dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.
https://docs.github.com/en/code-security/dependabot
MIT License

Dependabot not finding all instances of package upgrades in .NET solution #9088

Open matt-mckinstry-cloudm opened 6 months ago

matt-mckinstry-cloudm commented 6 months ago

Is there an existing issue for this?

Package ecosystem

Nuget

Package manager version

No response

Language version

.NET 8

Manifest location and content before the Dependabot update

Example of Filesystem/Project structure:

dependabot.yml content

Updated dependency

XUnit 2.6.6 -> 2.7.0. However, this happens with all dependencies.

What you expected to see, versus what you actually saw

My 4 Test projects in the structure attached all use XUnit (happens for other dependencies too). Dependabot has detected a package upgrade from 2.6.6 -> 2.7.0 and created a PR for the change, which is great. However, it has only 2 of the Test project csproj files in the PR. It has not found the package reference upgrades in the other 2 of my csproj projects. The projects are all referenced correctly from the solution file.

Native package manager behavior

Update is possible to consolidate across all projects

Images of the diff or a link to the PR, issue, or logs

No response

Smallest manifest that reproduces the issue

No response

redbaty commented 6 months ago

This seems to be happening to me as well:

https://github.com/redbaty/Wasari/pull/79

Dependabot found the correct packages to update, yet the commit only changes one csproj: https://github.com/redbaty/Wasari/pull/79/commits/c0d3cbb6afcb5fcb05a23c6afc5eea43f8142db9

IEvangelist commented 6 months ago

Yes, I'm experiencing the same (or similar) issue. In one of my repos, dependabot claims to update three packages, but actually only updates a single package - the last one mentioned:

Here's my dependabot.yml:

# To get started with Dependabot version updates, you'll need to specify which
# package ecosystems to update and where the package manifests are located.
# Please see the documentation for all configuration options:
# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file

version: 2
updates:
  - package-ecosystem: "github-actions" # Core GitHub Actions
    directory: "/"
    schedule:
      interval: "weekly"
      day: "wednesday"
  - package-ecosystem: "nuget"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "wednesday"
    open-pull-requests-limit: 5
    groups:
      # Group .NET updates together for solutions.
      dotnet:
        patterns:
          - "*" # Prefer a single PR per solution update.

IshakAtLEGO commented 6 months ago

I have the same issue - dependabot PR groups several package changes but only the last package in the list is changed. My dependabot.yml file:

# To get started with Dependabot version updates, you'll need to specify which
# package ecosystems to update and where the package manifests are located.
# Please see the documentation for all configuration options:
# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates

version: 2
updates:
  # Enable version updates for nuget 
  - package-ecosystem: "nuget"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
        major: 
          patterns:
          - "*"
          update-types: ["major"]
        minor:
          patterns:
          - "*"
          update-types: 
          - "minor"
          - "patch"

IEvangelist commented 6 months ago

I have again experienced the same issue. Here's a PR once more that claims to upgrade two NuGet packages, yet it only actually upgraded the last one it mentions in the PR. Please help!

https://github.com/IEvangelist/profanity-filter/pull/17

IEvangelist commented 6 months ago

Same issue here, this reports that it upgrades three NuGet packages:

Updates Microsoft.DotNet.Arcade.Sdk from 8.0.0-beta.24123.1 to 8.0.0-beta.24151.4
Updates Microsoft.DotNet.Helix.Sdk from 8.0.0-beta.24123.1 to 8.0.0-beta.24151.4
Updates Microsoft.DotNet.SharedFramework.Sdk from 8.0.0-beta.24123.1 to 8.0.0-beta.24151.4

But this only updates the last one mentioned:

image

IEvangelist commented 5 months ago

This seems fixed now... Thanks!

matt-mckinstry-cloudm commented 5 months ago

Still happening in our most recent Dependabot PRs

abdulapopoola commented 4 months ago

Tagging @brettfo

brettfo commented 4 months ago

@matt-mckinstry-cloudm do you have a public repo that has this problem? There's likely some issue between the projects and/or packages that dependabot isn't handling correctly.

watfordsuzy commented 1 month ago

We're seeing this as well, but unfortunately a private GH repo connecting to a private AzDO artifacts connection.

Symptoms:

EDIT 0: Bizarre finding in the Dependabot log:

...
    {
      "FilePath": "ProjectABC/ProjectABC.csproj",
      "Dependencies": [
...
        {
          "Name": "Suzy.ABC.XYZ",
          "Version": "1.17.25",
          "Type": "PackageReference",
          "EvaluationResult": {
            "ResultType": "Success",
            "OriginalValue": "1.17.25",
            "EvaluatedValue": "1.17.25",
            "RootPropertyName": null,
            "ErrorMessage": null
          },
          "TargetFrameworks": [
            "net8.0"
          ],
          "IsDevDependency": false,
          "IsDirect": true,
          "IsTransitive": false,
          "IsOverride": false,
          "IsUpdate": false,
          "InfoUrl": null
        },
...
 STDERR: 

    Package [Suzy.ABC.XYZ] Does not exist as a dependency in [/home/dependabot/dependabot-updater/repo/path/to/ProjectABC/ProjectABC.csproj].
Update complete.
  Writing update result to [/tmp/update-result.json].
updater | 2024/07/17 19:40:03 INFO <job_857193570> update result: {
  "ErrorType": null,
  "ErrorDetails": null
}

And when you open ProjectABC.csproj:

<Project Sdk="Microsoft.NET.Sdk.Web">

  <PropertyGroup>
... boring property group things
  </PropertyGroup>

  <ItemGroup>
... project references
  </ItemGroup>

  <ItemGroup>
...
    <PackageReference Include="Suzy.ABC.XYZ" Version="1.17.25" />
...
  </ItemGroup>

  <Target Name="PostBuild" AfterTargets="PostBuildEvent">
... copy some shared libs to the target directory
  </Target>

</Project>

EDIT 1: Another dependabot run failed and it makes even less sense. From the log:

...
updater | 2024/07/18 19:54:02 INFO <job_857699013> Checking if Suzy.ABC.XYZ 1.17.25 needs updating
  proxy | 2024/07/18 19:54:02 [640] GET [https://pkgs.dev.azure.c.../nuget/v3/index.json)
  proxy | 2024/07/18 19:54:02 [640] * authenticating nuget feed request (host: pkgs.dev.azure.com, basic auth)
  proxy | 2024/07/18 19:54:02 [640] 200 [https://pkgs.dev.azure.c.../nuget/v3/index.json)
  proxy | 2024/07/18 19:54:02 [644] GET [https://pkgs.dev.azure.c.../nuget/v3/registrations2/suzy.abc.xyz/index.json)
2024/07/18 19:54:02 [644] * authenticating nuget feed request (host: pkgs.dev.azure.com, basic auth)
  proxy | 2024/07/18 19:54:02 [644] 200 [https://pkgs.dev.azure.c.../index.json)
  proxy | 2024/07/18 19:54:02 [646] GET [https://pkgs.dev.azure.c.../suzy.abc.xyz.nuspec)
  proxy | 2024/07/18 19:54:02 [646] * authenticating nuget feed request (host: pkgs.dev.azure.com, basic auth)
  proxy | 2024/07/18 19:54:02 [646] 200 [https://pkgs.dev.azure.c.../suzy.abc.xyz/1.17.25/suzy.abc.xyz.nuspec)
updater | 2024/07/18 19:54:02 INFO <job_857699013> Latest version is 1.17.43
updater | 2024/07/18 19:54:02 INFO <job_857699013> Requirements to unlock all
updater | 2024/07/18 19:54:02 INFO <job_857699013> Requirements update strategy 
updater | Finding updated dependencies for Suzy.ABC.XYZ.
  proxy | 2024/07/18 19:54:03 [648] GET [https://pkgs.dev.azure.c.../suzy.abc.xyz/1.17.43/suzy.abc.xyz.nuspec)
  proxy | 2024/07/18 19:54:03 [648] * authenticating nuget feed request (host: pkgs.dev.azure.com, basic auth)
  proxy | 2024/07/18 19:54:03 [648] 200 [https://pkgs.dev.azure.c...suzy.abc.xyz/1.17.43/suzy.abc.xyz.nuspec)
...
/tmp/package-dependency-resolution_diNPqP/Project.csproj : error NU1102: Unable to find package Suzy.ABC.XYZ with version (= 1.17.43)
/tmp/package-dependency-resolution_diNPqP/Project.csproj : error NU1102:   - Found 30 version(s) in nuget_source_1 [ Nearest version: 1.17.42 ]
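
The reports above share one verification gap: the PR description lists packages and versions, but nobody can easily tell which csproj files in the solution reference the package and should therefore appear in the diff. The following script is an added example for this thread, not Dependabot's own code. It walks a .sln, parses every csproj it lists, reports each project's PackageReference version for a given package id (case-insensitive, as NuGet ids are), and then lists the referencing projects that a PR's changed-file set did not touch. It also flags versions written as an MSBuild property such as `$(XunitVersion)`, because those need property evaluation (the discovery JSON above shows Dependabot performs one, see `EvaluationResult` and `RootPropertyName`) before a literal version can be compared. The sample solution, project names and versions are constructed for the demonstration and are not from the reporters' repositories.

```python
"""Audit which projects in a .NET solution reference a NuGet package.

Added illustration for the Dependabot issue thread; it is not Dependabot's
code. The sample solution written by build_sample_solution() is constructed.
"""
from __future__ import annotations

import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# A project entry in a .sln: Project("{type-guid}") = "Name", "rel\path.csproj", "{guid}"
_SLN_PROJECT_RE = re.compile(
    r'^Project\("\{[0-9A-Fa-f-]+\}"\)\s*=\s*"[^"]*",\s*"([^"]+)"', re.MULTILINE
)


def _local(tag: str) -> str:
    """Strip an XML namespace so legacy (namespaced) and SDK-style csproj both parse."""
    return tag.rsplit("}", 1)[-1]


def projects_in_solution(sln_path: Path) -> list[str]:
    """Return the csproj paths listed in the solution, relative to it, POSIX-style."""
    text = sln_path.read_text(encoding="utf-8")
    projects = []
    for match in _SLN_PROJECT_RE.finditer(text):
        rel = match.group(1).replace("\\", "/")  # .sln files use Windows separators
        if rel.lower().endswith(".csproj"):
            projects.append(rel)
    return projects


def package_references(csproj: Path) -> dict[str, str]:
    """Map lower-cased package id -> version for every PackageReference in a project.

    The version may be a Version attribute or a child <Version> element. A value
    like "$(XunitVersion)" is returned unevaluated; MSBuild property evaluation
    is out of scope here and such entries are surfaced by property_driven().
    """
    root = ET.parse(csproj).getroot()
    refs: dict[str, str] = {}
    for elem in root.iter():
        if _local(elem.tag) != "PackageReference" or not elem.get("Include"):
            continue
        version = elem.get("Version")
        if version is None:
            child = next((c for c in elem if _local(c.tag) == "Version"), None)
            version = child.text.strip() if child is not None and child.text else ""
        refs[elem.get("Include").lower()] = version
    return refs


def audit(sln_path: Path, package_id: str) -> dict[str, str | None]:
    """Project (relative to the .sln) -> version of package_id, or None if not referenced."""
    wanted = package_id.lower()
    return {
        rel: package_references(sln_path.parent / rel).get(wanted)
        for rel in projects_in_solution(sln_path)
    }


def unchanged_references(audit_result: dict[str, str | None], changed_files) -> list[str]:
    """Projects that reference the package but are absent from a PR's changed-file list."""
    changed = {Path(f).as_posix() for f in changed_files}
    return sorted(p for p, v in audit_result.items() if v is not None and p not in changed)


def property_driven(audit_result: dict[str, str | None]) -> list[str]:
    """Projects whose version is an MSBuild property rather than a literal."""
    return sorted(p for p, v in audit_result.items() if v and "$(" in v)


def build_sample_solution() -> Path:
    """Write a constructed four-project solution to a temp dir and return the .sln path."""
    root = Path(tempfile.mkdtemp(prefix="sln-audit-"))
    projects = {  # constructed sample: three test projects reference xunit, one app does not
        "tests/A.Tests/A.Tests.csproj": '<PackageReference Include="xunit" Version="2.6.6" />',
        "tests/B.Tests/B.Tests.csproj": '<PackageReference Include="XUnit"><Version>2.6.6</Version></PackageReference>',
        "tests/C.Tests/C.Tests.csproj": '<PackageReference Include="xunit" Version="$(XunitVersion)" />',
        "src/App/App.csproj": '<PackageReference Include="Newtonsoft.Json" Version="13.0.3" />',
    }
    sln_lines = []
    for rel, item in projects.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(
            '<Project Sdk="Microsoft.NET.Sdk">\n  <ItemGroup>\n    %s\n  </ItemGroup>\n</Project>\n' % item,
            encoding="utf-8",
        )
        sln_lines.append(
            'Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "%s", "%s", '
            '"{00000000-0000-0000-0000-000000000000}"\nEndProject' % (path.stem, rel.replace("/", "\\"))
        )
    sln = root / "Sample.sln"
    sln.write_text("\n".join(sln_lines) + "\n", encoding="utf-8")
    return sln


if __name__ == "__main__":
    sln = build_sample_solution()
    found = audit(sln, "xunit")
    for project, version in found.items():
        print(f"{project}: {version}")
    print("not in PR:", unchanged_references(found, ["tests/A.Tests/A.Tests.csproj"]))
    print("property-driven:", property_driven(found))
```

Run it against a real repository with `audit(Path("MySolution.sln"), "xunit")` and pass the PR's changed-file list to `unchanged_references()`; any project it returns is one the PR should have touched, which is the concrete evidence the maintainers asked for in this thread.
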

matt-mckinstry-cloudm commented 1 month ago

@matt-mckinstry-cloudm do you have a public repo that has this problem? There's likely some issue between the projects and/or packages that dependabot isn't handling correctly.

Apologies, I'm only seeing this now. No, our repos are all private, unfortunately.