search

fsprojects / Paket

A dependency manager for .NET with support for NuGet packages and Git repositories.
https://fsprojects.github.io/Paket/
MIT License
1.99k stars 520 forks source link

`paket update` does not restrict the packages to those compatible only with .NET 6 in the SAFE template #4197

Open mrakgr opened 1 year ago

mrakgr commented 1 year ago

Description

This is the dependency file for the SAFE template at the time of writing.

source https://api.nuget.org/v3/index.json
framework: net6.0
storage: none

nuget Fsharp.Core ~> 6
nuget Fable.Remoting.Giraffe
nuget Saturn
nuget Expecto

nuget Fable.Core
nuget Fable.Elmish
nuget Fable.Elmish.React
nuget Fable.Elmish.Debugger
nuget Fable.Elmish.HMR
nuget Fable.Mocha
nuget Fable.React
nuget Fable.Remoting.Client
nuget Feliz
nuget Feliz.Bulma
nuget Fulma

nuget Fake.Core.Target
nuget Fake.IO.FileSystem
nuget Farmer

Note that it targets .NET 6. When I do a paket update with all the projects removed from the solution file, it finishes fine. But with the projects there, I get an error.

E:\Webdev\Fable\Safe Stack Examples\full\src\Server\Server.fsproj : error NU1202: Package Microsoft.AspNetCore.Authentication.JwtBearer 7.0.3 is not compatible with net6.0 (.NETCoreApp,Version=v6.0). Package Microsoft.AspNetCor
e.Authentication.JwtBearer 7.0.3 supports: net7.0 (.NETCoreApp,Version=v7.0) [E:\Webdev\Fable\Safe Stack Examples\full\full.sln]
  Restored E:\Webdev\Fable\Safe Stack Examples\full\src\Client\Client.fsproj (in 150 ms).
  Failed to restore E:\Webdev\Fable\Safe Stack Examples\full\src\Server\Server.fsproj (in 154 ms).
  Restored E:\Webdev\Fable\Safe Stack Examples\full\src\Shared\Shared.fsproj (in 150 ms).
  Restored E:\Webdev\Fable\Safe Stack Examples\full\Build.fsproj (in 150 ms).

And indeed, if I look at the lock file, I see something like...

    Microsoft.AspNetCore.Authentication.JwtBearer (7.0.3)
    Saturn (0.16.1)
      FSharp.Control.Websockets (>= 0.2.2)
      Giraffe (>= 6.0)
      Microsoft.AspNetCore.Authentication.JwtBearer (>= 6.0.3)

There is a constraint missing that the package should be the latest targeting .NET 6. It instead gets the .NET 7 compatible package.

Repro steps

Assuming that the SAFE template 4.2.0 is installed and paket 7.2.0 is installed globally:

dotnet new SAFE
paket update

Known workarounds

Adding nuget Microsoft.AspNetCore.Authentication.JwtBearer ~> 6 into the paket.dependencies fixes the issue.

halcwb commented 1 year ago

In fact it seems that the framework restriction is completely ignored. When running paket upgrade everything resolves to net7.0 although the restriction is in the paket.dependencies file for net6.0, all projects target net6.0 and the global.json is also limited to net6.0.

isaacabraham commented 1 year ago

Yes, the JwtBearer issue is something I've seen too - it's because there's a breaking change between 6 and 7 and the packages that rely on it don't have that max boundary at ~6 so a full update breaks.

We can certainly add that limit into the deps file (although we're now looking to the next SAFE iteration anyway).

To be honest I no longer recommend ever calling paket update anymore - I always suggest using paket update --keep-major because it's just too big a change.

sja-schleupen commented 5 months ago

Had it with assemblies of Microsoft targeting net8.0 (System.*) currently. We understood just now, that we had the same issue with assemblies of .NET 6.0 some time ago, when .NET 6.0 was released