.json file found.
  No global.json file found.
Running for project file [WebApplication2-PackageReference/WebApplication2.csproj]
Updating project [/home/dependabot/tmp/rhyskoedijk/dependabot-nuget-webconfig-assembly-binding-test/WebApplication2-PackageReference/WebApplication2.csproj]
  Running for SDK-style project
    Found incorrect [PackageReference] version node in [WebApplication2-PackageReference/WebApplication2.csproj].
    Found incorrect peer [PackageReference] version node in [WebApplication2-PackageReference/WebApplication2.csproj].
    Found incorrect peer [PackageReference] version node in [WebApplication2-PackageReference/WebApplication2.csproj].
    Found incorrect peer [PackageReference] version node in [WebApplication2-PackageReference/WebApplication2.csproj].
    Saved [WebApplication2-PackageReference/WebApplication2.csproj].
Update complete.
  Writing update result to [/tmp/update-result.json].
I, [2024-07-21T13:41:28.740551 #916]  INFO -- : update result: {
  "ErrorType": null,
  "ErrorDetails": null
}
Adding BOM to [WebApplication2.csproj].
The contents of file [WebApplication2.csproj] were updated.
🌍 --> GET https://api.nuget.org/v3-flatcontainer/microsoft.identitymodel.protocols.openidconnect/8.0.0/microsoft.identitymodel.protocols.openidconnect.nuspec
🌍 <-- 200 https://api.nuget.org/v3-flatcontainer/microsoft.identitymodel.protocols.openidconnect/8.0.0/microsoft.identitymodel.protocols.openidconnect.nuspec
🌍 --> GET https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet.git/info/refs?service=git-upload-pack
🌍 <-- 200 https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet.git/info/refs?service=git-upload-pack
 => bump microsoft.identitymodel.protocols.openidconnect from 7.5.2 to 8.0.0 in /webapplication2-packagereference

    ± WebApplication2-PackageReference/WebApplication2.csproj
    ~~~
    --- /tmp/original20240721-916-6btbhk        2024-07-21 13:41:34.287275186 +0000
    +++ /tmp/updated20240721-916-l7ab6z 2024-07-21 13:41:34.287275186 +0000
    @@ -219,10 +219,10 @@
           <Version>5.3.0</Version>
         </PackageReference>
         <PackageReference Include="Microsoft.IdentityModel.Protocols">
    -      <Version>7.6.2</Version>
    +      <Version>8.0.0</Version>
         </PackageReference>
         <PackageReference Include="Microsoft.IdentityModel.Protocols.OpenIdConnect">
    -      <Version>7.5.2</Version>
    +      <Version>8.0.0</Version>
         </PackageReference>
         <PackageReference Include="Microsoft.Web.Infrastructure">
           <Version>2.0.0</Version>
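Review bot: this hunk moves Microsoft.IdentityModel.Protocols 7.6.2 -> 8.0.0 and Microsoft.IdentityModel.Protocols.OpenIdConnect 7.5.2 -> 8.0.0 (a major-version bump) in the csproj only, while the discovery output above shows the project targets net481 and the issue links a Web.config that carries assembly binding redirects for these packages; with no corresponding change to the `<bindingRedirect oldVersion="..." newVersion="...">` entries, the runtime keeps redirecting to the 7.x assembly versions, which is the runtime failure the report describes. The updater should rewrite the redirects for every bumped strong-named assembly here rather than skipping them because no packages.config exists.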
    @@ -234,10 +234,10 @@
           <Version>13.0.3</Version>
         </PackageReference>
         <PackageReference Include="System.IdentityModel.Tokens.Jwt">
    -      <Version>7.6.2</Version>
    +      <Version>8.0.0</Version>
         </PackageReference>
         <PackageReference Include="System.Text.Json">
    -      <Version>8.0.3</Version>
    +      <Version>8.0.4</Version>
         </PackageReference>
         <PackageReference Include="WebGrease">
           <Version>1.6.0</Version>
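Review bot: System.IdentityModel.Tokens.Jwt also crosses a major version (7.6.2 -> 8.0.0) in this hunk, so any binding redirect for it in Web.config is affected in the same way as the Microsoft.IdentityModel.* bumps and needs to be updated alongside the csproj; the "5 insertions (+), 5 deletions (-)" summary confirms that no Web.config change was produced at all. System.Text.Json 8.0.3 -> 8.0.4 is a patch bump, so the updater should decide whether its redirect changes by comparing the assembly version shipped in the package rather than assuming it tracks the package version.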
    ~~~
    5 insertions (+), 5 deletions (-)
🌍 Total requests made: '71'

Smallest manifest that reproduces the issue

Reproduction repository:

Dry run command:

bin/dry-run.rb nuget rhyskoedijk/dependabot-nuget-webconfig-assembly-binding-test --dir="/WebApplication2-PackageReference" --dep="Microsoft.IdentityModel.Protocols.OpenIdConnect"

brettfo commented 1 month ago

Good find. We currently only update binding redirects when a packages.config file is present, but we need to always attempt to update binding redirects.
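As an added illustration of the behaviour discussed in this issue (this is example code written for this page, not dependabot-core's own updater), the Ruby below rewrites the `bindingRedirect` entries in a .NET Framework app.config / web.config for the NuGet packages that were bumped, and does so without first checking for a packages.config file, which is the gap brettfo describes. The Web.config content is a constructed sample; the only real identifiers in it are the package names from the report. One simplifying assumption is labelled in the code: the assembly version is taken to be the package version padded to four parts, whereas a real updater must read the assembly version from the DLL in the downloaded package, since the two can differ.

```ruby
# Added example for this issue page: update <bindingRedirect> entries in a
# .NET Framework app.config / web.config after a NuGet package bump.
# Not dependabot-core's implementation.
require 'rexml/document'
require 'rexml/xpath'

ASM_NS = 'urn:schemas-microsoft-com:asm.v1'.freeze

# Constructed sample Web.config, modelled on the shape of the one linked in
# the report (runtime/assemblyBinding/dependentAssembly).
SAMPLE_WEB_CONFIG = <<~XML
  <?xml version="1.0" encoding="utf-8"?>
  <configuration>
    <runtime>
      <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
        <dependentAssembly>
          <assemblyIdentity name="Microsoft.IdentityModel.Protocols.OpenIdConnect" publicKeyToken="31bf3856ad364e35" culture="neutral" />
          <bindingRedirect oldVersion="0.0.0.0-7.5.2.0" newVersion="7.5.2.0" />
        </dependentAssembly>
        <dependentAssembly>
          <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />
          <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />
        </dependentAssembly>
      </assemblyBinding>
    </runtime>
  </configuration>
XML

# ASSUMPTION: assembly version == package version padded to four parts.
# Real packages may ship a different assembly version; a production updater
# reads it from the assembly inside the downloaded .nupkg instead.
def assembly_version_for(package_version)
  parts = package_version.split('.').map(&:to_i)
  parts << 0 while parts.size < 4
  parts.first(4).join('.')
end

# updates maps assembly/package name => new package version, e.g.
#   { "Microsoft.IdentityModel.Protocols.OpenIdConnect" => "8.0.0" }
# Returns [updated_xml, changes]; changes lists every redirect rewritten.
# Deliberately does not look for packages.config: a PackageReference project
# can still carry binding redirects and must be handled the same way.
def update_binding_redirects(config_xml, updates)
  doc = REXML::Document.new(config_xml)
  ns = { 'asm' => ASM_NS }
  changes = []

  REXML::XPath.each(doc, '//asm:dependentAssembly', ns) do |dep|
    identity = REXML::XPath.first(dep, 'asm:assemblyIdentity', ns)
    redirect = REXML::XPath.first(dep, 'asm:bindingRedirect', ns)
    next if identity.nil? || redirect.nil?

    name = identity.attributes['name']
    next unless updates.key?(name)

    target = assembly_version_for(updates[name])
    current = redirect.attributes['newVersion']
    next if current == target # already redirected to the bumped version

    # Keep the lower bound of the existing oldVersion range, raise the upper
    # bound and newVersion to the bumped assembly version.
    lower = redirect.attributes['oldVersion'].to_s.split('-').first || '0.0.0.0'
    redirect.attributes['oldVersion'] = "#{lower}-#{target}"
    redirect.attributes['newVersion'] = target
    changes << { name: name, from: current, to: target }
  end

  [doc.to_s, changes]
end

if $PROGRAM_NAME == __FILE__
  _xml, changes = update_binding_redirects(
    SAMPLE_WEB_CONFIG,
    'Microsoft.IdentityModel.Protocols.OpenIdConnect' => '8.0.0'
  )
  changes.each { |c| puts "#{c[:name]}: #{c[:from]} -> #{c[:to]}" }
end
```

Redirects for assemblies that were not bumped (Newtonsoft.Json in the sample) are left untouched, and running the function a second time with the same updates produces no further changes, which is the property an updater needs so that repeated dry runs do not keep rewriting the file.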