dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.
https://docs.github.com/en/code-security/dependabot
MIT License

Recently added support .NET assembly binding redirects doesn't appear to be working #8738

Open SaraHelmeIress opened 7 months ago

SaraHelmeIress commented 7 months ago

Is there an existing issue for this?

Package ecosystem

NuGet

Package manager version

No response

Language version

The solution targets .NET 4.7.2

Manifest location and content before the Dependabot update

Relevant snippets of files copied below:

.proj file snippet:

<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="12.0" DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup>
    <Reference Include="Microsoft.AspNetCore.Hosting.Server.Abstractions, Version=2.1.1.0, Culture=neutral, PublicKeyToken=adb9793829ddae60, processorArchitecture=MSIL">
      <HintPath>..\packages\Microsoft.AspNetCore.Hosting.Server.Abstractions.2.1.1\lib\netstandard2.0\Microsoft.AspNetCore.Hosting.Server.Abstractions.dll</HintPath>
    </Reference>
    <Reference Include="Microsoft.AspNetCore.Http.Features, Version=2.1.1.0, Culture=neutral, PublicKeyToken=adb9793829ddae60, processorArchitecture=MSIL">
      <HintPath>..\packages\Microsoft.AspNetCore.Http.Features.2.1.1\lib\netstandard2.0\Microsoft.AspNetCore.Http.Features.dll</HintPath>
    </Reference>
    <Reference Include="Microsoft.Extensions.Configuration.Abstractions, Version=2.1.1.0, Culture=neutral, PublicKeyToken=adb9793829ddae60, processorArchitecture=MSIL">
      <HintPath>..\packages\Microsoft.Extensions.Configuration.Abstractions.2.1.1\lib\netstandard2.0\Microsoft.Extensions.Configuration.Abstractions.dll</HintPath>
    </Reference>
  </ItemGroup>
</Project>

packages.config file snippet:

<?xml version="1.0" encoding="utf-8"?>
<packages>
  <package id="Microsoft.AspNetCore.Hosting.Server.Abstractions" version="2.1.1" targetFramework="net47" />
  <package id="Microsoft.AspNetCore.Http.Features" version="2.1.1" targetFramework="net47" />
  <package id="Microsoft.Extensions.Configuration.Abstractions" version="2.1.1" targetFramework="net47" />
</packages>

app.config file snippet:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <dependentAssembly>
        <assemblyIdentity name="Microsoft.AspNetCore.Http.Features" publicKeyToken="adb9793829ddae60" culture="neutral" />
        <bindingRedirect oldVersion="0.0.0.0-2.1.1.0" newVersion="2.1.1.0" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="Microsoft.Extensions.Configuration.Abstractions" publicKeyToken="adb9793829ddae60" culture="neutral" />
        <bindingRedirect oldVersion="0.0.0.0-2.1.1.0" newVersion="2.1.1.0" />
      </dependentAssembly>
    </assemblyBinding>
  </runtime>
</configuration>

dependabot.yml content

Sensitive data removed and replaced with [text in brackets]

version: 2
registries:
  npm-artifactory:
    type: npm-registry
    url: [Artifactory URL here]
    token: [Artifactory Access Token here]
  nuget-artifactory:
    type: nuget-feed
    url: [Artifactory URL here]
    token: [Artifactory Access Token here]

updates:
  - package-ecosystem: gitsubmodule
    directory: "/"
    schedule:
      interval: daily
      time: "15:00"
      timezone: "Europe/London"
    target-branch: "develop"
    open-pull-requests-limit: 1

  - package-ecosystem: nuget
    directory: "/[project directory here]"
    schedule:
      interval: daily
      time: "15:00"
      timezone: "Europe/London"
    target-branch: "develop"
    open-pull-requests-limit: 1
    registries:
      - nuget-artifactory
    ignore:
      - dependency-name: "*"
        update-types: [ "version-update:semver-major" ]

  - package-ecosystem: npm
    directory: "/[project directory]"
    schedule:
      interval: daily
      time: "15:00"
      timezone: "Europe/London"
    open-pull-requests-limit: 1
    registries:
      - npm-artifactory
    ignore:
      - dependency-name: "*"
        update-types: [ "version-update:semver-major" ]

Updated dependency

Bump Microsoft.AspNetCore.Hosting.Server.Abstractions from 2.1.1 to 2.2.0

What you expected to see, versus what you actually saw

Since the December update (v0.238.0) we were expecting the bindingRedirect dependencies defined in app/web.config to be updated alongside the .proj and packages.config files. We don't believe any additional configuration is required to do this. Please see this existing issue for details; the issue has been closed and I cannot reopen it. This is the PR for that issue.

If we update the dependency using Visual Studio, then the app.config, the .proj file and the packages.config file all get updated correctly (see next section).

When Dependabot runs we see the .proj file and packages.config file get updated, whilst the app.config file is ignored and no updates are made. In addition, we see other dependencies updated to the most recent version rather than to the matching/equivalent version.

Updated .proj file snippet:

<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="12.0" DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup>
    <Reference Include="Microsoft.AspNetCore.Hosting.Server.Abstractions, Version=2.2.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60">
      <HintPath>..\packages\Microsoft.AspNetCore.Hosting.Server.Abstractions.2.2.0\lib\netstandard2.0\Microsoft.AspNetCore.Hosting.Server.Abstractions.dll</HintPath>
      <Private>True</Private>
    </Reference>
    <Reference Include="Microsoft.AspNetCore.Http.Features, Version=5.0.17.0, Culture=neutral, PublicKeyToken=adb9793829ddae60">
      <HintPath>..\packages\Microsoft.AspNetCore.Http.Features.5.0.17\lib\net461\Microsoft.AspNetCore.Http.Features.dll</HintPath>
      <Private>True</Private>
    </Reference>
    <Reference Include="Microsoft.Extensions.Configuration.Abstractions, Version=8.0.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60">
      <HintPath>..\packages\Microsoft.Extensions.Configuration.Abstractions.8.0.0\lib\net462\Microsoft.Extensions.Configuration.Abstractions.dll</HintPath>
      <Private>True</Private>
    </Reference>
    <Reference Include="Microsoft.Extensions.Primitives, Version=8.0.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60">
      <HintPath>..\packages\Microsoft.Extensions.Primitives.8.0.0\lib\net462\Microsoft.Extensions.Primitives.dll</HintPath>
      <Private>True</Private>
    </Reference>
    <Reference Include="System.IO.Pipelines, Version=8.0.0.0, Culture=neutral, PublicKeyToken=cc7b13ffcd2ddd51">
      <HintPath>..\packages\System.IO.Pipelines.8.0.0\lib\net462\System.IO.Pipelines.dll</HintPath>
      <Private>True</Private>
    </Reference>
    <Reference Include="System.Memory, Version=4.0.1.2, Culture=neutral, PublicKeyToken=cc7b13ffcd2ddd51">
      <HintPath>..\packages\System.Memory.4.5.5\lib\net461\System.Memory.dll</HintPath>
      <Private>True</Private>
    </Reference>
    <Reference Include="System.Runtime.CompilerServices.Unsafe, Version=6.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a">
      <HintPath>..\packages\System.Runtime.CompilerServices.Unsafe.6.0.0\lib\net461\System.Runtime.CompilerServices.Unsafe.dll</HintPath>
      <Private>True</Private>
    </Reference>
  </ItemGroup>
</Project>

Updated packages.config file snippet:

<?xml version="1.0" encoding="utf-8"?>
<packages>
  <package id="Microsoft.AspNetCore.Hosting.Server.Abstractions" version="2.2.0" targetFramework="net472" />
  <package id="Microsoft.AspNetCore.Http.Features" version="5.0.17" targetFramework="net472" />
  <package id="Microsoft.Extensions.Configuration.Abstractions" version="8.0.0" targetFramework="net472" />
  <package id="Microsoft.Extensions.Primitives" version="8.0.0" targetFramework="net472" />
  <package id="System.IO.Pipelines" version="8.0.0" targetFramework="net472" />
  <package id="System.Memory" version="4.5.5" targetFramework="net472" />
  <package id="System.Runtime.CompilerServices.Unsafe" version="6.0.0" targetFramework="net472" />
</packages>

Native package manager behavior

Using Visual Studio we see the app.config, .proj and packages.config files all updated as follows:

Updated .proj file snippet:

<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="12.0" DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup>
    <Reference Include="Microsoft.AspNetCore.Hosting.Server.Abstractions, Version=2.2.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60, processorArchitecture=MSIL">
      <HintPath>..\packages\Microsoft.AspNetCore.Hosting.Server.Abstractions.2.2.0\lib\netstandard2.0\Microsoft.AspNetCore.Hosting.Server.Abstractions.dll</HintPath>
    </Reference>
    <Reference Include="Microsoft.AspNetCore.Http.Features, Version=2.2.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60, processorArchitecture=MSIL">
      <HintPath>..\packages\Microsoft.AspNetCore.Http.Features.2.2.0\lib\netstandard2.0\Microsoft.AspNetCore.Http.Features.dll</HintPath>
    </Reference>
    <Reference Include="Microsoft.Extensions.Configuration.Abstractions, Version=2.2.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60, processorArchitecture=MSIL">
      <HintPath>..\packages\Microsoft.Extensions.Configuration.Abstractions.2.2.0\lib\netstandard2.0\Microsoft.Extensions.Configuration.Abstractions.dll</HintPath>
    </Reference>
  </ItemGroup>
</Project>

Updated packages.config file snippet:

<?xml version="1.0" encoding="utf-8"?>
<packages>
  <package id="Microsoft.AspNetCore.Hosting.Server.Abstractions" version="2.2.0" targetFramework="net472" />
  <package id="Microsoft.AspNetCore.Http.Features" version="2.2.0" targetFramework="net472" />
  <package id="Microsoft.Extensions.Configuration.Abstractions" version="2.2.0" targetFramework="net472" />
</packages>

Updated app.config file snippet:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <dependentAssembly>
        <assemblyIdentity name="Microsoft.AspNetCore.Http.Features" publicKeyToken="adb9793829ddae60" culture="neutral" />
        <bindingRedirect oldVersion="0.0.0.0-2.2.0.0" newVersion="2.2.0.0" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="Microsoft.Extensions.Configuration.Abstractions" publicKeyToken="adb9793829ddae60" culture="neutral" />
        <bindingRedirect oldVersion="0.0.0.0-2.2.0.0" newVersion="2.2.0.0" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="Microsoft.AspNetCore.Hosting.Server.Abstractions" publicKeyToken="adb9793829ddae60" culture="neutral" />
        <bindingRedirect oldVersion="0.0.0.0-2.2.0.0" newVersion="2.2.0.0" />
      </dependentAssembly>
    </assemblyBinding>
  </runtime>
</configuration>

Images of the diff or a link to the PR, issue, or logs

No response

Smallest manifest that reproduces the issue

No response
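The mismatch this issue describes (the .csproj Reference bumped, the app.config bindingRedirect left behind) can be caught in CI before the PR is merged. The following check is an added example, not dependabot-core or Visual Studio code; the sample XML is constructed from the Dependabot-updated snippets above, and the function names are this example's own.

```python
"""Flag app.config bindingRedirect entries that disagree with the assembly
versions a .csproj references. Added example, not dependabot-core code; the
sample XML is constructed from the Dependabot-updated snippets in this issue."""
import xml.etree.ElementTree as ET

MSBUILD_NS = "http://schemas.microsoft.com/developer/msbuild/2003"
ASM_NS = "urn:schemas-microsoft-com:asm.v1"

def referenced_versions(csproj_xml):
    """assembly name -> Version= taken from each <Reference Include="..."/>."""
    versions = {}
    for ref in ET.fromstring(csproj_xml).iter(f"{{{MSBUILD_NS}}}Reference"):
        name, *attrs = [p.strip() for p in ref.get("Include", "").split(",")]
        for attr in attrs:
            if attr.startswith("Version="):
                versions[name] = attr[len("Version="):]
    return versions

def redirect_versions(app_config_xml):
    """assembly name -> newVersion from each <dependentAssembly>."""
    redirects = {}
    for dep in ET.fromstring(app_config_xml).iter(f"{{{ASM_NS}}}dependentAssembly"):
        ident = dep.find(f"{{{ASM_NS}}}assemblyIdentity")
        redirect = dep.find(f"{{{ASM_NS}}}bindingRedirect")
        if ident is not None and redirect is not None:
            redirects[ident.get("name")] = redirect.get("newVersion")
    return redirects

def stale_redirects(csproj_xml, app_config_xml):
    """{assembly: (referenced, redirected)} for every mismatch. A redirect to a
    version that is no longer shipped fails assembly binding at runtime, so a
    non-empty result means the package bump is not safe to merge as-is."""
    refs, redirects = referenced_versions(csproj_xml), redirect_versions(app_config_xml)
    return {n: (refs[n], redirects[n]) for n in refs
            if n in redirects and refs[n] != redirects[n]}

# Constructed sample: the .csproj after Dependabot's bump, app.config untouched.
CSPROJ = f'''<Project xmlns="{MSBUILD_NS}"><ItemGroup>
  <Reference Include="Microsoft.AspNetCore.Http.Features, Version=5.0.17.0, Culture=neutral, PublicKeyToken=adb9793829ddae60" />
  <Reference Include="Microsoft.AspNetCore.Hosting.Server.Abstractions, Version=2.2.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60" />
</ItemGroup></Project>'''
APP_CONFIG = f'''<configuration><runtime><assemblyBinding xmlns="{ASM_NS}">
  <dependentAssembly>
    <assemblyIdentity name="Microsoft.AspNetCore.Http.Features" publicKeyToken="adb9793829ddae60" culture="neutral" />
    <bindingRedirect oldVersion="0.0.0.0-2.1.1.0" newVersion="2.1.1.0" />
  </dependentAssembly>
</assemblyBinding></runtime></configuration>'''
```

For a real repository, read the .csproj and app.config (or web.config) contents and pass them to stale_redirects; fail the build when the result is non-empty.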

marco-carvalho commented 4 months ago

Is there any progress on this issue? Right now I can't merge Dependabot PRs in .NET Framework repos because of this inconsistency in assemblyBinding.

mmoreno79 commented 3 months ago

We are managing a legacy project in .NET Framework as well and are experiencing the same issue. It looks like this has been moved to planned, but I wasn't sure what to expect next. Is there going to be a fix for this?

rhyskoedijk commented 1 month ago

This issue would be fixed by https://github.com/dependabot/dependabot-core/pull/10110, please upvote the PR if this still impacts your .NET Framework projects.