fsprojects
Allow updating a transitive dependency
Description
It is currently not possible to update a transitive dependency on the command line without updating the direct dependency that requires it. I sometimes need to retrieve a bugfix on the transitive dependency and would rather not update more than needed just to test the bugfix.
Repro steps
In a solution where P is a transitive dependency, run:
dotnet paket update P
Expected behavior
Package P is updated. The direct dependency that requires it as a transitive dependency is not updated, unless the latest version of P is out of range for the currently installed version of the direct dependency.
(this is the behavior observed when using the workaround described below)
Actual behavior
Paket returns an error:
Paket version 7.2.1+8e4eb74b42fbd45f39f7afce9184c16ebb65f16c
Total time taken: 0 milliseconds
Paket failed with
-> Package P was not found in paket.dependencies in group Main.
Known workarounds
Manually add the package to paket.dependencies, run paket update P, then manually remove it from paket.dependencies.
This is becoming even more useful now that .NET 8 gives warnings (which I had as errors on a project I just tried to restore) when a package version has a security advisory against it.
This is really becoming a rather big maintenance problem. On the same project I've needed to do the workaround about four to five times this year and there are multiple projects to be maintained.
Security wise it would add a lot of value if paket update could support updates of transient deps out of the box.
