dependabot-core
Support for NuGet package lock files
In NuGet 4.9, I think it is, they added support for package lock files using the setting RestorePackagesWithLockFile, which is part of your .csproj or .props file chain. This creates a file called packages.lock.json alongside your project file. The spec for this can be found at https://github.com/NuGet/Home/wiki/Enable-repeatable-package-restore-using-lock-file
Super keen to do this, but it's going to require some work - at the moment Dependabot does all of its .NET updating in Ruby, and we'll need to change that. We might want to continue this over at https://github.com/dependabot/dependabot-core/issues/541?
@jerriep, given your great work with dotnet-outdated, do you have any advice on how Dependabot can also update any associated dependency lock files in its PR?
Is the best way to run dotnet restore, perhaps with --force-evaluate, or are there other better ways?
@gitfool No, I was not even aware of this new feature until you just pointed it out. You may have to resort to using some of the NuGet Client libraries to achieve this.
Maybe look at this PR and the linked specifications to see whether there are some hints to guide you.
Is there any news regarding this topic?
Would also be interested in support for this feature. Any updates?
Would also be interested in support for this.
I've written up a workaround for this at https://david.gardiner.net.au/2021/05/dependabot-nuget-lockfiles.html, but would much prefer it was handled natively given that dependabot stops maintaining the PR once a 'foreign' commit has been added.
Much needed feature!
As a workaround, I define a GitHub action in my repository that kicks dotnet restore.
Note: you need to use a Personal Access Token to re-trigger other GitHub Actions workflows (like unit testing).
restore:
  name: Update NuGet Lock Files
  if: contains(github.head_ref, 'dependabot') && github.event_name == 'pull_request'
  runs-on: ubuntu-latest
  steps:
    # The action references were garbled in the original post ("actions/[email protected]");
    # the names follow from the inputs used (ref/token, dotnet-version), the v3 tags are an assumption.
    - uses: actions/checkout@v3
      with:
        ref: ${{ github.head_ref }}
        token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
    - uses: actions/setup-dotnet@v3
      with:
        dotnet-version: 6.0.x
    # Re-resolve every package and rewrite packages.lock.json for the bumped references
    - run: dotnet restore --force-evaluate
    # Stage new files as intent-to-add so untracked lock files show up in the diff;
    # --exit-code makes the step "fail" when anything changed
    - id: diff
      continue-on-error: true
      run: |
        git add -N .
        git diff --name-only --exit-code
    # Commit the regenerated lock file back onto the Dependabot branch
    - if: steps.diff.outcome == 'failure'
      run: |
        git config user.email "github-actions[bot]@users.noreply.github.com"
        git config user.name "github-actions[bot]"
        git add .
        git commit -m "chore(deps): update NuGet lock file"
        git push
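The failure the workflow above works around is a lock file that no longer matches the project file: Dependabot bumps a PackageReference, packages.lock.json still pins the old version, and the locked restore on the CI build fails. The following script is an added example (not code from this issue, the workflow author, or Dependabot) that performs that consistency check offline, so it can run as a fast pre-commit or CI gate before or instead of a full dotnet restore. It parses a constructed .csproj and a constructed packages.lock.json (the contentHash values are placeholders), reports direct references that are missing, stale, or orphaned in the lock file, and lists the transitive packages the lock file records, which is the information a plain PackageReference scan does not see. Assumptions: a single, unconditional ItemGroup of PackageReferences with inline Version attributes (centrally managed versions are skipped), and lock file format version 1.

```python
"""Check that packages.lock.json is consistent with the PackageReference entries in a .csproj.

Added example for this issue; not Dependabot code. Inputs below are constructed.
"""
import json
import re
import xml.etree.ElementTree as ET

# Constructed project file: Dependabot has bumped Newtonsoft.Json to 13.0.3.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>net6.0</TargetFramework>
    <RestorePackagesWithLockFile>true</RestorePackagesWithLockFile>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
    <PackageReference Include="Serilog" Version="2.12.0" />
  </ItemGroup>
</Project>"""

# Constructed lock file that was NOT regenerated: it still records 13.0.1.
SAMPLE_LOCK = json.dumps({
    "version": 1,
    "dependencies": {
        "net6.0": {
            "Newtonsoft.Json": {"type": "Direct", "requested": "[13.0.1, )",
                                "resolved": "13.0.1", "contentHash": "PLACEHOLDER"},
            "Serilog": {"type": "Direct", "requested": "[2.12.0, )",
                        "resolved": "2.12.0", "contentHash": "PLACEHOLDER"},
            "Microsoft.Extensions.Logging.Abstractions": {
                "type": "Transitive", "resolved": "6.0.0", "contentHash": "PLACEHOLDER"},
        }
    },
})

# First version token of a NuGet version or range: "13.0.1", "[13.0.1, )", "[1.0,2.0)".
_VERSION_TOKEN = re.compile(r"[\[(]?\s*([0-9][^,\s\])]*)")


def lower_bound(spec):
    """Lower bound of a NuGet version string or range (the part Dependabot bumps)."""
    m = _VERSION_TOKEN.match(spec.strip())
    return m.group(1) if m else spec.strip()


def package_references(csproj_text):
    """Return {package_id: version_spec} for every PackageReference in the project file.

    Assumes unconditional ItemGroups; a Version child element is accepted as well as the attribute.
    """
    root = ET.fromstring(csproj_text)
    refs = {}
    for el in root.iter("PackageReference"):
        pkg = el.get("Include")
        ver = el.get("Version") or (el.findtext("Version") or "").strip()
        if pkg:
            refs[pkg] = ver
    return refs


def check_lock_file(csproj_text, lock_text):
    """Compare the lock file with the project file, per target framework.

    Returns {"missing": [(tfm, pkg)], "stale": [(tfm, pkg, locked, wanted)],
             "orphaned": [(tfm, pkg)], "transitive": {tfm: {pkg: resolved}}}.
    """
    refs = package_references(csproj_text)
    lock = json.loads(lock_text)
    if lock.get("version") != 1:
        raise ValueError("unsupported packages.lock.json version: %r" % lock.get("version"))
    result = {"missing": [], "stale": [], "orphaned": [], "transitive": {}}
    for tfm, deps in lock["dependencies"].items():
        direct_in_lock = {p for p, d in deps.items() if d.get("type") == "Direct"}
        for pkg, ver in refs.items():
            entry = deps.get(pkg)
            if entry is None or entry.get("type") != "Direct":
                result["missing"].append((tfm, pkg))
            elif not ver:
                continue  # version managed centrally (Directory.Packages.props); not compared here
            elif lower_bound(entry.get("requested", "")) != lower_bound(ver):
                result["stale"].append((tfm, pkg, lower_bound(entry["requested"]), lower_bound(ver)))
        for pkg in sorted(direct_in_lock - refs.keys()):
            result["orphaned"].append((tfm, pkg))
        # Transitive packages are only visible here, not in the .csproj.
        result["transitive"][tfm] = {p: d["resolved"] for p, d in deps.items()
                                     if d.get("type") == "Transitive"}
    return result


def lock_file_is_current(csproj_text, lock_text):
    """True when every direct reference is present in the lock file at the requested version."""
    r = check_lock_file(csproj_text, lock_text)
    return not (r["missing"] or r["stale"] or r["orphaned"])


if __name__ == "__main__":
    report = check_lock_file(SAMPLE_CSPROJ, SAMPLE_LOCK)
    for tfm, pkg, locked, wanted in report["stale"]:
        print(f"{tfm}: {pkg} is locked at {locked} but the project references {wanted}")
    for tfm, pkg in report["missing"]:
        print(f"{tfm}: {pkg} is missing from the lock file")
    for tfm, pkgs in report["transitive"].items():
        print(f"{tfm}: {len(pkgs)} transitive package(s): {pkgs}")
    raise SystemExit(0 if lock_file_is_current(SAMPLE_CSPROJ, SAMPLE_LOCK) else 1)
```

The exit status makes the script usable as a gate: a non-zero result on a Dependabot branch means the lock file must be regenerated (for example with the dotnet restore --force-evaluate step above) before the build is trusted. Comparing lower bounds rather than resolved versions keeps the check meaningful for range references, where the resolved version may legitimately differ from the requested one.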
@greysteil - do you have any technical pointers to share on what a solution would look like? I'd be happy to contribute a fix if there's a clear path forward.
You could look at what Renovate does since it already handles package lock files: https://github.com/renovatebot/renovate/blob/b6670159c4c6c3e6e1b07829604b2c3301f54162/lib/modules/manager/nuget/artifacts.ts#L98 (Or just switch to Renovate.)
I'm not the right person to ask anymore (I'm a PM working across all of GitHub's security products these days, and no longer an expert on Dependabot). @jeffwidman @deivid-rodriguez do either of you have pointers here?
Thanks! I've hacked my way through an implementation (PR #6031). @jeffwidman / @deivid-rodriguez - would appreciate some guidance if you've got the time!
👍🏻 for having this. We've recently added a packages.lock file to .NET nanoFramework libraries and tools, and now each update from dependabot fails to build because the packages.lock file is not updated along with it.
Here's the most recent PR failing on the pipeline build: nanoframework/nanoFirmwareFlasher#174
Any updates @jeffwidman @deivid-rodriguez?
Hei, nice! We love lockfiles around here :)
Both @jeffwidman and I are going through the backlog of PRs, so we should eventually get to this. I personally know nothing about nuget, so I will need to read up on a few things to properly review that PR. On top of that, I first want to get a bunch of other PRs merged that I haven't yet gotten to. But I'll get to this one soonish unless Jeff beats me to it!
I'm glad to read this!
The lack of support for Nuget lockfiles also extends to the dependency graph functionality and vulnerability analysis. Transitive dependencies are not detected even when they have critical vulnerabilities listed against them...
👋 Sorry for the delay.
I reviewed https://github.com/dependabot/dependabot-core/pull/6031, which would add support for NuGet package lock files to :dependabot: and the PR itself looked very straightforward / solid, but I had a couple of questions about general NuGet things. Since I haven't yet gotten a reply from the PR author, can anyone here pop by that PR and provide answers?
Be great to move this forward!
Hello, what is the status of this issue?
#6031 is too old. I tried to fix it, but I don't know where or how to fix it.
It should be relatively easy. You need to enable lock file generation in https://github.com/dependabot/dependabot-core/tree/main/nuget/helpers/lib/NuGetUpdater, which can actually cause issues with group updates.
Or, since there is a DotNet executable, you can run DotNet restore after the update, before the commit is finalized.