dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.
https://docs.github.com/en/code-security/dependabot
MIT License

Nuget scanner is targeting ProjectReferences and PackageReferences in monoliths, times out with a complicated subtree of ProjectReferences; add some type of flag to only look at PackageReference and turn off ProjectReference #4991

Open bruno-salapic opened 2 years ago

bruno-salapic commented 2 years ago

Large C# dotnet projects time out or hang indefinitely when a complicated subtree of ProjectReference tags exists (e.g. monoliths).

Package ecosystem nuget

Package manager version latest nuget

Language version c# dotnet6

dependabot.yml content

version: 2
updates:
  - package-ecosystem: "nuget" # See documentation for possible values
    directory: "/DependabotScan/" # Location of package manifests
    schedule:
      interval: "daily"
    registries: "*"
    open-pull-requests-limit: 1

What you expected to see, versus what you actually saw

I expect to see a scan of all the packages that need updates for a single specific project, with PRs created accordingly

vs

The dependabot scan fails because the project it's targeting has project references that also have project references, and those in turn have project references. Inspecting the scan once it completes (it takes forever; I wish there was a way to view logs while it's running, but that's a separate feature request),

it throws a 400 secondary rate limit error after waiting a long time for the task to complete.

Images of the diff or a link to the PR, issue or logs

🕹 Bonus points: Smallest manifest that reproduces the issue

C# project reference

DependabotScan.csproj file
  - Infra.Shopping
    - Application/ProjA
      - Application/ProjB
      - Application/ProjD
      - Application/ProjE
    - Application/ProjB
      - Application/ProjC
        - Application/ProjE
      - Application/ProjE
    - Domain/ProjA
      - Domain/ProjB
    - Domain/ProjB
    - Domain/ProjC
    - Common/ProjA
    ... etc. (each deeper indent level is a sub-project with its own set of project references)

Solution: It would just be easier if you forced the NuGet package ecosystem scans to only look for PackageReference tags in csproj files instead of both PackageReference and ProjectReference tags.
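To make the cost of the reference tree above concrete, here is an added example (not dependabot-core's own code) that parses a constructed set of SDK-style csproj files shaped like the one in the report. Application/ProjE is reachable through four different paths, so a walk that follows ProjectReference edges without remembering what it has already parsed re-parses the same leaf projects repeatedly; a visited set, a depth cap, and the "PackageReference only" mode this issue asks for each keep the walk bounded. All project names, relative paths and package versions are constructed for the example.

```python
"""Collect NuGet PackageReference items from a tree of .csproj files.

Added example, not dependabot-core's own code. It shows why following
ProjectReference edges in a monolith gets expensive (the same leaf project is
reached via many paths) and how a visited set, a depth cap or a
PackageReference-only mode bounds the walk. All data below is constructed.
"""
import posixpath
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Set, Tuple

ROOT = "DependabotScan/DependabotScan.csproj"


def csproj(packages: List[Tuple[str, str]], refs: List[str]) -> str:
    """Render a minimal SDK-style csproj (constructed test data, not a real repo)."""
    items = [f'<PackageReference Include="{n}" Version="{v}" />' for n, v in packages]
    items += [f'<ProjectReference Include="{r}" />' for r in refs]
    return '<Project Sdk="Microsoft.NET.Sdk"><ItemGroup>' + "".join(items) + "</ItemGroup></Project>"


# Constructed in-memory repository: relative path -> csproj text. Shaped like the
# issue's tree: Application/ProjE is a leaf reached from ProjA, ProjB and ProjC.
PROJECTS: Dict[str, str] = {
    ROOT: csproj([("Newtonsoft.Json", "13.0.1")], [r"..\Infra.Shopping\Infra.Shopping.csproj"]),
    "Infra.Shopping/Infra.Shopping.csproj": csproj(
        [("Serilog", "2.10.0")],
        [r"..\Application\ProjA\ProjA.csproj", r"..\Application\ProjB\ProjB.csproj"]),
    "Application/ProjA/ProjA.csproj": csproj(
        [("Dapper", "2.0.123")],
        [r"..\ProjB\ProjB.csproj", r"..\ProjD\ProjD.csproj", r"..\ProjE\ProjE.csproj"]),
    "Application/ProjB/ProjB.csproj": csproj(
        [("Newtonsoft.Json", "12.0.3")], [r"..\ProjC\ProjC.csproj", r"..\ProjE\ProjE.csproj"]),
    "Application/ProjC/ProjC.csproj": csproj([], [r"..\ProjE\ProjE.csproj"]),
    "Application/ProjD/ProjD.csproj": csproj([("Polly", "7.2.3")], []),
    "Application/ProjE/ProjE.csproj": csproj([("Microsoft.Extensions.Logging", "6.0.0")], []),
}


def parse_project(xml_text: str) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Return ([(package, version), ...], [ProjectReference Include, ...])."""
    packages, refs = [], []
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.rsplit("}", 1)[-1]  # tolerate an xmlns on old-style projects
        include = el.get("Include")
        if not include:
            continue
        if tag == "PackageReference":
            version = el.get("Version") or ""
            for child in el:  # <Version> may be a child element instead of an attribute
                if child.tag.rsplit("}", 1)[-1] == "Version" and child.text:
                    version = child.text.strip()
            packages.append((include, version))
        elif tag == "ProjectReference":
            refs.append(include)
    return packages, refs


def resolve_ref(from_project: str, include: str) -> str:
    """Resolve a (usually backslash-separated) ProjectReference relative to its project."""
    return posixpath.normpath(posixpath.join(posixpath.dirname(from_project), include.replace("\\", "/")))


def collect_packages(root: str, files: Dict[str, str], follow_project_refs: bool = True,
                     max_depth: Optional[int] = None) -> Tuple[Dict[str, Set[str]], int]:
    """Walk from `root`; return ({package: {versions}}, number of projects parsed).

    The visited set makes the diamond-shaped graph cost O(projects); max_depth caps
    the walk on a huge tree; follow_project_refs=False is "PackageReference only".
    """
    packages: Dict[str, Set[str]] = {}
    visited: Set[str] = set()
    parsed = 0

    def visit(path: str, depth: int) -> None:
        nonlocal parsed
        if path in visited or path not in files:  # already parsed, or dangling reference
            return
        visited.add(path)
        parsed += 1
        pkgs, refs = parse_project(files[path])
        for name, version in pkgs:
            packages.setdefault(name, set()).add(version)
        if not follow_project_refs or (max_depth is not None and depth >= max_depth):
            return
        for include in refs:
            visit(resolve_ref(path, include), depth + 1)

    visit(root, 0)
    return packages, parsed


def count_naive_parses(root: str, files: Dict[str, str]) -> int:
    """Parses done by a walk with no visited set: every path to a leaf is re-walked."""
    if root not in files:
        return 0
    _, refs = parse_project(files[root])
    return 1 + sum(count_naive_parses(resolve_ref(root, inc), files) for inc in refs)


if __name__ == "__main__":
    pkgs, n = collect_packages(ROOT, PROJECTS)
    print(f"{n} projects parsed with a visited set, {count_naive_parses(ROOT, PROJECTS)} without")
    print("packages:", {k: sorted(v) for k, v in sorted(pkgs.items())})
    print("PackageReference only:", collect_packages(ROOT, PROJECTS, follow_project_refs=False))
```

On this seven-project graph the naive walk already parses 13 files; on a real monolith with hundreds of projects and many shared leaves the blow-up is what turns a scan into a hang. The version conflict surfaced for Newtonsoft.Json (13.0.1 at the root, 12.0.3 in ProjB) is also why an updater that only looks at the top-level csproj gives a different, narrower answer than one that follows project references.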

brettfo commented 3 months ago

Are you still seeing timeouts when scanning the repo? There have been some recent improvements to dependency scanning that hopefully should result in a timeout.