dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.
https://docs.github.com/en/code-security/dependabot
MIT License

No longer able to update multiple nuget packages in a group #9288

Open xt0rted opened 6 months ago

xt0rted commented 6 months ago

Is there an existing issue for this?

Package ecosystem

nuget

Package manager version

No response

Language version

.NET SDK 8.0.202

Manifest location and content before the Dependabot update

https://github.com/xt0rted/dotnet-startup-projects/blob/aeee53717e182c592fec1ff5eda214fed7e7d1a7/test/Tests.csproj

<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <RootNamespace>StartupProjects</RootNamespace>
  </PropertyGroup>

  <ItemGroup>
    <Content Include="xunit.runner.json">
      <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
    </Content>
  </ItemGroup>

  <ItemGroup>
    <Using Include="Shouldly" />
    <Using Include="System.CommandLine" />
    <Using Include="System.CommandLine.Invocation" />
    <Using Include="System.CommandLine.IO" />
    <Using Include="System.CommandLine.Rendering" />
    <Using Include="Xunit" />
  </ItemGroup>

  <ItemGroup>
    <PackageReference Include="GitHubActionsTestLogger" Version="2.3.3">
      <PrivateAssets>all</PrivateAssets>
      <IncludeAssets>runtime; build; native; contentfiles; analyzers</IncludeAssets>
    </PackageReference>
    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.9.0" />
    <PackageReference Include="Shouldly" Version="4.2.1" />
    <PackageReference Include="Verify.Xunit" Version="20.8.2" />
    <PackageReference Include="xunit" Version="2.6.6" />
    <PackageReference Include="xunit.runner.visualstudio" Version="2.5.6">
      <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
      <PrivateAssets>all</PrivateAssets>
    </PackageReference>
  </ItemGroup>

  <ItemGroup>
    <ProjectReference Include="..\src\startup-projects.csproj" />
  </ItemGroup>

</Project>

dependabot.yml content

https://github.com/xt0rted/dotnet-startup-projects/blob/main/.github/dependabot.yml

version: 2

updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      github-actions:
        patterns:
          - "actions/*"
          - "github/*"
      my-actions:
        patterns:
          - "xt0rted/*"

  - package-ecosystem: "npm"
    directory: "/"
    versioning-strategy: "increase"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 99

  - package-ecosystem: "nuget"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      analyzers:
        patterns:
          - "IDisposableAnalyzers"
          - "Roslynator.*"
      dotnet:
        patterns:
          - "Microsoft.Extensions.*"
          - "Microsoft.SourceLink.GitHub"
      system-commandline:
        patterns:
          - "System.CommandLine"
          - "System.CommandLine.*"
      testing:
        patterns:
          - "GitHubActionsTestLogger"
          - "Microsoft.NET.Test.Sdk"
          - "Shouldly"
          - "Verify.Xunit"
          - "xunit"
          - "xunit.*"

Updated dependency

The update should have made the following changes:

Package From To
Verify.Xunit 20.8.2 23.5.0
xunit 2.6.6 2.7.0
xunit.runner.visualstudio 2.5.6 2.5.7

What you expected to see, versus what you actually saw

A PR should have been opened; instead, the dependabot run failed with multiple errors. With the old non-.NET-based updater this would have opened a PR. Since the new version is using the dotnet CLI/NuGet, it's not possible because it's doing one at a time and there's a mismatch between their versions. But if they're updated in a group, as the VS GUI does or by hand-editing the file, then it works just fine.

This is the PR that was opened but which doesn't build: https://github.com/xt0rted/dotnet-startup-projects/pull/167

https://github.com/xt0rted/dotnet-startup-projects/network/updates/799629162

updater |   Updating dotnet-tools.json files.
updater |     Dependency [Verify.Xunit] not found in any dotnet-tools.json files.
updater | Running for project file [test/Tests.csproj]
updater | Updating project [/home/dependabot/dependabot-updater/repo/src/startup-projects.csproj]
updater |   Updating [global.json] file.
updater |     Dependency [Verify.Xunit] not found.
updater |   Running for SDK-style project
updater |     Package [Verify.Xunit] Does not exist as a dependency in [/home/dependabot/dependabot-updater/repo/src/startup-projects.csproj].
updater | Update complete.
updater | Updating project [/home/dependabot/dependabot-updater/repo/test/Tests.csproj]
updater |   Running for SDK-style project
updater |     Found incorrect [PackageReference] version attribute in [test/Tests.csproj].
updater | dotnet build in GetAllPackageDependenciesAsync failed. STDOUT: MSBuild version 17.9.6+a4ecab324 for .NET
updater |   Determining projects to restore...
updater | /tmp/package-dependency-resolution_ZOYY5B/Project.csproj : error NU1107: Version conflict detected for xunit.extensibility.core. Install/reference xunit.extensibility.core 2.7.0 directly to project Project to resolve this issue. 
updater | /tmp/package-dependency-resolution_ZOYY5B/Project.csproj : error NU1107:  Project -> Verify.Xunit 23.5.0 -> xunit.extensibility.execution 2.7.0 -> xunit.extensibility.core (= 2.7.0) 
updater | /tmp/package-dependency-resolution_ZOYY5B/Project.csproj : error NU1107:  Project -> xunit 2.6.6 -> xunit.core 2.6.6 -> xunit.extensibility.core (= 2.6.6).
updater |   Failed to restore /tmp/package-dependency-resolution_ZOYY5B/Project.csproj (in 385 ms).
updater | 
updater | Build FAILED.
updater | 
updater | /tmp/package-dependency-resolution_ZOYY5B/Project.csproj : error NU1107: Version conflict detected for xunit.extensibility.core. Install/reference xunit.extensibility.core 2.7.0 directly to project Project to resolve this issue. 
updater | /tmp/package-dependency-resolution_ZOYY5B/Project.csproj : error NU1107:  Project -> Verify.Xunit 23.5.0 -> xunit.extensibility.execution 2.7.0 -> xunit.extensibility.core (= 2.7.0) 
updater | /tmp/package-dependency-resolution_ZOYY5B/Project.csproj : error NU1107:  Project -> xunit 2.6.6 -> xunit.core 2.6.6 -> xunit.extensibility.core (= 2.6.6).
updater |     0 Warning(s)
updater |     1 Error(s)
updater |   Updating dotnet-tools.json files.
updater |     Dependency [xunit] not found in any dotnet-tools.json files.
updater | Running for project file [test/Tests.csproj]
updater | Updating project [/home/dependabot/dependabot-updater/repo/src/startup-projects.csproj]
updater |   Updating [global.json] file.
updater |     Dependency [xunit] not found.
updater |   Running for SDK-style project
updater |     Package [xunit] Does not exist as a dependency in [/home/dependabot/dependabot-updater/repo/src/startup-projects.csproj].
updater | Update complete.
updater | Updating project [/home/dependabot/dependabot-updater/repo/test/Tests.csproj]
updater |   Running for SDK-style project
updater | dotnet build in GetAllPackageDependenciesAsync failed. STDOUT: MSBuild version 17.9.6+a4ecab324 for .NET
updater |   Determining projects to restore...
updater | /tmp/package-dependency-resolution_yuAJio/Project.csproj : error NU1107: Version conflict detected for xunit.extensibility.core. Install/reference xunit.extensibility.core 2.7.0 directly to project Project to resolve this issue. 
updater | /tmp/package-dependency-resolution_yuAJio/Project.csproj : error NU1107:  Project -> Verify.Xunit 23.5.0 -> xunit.extensibility.execution 2.7.0 -> xunit.extensibility.core (= 2.7.0) 
updater | /tmp/package-dependency-resolution_yuAJio/Project.csproj : error NU1107:  Project -> xunit 2.6.6 -> xunit.core 2.6.6 -> xunit.extensibility.core (= 2.6.6).
updater |   Failed to restore /tmp/package-dependency-resolution_yuAJio/Project.csproj (in 365 ms).
updater | 
updater | Build FAILED.
updater | 
updater | /tmp/package-dependency-resolution_yuAJio/Project.csproj : error NU1107: Version conflict detected for xunit.extensibility.core. Install/reference xunit.extensibility.core 2.7.0 directly to project Project to resolve this issue. 
updater | /tmp/package-dependency-resolution_yuAJio/Project.csproj : error NU1107:  Project -> Verify.Xunit 23.5.0 -> xunit.extensibility.execution 2.7.0 -> xunit.extensibility.core (= 2.7.0) 
updater | /tmp/package-dependency-resolution_yuAJio/Project.csproj : error NU1107:  Project -> xunit 2.6.6 -> xunit.core 2.6.6 -> xunit.extensibility.core (= 2.6.6).
updater |     0 Warning(s)
updater |     1 Error(s)
updater | 
updater | Time Elapsed 00:00:01.50
updater | 
updater |  STDERR: 
updater | 
updater |     Package [xunit] Does not exist as a dependency in [/home/dependabot/dependabot-updater/repo/test/Tests.csproj].
updater | Update complete.
updater | 2024/03/13 20:20:10 ERROR <job_799629162> Error processing xunit (Dependabot::DependabotError)
updater | 2024/03/13 20:20:10 ERROR <job_799629162> FileUpdater failed
updater | 2024/03/13 20:20:10 ERROR <job_799629162> /home/dependabot/dependabot-updater/lib/dependabot/dependency_change_builder.rb:69:in `run'
updater | 2024/03/13 20:20:10 ERROR <job_799629162> /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/sorbet-runtime-0.5.11193/lib/types/private/methods/call_validation_2_7.rb:59:in `bind_call'
updater | 2024/03/13 20:20:10 ERROR <job_799629162> /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/sorbet-runtime-0.5.11193/lib/types/private/methods/call_validation_2_7.rb:59:in `block in create_validator_method_fast0'
updater | 2024/03/13 20:20:10 ERROR <job_799629162> /home/dependabot/dependabot-updater/lib/dependabot/dependency_change_builder.rb:42:in `create_from'
updater | 2024/03/13 20:20:10 ERROR <job_799629162> /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/sorbet-runtime-0.5.11193/lib/types/private/methods/call_validation.rb:169:in `bind_call'
updater | 2024/03/13 20:20:10 ERROR <job_799629162> /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/sorbet-runtime-0.5.11193/lib/types/private/methods/call_validation.rb:169:in `validate_call_skip_block_type'
updater | 2024/03/13 20:20:10 ERROR <job_799629162> /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/sorbet-runtime-0.5.11193/lib/types/private/methods/call_validation.rb:111:in `block in create_validator_slow_skip_block_type'
updater | 2024/03/13 20:20:10 ERROR <job_799629162> /home/dependabot/dependabot-updater/lib/dependabot/updater/group_update_creation.rb:114:in `create_change_for'
updater | 2024/03/13 20:20:10 ERROR <job_799629162> /home/dependabot/dependabot-updater/lib/dependabot/updater/group_update_creation.rb:72:in `block in compile_all_dependency_changes_for'
updater | 2024/03/13 20:20:10 ERROR <job_799629162> /home/dependabot/dependabot-updater/lib/dependabot/updater/group_update_creation.rb:38:in `each'
updater | 2024/03/13 20:20:10 ERROR <job_799629162> /home/dependabot/dependabot-updater/lib/dependabot/updater/group_update_creation.rb:38:in `compile_all_dependency_changes_for'
updater | 2024/03/13 20:20:10 ERROR <job_799629162> /home/dependabot/dependabot-updater/lib/dependabot/updater/operations/create_group_update_pull_request.rb:70:in `dependency_change'
updater | 2024/03/13 20:20:10 ERROR <job_799629162> /home/dependabot/dependabot-updater/lib/dependabot/updater/operations/create_group_update_pull_request.rb:44:in `perform'
updater | 2024/03/13 20:20:10 ERROR <job_799629162> /home/dependabot/dependabot-updater/lib/dependabot/updater/operations/group_update_all_versions.rb:127:in `run_update_for'
updater | 2024/03/13 20:20:10 ERROR <job_799629162> /home/dependabot/dependabot-updater/lib/dependabot/updater/operations/group_update_all_versions.rb:109:in `block in run_grouped_dependency_updates'
updater | 2024/03/13 20:20:10 ERROR <job_799629162> /home/dependabot/dependabot-updater/lib/dependabot/updater/operations/group_update_all_versions.rb:108:in `each'
updater | 2024/03/13 20:20:10 ERROR <job_799629162> /home/dependabot/dependabot-updater/lib/dependabot/updater/operations/group_update_all_versions.rb:108:in `run_grouped_dependency_updates'
updater | 2024/03/13 20:20:10 ERROR <job_799629162> /home/dependabot/dependabot-updater/lib/dependabot/updater/operations/group_update_all_versions.rb:55:in `perform'
updater | 2024/03/13 20:20:10 ERROR <job_799629162> /home/dependabot/dependabot-updater/lib/dependabot/updater.rb:45:in `run'
updater | 2024/03/13 20:20:10 ERROR <job_799629162> /home/dependabot/dependabot-updater/lib/dependabot/update_files_command.rb:44:in `block in perform_job'
updater | 2024/03/13 20:20:10 ERROR <job_799629162> /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/opentelemetry-api-1.2.3/lib/opentelemetry/trace/tracer.rb:37:in `block in in_span'
updater | 2024/03/13 20:20:10 ERROR <job_799629162> /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/opentelemetry-api-1.2.3/lib/opentelemetry/trace.rb:70:in `block in with_span'
updater | 2024/03/13 20:20:10 ERROR <job_799629162> /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/opentelemetry-api-1.2.3/lib/opentelemetry/context.rb:87:in `with_value'
updater | 2024/03/13 20:20:10 ERROR <job_799629162> /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/opentelemetry-api-1.2.3/lib/opentelemetry/trace.rb:70:in `with_span'
updater | 2024/03/13 20:20:10 ERROR <job_799629162> /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/opentelemetry-api-1.2.3/lib/opentelemetry/trace/tracer.rb:37:in `in_span'
updater | 2024/03/13 20:20:10 ERROR <job_799629162> /home/dependabot/dependabot-updater/lib/dependabot/update_files_command.rb:18:in `perform_job'
updater | 2024/03/13 20:20:10 ERROR <job_799629162> /home/dependabot/dependabot-updater/lib/dependabot/base_command.rb:37:in `run'
updater | 2024/03/13 20:20:10 ERROR <job_799629162> bin/update_files.rb:33:in `<main>'

Native package manager behavior

Updating these 3 packages together via the Visual Studio UI works without any issue or warnings; the same is true for hand-editing the project file and then doing dotnet restore or dotnet build.

I'm not sure how to do this with the default dotnet CLI because dotnet add package ... only works with one at a time, while tools like dotnet-outdated work with multiple at a time but aren't official or included in the SDK.

Images of the diff or a link to the PR, issue, or logs

No response

Smallest manifest that reproduces the issue

<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <TargetFramework>net8.0</TargetFramework>
  </PropertyGroup>

  <ItemGroup>
    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.9.0" />
    <PackageReference Include="Verify.Xunit" Version="20.8.2" />
    <PackageReference Include="xunit" Version="2.6.6" />
    <PackageReference Include="xunit.runner.visualstudio" Version="2.5.6">
      <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
      <PrivateAssets>all</PrivateAssets>
    </PackageReference>
  </ItemGroup>

</Project>

xt0rted commented 4 months ago

I'm still hitting this in all of my repos when my testing group tries to update (it's come up in other groups too, but this is the one it consistently happens in). The issue seems to be due to Verify.Xunit needing a higher version of xunit than is installed, but xunit should be updated as part of this group update, so 🤷

updater | dotnet build in GetAllPackageDependenciesAsync failed. STDOUT: MSBuild version 17.9.6+a4ecab324 for .NET
updater |   Determining projects to restore...
updater | /tmp/package-dependency-resolution_IWgzgy/Project.csproj : error NU1107: Version conflict detected for xunit.extensibility.core. Install/reference xunit.extensibility.core 2.7.1 directly to project Project to resolve this issue. 
updater | /tmp/package-dependency-resolution_IWgzgy/Project.csproj : error NU1107:  Project -> Verify.Xunit 24.1.0 -> xunit.extensibility.execution 2.7.1 -> xunit.extensibility.core (= 2.7.1) 
updater | /tmp/package-dependency-resolution_IWgzgy/Project.csproj : error NU1107:  Project -> xunit 2.7.0 -> xunit.core 2.7.0 -> xunit.extensibility.core (= 2.7.0).
updater |   Failed to restore /tmp/package-dependency-resolution_IWgzgy/Project.csproj (in 386 ms).
updater | 
updater | Build FAILED.
updater | 
updater | /tmp/package-dependency-resolution_IWgzgy/Project.csproj : error NU1107: Version conflict detected for xunit.extensibility.core. Install/reference xunit.extensibility.core 2.7.1 directly to project Project to resolve this issue. 
updater | /tmp/package-dependency-resolution_IWgzgy/Project.csproj : error NU1107:  Project -> Verify.Xunit 24.1.0 -> xunit.extensibility.execution 2.7.1 -> xunit.extensibility.core (= 2.7.1) 
updater | /tmp/package-dependency-resolution_IWgzgy/Project.csproj : error NU1107:  Project -> xunit 2.7.0 -> xunit.core 2.7.0 -> xunit.extensibility.core (= 2.7.0).
updater |     0 Warning(s)
updater |     1 Error(s)
updater | 
updater | Time Elapsed 00:00:01.44

Something else that's annoying about this is that unless I look in the dependabot run logs I have no idea there was even an issue and packages were skipped over. I feel like, along with a list of the packages updated, there should also be a list of packages with issues so you can see that info immediately and know that things are out of date and need attention. Sometimes packages are skipped over like this and the PR builds and is merged without anyone even realizing 3 other packages haven't been updated for the last 2 months, because there are errors in the log but nothing in the PR and no alerts anywhere on the site about it.
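
As an added example (not Dependabot's code and not from the thread's participants), the script below parses the NU1107 dependency paths and the updater's "Error processing" lines quoted in this issue, then reports which direct packages are pinned below the version a group member now requires (so must be bumped in the same PR) and which packages the updater skipped. The log excerpt is constructed from the lines in this issue; the function names are this example's own.

```python
"""Surface NU1107 version conflicts and skipped packages from a Dependabot
updater log, so that silently skipped group members become visible.
Added example for this issue thread, not Dependabot code."""
import re
from collections import defaultdict

# Constructed excerpt of the updater output quoted in the issue.
SAMPLE_LOG = """\
updater | /tmp/package-dependency-resolution_ZOYY5B/Project.csproj : error NU1107: Version conflict detected for xunit.extensibility.core. Install/reference xunit.extensibility.core 2.7.0 directly to project Project to resolve this issue. 
updater | /tmp/package-dependency-resolution_ZOYY5B/Project.csproj : error NU1107:  Project -> Verify.Xunit 23.5.0 -> xunit.extensibility.execution 2.7.0 -> xunit.extensibility.core (= 2.7.0) 
updater | /tmp/package-dependency-resolution_ZOYY5B/Project.csproj : error NU1107:  Project -> xunit 2.6.6 -> xunit.core 2.6.6 -> xunit.extensibility.core (= 2.6.6).
updater | 2024/03/13 20:20:10 ERROR <job_799629162> Error processing xunit (Dependabot::DependabotError)
"""

# A dependency path line: "NU1107:  Project -> A 1.0 -> B 2.0 -> C (= 2.0)."
PATH_RE = re.compile(r"NU1107:\s+Project -> (.+?)\.?\s*$")
# One hop: "Verify.Xunit 23.5.0" or "xunit.extensibility.core (= 2.7.0)"
HOP_RE = re.compile(r"^(\S+) (?:\(= )?([\d.]+)\)?$")
# The updater's own marker for a package it gave up on.
SKIPPED_RE = re.compile(r"Error processing (\S+) \(Dependabot::")


def parse_version(v):
    """Numeric-only NuGet version to a comparable tuple (no pre-release handling)."""
    return tuple(int(p) for p in v.split("."))


def parse_conflicts(log):
    """Map conflicted transitive package -> [(direct_pkg, direct_ver, required_ver)]."""
    conflicts = defaultdict(list)
    for line in log.splitlines():
        m = PATH_RE.search(line)
        if not m:
            continue
        hops = [HOP_RE.match(h.strip()) for h in m.group(1).split(" -> ")]
        if len(hops) < 2 or not all(hops):
            continue  # malformed path; ignore rather than misreport
        direct, leaf = hops[0], hops[-1]
        conflicts[leaf.group(1)].append((direct.group(1), direct.group(2), leaf.group(2)))
    return dict(conflicts)


def joint_update_plan(log):
    """For each conflicted package, the version it must resolve to and the
    direct packages still pinned below it (they need bumping together)."""
    plan = {}
    for shared, paths in parse_conflicts(log).items():
        target = max((req for _, _, req in paths), key=parse_version)
        stale = sorted({(d, dv) for d, dv, req in paths
                        if parse_version(req) < parse_version(target)})
        plan[shared] = {"target": target, "bump": stale}
    return plan


def skipped_packages(log):
    """Packages the updater abandoned; these never show up in the PR body."""
    return sorted(set(SKIPPED_RE.findall(log)))
```

Running `joint_update_plan(SAMPLE_LOG)` on the excerpt reports that xunit.extensibility.core must resolve to 2.7.0 and that xunit 2.6.6 has to be bumped alongside Verify.Xunit, while `skipped_packages` lists xunit as dropped from the run.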

brettfo commented 4 months ago

@xt0rted A few hours after your most recent comment, PR #9507 was merged, which should handle exactly this scenario. Are you still seeing this error in your repo?