dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.
https://docs.github.com/en/code-security/dependabot
MIT License

Dependabot does not respect version range specified in NuGet (PackageReference format) #5204

Open taurit opened 2 years ago

taurit commented 2 years ago

Package ecosystem: nuget

Package manager version: bug observed in GitHub integration, so I'm not sure

Language version: bug observed in GitHub integration, so I'm not sure

Manifest location and content before the Dependabot update: I attach a complete set of files to reproduce the problem at the bottom.

MyProject.csproj:

<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>net6.0</TargetFramework>
  </PropertyGroup>

  <ItemGroup>
    <PackageReference Include="NodaTime" Version="[2.3.0, 3.0.0)"  />
  </ItemGroup>
</Project>

dependabot.yml:

version: 2
updates:
  - package-ecosystem: "nuget"
    directory: "/"
    schedule:
      interval: "daily"

Updated dependency <PackageReference Include="NodaTime" Version="[2.3.0, 3.0.0)" />

What you expected to see, versus what you actually saw: I expected to see Dependabot create an update from 2.3.0 to 2.4.18 (the last version before 3.0.0). I expected that Dependabot would not try to update to 3.0.0 or newer, because that would violate the <PackageReference>'s rules.

Instead, Dependabot did not update the package at all. The logs show:

updater | INFO <job_378612591> Starting job processing
updater | INFO <job_378612591> Starting update job for taurit/MyProject
updater | INFO <job_378612591> Checking if NodaTime  needs updating
  proxy | 2022/05/30 18:12:10 [016] GET https://azuresearch-usnc.nuget.org:443/query?q=nodatime&prerelease=true&semVerLevel=2.0.0
  proxy | 2022/05/30 18:12:10 [016] 200 https://azuresearch-usnc.nuget.org:443/query?q=nodatime&prerelease=true&semVerLevel=2.0.0
updater | INFO <job_378612591> Latest version is 3.1.0
updater | INFO <job_378612591> Requirements to unlock update_not_possible
updater | INFO <job_378612591> Requirements update strategy 
updater | INFO <job_378612591> No update possible for NodaTime 
updater | INFO <job_378612591> Finished job processing

Native package manager behavior

Visual Studio offers to update the dependency to the most recent 2.* version available, as expected: [screenshot: Visual Studio Package Manager update experience]

Images of the diff or a link to the PR, issue, or logs:

I found a PR in the dependabot repo which strongly suggests that version ranges are meant to be supported by dependabot:

3087

That's why I created a bug, and not a feature request.

🕹 Bonus points: Smallest manifest that reproduces the issue

Smallest-repository-snapshot-to-reproduce-dependabot-issue-on-GitHub.zip

mattjohnsonpint commented 1 year ago

Any update here?

PioneerWihan commented 1 year ago

Would love it if this bug could be addressed; our team has found immense value in the stability this versioning strategy brings to our engineering department.

brettfo commented 6 months ago

There have been several improvements in the last few months to NuGet version handling. Are you still seeing this issue?

taurit commented 6 months ago

There have been several improvements in the last few months to NuGet version handling. Are you still seeing this issue?

Hi, I just re-tested with my initial example. The version range still doesn't seem to be processed correctly. No version bump is suggested, even though one could be.

Example

Here's my minimal repro repository to show the current behavior:

1) Dependabot created a PR to update this reference in MyProject2.csproj:

<PackageReference Include="NodaTime" Version="2.3.0"  />

2) But didn't create a PR to update this in MyProject.csproj:

<PackageReference Include="NodaTime" Version="[2.3.0, 3.0.0)"  />
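As an added example (not dependabot-core's own code) of the behaviour the reporter expects in both the original report and the re-test above, here is a small Ruby resolver that applies NuGet's interval notation to a constructed list of published versions, so that "[2.3.0, 3.0.0)" resolves to 2.4.18 rather than to the feed's latest 3.1.0. The `NugetRange` and `highest_allowed` names and the `PUBLISHED` list are assumptions made for the example.

```ruby
# Added example (not dependabot-core code): resolve the highest NuGet version
# that satisfies a PackageReference version range such as "[2.3.0, 3.0.0)".
# NuGet interval notation: [ ] inclusive, ( ) exclusive, a bare "2.3.0"
# means ">= 2.3.0", and "[2.3.0]" pins exactly that version.
require "rubygems"

NugetRange = Struct.new(:min, :min_inclusive, :max, :max_inclusive) do
  # Parse the range string into bounds; a nil bound means that side is open.
  def self.parse(spec)
    spec = spec.strip
    return new(Gem::Version.new(spec), true, nil, false) unless spec.start_with?("[", "(")
    lo_incl = spec.start_with?("[")
    hi_incl = spec.end_with?("]")
    parts = spec[1..-2].split(",", -1).map(&:strip)
    # "[2.3.0]" has no comma and pins the single version exactly
    parts = [parts[0], parts[0]] if parts.length == 1
    lo = parts[0].empty? ? nil : Gem::Version.new(parts[0])
    hi = parts[1].empty? ? nil : Gem::Version.new(parts[1])
    new(lo, lo_incl, hi, hi_incl)
  end

  # True when the version lies inside the interval (string or Gem::Version).
  def include?(version)
    v = Gem::Version.create(version)
    return false if min && (min_inclusive ? v < min : v <= min)
    return false if max && (max_inclusive ? v > max : v >= max)
    true
  end
end

# Pick the highest published version inside the range. Prerelease versions
# are skipped unless the currently pinned version is itself a prerelease.
# This is the resolution the bug report expects: "[2.3.0, 3.0.0)" yields
# 2.4.18, not the feed's absolute latest 3.1.0.
def highest_allowed(spec, current, published)
  range = NugetRange.parse(spec)
  allow_pre = Gem::Version.new(current).prerelease?
  published
    .map { |s| [s, Gem::Version.new(s)] }
    .reject { |_, v| v.prerelease? && !allow_pre }
    .select { |_, v| range.include?(v) }
    .max_by { |_, v| v }
    &.first
end

# Constructed sample of what the NuGet search feed might list for NodaTime.
PUBLISHED = %w[2.3.0 2.4.0 2.4.18 3.0.0 3.0.1 3.1.0 3.2.0-beta].freeze
puts highest_allowed("[2.3.0, 3.0.0)", "2.3.0", PUBLISHED) # 2.4.18
puts highest_allowed("2.3.0", "2.3.0", PUBLISHED)          # 3.1.0
```

The second call shows the contrast with the plain `Version="2.3.0"` reference from MyProject2.csproj, which has no upper bound and therefore legitimately resolves to 3.1.0.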