Open mauroservienti opened 5 months ago
It continues to happen, here is a PR raised about 1 hour ago: https://github.com/ServiceComposer/ServiceComposer.AspNetCore/pull/687
Here is another PR showing the same problem https://github.com/ServiceComposer/ServiceComposer.AspNetCore/pull/698
@mauroservienti Do you have a log that you can share for this run? In some cases to properly update a package we also need to update some transitive dependencies, but I can't tell from just the PR if that's what's happening here.
@brettfo, here is the log for the run that created that PR: https://github.com/ServiceComposer/ServiceComposer.AspNetCore/network/updates/869233142
As far as I can tell, in that PR, all the packages that dependabot updated are unrelated.
I don't seem to have access to the log linked. Could you post it here, or if not you can email it to me directly at brettfo@microsoft.com
Here is the log file: ServiceComposer.AspNetCore_ServiceComposer_a5087b73fe31d6be54a29217211a8127e836175c.json
And here is another strange unexpected PR changing dependencies that it's not supposed to touch: https://github.com/ServiceComposer/ServiceComposer.AspNetCore/pull/700/files
Another example, or possibly a variation of this: a test project references the main project; the PR adds packages from the main project into the test project's manifest! (I had to add the main project's packages to the ignore: list of the test project directory.)
The git diff obscures the problem because of newline changes, so make sure to look at the rich diff instead:
And here is another one: https://github.com/ServiceComposer/ServiceComposer.AspNetCore/pull/701
The current architecture of dependabot doesn't fully work with the complexities of NuGet dependencies, but I'm currently working on a rewrite of the NuGet update detection logic which should fix this. I don't yet have an ETA on that work being done, but it is actively being worked on.
Is there an existing issue for this?
Package ecosystem
Nuget
Package manager version
No response
Language version
C#
Manifest location and content before the Dependabot update
As you can see from this dependabot PR, the updated dependencies are way more than what they should be. It should only be updating xunit.runner.visualstudio and not all the other dependencies.
dependabot.yml content
Updated dependency
xunit.runner.visualstudio from 2.5.7 to 2.8.0, but it's happening for all dependencies
What you expected to see, versus what you actually saw
Only the mentioned dependency is updated, and not all of the dependencies in the project.
Native package manager behavior
No response
Images of the diff or a link to the PR, issue, or logs
No response
Smallest manifest that reproduces the issue
No response
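A check for the symptom reported in this issue, added here as an example and not taken from the thread or from Dependabot: it compares the PackageReference entries of a project file before and after an update and lists every change other than the package the PR claims to bump. The manifests and the Constructed.Package.* names are constructed, and the sketch assumes versions are declared in the project file itself.

```python
import xml.etree.ElementTree as ET

def package_versions(csproj_text):
    """Map each PackageReference id (lower-cased, NuGet ids are case-insensitive) to its version."""
    refs = {}
    for el in ET.fromstring(csproj_text).iter():
        # Compare local names so projects with an XML namespace also match.
        if el.tag.rsplit("}", 1)[-1] != "PackageReference":
            continue
        name = el.get("Include") or el.get("Update")
        version = el.get("Version")
        if version is None:  # version written as a child <Version> element
            for child in el:
                if child.tag.rsplit("}", 1)[-1] == "Version":
                    version = (child.text or "").strip()
        if name:
            # "" marks a reference with no version, distinct from an absent package (None).
            refs[name.lower()] = version or ""
    return refs

def unexpected_changes(before, after, expected):
    """Return {package: (old, new)} for every added, removed or re-versioned
    package other than the one the update claims to bump."""
    old, new = package_versions(before), package_versions(after)
    return {
        name: (old.get(name), new.get(name))
        for name in sorted(set(old) | set(new))
        if name != expected.lower() and old.get(name) != new.get(name)
    }

# Constructed sample manifests; only xunit.runner.visualstudio and its versions come from the issue.
BEFORE = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="xunit.runner.visualstudio" Version="2.5.7" />
    <PackageReference Include="Constructed.Package.A" Version="1.0.0" />
  </ItemGroup>
</Project>"""
AFTER = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="xunit.runner.visualstudio" Version="2.8.0" />
    <PackageReference Include="Constructed.Package.A" Version="1.1.0" />
    <PackageReference Include="Constructed.Package.B" Version="2.0.0" />
  </ItemGroup>
</Project>"""

if __name__ == "__main__":
    for pkg, (was, now) in unexpected_changes(BEFORE, AFTER, "xunit.runner.visualstudio").items():
        print(f"unexpected: {pkg} {was} -> {now}")
```

Run against the base and head versions of each changed project file, a non-empty result is a reason to hold the PR for manual review instead of merging it automatically.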