dependabot-core
dependabot-core copied to clipboard
dependabot
Fix Nuget multi update
I was trying to make nuget native updater work.
I could use some help if you provide me with dependencies that should be updated together and are not to be put to tests.
Also, I would appreciate a review for the dotnet part since this repository is mainly with ruby code.
I need to update how dotnet is invoked from ruby, the changes in dotnet should be complete.
Fixes #8888 Fixes #8576 Fixes #8740
@trejjam , thank you for your contributions. Could you please break down your PR in scoped smaller PRs so we can take a look at them?
And the last one, #8930.
The #8930 conflicts a lot with #8908. I prefer to go through #8930 first.
Hi @tombiddulph! 👋
Could you help me understand when you believe you will have time to review this?
This functionality, which has been broken for a few months already, is creating a lot of friction for us and many others based on the comments on the related issues.
At the same time, I want to thank the Dependabot team for all their hard work and give special kudos to @trejjam for tackling this issue! 💙
Hi @tombiddulph! 👋
Could you help me understand when you believe you will have time to review this?
This functionality, which has been broken for a few months already, is creating a lot of friction for us and many others based on the comments on the related issues.
At the same time, I want to thank the Dependabot team for all their hard work and give special kudos to @trejjam for tackling this issue! 💙
I don't have any permissions on this repo so my approval counts for nothing sadly.
I am not part of the Dependabot team either, so I can not pull any strings to speed things up.
Hi @tombiddulph! 👋
Could you help me understand when you believe you will have time to review this?
This functionality, which has been broken for a few months already, is creating a lot of friction for us and many others based on the comments on the related issues.
At the same time, I want to thank the Dependabot team for all their hard work and give special kudos to @trejjam for tackling this issue! 💙
Instead of @tombiddulph, I guess this should perhaps be directed to @edgarrs?
It seems incredible to me that this broken feature is not the highest priority item for Dependabot at least when it concerns the NuGet integration. I have an open ticket with GitHub support, but even they don't seem to be able to move this along. I've even contacted our technical sales contact at both Microsoft and GitHub about this, but to no avail yet unfortunately.
For all its flaws and shortcomings, Dependabot was really useful since the addition of the grouping, new features were improving the experience. Dependabot was becomming increasingly dependable. However my 💙 for dependabot is quickly fading by now 😒
Yep its a real pain, this issue combined with the last one about failing to resolve packages from private nuget feeds has meant that Dependabot has effectively been broken for me and many others for the majority of 2024 so far. Sadly I don't have the option to use another tool.
My concern is that changes are going to be further rolled out into GHES: https://github.com/dependabot/dependabot-core/issues/8483#issuecomment-1948305876
@JoeRobich @abdulapopoola Please give this the time of day. This is a major issue and has been around for months at this point.
Dropping a note here - sorry about the experience; we'll investigate and see how to get these over the line. Tagging @edgarrs and @brettfo too.
I see this moves the dependency loop from the ruby side to the NuGetUpdater. Can you explain how this behavior change ultimately affects the end-to-end updater output?
The change is there for a case when your group updates packages that depend on each other.
For example, these updates fail when executed separately. Respectively, only the xunit.assert is updated, and the xunit is rejected because of a version downgrade. (On main, the Updater is run separately for each dependency.) When updater tries to update xunit=2.7 it has not changed dependecy xunit.assert=2.6.6 which result in version downgrade.
[
new DependencyRequest { Name = "xunit.assert", NewVersion = "2.7.0", PreviousVersion = "2.6.6" },
// xunit depends on xunit.assert of the same version (or higher)
new DependencyRequest { Name = "xunit", NewVersion = "2.7.0", PreviousVersion = "2.6.6" },
],
The change to execute updates as grouped in the native Updater resolves this since it runs the update check as a group (xunit=2.7, xunit.assert=2.7), which does not result in version downgrade in the process.
We need to add tests for grouped updates on the Ruby side. I know they can be a lot of work with all the request mocking that is required. It would be great if we could find a test case that fails against main but passes with your changes. Let me know if you would like to write these tests or whether someone from our team should.
I will take a look on that
Thanks everyone!
@sebasgomez238 shipped #9228 yesterday and it might already address this issue. Could you please confirm?
Tagging @trejjam , @IshakAtLEGO and @NugetPackage
Grouped updates work as expected as of the last 24 hours thanks to #9228
Thanks everyone!
@sebasgomez238 shipped #9228 yesterday and it might already address this issue. Could you please confirm?
Tagging @trejjam , @IshakAtLEGO and @NugetPackage
Will keep in touch when I have verified this, thanks for the update @abdulapopoola.
Thank you so much @trejjam for all the help over several weeks.
I'm closing this PR since multiple folks now confirm that it works as expected. Please consider filling new issues if they pop up.
And again, deepest gratitudeto @trejjam !