Open rhyskoedijk opened 1 month ago
Package ecosystem
NuGet
Package manager version
v0.266.0
Language version
No response
Manifest location and content before the Dependabot update
WebApplication2.csproj: https://github.com/rhyskoedijk/dependabot-nuget-webconfig-assembly-binding-test/blob/main/WebApplication2-PackageReference/WebApplication2.csproj
Web.config: https://github.com/rhyskoedijk/dependabot-nuget-webconfig-assembly-binding-test/blob/main/WebApplication2-PackageReference/Web.config
dependabot.yml content
N/A, updated using dry-run.rb
Updated dependency
Microsoft.IdentityModel.Protocols.OpenIdConnect from 7.5.2 to 8.0.0.
What you expected to see, versus what you actually saw
If a .NET Framework project is migrated from packages.config to PackageReference and it has assembly binding redirects, I expect Dependabot to update the app/web.config file when updating dependencies.
What actually happens is Dependabot does not update app/web.config, which results in the app throwing runtime errors.
This is similar to #8738, which was fixed by https://github.com/dependabot/dependabot-core/pull/10110. However, this specific issue only affects .NET Framework projects migrated from packages.config to PackageReference.
Images of the diff or a link to the PR, issue, or logs
=> cloning into /home/dependabot/tmp/rhyskoedijk/dependabot-nuget-webconfig-assembly-binding-test => parsing dependency files running NuGet discovery: /opt/nuget/NuGetUpdater/NuGetUpdater.Cli discover --repo-root /home/dependabot/tmp/rhyskoedijk/dependabot-nuget-webconfig-assembly-binding-test --workspace /WebApplication2-PackageReference --output /tmp/.dependabot/discovery.1.json --verbose Discovering build files in workspace [/home/dependabot/tmp/rhyskoedijk/dependabot-nuget-webconfig-assembly-binding-test/WebApplication2-PackageReference]. No dotnet-tools.json file found. No global.json file found. Discovering projects beneath [WebApplication2-PackageReference]. No packages.config file found. Central Package Management is not enabled. Discovery complete. I, [2024-07-21T13:41:07.234470 #916] INFO -- : Discovery JSON content: { "Path": "WebApplication2-PackageReference", "IsSuccess": true, "Projects": [ { "FilePath": "WebApplication2.csproj", "Dependencies": [ ...snip... ], "IsSuccess": true, "Properties": [ ...snip... 
], "TargetFrameworks": [ "net481" ], "ReferencedProjectPaths": [] }, { "FilePath": "WebApplication2.csproj.user", "Dependencies": [], "IsSuccess": true, "Properties": [], "TargetFrameworks": [], "ReferencedProjectPaths": [] } ], "DirectoryPackagesProps": null, "GlobalJson": null, "DotNetToolsJson": null, "ErrorType": null, "ErrorDetails": null } => updating 1 dependencies: Microsoft.IdentityModel.Protocols.OpenIdConnect === Microsoft.IdentityModel.Protocols.OpenIdConnect (7.5.2) => checking for updates 1/1 🌍 --> GET https://api.nuget.org/v3/registration5-gz-semver2/microsoft.identitymodel.protocols.openidconnect/index.json 🌍 <-- 200 https://api.nuget.org/v3/registration5-gz-semver2/microsoft.identitymodel.protocols.openidconnect/index.json I, [2024-07-21T13:41:08.460934 #916] INFO -- : Filtered out 8 pre-release versions 🌍 --> GET https://api.nuget.org/v3-flatcontainer/microsoft.identitymodel.protocols.openidconnect/7.5.2/microsoft.identitymodel.protocols.openidconnect.nuspec 🌍 <-- 200 https://api.nuget.org/v3-flatcontainer/microsoft.identitymodel.protocols.openidconnect/7.5.2/microsoft.identitymodel.protocols.openidconnect.nuspec => latest available version is 8.0.0 => latest allowed version is 7.5.2 => requirements to unlock: all => requirements update strategy: Finding updated dependencies for Microsoft.IdentityModel.Protocols.OpenIdConnect. 🌍 --> GET https://api.nuget.org/v3-flatcontainer/microsoft.identitymodel.protocols.openidconnect/8.0.0/microsoft.identitymodel.protocols.openidconnect.nuspec 🌍 <-- 200 https://api.nuget.org/v3-flatcontainer/microsoft.identitymodel.protocols.openidconnect/8.0.0/microsoft.identitymodel.protocols.openidconnect.nuspec ...snip... 
🌍 --> GET https://api.nuget.org/v3-flatcontainer/microsoft.identitymodel.jsonwebtokens/8.0.0/microsoft.identitymodel.jsonwebtokens.nuspec 🌍 <-- 200 https://api.nuget.org/v3-flatcontainer/microsoft.identitymodel.jsonwebtokens/8.0.0/microsoft.identitymodel.jsonwebtokens.nuspec running NuGet updater: /opt/nuget/NuGetUpdater/NuGetUpdater.Cli update --repo-root /home/dependabot/tmp/rhyskoedijk/dependabot-nuget-webconfig-assembly-binding-test --solution-or-project /home/dependabot/tmp/rhyskoedijk/dependabot-nuget-webconfig-assembly-binding-test/WebApplication2-PackageReference/WebApplication2.csproj --dependency Microsoft.IdentityModel.Protocols.OpenIdConnect --new-version 8.0.0 --previous-version 7.5.2 --result-output-path /tmp/update-result.json --verbose No dotnet-tools.json file found. No global.json file found. Running for project file [WebApplication2-PackageReference/WebApplication2.csproj] Updating project [/home/dependabot/tmp/rhyskoedijk/dependabot-nuget-webconfig-assembly-binding-test/WebApplication2-PackageReference/WebApplication2.csproj] Running for SDK-style project Found incorrect [PackageReference] version node in [WebApplication2-PackageReference/WebApplication2.csproj]. Found incorrect peer [PackageReference] version node in [WebApplication2-PackageReference/WebApplication2.csproj]. Found incorrect peer [PackageReference] version node in [WebApplication2-PackageReference/WebApplication2.csproj]. Found incorrect peer [PackageReference] version node in [WebApplication2-PackageReference/WebApplication2.csproj]. Saved [WebApplication2-PackageReference/WebApplication2.csproj]. Update complete. Writing update result to [/tmp/update-result.json]. I, [2024-07-21T13:41:28.740551 #916] INFO -- : update result: { "ErrorType": null, "ErrorDetails": null } Adding BOM to [WebApplication2.csproj]. The contents of file [WebApplication2.csproj] were updated. 
🌍 --> GET https://api.nuget.org/v3-flatcontainer/microsoft.identitymodel.protocols.openidconnect/8.0.0/microsoft.identitymodel.protocols.openidconnect.nuspec 🌍 <-- 200 https://api.nuget.org/v3-flatcontainer/microsoft.identitymodel.protocols.openidconnect/8.0.0/microsoft.identitymodel.protocols.openidconnect.nuspec 🌍 --> GET https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet.git/info/refs?service=git-upload-pack 🌍 <-- 200 https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet.git/info/refs?service=git-upload-pack => bump microsoft.identitymodel.protocols.openidconnect from 7.5.2 to 8.0.0 in /webapplication2-packagereference ± WebApplication2-PackageReference/WebApplication2.csproj ~~~ --- /tmp/original20240721-916-6btbhk 2024-07-21 13:41:34.287275186 +0000 +++ /tmp/updated20240721-916-l7ab6z 2024-07-21 13:41:34.287275186 +0000 @@ -219,10 +219,10 @@ <Version>5.3.0</Version> </PackageReference> <PackageReference Include="Microsoft.IdentityModel.Protocols"> - <Version>7.6.2</Version> + <Version>8.0.0</Version> </PackageReference> <PackageReference Include="Microsoft.IdentityModel.Protocols.OpenIdConnect"> - <Version>7.5.2</Version> + <Version>8.0.0</Version> </PackageReference> <PackageReference Include="Microsoft.Web.Infrastructure"> <Version>2.0.0</Version> @@ -234,10 +234,10 @@ <Version>13.0.3</Version> </PackageReference> <PackageReference Include="System.IdentityModel.Tokens.Jwt"> - <Version>7.6.2</Version> + <Version>8.0.0</Version> </PackageReference> <PackageReference Include="System.Text.Json"> - <Version>8.0.3</Version> + <Version>8.0.4</Version> </PackageReference> <PackageReference Include="WebGrease"> <Version>1.6.0</Version> ~~~ 5 insertions (+), 5 deletions (-) 🌍 Total requests made: '71'
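Review bot: the only file in this diff is WebApplication2-PackageReference/WebApplication2.csproj, so the four version bumps in the two hunks (Microsoft.IdentityModel.Protocols, Microsoft.IdentityModel.Protocols.OpenIdConnect, System.IdentityModel.Tokens.Jwt, System.Text.Json) land without any matching Web.config change. The same update should rewrite the bindingRedirect entries for those assemblies in Web.config, otherwise the redirects still point at the previous versions after the merge. Separately, the summary reports 5 insertions and 5 deletions while the hunks show four changed Version lines; the fifth pair is presumably the first line touched by the "Adding BOM" step in the log, which is worth confirming so the update does not carry an unrelated encoding change.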
Smallest manifest that reproduces the issue
Reproduction repository:
Dry run command:
bin/dry-run.rb nuget rhyskoedijk/dependabot-nuget-webconfig-assembly-binding-test --dir="/WebApplication2-PackageReference" --dep="Microsoft.IdentityModel.Protocols.OpenIdConnect"
Good find. We currently only update binding redirects when a packages.config file is present, but we need to always attempt to update binding redirects.
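A check for the failure described in this issue, as an added example (not Dependabot's code and not taken from the reproduction repository): it parses the assemblyBinding section of a Web.config and reports every redirect whose newVersion no longer matches the deployed assembly version. The Web.config fragment and the DEPLOYED version map are constructed sample data; in a real pipeline the map would be read from the assemblies in the build output folder.

```python
import xml.etree.ElementTree as ET

# assemblyBinding lives in its own XML namespace; queries without it match nothing.
ASM_NS = {"asm": "urn:schemas-microsoft-com:asm.v1"}

# Constructed sample Web.config fragment (not the reproduction repository's file).
SAMPLE_WEB_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <dependentAssembly>
        <assemblyIdentity name="Microsoft.IdentityModel.Protocols.OpenIdConnect"
                          publicKeyToken="31bf3856ad364e35" culture="neutral" />
        <bindingRedirect oldVersion="0.0.0.0-7.5.2.0" newVersion="7.5.2.0" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="Newtonsoft.Json"
                          publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />
        <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />
      </dependentAssembly>
    </assemblyBinding>
  </runtime>
</configuration>
"""

# Constructed assembly versions, standing in for what a build would read from bin/*.dll.
DEPLOYED = {
    "Microsoft.IdentityModel.Protocols.OpenIdConnect": "8.0.0.0",
    "Newtonsoft.Json": "13.0.0.0",
}

def parse_version(text):
    """Turn '8.0.0.0' into (8, 0, 0, 0) so comparison is numeric, not textual."""
    return tuple(int(part) for part in text.split("."))

def stale_redirects(config_xml, deployed):
    """Return (assembly, redirect newVersion, deployed version) for each mismatch."""
    root = ET.fromstring(config_xml.encode("utf-8"))
    findings = []
    for dep in root.iterfind(".//asm:dependentAssembly", ASM_NS):
        identity = dep.find("asm:assemblyIdentity", ASM_NS)
        redirect = dep.find("asm:bindingRedirect", ASM_NS)
        if identity is None or redirect is None:
            continue  # entry without a redirect (e.g. codeBase only)
        name = identity.get("name")
        new_version = redirect.get("newVersion")
        if name in deployed and parse_version(new_version) != parse_version(deployed[name]):
            findings.append((name, new_version, deployed[name]))
    return findings
```

Run as a CI step on dependency-update branches, a non-empty result fails the build before the stale redirect reaches a running application.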