dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.
https://docs.github.com/en/code-security/dependabot
MIT License

[.NET|NuGet] Add support for `PackageDownload` #2920

Open lukaspieper opened 3 years ago

lukaspieper commented 3 years ago

Hi,

It seems that Dependabot currently ignores PackageDownload in csproj files. You can find a sample csproj here.

I'm still fairly new to Dependabot and was just quickly browsing this repository. Would it be sufficient to add PackageDownload in the same way as PackageReference to project_file_declaration_finder.rb?

Thanks.
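To make the question concrete: the following is an added sketch, not code from dependabot-core, of a declaration finder that treats `PackageDownload` elements the same way as `PackageReference`. It assumes REXML (Ruby standard library) and a constructed sample csproj; the `[6.2.1]` bracket syntax is NuGet's requirement that `PackageDownload` pin an exact version, and several pins may be separated by `;`.

```ruby
require "rexml/document"

# Constructed sample csproj (not from the issue) mixing both element kinds.
SAMPLE_CSPROJ = <<~XML
  <Project Sdk="Microsoft.NET.Sdk">
    <ItemGroup>
      <PackageReference Include="Newtonsoft.Json" Version="13.0.1" />
      <PackageDownload Include="NuGet.CommandLine" Version="[6.2.1]" />
      <PackageDownload Include="Multi.Tool" Version="[1.0.0];[1.1.0]" />
    </ItemGroup>
  </Project>
XML

# Elements treated as dependency declarations. PackageReference is what the
# existing finder handles; PackageDownload is the addition discussed above.
DECLARATION_ELEMENTS = %w[PackageReference PackageDownload].freeze

# Returns one hash { name:, requirement:, version:, element: } per declaration.
# PackageDownload pins exact versions in brackets ("[6.2.1]") and allows
# several separated by ";", so each pin becomes its own entry.
def find_declarations(csproj_xml)
  doc = REXML::Document.new(csproj_xml)
  declarations = []
  DECLARATION_ELEMENTS.each do |element|
    REXML::XPath.each(doc, "//#{element}") do |node|
      name = node.attributes["Include"] || node.attributes["Update"]
      requirement = node.attributes["Version"] || node.elements["Version"]&.text
      next if name.nil? || requirement.nil?

      requirement.split(";").map(&:strip).reject(&:empty?).each do |req|
        declarations << {
          name: name,
          requirement: req,
          version: exact_version(req),
          element: element
        }
      end
    end
  end
  declarations
end

# "[6.2.1]" -> "6.2.1"; plain "13.0.1" -> "13.0.1"; a real range -> nil.
def exact_version(requirement)
  m = requirement.match(/\A\[([^,\[\]]+)\]\z/)
  return m[1] if m

  requirement.match?(/\A[\w.+-]+\z/) ? requirement : nil
end
```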

mwaddell commented 2 years ago

Per https://github.com/NuGet/Home/wiki/%5BSpec%5D-PackageDownload-support, items which use PackageDownload intentionally should not impact the project dependency graph, so they should be ignored by Dependabot. If you want something to be part of the dependency graph and monitored by Dependabot, then it should be a PackageReference.

pellared commented 2 years ago

@mwaddell I do not get it. It is still a dependency. These are usually CLI apps (e.g. test runners, NuGet CLI, etc). Updating them is important as well. Here is an example where we missed support for PackageDownload: https://github.com/open-telemetry/opentelemetry-dotnet-instrumentation/pull/842

Sam13 commented 2 years ago

Please treat PackageDownload like PackageReference. For some tools it's not possible to use it as a PackageReference since MSBuild complains, but we still need automatic updates of it. If the update is not wanted, the user can disable it via ordinary Dependabot configuration mechanisms.

Sam13 commented 2 years ago

@pellared As a workaround you may use:

<PackageReference Include="Nuget.CommandLine" Version="6.2.1" ExcludeAssets="all" />

as described here in the first info box: https://nuke.build/docs/common/cli-tools/

I have changed my package downloads to that and it works with Dependabot.

Sam13 commented 1 month ago

> <PackageReference Include="Nuget.CommandLine" Version="6.2.1" ExcludeAssets="all" />
>
> I have changed my package downloads to that and it works with Dependabot.

The workaround no longer works with the current version of Dependabot. See https://github.com/dependabot/dependabot-core/issues/10482