dependabot-core
Dependabot not finding all instances of package upgrades in .NET solution
Is there an existing issue for this?
- [X] I have searched the existing issues
Package ecosystem
Nuget
Package manager version
No response
Language version
.NET 8
Manifest location and content before the Dependabot update
Example of Filesystem/Project structure:
- /src/SolutionFile.sln
- /src/API1/API1.csproj
- /src/API1/API1.Tests.csproj
- /src/API2/API2.csproj
- /src/API2/API2.Tests.csproj
- /src/API3/API3.csproj
- /src/API3/API3.Tests.csproj
- /src/Common.csproj
- /src/Common.Tests.csproj
dependabot.yml content
- package-ecosystem: "nuget"
  directory: "/src"
  schedule:
    interval: "weekly"
  target-branch: "develop"
Updated dependency
XUnit 2.6.6 -> 2.7.0. However, this happens with all dependencies.
What you expected to see, versus what you actually saw
My 4 Test projects in the structure attached all use XUnit (happens for other dependencies too). Dependabot has detected a package upgrade from 2.6.6 -> 2.7.0 and created a PR for the change; this is great. However, it has only 2 of the Test project csproj files in the PR. It has not found the package reference upgrades in the other 2 of my csproj projects. The projects are all referenced correctly from the solution file.
Native package manager behavior
Update is possible to consolidate across all projects
Images of the diff or a link to the PR, issue, or logs
No response
Smallest manifest that reproduces the issue
No response
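A check for the symptom described in this issue (a PR that bumps a package in only some of the solution's projects), added here as an example that is not part of the issue or of dependabot-core. It reads the project list from the .sln, parses each csproj's PackageReference items (Version as attribute or child element, Condition on the item or its ItemGroup), and reports projects still on the old version; the .sln and csproj inputs are constructed samples.

```python
"""Report projects a Dependabot NuGet PR left on the old package version.
Added example, not code from dependabot-core or the issue: read the .sln,
walk every csproj it lists, and flag PackageReference entries for a package
that are not yet at the expected version. The .sln and csproj inputs below
are constructed samples; a hypothetical PR bumped xunit in only two of three."""
import re
import xml.etree.ElementTree as ET

SLN_PROJECT_RE = re.compile(r'^Project\("\{[^}]+\}"\) = "[^"]+", "([^"]+\.csproj)"', re.M)
SAMPLE_SLN = r'''
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "API1.Tests", "API1\API1.Tests.csproj", "{A}"
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "API2.Tests", "API2\API2.Tests.csproj", "{B}"
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Common.Tests", "Common.Tests.csproj", "{C}"
'''
SAMPLE_FILES = {  # csproj text keyed by path relative to the .sln
    "API1/API1.Tests.csproj": '<Project Sdk="Microsoft.NET.Sdk"><ItemGroup>'
        '<PackageReference Include="xunit" Version="2.7.0" /></ItemGroup></Project>',
    "API2/API2.Tests.csproj": '<Project Sdk="Microsoft.NET.Sdk"><ItemGroup>'
        '<PackageReference Include="xunit" Version="2.6.6" /></ItemGroup></Project>',
    # Version as a child element inside a conditional ItemGroup: both valid MSBuild.
    "Common.Tests.csproj": '<Project Sdk="Microsoft.NET.Sdk">'
        '<ItemGroup Condition="\'$(TargetFramework)\' == \'net8.0\'">'
        '<PackageReference Include="XUnit"><Version>2.6.6</Version></PackageReference>'
        '</ItemGroup></Project>',
}

def solution_projects(sln_text):
    """Return the csproj paths listed in the .sln, with backslashes normalised."""
    return [p.replace("\\", "/") for p in SLN_PROJECT_RE.findall(sln_text)]

def package_references(xml_text):
    """Yield (id, version, condition) for every PackageReference in a csproj."""
    for group in ET.fromstring(xml_text).iter("ItemGroup"):
        for ref in group.findall("PackageReference"):
            version = ref.get("Version")
            if version is None:  # <Version> child element form
                child = ref.find("Version")
                version = child.text.strip() if child is not None and child.text else None
            yield (ref.get("Include") or ref.get("Update"), version,
                   ref.get("Condition") or group.get("Condition"))

def stragglers(sln_text, files, package_id, expected):
    """Map project path -> (version found, condition) where the bump is missing."""
    missed = {}
    for path in solution_projects(sln_text):
        for pkg, version, cond in package_references(files[path]):
            if pkg and pkg.lower() == package_id.lower() and version != expected:
                missed[path] = (version, cond)  # NuGet ids compare case-insensitively
    return missed
```

Run it against a checked-out Dependabot branch by replacing the sample dictionaries with the real .sln text and the csproj files it names; any project listed in the result was skipped by the PR.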
This seems to be happening to me as well:
https://github.com/redbaty/Wasari/pull/79
Dependabot found the correct packages to update, yet the commit only changes one csproj: https://github.com/redbaty/Wasari/pull/79/commits/c0d3cbb6afcb5fcb05a23c6afc5eea43f8142db9
Yes, I'm experiencing the same (or similar) issue. In one of my repos, dependabot claims to update three packages, but actually only updates a single package - the last one mentioned:
- See: https://github.com/IEvangelist/profanity-filter/pull/16
Here's my dependabot.yml:
# To get started with Dependabot version updates, you'll need to specify which
# package ecosystems to update and where the package manifests are located.
# Please see the documentation for all configuration options:
# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
version: 2
updates:
  - package-ecosystem: "github-actions" # Core GitHub Actions
    directory: "/"
    schedule:
      interval: "weekly"
      day: "wednesday"
  - package-ecosystem: "nuget"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "wednesday"
    open-pull-requests-limit: 5
    groups:
      # Group .NET updates together for solutions.
      dotnet:
        patterns:
          - "*" # Prefer a single PR per solution update.
I have the same issue - the dependabot PR groups several package changes but only the last package in the list is changed. My dependabot.yml file:
# To get started with Dependabot version updates, you'll need to specify which
# package ecosystems to update and where the package manifests are located.
# Please see the documentation for all configuration options:
# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
version: 2
updates:
  # Enable version updates for nuget
  - package-ecosystem: "nuget"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      major:
        patterns:
          - "*"
        update-types: ["major"]
      minor:
        patterns:
          - "*"
        update-types:
          - "minor"
          - "patch"
I have again experienced the same issue. Here's a PR once more that claims to upgrade two NuGet packages, yet it only actually upgraded the last one it mentions in the PR. Please help!
https://github.com/IEvangelist/profanity-filter/pull/17
Same issue here, this reports that it upgrades three NuGet packages:
Updates Microsoft.DotNet.Arcade.Sdk from 8.0.0-beta.24123.1 to 8.0.0-beta.24151.4
Updates Microsoft.DotNet.Helix.Sdk from 8.0.0-beta.24123.1 to 8.0.0-beta.24151.4
Updates Microsoft.DotNet.SharedFramework.Sdk from 8.0.0-beta.24123.1 to 8.0.0-beta.24151.4
But this only updates the last one mentioned:
This seems fixed now... Thanks!
Still happening in our most recent Dependabot PRs
Tagging @brettfo
@matt-mckinstry-cloudm do you have a public repo that has this problem? There's likely some issue between the projects and/or packages that dependabot isn't handling correctly.
We're seeing this as well, but unfortunately a private GH repo connecting to a private AzDO artifacts connection.
Symptoms:
- An update to a package is made in the private AzDO artifacts feed
- 5 projects out of the 29 that should be updated are updated by Dependabot
- All are csproj using PackageReference
- None of these csproj files have weird conditions around the PackageReference
EDIT 0: Bizarre finding in the Dependabot log:
...
{
  "FilePath": "ProjectABC/ProjectABC.csproj",
  "Dependencies": [
    ...
    {
      "Name": "Suzy.ABC.XYZ",
      "Version": "1.17.25",
      "Type": "PackageReference",
      "EvaluationResult": {
        "ResultType": "Success",
        "OriginalValue": "1.17.25",
        "EvaluatedValue": "1.17.25",
        "RootPropertyName": null,
        "ErrorMessage": null
      },
      "TargetFrameworks": [
        "net8.0"
      ],
      "IsDevDependency": false,
      "IsDirect": true,
      "IsTransitive": false,
      "IsOverride": false,
      "IsUpdate": false,
      "InfoUrl": null
    },
    ...
STDERR:
Package [Suzy.ABC.XYZ] Does not exist as a dependency in [/home/dependabot/dependabot-updater/repo/path/to/ProjectABC/ProjectABC.csproj].
Update complete.
Writing update result to [/tmp/update-result.json].
updater | 2024/07/17 19:40:03 INFO <job_857193570> update result: {
  "ErrorType": null,
  "ErrorDetails": null
}
And when you open ProjectABC.csproj:
<Project Sdk="Microsoft.NET.Sdk.Web">
  <PropertyGroup>
    ... boring property group things
  </PropertyGroup>
  <ItemGroup>
    ... project references
  </ItemGroup>
  <ItemGroup>
    ...
    <PackageReference Include="Suzy.ABC.XYZ" Version="1.17.25" />
    ...
  </ItemGroup>
  <Target Name="PostBuild" AfterTargets="PostBuildEvent">
    ... copy some shared libs to the target directory
  </Target>
</Project>
EDIT 1: Another dependabot run failed and it makes even less sense. From the log:
...
updater | 2024/07/18 19:54:02 INFO <job_857699013> Checking if Suzy.ABC.XYZ 1.17.25 needs updating
proxy | 2024/07/18 19:54:02 [640] GET [https://pkgs.dev.azure.c.../nuget/v3/index.json)
proxy | 2024/07/18 19:54:02 [640] * authenticating nuget feed request (host: pkgs.dev.azure.com, basic auth)
proxy | 2024/07/18 19:54:02 [640] 200 [https://pkgs.dev.azure.c.../nuget/v3/index.json)
proxy | 2024/07/18 19:54:02 [644] GET [https://pkgs.dev.azure.c.../nuget/v3/registrations2/suzy.abc.xyz/index.json)
2024/07/18 19:54:02 [644] * authenticating nuget feed request (host: pkgs.dev.azure.com, basic auth)
proxy | 2024/07/18 19:54:02 [644] 200 [https://pkgs.dev.azure.c.../index.json)
proxy | 2024/07/18 19:54:02 [646] GET [https://pkgs.dev.azure.c.../suzy.abc.xyz.nuspec)
proxy | 2024/07/18 19:54:02 [646] * authenticating nuget feed request (host: pkgs.dev.azure.com, basic auth)
proxy | 2024/07/18 19:54:02 [646] 200 [https://pkgs.dev.azure.c.../suzy.abc.xyz/1.17.25/suzy.abc.xyz.nuspec)
updater | 2024/07/18 19:54:02 INFO <job_857699013> Latest version is 1.17.43
updater | 2024/07/18 19:54:02 INFO <job_857699013> Requirements to unlock all
updater | 2024/07/18 19:54:02 INFO <job_857699013> Requirements update strategy
updater | Finding updated dependencies for Suzy.ABC.XYZ.
proxy | 2024/07/18 19:54:03 [648] GET [https://pkgs.dev.azure.c.../suzy.abc.xyz/1.17.43/suzy.abc.xyz.nuspec)
proxy | 2024/07/18 19:54:03 [648] * authenticating nuget feed request (host: pkgs.dev.azure.com, basic auth)
proxy | 2024/07/18 19:54:03 [648] 200 [https://pkgs.dev.azure.c...suzy.abc.xyz/1.17.43/suzy.abc.xyz.nuspec)
...
/tmp/package-dependency-resolution_diNPqP/Project.csproj : error NU1102: Unable to find package Suzy.ABC.XYZ with version (= 1.17.43)
/tmp/package-dependency-resolution_diNPqP/Project.csproj : error NU1102: - Found 30 version(s) in nuget_source_1 [ Nearest version: 1.17.42 ]
Apologies, I'm only seeing this now. No, our repos are all private unfortunately.