dependabot-core icon indicating copy to clipboard operation
dependabot-core copied to clipboard

Published 20 hours ago verified publisher icon dependabot

NuGet dependency assets not considered

Open Sam13 opened this issue 6 months ago • 0 comments

Is there an existing issue for this?

  • [X] I have searched the existing issues

Package ecosystem

NuGet

Package manager version

No response

Language version

net6, net8

Manifest location and content before the Dependabot update

No response

dependabot.yml content

version: 2
updates:
  - package-ecosystem: "nuget"
    directory: "/"
    registries: "*"
    schedule:
      interval: "daily"

Updated dependency

No response

What you expected to see, versus what you actually saw

When having a .csproj project file with the following package references

 <ItemGroup>
    <PackageReference Include="JetBrains.dotCover.DotNetCliTool" Version="2022.2.4" ExcludeAssets="all" />
    <PackageReference Include="JetBrains.ReSharper.GlobalTools" Version="2024.1.2" ExcludeAssets="all" />
    <PackageReference Include="nbgv" Version="3.6.133" ExcludeAssets="all" />
    <PackageReference Include="Nuke.Common" Version="8.0.0" />
    <PackageReference Include="ReportGenerator" Version="5.3.7" />
    <PackageReference Include="TeamCity.Dotnet.Integration" Version="1.0.32" ExcludeAssets="all" />
  </ItemGroup>

Dependabot fails with the following error:

dotnet build in GetAllPackageDependenciesAsync failed. STDOUT: MSBuild version 17.9.6+a4ecab324 for .NET
  Determining projects to restore...
/tmp/package-dependency-resolution_cgbamk/Project.csproj : error NU1202: Package JetBrains.ReSharper.GlobalTools 2024.1.2 is not compatible with net6.0 (.NETCoreApp,Version=v6.0). Package JetBrains.ReSharper.GlobalTools 2024.1.2 supports: netcoreapp3.1 (.NETCoreApp,Version=v3.1) / any
/tmp/package-dependency-resolution_cgbamk/Project.csproj : error NU1212: Invalid project-package combination for JetBrains.ReSharper.GlobalTools 2024.1.2. DotnetToolReference project style can only contain references of the DotnetTool type 
/tmp/package-dependency-resolution_cgbamk/Project.csproj : error NU1202: Package nbgv 3.6.133 is not compatible with net6.0 (.NETCoreApp,Version=v6.0). Package nbgv 3.6.133 supports: net6.0 (.NETCoreApp,Version=v6.0) / any
/tmp/package-dependency-resolution_cgbamk/Project.csproj : error NU1212: Invalid project-package combination for nbgv 3.6.133. DotnetToolReference project style can only contain references of the DotnetTool type 
  Failed to restore /tmp/package-dependency-resolution_cgbamk/Project.csproj (in 432 ms).

Build FAILED.

It seems that the dependency assets (https://learn.microsoft.com/en-us/nuget/consume-packages/package-references-in-project-files#controlling-dependency-assets) are not respected when generating a temporary project file: https://github.com/dependabot/dependabot-core/blob/c8fa18ef76af57b0a42d0df27682b4801fef9a2c/nuget/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Utilities/MSBuildHelper.cs#L706

I could probably switch to PackageDownload instead of PackageReference for the problematic packages but this is not supported by Dependabot: https://github.com/dependabot/dependabot-core/issues/2920

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

No response

Smallest manifest that reproduces the issue

<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <TargetFramework>net6.0</TargetFramework>
  </PropertyGroup>

  <ItemGroup>
    <PackageReference Include="nbgv" Version="3.6.133" ExcludeAssets="all" />
  </ItemGroup>

</Project>

Sam13 avatar Aug 22 '24 13:08 Sam13