dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.
https://docs.github.com/en/code-security/dependabot
MIT License

NuGet Package With wildcard version throws error #9442

Open martin-shields-sage opened 8 months ago

martin-shields-sage commented 8 months ago

Is there an existing issue for this?

Package ecosystem

nuget

Package manager version

latest

Language version

.NET 6

Manifest location and content before the Dependabot update

https://github.com/martin-shields-sage/TestProject/blob/master/TestProject.csproj

dependabot.yml content

# To get started with Dependabot version updates, you'll need to specify which
# package ecosystems to update and where the package manifests are located.
# Please see the documentation for all configuration options:
# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file

version: 2
updates:
  - package-ecosystem: "nuget" # See documentation for possible values
    directory: "/" # Location of package manifests
    schedule:
      interval: "daily"

Updated dependency

https://www.nuget.org/packages/Newtonsoft.Json

12.* -> 13.0.3

What you expected to see, versus what you actually saw

I expect to get a PR updating Newtonsoft.Json to version 13... (If I update my .csproj with 12.0.3, for example, it runs successfully and provides the PR.) What I got was an error in Dependabot and no PR made.

Native package manager behavior

NuGet resolves 12.* to the latest version, which at the time of writing is 12.0.3.

Images of the diff or a link to the PR, issue, or logs

 proxy | 2024/04/05 13:15:18 proxy starting, commit: cf8623577dad71c128f219df2b27df6de35b909d
  proxy | 2024/04/05 13:15:18 Listening (:1080)
updater | 2024-04-05T13:15:19.275575323 [810630670:main:WARN:src/devices/src/legacy/serial.rs:222] Detached the serial input due to peer close/error.
updater | time="2024-04-05T13:15:22Z" level=info msg="guest starting" commit=6d38d40701a6d7284d26225f78dd2c6b85c16229
updater | time="2024-04-05T13:15:22Z" level=info msg="starting job..." fetcher_timeout=10m0s job_id=810630670 updater_timeout=45m0s updater_version=5fcf148988e84e7e03871d44106032320cf7c61d-nuget
updater | 2024/04/05 13:15:27 INFO <job_810630670> Starting job processing
updater | 2024/04/05 13:15:27 INFO <job_810630670> Job definition: {"job":{"allowed-updates":[{"dependency-type":"direct","update-type":"all"}],"commit-message-options":{"include-scope":null,"prefix":null,"prefix-development":null},"credentials-metadata":[{"host":"github.com","type":"git_source"}],"debug":null,"dependencies":null,"dependency-group-to-refresh":null,"dependency-groups":[],"existing-group-pull-requests":[],"existing-pull-requests":[],"experiments":{"proxy-cached":true,"record-ecosystem-versions":true,"record-update-job-unknown-error":true},"ignore-conditions":[],"lockfile-only":false,"max-updater-run-time":2700,"package-manager":"nuget","proxy-log-response-body-on-auth-failure":true,"reject-external-code":false,"repo-private":false,"requirements-update-strategy":null,"security-advisories":[],"security-updates-only":false,"source":{"api-endpoint":"https://api.github.com/","branch":null,"directory":"/.","hostname":"github.com","provider":"github","repo":"martin-shields-sage/TestProject"},"update-subdependencies":false,"updating-a-pull-request":false,"vendor-dependencies":false}}
updater | 
  proxy | 2024/04/05 13:15:28 [002] GET https://github.com:443/martin-shields-sage/TestProject/info/refs?service=git-upload-pack
  proxy | 2024/04/05 13:15:28 [002] * authenticating git server request (host: github.com)
  proxy | 2024/04/05 13:15:28 [002] 200 https://github.com:443/martin-shields-sage/TestProject/info/refs?service=git-upload-pack
  proxy | 2024/04/05 13:15:28 [004] POST https://github.com:443/martin-shields-sage/TestProject/git-upload-pack
  proxy | 2024/04/05 13:15:28 [004] * authenticating git server request (host: github.com)
  proxy | 2024/04/05 13:15:28 [004] 200 https://github.com:443/martin-shields-sage/TestProject/git-upload-pack
  proxy | 2024/04/05 13:15:28 [006] POST https://github.com:443/martin-shields-sage/TestProject/git-upload-pack
  proxy | 2024/04/05 13:15:28 [006] * authenticating git server request (host: github.com)
  proxy | 2024/04/05 13:15:28 [006] 200 https://github.com:443/martin-shields-sage/TestProject/git-upload-pack
updater | 2024/04/05 13:15:28 INFO <job_810630670> Finished job processing
updater | time="2024-04-05T13:15:28Z" level=info msg="task complete" container_id=job-810630670-file-fetcher exit_code=0 job_id=810630670 step=fetcher
updater | 2024/04/05 13:15:31 INFO <job_810630670> Starting job processing
  proxy | 2024/04/05 13:15:32 [008] GET https://api.nuget.org:443/v3/registration5-gz-semver2/newtonsoft.json/index.json
  proxy | 2024/04/05 13:15:32 [008] 200 https://api.nuget.org:443/v3/registration5-gz-semver2/newtonsoft.json/index.json
updater | 2024/04/05 13:15:32 INFO <job_810630670> The following dependencies were found:
updater |   name: Newtonsoft.Json, version: 
updater |     file: TestProject.csproj, metadata: 
updater | 2024/04/05 13:15:32 INFO <job_810630670> Starting update job for martin-shields-sage/TestProject
updater | 2024/04/05 13:15:32 INFO <job_810630670> Checking all dependencies for version updates...
updater | 2024/04/05 13:15:32 INFO <job_810630670> Checking if Newtonsoft.Json  needs updating
updater | 2024/04/05 13:15:32 INFO <job_810630670> Latest version is 13.0.3
updater | 2024/04/05 13:15:32 INFO <job_810630670> Requirements to unlock own
updater | 2024/04/05 13:15:33 INFO <job_810630670> Requirements update strategy 
updater | 2024/04/05 13:15:33 ERROR <job_810630670> Error processing Newtonsoft.Json (ArgumentError)
updater | 2024/04/05 13:15:33 ERROR <job_810630670> blank strings must not be provided as versions
updater | 2024/04/05 13:15:33 ERROR <job_810630670> /home/dependabot/common/lib/dependabot/dependency.rb:357:in `check_values'
updater | 2024/04/05 13:15:33 ERROR <job_810630670> /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/sorbet-runtime-0.5.11193/lib/types/private/methods/call_validation_2_7.rb:652:in `bind_call'
updater | 2024/04/05 13:15:33 ERROR <job_810630670> /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/sorbet-runtime-0.5.11193/lib/types/private/methods/call_validation_2_7.rb:652:in `block in create_validator_procedure_fast0'
updater | 2024/04/05 13:15:33 ERROR <job_810630670> /home/dependabot/common/lib/dependabot/dependency.rb:129:in `initialize'
updater | 2024/04/05 13:15:33 ERROR <job_810630670> /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/sorbet-runtime-0.5.11193/lib/types/private/methods/call_validation.rb:169:in `bind_call'
updater | 2024/04/05 13:15:33 ERROR <job_810630670> /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/sorbet-runtime-0.5.11193/lib/types/private/methods/call_validation.rb:169:in `validate_call_skip_block_type'
updater | 2024/04/05 13:15:33 ERROR <job_810630670> /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/sorbet-runtime-0.5.11193/lib/types/private/methods/call_validation.rb:111:in `block in create_validator_slow_skip_block_type'
updater | 2024/04/05 13:15:33 ERROR <job_810630670> /home/dependabot/common/lib/dependabot/update_checkers/base.rb:246:in `new'
updater | 2024/04/05 13:15:33 ERROR <job_810630670> /home/dependabot/common/lib/dependabot/update_checkers/base.rb:246:in `updated_dependency_with_own_req_unlock'
updater | 2024/04/05 13:15:33 ERROR <job_810630670> /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/sorbet-runtime-0.5.11193/lib/types/private/methods/call_validation.rb:272:in `bind_call'
updater | 2024/04/05 13:15:33 ERROR <job_810630670> /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/sorbet-runtime-0.5.11193/lib/types/private/methods/call_validation.rb:272:in `validate_call'
updater | 2024/04/05 13:15:33 ERROR <job_810630670> /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/sorbet-runtime-0.5.11193/lib/types/private/methods/_methods.rb:272:in `block in _on_method_added'
updater | 2024/04/05 13:15:33 ERROR <job_810630670> /home/dependabot/common/lib/dependabot/update_checkers/base.rb:109:in `updated_dependencies'
updater | 2024/04/05 13:15:33 ERROR <job_810630670> /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/sorbet-runtime-0.5.11193/lib/types/private/methods/call_validation.rb:272:in `bind_call'
updater | 2024/04/05 13:15:33 ERROR <job_810630670> /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/sorbet-runtime-0.5.11193/lib/types/private/methods/call_validation.rb:272:in `validate_call'
updater | 2024/04/05 13:15:33 ERROR <job_810630670> /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/sorbet-runtime-0.5.11193/lib/types/private/methods/_methods.rb:272:in `block in _on_method_added'
updater | 2024/04/05 13:15:33 ERROR <job_810630670> /home/dependabot/dependabot-updater/lib/dependabot/updater/operations/update_all_versions.rb:103:in `check_and_create_pull_request'
updater | 2024/04/05 13:15:33 ERROR <job_810630670> /home/dependabot/dependabot-updater/lib/dependabot/updater/operations/update_all_versions.rb:64:in `check_and_create_pr_with_error_handling'
updater | 2024/04/05 13:15:33 ERROR <job_810630670> /home/dependabot/dependabot-updater/lib/dependabot/updater/operations/update_all_versions.rb:39:in `block in perform'
updater | 2024/04/05 13:15:33 ERROR <job_810630670> /home/dependabot/dependabot-updater/lib/dependabot/updater/operations/update_all_versions.rb:39:in `each'
updater | 2024/04/05 13:15:33 ERROR <job_810630670> /home/dependabot/dependabot-updater/lib/dependabot/updater/operations/update_all_versions.rb:39:in `perform'
updater | 2024/04/05 13:15:33 ERROR <job_810630670> /home/dependabot/dependabot-updater/lib/dependabot/updater.rb:45:in `run'
updater | 2024/04/05 13:15:33 ERROR <job_810630670> /home/dependabot/dependabot-updater/lib/dependabot/update_files_command.rb:44:in `block in perform_job'
updater | 2024/04/05 13:15:33 ERROR <job_810630670> /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/opentelemetry-api-1.2.3/lib/opentelemetry/trace/tracer.rb:37:in `block in in_span'
updater | 2024/04/05 13:15:33 ERROR <job_810630670> /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/opentelemetry-api-1.2.3/lib/opentelemetry/trace.rb:70:in `block in with_span'
updater | 2024/04/05 13:15:33 ERROR <job_810630670> /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/opentelemetry-api-1.2.3/lib/opentelemetry/context.rb:87:in `with_value'
updater | 2024/04/05 13:15:33 ERROR <job_810630670> /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/opentelemetry-api-1.2.3/lib/opentelemetry/trace.rb:70:in `with_span'
updater | 2024/04/05 13:15:33 ERROR <job_810630670> /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/opentelemetry-api-1.2.3/lib/opentelemetry/trace/tracer.rb:37:in `in_span'
updater | 2024/04/05 13:15:33 ERROR <job_810630670> /home/dependabot/dependabot-updater/lib/dependabot/update_files_command.rb:18:in `perform_job'
updater | 2024/04/05 13:15:33 ERROR <job_810630670> /home/dependabot/dependabot-updater/lib/dependabot/base_command.rb:37:in `run'
updater | 2024/04/05 13:15:33 ERROR <job_810630670> bin/update_files.rb:44:in `<main>'
updater | 2024/04/05 13:15:33 INFO <job_810630670> Finished job processing
updater | 2024/04/05 13:15:33 INFO Results:
updater | Dependabot encountered '1' error(s) during execution, please check the logs for more details.
updater | +---------------------------------+
updater | |  Dependencies failed to update  |
updater | +-----------------+---------------+
updater | | Newtonsoft.Json | unknown_error |
updater | +-----------------+---------------+
updater | time="2024-04-05T13:15:33Z" level=info msg="task complete" container_id=job-810630670-updater exit_code=0 job_id=810630670 step=updater


Smallest manifest that reproduces the issue

https://github.com/martin-shields-sage/TestProject

The project above is a simple C# console application using .NET 6 and demonstrates the issue.
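The log above shows the practical consequence of a floating NuGet version: the updater reads `Newtonsoft.Json` with an empty version, fails the `check_values` guard ("blank strings must not be provided as versions"), and raises no PR at all, so a repository that relies on Dependabot for security updates silently gets none for that package. The script below is an added example, not code from dependabot-core or from the reporter's repository. It scans an SDK-style project file for `PackageReference` versions, expands `$(Property)` references from the same file (the `Directory.Build.props` pattern in the later comment), flags floating and range versions that the NuGet updater could not evaluate at the time of this issue, and resolves each wildcard against a candidate list the way NuGet's documented `prefix.*` rules do. The manifest, the feed version list and the property names are constructed for the example; the resolver is deliberately simplified (no fallback when nothing matches the prefix, naive prerelease ordering) and is labelled as such in the code.

```python
"""Audit an SDK-style .csproj for NuGet versions that Dependabot cannot evaluate.

Added example: a constructed manifest modelled on the repro project, a
constructed feed, and a simplified model of NuGet floating-version resolution.
"""
import re
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed sample manifest (modelled on the repro, not copied from it).
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net6.0</TargetFramework>
    <JsonVersion>12.*</JsonVersion>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" Version="$(JsonVersion)" />
    <PackageReference Include="Serilog" Version="2.12.0" />
    <PackageReference Include="Internal.Tool" Version="6.0.2.*" />
    <PackageReference Include="Some.Range" Version="[1.0,2.0)" />
  </ItemGroup>
</Project>"""

# Constructed list of versions a feed might publish (hypothetical data).
FEED_VERSIONS = {
    "Newtonsoft.Json": ["11.0.2", "12.0.1", "12.0.2", "12.0.3",
                        "13.0.1", "13.0.3", "13.0.4-beta1"],
    "Internal.Tool": ["6.0.1.7", "6.0.2.3", "6.0.2.9", "6.0.3.0"],
}

_PROP_RE = re.compile(r"\$\(([A-Za-z_][A-Za-z0-9_]*)\)")


def _local(tag: str) -> str:
    """Strip an XML namespace so old-style (namespaced) csproj files also parse."""
    return tag.rsplit("}", 1)[-1]


def expand_properties(value: str, props: dict) -> str:
    """Expand $(Name) using properties from the same file; unknown names become ""."""
    return _PROP_RE.sub(lambda m: props.get(m.group(1), ""), value)


def parse_package_references(xml_text: str) -> list:
    """Return (package, version) pairs with single-file property expansion.
    Assumption: Condition attributes and imported files are ignored."""
    root = ET.fromstring(xml_text)
    props = {}
    for el in root.iter():
        if _local(el.tag) == "PropertyGroup":
            for child in el:
                props[_local(child.tag)] = (child.text or "").strip()
    refs = []
    for el in root.iter():
        if _local(el.tag) != "PackageReference":
            continue
        name = el.get("Include") or el.get("Update") or ""
        raw = el.get("Version")
        if raw is None:  # <Version> may also be a child element
            child = next((c for c in el if _local(c.tag) == "Version"), None)
            raw = (child.text or "").strip() if child is not None else ""
        refs.append((name, expand_properties(raw, props)))
    return refs


def classify_version(version: str) -> str:
    if version == "":
        return "blank"      # unset, or a property that did not expand
    if version.startswith(("[", "(")):
        return "range"
    if version.endswith("*"):
        return "floating"   # the case this issue is about
    return "exact"


def parse_version(s: str) -> tuple:
    """Split '13.0.4-beta1' into ((13, 0, 4, 0), 'beta1'); pad to four parts."""
    core, _, pre = s.partition("-")
    parts = tuple(int(p) for p in core.split("."))
    return parts + (0,) * (4 - len(parts)), pre


def resolve_floating(pattern: str, candidates: list) -> Optional[str]:
    """Simplified NuGet floating resolution: highest candidate whose leading
    numeric components equal the fixed prefix; stable only unless the pattern
    ends in '-*'. Assumption: NuGet's fallback when nothing matches the prefix
    is not modelled, so None is returned instead."""
    allow_pre = pattern.endswith("-*")
    stem = pattern[:-2] if allow_pre else pattern
    fixed = stem[:-1].rstrip(".") if stem.endswith("*") else stem
    prefix = tuple(int(p) for p in fixed.split(".")) if fixed else ()
    best = None
    for cand in candidates:
        parts, pre = parse_version(cand)
        if pre and not allow_pre:
            continue
        if parts[:len(prefix)] != prefix:
            continue
        key = (parts, pre == "", pre)  # stable outranks a prerelease of same number
        if best is None or key > best[0]:
            best = (key, cand)
    return best[1] if best else None


def audit(xml_text: str, feed: dict) -> list:
    """One row per PackageReference: what the file says and what NuGet would pick."""
    rows = []
    for name, version in parse_package_references(xml_text):
        kind = classify_version(version)
        resolved = resolve_floating(version, feed.get(name, [])) if kind == "floating" else None
        rows.append({"package": name, "version": version, "kind": kind, "resolves_to": resolved})
    return rows


if __name__ == "__main__":
    for row in audit(SAMPLE_CSPROJ, FEED_VERSIONS):
        flag = "" if row["kind"] == "exact" else "  <-- not pinned; pin before relying on Dependabot"
        print(f'{row["package"]:16} {row["version"]:10} {row["kind"]:9} {row["resolves_to"] or ""}{flag}')
```

Running it lists `Newtonsoft.Json 12.*` resolving to 12.0.3 (never 13.x, because the wildcard floats only within major 12) and flags it, together with the `6.0.2.*` and `[1.0,2.0)` entries, as unpinned. Until the MSBuild-based evaluation mentioned later in this thread lands, the workable mitigation is to pin an exact version so the updater can open its PR, and to add `<RestorePackagesWithLockFile>true</RestorePackagesWithLockFile>` so restores are reproducible rather than whatever the feed serves highest on a given day.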

martin-shields-sage commented 8 months ago

Just to note, I originally saw this in one of my other repos, and when I was able to run the CLI locally to see if I could figure out the issue I got these additional logs:

updater |   Running for SDK-style project
updater |     Found unsupported version property [****] value [6.0.2.*] in [Directory.Build.props].
updater |     Found unsupported version property [****] value [6.0.1.*] in [Directory.Build.props].

I have starred out the property names, as those are private packages.

jchannon commented 1 month ago

Any plans to support wildcards with nuget? Just came across this

brettfo commented 1 month ago

We're working on using the full MSBuild to evaluate dependencies. That work is ongoing and won't be ready for a few more weeks, but it does handle wildcard versions.