Open lukaspieper opened 3 years ago
Per https://github.com/NuGet/Home/wiki/%5BSpec%5D-PackageDownload-support, items which use PackageDownload intentionally should not impact the project dependency graph, so they should be ignored by Dependabot. If you want something to be part of the dependency graph and monitored by Dependabot, then it should be a PackageReference.
@mwaddell I do not get it. It is still a dependency. These are usually CLI apps (e.g. test runners, NuGet CLI, etc.). Updating them is important as well. Here is an example where we missed support for PackageDownload: https://github.com/open-telemetry/opentelemetry-dotnet-instrumentation/pull/842
Please treat PackageDownload like PackageReference. For some tools it's not possible to use PackageReference since MSBuild complains, but we still need automatic updates of it. If the update is not wanted, the user can disable it via ordinary Dependabot configuration mechanisms.
@pellared As a workaround you may use:

```xml
<PackageReference Include="Nuget.CommandLine" Version="6.2.1" ExcludeAssets="all" />
```

as described in the first info box here: https://nuke.build/docs/common/cli-tools/

I have changed my package downloads to that and it works with Dependabot.
The workaround no longer works with the current version of Dependabot. See https://github.com/dependabot/dependabot-core/issues/10482
Hi,

It seems that Dependabot currently ignores `PackageDownload` in csproj files. You can find a sample csproj here. I'm still fairly new to Dependabot and was just quickly browsing this repository. Would it be sufficient to add `PackageDownload` in the same way as `PackageReference` to project_file_declaration_finder.rb? Thanks.