renovate
Ability to ignore pinned NuGet dependencies
What would you like Renovate to be able to do?
If I have a NuGet dependency in a csproj file of the following
<PackageReference Include="MyShippedAPI" Version="[10.0.0]" />
the reference is to an API that is already shipped and therefore immutable - imagine this is 'Addon for Product V10'.
I am attempting to tell NuGet, and developers, that this exact package match is required and under no circumstances should it be changed. Renovate creates PRs for all of our projects that have this specified, and given other default grouping, it's extremely hard to avoid changes to these creeping in. I can specifically exclude each package by hand via a package name match on MyShippedAPI, but this is tedious and error-prone across large numbers of repos & large numbers of dependencies.
An example repo can be found here. Prior discussion.
From discussion, the first stumbling block is that `currentValue` as extracted from NuGet doesn't even show the pinning; it would currently report `10.0.0`.
If you have any ideas on how this should be implemented, please tell us here.
N/A
Is this a feature you are interested in implementing yourself?
Yes
The goal here is to allow the use of `matchCurrentValue` (not `matchCurrentVersion`) to regex match against the pinned syntax.
Changing the NuGet manager to extract the `[...]` around the version is probably the easy bit. The hard bit is adapting the NuGet versioning to this too. But it should be considered similar to pinned versions in other languages such as `==1.2.0` in `pep440` versioning, for example.
Here are the approximate steps I think:
- Adjust the manager/nuget functionality to extract e.g. `[1.2.3]` as `currentValue="[1.2.3]"` and not `"1.2.3"` as today.
- Adjust versioning/nuget functions as needed, starting with making sure `isValid("[1.2.3]")` returns `true`, `isSingleVersion("[1.2.3]")` returns `true`, etc.
- Consider if this is needed to add or fix `registryStrategy=pin`
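The versioning behaviour sketched in the steps above, as an added TypeScript example that is not part of the original thread and is not Renovate's code. `parseRange`, `isValid`, `isSingleVersion`, `PINNED` and `shouldSkipUpdate` are hypothetical names here, and the version grammar is simplified.

```typescript
// Added illustration; hypothetical helpers, not Renovate's versioning/nuget code.
// Simplified version grammar: 1-4 numeric parts, optional pre-release and build metadata.
const VERSION = /^\d+(\.\d+){0,3}(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;

interface NuGetRange {
  min: string | null;
  max: string | null;
  minInclusive: boolean;
  maxInclusive: boolean;
}

// Parse NuGet notation: "1.2.3" (minimum), "[1.2.3]" (exact), "[1.0,2.0)" (interval).
function parseRange(input: string): NuGetRange | null {
  const value = input.trim();
  if (VERSION.test(value)) {
    // A bare version is a minimum (>=) in NuGet's notation, so this sketch does not treat it as a pin.
    return { min: value, max: null, minInclusive: true, maxInclusive: false };
  }
  const m = /^([\[(])([^,\[\]()]*)(?:(,)([^,\[\]()]*))?([\])])$/.exec(value);
  if (!m) return null;
  const open = m[1], close = m[5], hasComma = m[3] !== undefined;
  const lo = (m[2] ?? '').trim();
  const hi = (m[4] ?? '').trim();
  if (!hasComma) {
    // Without a comma only the fully bracketed "[x]" form is legal; "(x)" and "[x)" are not.
    if (open !== '[' || close !== ']' || !VERSION.test(lo)) return null;
    return { min: lo, max: lo, minInclusive: true, maxInclusive: true };
  }
  // An interval needs at least one bound, and every bound present must be a version.
  if (lo === '' && hi === '') return null;
  if ((lo !== '' && !VERSION.test(lo)) || (hi !== '' && !VERSION.test(hi))) return null;
  return { min: lo || null, max: hi || null, minInclusive: open === '[', maxInclusive: close === ']' };
}

function isValid(input: string): boolean {
  return parseRange(input) !== null;
}

function isSingleVersion(input: string): boolean {
  const r = parseRange(input);
  return r !== null && r.min !== null && r.min === r.max && r.minInclusive && r.maxInclusive;
}

// Stand-in for a regex rule on currentValue: it can only fire if the brackets survive extraction.
const PINNED = /^\[[^,\]]+\]$/;
function shouldSkipUpdate(currentValue: string): boolean {
  return PINNED.test(currentValue) && isSingleVersion(currentValue);
}
```

With the brackets stripped at extraction time (`"10.0.0"`), `shouldSkipUpdate` returns `false`, which is the stumbling block described in the issue body.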
@rarkins Any news on this? :)
This would be really useful for us.
We currently have a need to target multiple versions of packages switched on dotnet version and renovate will occasionally try and bump the older branches a major version.
Having the ability to pin those packages would be highly useful.
(We also have the need to pin some packages even more specifically than major version)
Use package rules to stop specific updates on specific branches.