search

fsprojects / Paket

A dependency manager for .NET with support for NuGet packages and Git repositories.
https://fsprojects.github.io/Paket/
MIT License
1.99k stars 520 forks source link

Allow updating a transitive dependency #4230

Open Tarmil opened 8 months ago

Tarmil commented 8 months ago

Description

It is currently not possible to update a transitive dependency on the command line without updating the direct dependency that requires it. I sometimes need to retrieve a bugfix on the transitive dependency and would rather not update more than needed just to test the bugfix.

Repro steps

In a solution where P is a transitive dependency, run:

dotnet paket update P

Expected behavior

Package P is updated. The direct dependency that requires it as a transitive dependency is not updated, unless the latest version of P is out of range for the currently installed version of the direct dependency.

(this is the behavior observed when using the workaround described below)

Actual behavior

Paket returns an error:

Paket version 7.2.1+8e4eb74b42fbd45f39f7afce9184c16ebb65f16c
Total time taken: 0 milliseconds
Paket failed with
-> Package P was not found in paket.dependencies in group Main.

Known workarounds

Manually add the package to paket.dependencies, run paket update P, then manually remove it from paket.dependencies.

Tarmil commented 8 months ago

This is becoming even more useful now that .NET 8 gives warnings (which I had as errors on a project I just tried to restore) when a package version has a security advisory against it.

da9l commented 2 weeks ago

This is really becoming a rather big maintenance problem. On the same project I've needed to do the workaround about four to five times this year and there are multiple projects to be maintained. Security wise it would add a lot of value if paket update could support updates of transient deps out of the box.