
Problems with Local Package Source NU1301

Open Dave-EMIS opened this issue 1 year ago • 9 comments

Is there an existing issue for this?

  • [X] I have searched the existing issues

Package ecosystem

nuget

Package manager version

No response

Language version

No response

Manifest location and content before the Dependabot update

No response

dependabot.yml content

No response

Updated dependency

No response

What you expected to see, versus what you actually saw

I've had a look at the existing issues and I don't think this is covered (or at least not reported elsewhere).

We are using a Local Package source as part of a nuget.config file in the repository root.

<?xml version="1.0" encoding="utf-8"?>
<configuration>
    <packageSources>
        <!-- Remove the machine Nuget.config that force using Packages
             This causes problems with dotnet restore.
        -->
        <clear/>
        <!-- Some Packages are stored locally to avoid problems with getting them from ADO -->
        <add key="Local" value="packages" />
        <!-- Add the standard package source back in. -->
        <add key="nuget.org" value="https://api.nuget.org/v3/index.json" protocolVersion="3" />
    </packageSources>
</configuration>

I have 2 solutions, both are failing with similar errors. 1 Solution uses the package store, the other does not. This bug report will focus on the one that does not.

The solution is a simple .NET 6 / ASP.NET 6 website, single project.

I have tried adding an ignore: to the yml to ignore the packages that I store locally in the repo, but to no avail.

This is a private repo, so I can't share links, let me know if there's more you need.

The main error is here from the logs:

updater |   No global.json files found.
updater |   No dotnet-tools.json files found.
updater | Running for project [/home/dependabot/dependabot-updater/repo/FakeService/FakeService.csproj]
updater |   Running for SDK-style project
updater | dotnet build in GetAllPackageDependenciesAsync failed. STDOUT: MSBuild version 17.6.3+07e294721 for .NET
updater |   Determining projects to restore...
updater | /tmp/package-dependency-resolution_xrY0iA/Project.csproj : error NU1301: The local source '/tmp/package-dependency-resolution_xrY0iA/packages' doesn't exist.
updater | /tmp/package-dependency-resolution_xrY0iA/Project.csproj : error NU1301: The local source '/tmp/package-dependency-resolution_xrY0iA/packages' doesn't exist.
updater | /tmp/package-dependency-resolution_xrY0iA/Project.csproj : error NU1301: The local source '/tmp/package-dependency-resolution_xrY0iA/packages' doesn't exist.
updater |   Failed to restore /tmp/package-dependency-resolution_xrY0iA/Project.csproj (in 216 ms).
updater | 
updater | Build FAILED.
updater | 
updater | /tmp/package-dependency-resolution_xrY0iA/Project.csproj : error NU1301: The local source '/tmp/package-dependency-resolution_xrY0iA/packages' doesn't exist.
updater | /tmp/package-dependency-resolution_xrY0iA/Project.csproj : error NU1301: The local source '/tmp/package-dependency-resolution_xrY0iA/packages' doesn't exist.
updater | /tmp/package-dependency-resolution_xrY0iA/Project.csproj : error NU1301: The local source '/tmp/package-dependency-resolution_xrY0iA/packages' doesn't exist.
updater |     0 Warning(s)
updater |     3 Error(s)
updater | 
updater | Time Elapsed 00:00:02.48
updater | 
updater |  STDERR: 
updater | 
updater |     Package [Datadog.Trace.Bundle] Does not exist as a dependency in [/home/dependabot/dependabot-updater/repo/FakeService/FakeService.csproj].
updater | Update complete.
updater | 2023/12/06 10:28:03 INFO <job_759101326> Creating a pull request for 'fake-service'
updater | 2023/12/06 10:28:03 INFO <job_759101326> Sending event c8928bbbd73049459f6c463556006d89 to Sentry
  proxy | 2023/12/06 10:28:03 [190] POST https://sentry.io:443/api/1451818/store/
  proxy | 2023/12/06 10:28:03 [190] 200 https://sentry.io:443/api/1451818/store/
updater | 2023/12/06 10:28:04 ERROR <job_759101326> Error processing job (NoMethodError)
updater | 2023/12/06 10:28:04 ERROR <job_759101326> undefined method `directory' for nil:NilClass
updater | 
updater |         return "" if files.first.directory == "/"
updater |                                 ^^^^^^^^^^
updater | 2023/12/06 10:28:04 ERROR <job_759101326> /home/dependabot/common/lib/dependabot/pull_request_creator/message_builder.rb:182:in `pr_name_directory'
updater | 2023/12/06 10:28:04 ERROR <job_759101326> /home/dependabot/common/lib/dependabot/pull_request_creator/message_builder.rb:170:in `group_pr_name'
updater | 2023/12/06 10:28:04 ERROR <job_759101326> /home/dependabot/common/lib/dependabot/pull_request_creator/message_builder.rb:56:in `pr_name'
updater | 2023/12/06 10:28:04 ERROR <job_759101326> /home/dependabot/common/lib/dependabot/pull_request_creator/message_builder.rb:107:in `message'

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

No response

Smallest manifest that reproduces the issue

No response

Dave-EMIS avatar Dec 06 '23 10:12 Dave-EMIS

Just FYI, this only happens when there are updates. Everything was reported OK by Dependabot last week, but over the weekend a new dependency update is available and now I am getting failures again.

Dave-EMIS avatar Dec 11 '23 08:12 Dave-EMIS

can confirm this issue. we have the same problem. it worked just fine before. looks like it has a wrong working directory as the relative path seems to be wrong.

OneCyrus avatar Jan 04 '24 17:01 OneCyrus

tagging @brettfo as it looks like it's related to some major nuget changes.

OneCyrus avatar Jan 06 '24 08:01 OneCyrus

Just wanted to mention that we're having this exact issue.

tristanharms-cb avatar Jan 22 '24 12:01 tristanharms-cb

Was wondering why I was not getting any more automated PRs, so decided to manually run Dependabot; a quick Google search caused me to find this issue.

Temporarily removing the dependency from the local feed, and the PRs started appearing again.

Last PR I got was on Nov 27, 2023, whereas I introduced the local nuget folder on Sep 17, 2023. In between I got multiple Dependabot PRs.

kaylumah avatar Jan 23 '24 15:01 kaylumah

As it turns out, if you have open Dependabot PRs, and you then activate a local nuget feed, it also closes the PRs due to the same "unknown_error"

kaylumah avatar Jan 31 '24 10:01 kaylumah

yes, unfortunately it breaks dependabot completely as it can't detect the current state of the packages.

OneCyrus avatar Jan 31 '24 15:01 OneCyrus

Interestingly enough, 10 hours ago I received a Dependabot PR for my tool-manifest file. I still have my local nuget folder enabled, so somewhere they treat the manifest updates separately from the other ones


kaylumah avatar Feb 06 '24 07:02 kaylumah

looks like dependabot is collecting the source urls/paths here:

https://github.com/dependabot/dependabot-core/blob/991a3a567247d98bb3ddfdd1f9c841ddcca54f0c/nuget/lib/dependabot/nuget/update_checker/repository_finder.rb#L224

as it's using 1:1 the value from the nuget.config value attribute, it will fail as we are using relative paths. so basically it should verify the value field and detect if it's an absolute path/url or a relative one. in case of a relative path it would need to prepend the path of the nuget.config it just read. unfortunately I'm not a ruby dev.

CC @brettfo

OneCyrus avatar Feb 13 '24 19:02 OneCyrus
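
The resolution step suggested in the comment above, as an added example (not part of the thread and not dependabot-core's own code): each packageSources value is classified as a feed URL, an absolute path, or a relative path, and relative paths are anchored at the directory of the nuget.config that declared them. The names `resolve_package_sources` and `remote_source?` are hypothetical, and the sample config is constructed from the one in the report.

```ruby
require "rexml/document"
require "uri"
require "pathname"

# Constructed sample: the nuget.config from the report, with comments trimmed.
SAMPLE_CONFIG = <<~XML
  <?xml version="1.0" encoding="utf-8"?>
  <configuration>
    <packageSources>
      <clear/>
      <add key="Local" value="packages" />
      <add key="nuget.org" value="https://api.nuget.org/v3/index.json" protocolVersion="3" />
    </packageSources>
  </configuration>
XML

# True when the value is an http(s) feed URL rather than a filesystem path.
# Values that are not valid URIs (for example paths with spaces) count as paths.
def remote_source?(value)
  %w(http https).include?(URI.parse(value).scheme)
rescue URI::InvalidURIError
  false
end

# Returns { key => resolved source } for every <add> under <packageSources>.
# Relative paths are anchored at the directory holding the nuget.config,
# not at the working directory of whatever process runs the restore.
def resolve_package_sources(config_xml, config_path)
  config_dir = Pathname.new(config_path).dirname
  doc = REXML::Document.new(config_xml)
  sources = {}
  doc.elements.each("configuration/packageSources/add") do |node|
    key = node.attributes["key"]
    value = node.attributes["value"].to_s.strip
    next if key.nil? || value.empty?

    sources[key] =
      if remote_source?(value) || Pathname.new(value).absolute?
        value # URLs and absolute paths are used as written
      else
        config_dir.join(value).cleanpath.to_s
      end
  end
  sources
end
```

With the config located at the repository root shown in the log, the `Local` source resolves to a `packages` directory inside the checked-out repo instead of inside the temporary project directory.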

Same issue here.

Patrick-3000 avatar Feb 27 '24 09:02 Patrick-3000

Is anyone working on this?

kaylumah avatar Mar 05 '24 16:03 kaylumah

I guess not, I've been manually updating dependencies since this happened. There's no workaround I know of, so dependabot is still completely broken for my .NET stuff.

Dave-EMIS avatar Mar 05 '24 16:03 Dave-EMIS

doesn't look like they are that interested to fix what they broke. after the major dependabot nuget update in november, there are so many basic things broken. the issue section is flooded with nuget problems. I doubt this will be fixed in the next few months.

OneCyrus avatar Mar 05 '24 17:03 OneCyrus

We're having the same issue with dependabot. It's not working with the local sources packages.

dmaliukov-verifiable avatar Mar 08 '24 18:03 dmaliukov-verifiable

Can you confirm this is now fixed by #9253?

abdulapopoola avatar Mar 14 '24 01:03 abdulapopoola

I just got a lot of PRs from Dependabot, while I had the local feed enabled. Looks to be working now :)

kaylumah avatar Mar 14 '24 07:03 kaylumah

Looks to be working here too - I've manually kicked off the dependabot job and getting PRs raised too.

I'll close this issue

Dave-EMIS avatar Mar 14 '24 08:03 Dave-EMIS