dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.
https://docs.github.com/en/code-security/dependabot
MIT License

Dependabot nuget issue with Directory.Packages.props #8614

Open jenivial opened 11 months ago

jenivial commented 11 months ago

Is there an existing issue for this?

Package ecosystem

nuget

Package manager version

No response

Language version

net6.0

Manifest location and content before the Dependabot update

Directory.Packages.props

dependabot.yml content

version: 2
updates:
  - package-ecosystem: "nuget"
    directory: "/"
    schedule:
      interval: "daily"
    open-pull-requests-limit: 1
    target-branch: "main"
    labels:
      - "nuget dependencies"
      - "dependabot"
      - "minor"

Updated dependency

AutoMapper

What you expected to see, versus what you actually saw

I would expect a PR with the AutoMapper update, but I'm seeing:

updater | 2023/12/14 15:35:02 ERROR <job_762373268> Error processing AutoMapper (RuntimeError)
updater | 2023/12/14 15:35:02 ERROR <job_762373268> UpdateChecker found viable dependencies to be updated, but FileUpdater failed to update any files
updater | 2023/12/14 15:35:02 ERROR <job_762373268> /home/dependabot/dependabot-updater/lib/dependabot/updater/operations/update_all_versions.rb:136:in `check_and_create_pull_request'
updater | 2023/12/14 15:35:02 ERROR <job_762373268> /home/dependabot/dependabot-updater/lib/dependabot/updater/operations/update_all_versions.rb:60:in `check_and_create_pr_with_error_handling'
updater | 2023/12/14 15:35:02 ERROR <job_762373268> /home/dependabot/dependabot-updater/lib/dependabot/updater/operations/update_all_versions.rb:35:in `block in perform'
updater | 2023/12/14 15:35:02 ERROR <job_762373268> /home/dependabot/dependabot-updater/lib/dependabot/updater/operations/update_all_versions.rb:35:in `each'
updater | 2023/12/14 15:35:02 ERROR <job_762373268> /home/dependabot/dependabot-updater/lib/dependabot/updater/operations/update_all_versions.rb:35:in `perform'
updater | 2023/12/14 15:35:02 ERROR <job_762373268> /home/dependabot/dependabot-updater/lib/dependabot/updater.rb:64:in `run'
updater | 2023/12/14 15:35:02 ERROR <job_762373268> /home/dependabot/dependabot-updater/lib/dependabot/update_files_command.rb:41:in `perform_job'
updater | 2023/12/14 15:35:03 ERROR <job_762373268> /home/dependabot/dependabot-updater/lib/dependabot/base_command.rb:53:in `run'
updater | 2023/12/14 15:35:03 ERROR <job_762373268> bin/update_files.rb:24:in `<main>'
updater | 2023/12/14 15:35:03 INFO <job_762373268> Finished job processing
updater | 2023/12/14 15:35:03 INFO Results:
updater | Dependabot encountered '1' error(s) during execution, please check the logs for more details.
updater | +-------------------------------+
updater | | Dependencies failed to update |
updater | +---------------+---------------+
updater | | AutoMapper    | unknown_error |
updater | +---------------+---------------+
updater | time="2023-12-14T15:35:03Z" level=info msg="task complete" container_id=job-762373268-updater exit_code=0 job_id=762373268 step=updater

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

https://github.com/jenivial/net-dependabot-test

Smallest manifest that reproduces the issue

No response
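As an added example (my own Ruby, not code from dependabot-core or from the reporter): a scanner for the updater log format shown above that pulls out the failed dependencies, their error class, message and result-table reason, so a pipeline can fail the step even though the container reports exit_code=0. The embedded log excerpt is constructed from the lines in this report.

```ruby
# Added example, not dependabot-core code. Scans a Dependabot updater log (the
# format shown in this report) for dependencies that failed to update so a CI
# step can alert on them; note the updater container itself reports exit_code=0.
# SAMPLE_LOG is a constructed excerpt assembled from the report's own log lines.
SAMPLE_LOG = <<~LOG
  updater | 2023/12/14 15:35:02 ERROR <job_762373268> Error processing AutoMapper (RuntimeError)
  updater | 2023/12/14 15:35:02 ERROR <job_762373268> UpdateChecker found viable dependencies to be updated, but FileUpdater failed to update any files
  updater | 2023/12/14 15:35:03 INFO <job_762373268> Finished job processing
  updater | 2023/12/14 15:35:03 INFO Results:
  updater | Dependabot encountered '1' error(s) during execution, please check the logs for more details.
  updater | +-------------------------------+
  updater | | Dependencies failed to update |
  updater | +---------------+---------------+
  updater | | AutoMapper    | unknown_error |
  updater | +---------------+---------------+
  updater | time="2023-12-14T15:35:03Z" level=info msg="task complete" container_id=job-762373268-updater exit_code=0 job_id=762373268 step=updater
LOG

ERROR_LINE = /ERROR <job_(\d+)> Error processing (\S+) \((\w+)\)/ # dependency name + exception class
MSG_LINE   = /ERROR <job_\d+> (.+)$/                              # the ERROR line following it is the message
TABLE_ROW  = /\| (\S+)\s+\| (\S+)\s+\|$/                          # "| AutoMapper    | unknown_error |"
EXIT_LINE  = /msg="task complete".*exit_code=(\d+)/

# Returns { job_id:, exit_code:, failures: [{ name:, error_class:, message:, reason: }] }.
def parse_updater_log(text)
  failures = {}
  job_id = exit_code = pending = nil
  text.each_line do |line|
    if (m = line.match(ERROR_LINE))
      job_id ||= m[1]
      pending = failures[m[2]] = { name: m[2], error_class: m[3], message: nil, reason: nil }
    elsif pending && (m = line.match(MSG_LINE))
      pending[:message] = m[1].strip # only the first ERROR line after "Error processing" is the message
      pending = nil
    elsif (m = line.match(TABLE_ROW))
      (failures[m[1]] ||= { name: m[1], error_class: nil, message: nil, reason: nil })[:reason] = m[2]
    elsif (m = line.match(EXIT_LINE))
      exit_code = m[1].to_i
    end
  end
  { job_id: job_id, exit_code: exit_code, failures: failures.values }
end

# Healthy only when no dependency failed, whatever exit_code the container reported.
def updates_healthy?(text)
  parse_updater_log(text)[:failures].empty?
end
```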

jenivial commented 10 months ago

I have been testing this, first time with dependabot, and I have found that this is failing on /dependabot/common/lib/dependabot/pull_request_creator/message_builder.rb. It seems that it is passing an empty files array, and since it calls first on it, it fails.

      def pr_name_directory
        return "" if files.first.directory == "/"

        " in #{files.first.directory}"
      end

I will try to make a PR, but if someone with more experience takes this it would be great, since I'm actually not sure where these files should be passed.

nicolas63 commented 10 months ago

Same error here (https://github.com/jhipster/jhipster-dotnetcore/network/updates/766570175):

updater | 2023/12/26 12:02:17 INFO <job_766570175> Updating Microsoft.AspNetCore.Components.Authorization, Microsoft.AspNetCore.Components, Microsoft.AspNetCore.Components.WebAssembly, System.Text.Json, Microsoft.AspNetCore.Components.WebAssembly.DevServer, Microsoft.AspNetCore.Components.WebAssembly.Server, Microsoft.AspNetCore.SpaServices.Extensions, Microsoft.AspNetCore.Mvc.NewtonsoftJson, Microsoft.AspNetCore.Authentication.JwtBearer, System.IdentityModel.Tokens.Jwt, Microsoft.AspNetCore.Authentication.OpenIdConnect, Microsoft.AspNetCore.Mvc.Testing
updater | 2023/12/26 12:02:17 INFO <job_766570175> Sending event dcc0fa22990449fab6b200e400edf2f1 to Sentry
  proxy | 2023/12/26 12:02:17 [080] POST https://sentry.io:443/api/1451818/store/
  proxy | 2023/12/26 12:02:17 [080] 200 https://sentry.io:443/api/1451818/store/
updater | 2023/12/26 12:02:17 ERROR <job_766570175> Error processing Microsoft.AspNetCore.Authentication.OpenIdConnect (RuntimeError)
updater | 2023/12/26 12:02:17 ERROR <job_766570175> UpdateChecker found viable dependencies to be updated, but FileUpdater failed to update any files
updater | 2023/12/26 12:02:17 ERROR <job_766570175> /home/dependabot/dependabot-updater/lib/dependabot/updater/operations/update_all_versions.rb:136:in `check_and_create_pull_request'
updater | 2023/12/26 12:02:17 ERROR <job_766570175> /home/dependabot/dependabot-updater/lib/dependabot/updater/operations/update_all_versions.rb:60:in `check_and_create_pr_with_error_handling'
updater | 2023/12/26 12:02:17 ERROR <job_766570175> /home/dependabot/dependabot-updater/lib/dependabot/updater/operations/update_all_versions.rb:35:in `block in perform'
updater | 2023/12/26 12:02:17 ERROR <job_766570175> /home/dependabot/dependabot-updater/lib/dependabot/updater/operations/update_all_versions.rb:35:in `each'
updater | 2023/12/26 12:02:17 ERROR <job_766570175> /home/dependabot/dependabot-updater/lib/dependabot/updater/operations/update_all_versions.rb:35:in `perform'
updater | 2023/12/26 12:02:17 ERROR <job_766570175> /home/dependabot/dependabot-updater/lib/dependabot/updater.rb:64:in `run'
updater | 2023/12/26 12:02:17 ERROR <job_766570175> /home/dependabot/dependabot-updater/lib/dependabot/update_files_command.rb:43:in `perform_job'
updater | 2023/12/26 12:02:17 ERROR <job_766570175> /home/dependabot/dependabot-updater/lib/dependabot/base_command.rb:53:in `run'
updater | 2023/12/26 12:02:17 ERROR <job_766570175> bin/update_files.rb:24:in `<main>'
updater | 2023/12/26 12:02:17 INFO <job_766570175> Checking if Microsoft.AspNetCore.Authentication.JwtBearer 7.0.4 needs updating

Zastai commented 10 months ago

Looks like this is also what's breaking dependabot on all my projects, for example: https://github.com/Zastai/MetaBrainz.MusicBrainz.CoverArt/network/updates/767826561:

updater | /opt/nuget/NuGetUpdater/NuGetUpdater.Cli update --repo-root /home/dependabot/dependabot-updater/repo --solution-or-project /home/dependabot/dependabot-updater/repo/MetaBrainz.MusicBrainz.CoverArt/MetaBrainz.MusicBrainz.CoverArt.csproj --dependency MetaBrainz.Common.Json --new-version 6.0.1 --previous-version 6.0.0  --verbose
...
updater |   No global.json files found.
updater |   No dotnet-tools.json files found.
updater | Running for project [/home/dependabot/dependabot-updater/repo/MetaBrainz.MusicBrainz.CoverArt/MetaBrainz.MusicBrainz.CoverArt.csproj]
updater |   Running for SDK-style project
updater |     Package [MetaBrainz.Common.Json] Does not exist as a dependency in [/home/dependabot/dependabot-updater/repo/MetaBrainz.MusicBrainz.CoverArt/MetaBrainz.MusicBrainz.CoverArt.csproj].
updater | Update complete.
...
updater | 2023/12/29 18:39:16 ERROR <job_767826561> Error processing MetaBrainz.Common.Json (RuntimeError)
updater | 2023/12/29 18:39:16 ERROR <job_767826561> UpdateChecker found viable dependencies to be updated, but FileUpdater failed to update any files
...
updater | 2023/12/29 18:39:17 INFO <job_767826561> Finished job processing
updater | 2023/12/29 18:39:17 INFO Results:
updater | Dependabot encountered '1' error(s) during execution, please check the logs for more details.
updater | +----------------------------------------+
updater | |     Dependencies failed to update      |
updater | +------------------------+---------------+
updater | | MetaBrainz.Common.Json | unknown_error |
updater | +------------------------+---------------+

Now, it is correct that the csproj does not itself contain an updatable reference - but the process should also be looking in any files it includes, implicitly or explicitly - or at the very least, in Directory.Packages.props.

Wasn't the updating previously done using Ruby, just like the scanning is/was? Perhaps there should have been a better spread of test cases for the new implementation...

alexrp commented 10 months ago

Also ran into this in a project where the PackageReference is in a .cproj (a project file for a custom MSBuild SDK of mine, which Dependabot understandably does not support). But the PackageVersion is in Directory.Packages.props, so it should still be able to work.

brettfo commented 6 months ago

There have been some pretty big changes come through the NuGet updater recently; is this an issue that people are still seeing?

Zastai commented 6 months ago

There have been some pretty big changes come through the NuGet updater recently; is this an issue that people are still seeing?

Things seem to have improved; several of my repos had green runs.

Still 2 that continue to fail:

But those are running into issue #8615 instead, not this one.

Zastai commented 6 months ago

Small note though: there seems to be an excessive reliance on the ManagePackageVersionsCentrally property.

If it's present (and set to true), then Directory.Packages.props appears in its own DirectoryPackagesProps section in the JSON info in the log. If it's not present, Directory.Packages.props appears under the Projects section. So its contents do seem to get processed either way.

However, the presence of Directory.Packages.props defaults ManagePackageVersionsCentrally to true, so it's unclear to me why it's picked up differently in that case.

Note: I have not checked what happens when the props file is present, but ManagePackageVersionsCentrally is explicitly set to false. My expectation is that the .NET SDK will not use its contents.

Now as long as Dependabot does the right thing in these circumstances, it doesn't really matter what section of the JSON a file is in; it's just something that stood out.