dependabot-nuget 0.241.0 → 0.242.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c4785ffa6c4f7a334d8c7d57932d82420af791410a4ebfe9a38f2ee73da5d271
-  data.tar.gz: 0cfcaa2b152867cccce8907eb64d98a72d217626467ee25bfb5ea2bb1839e0c0
+  metadata.gz: 1a49c3bda283658e65f9a37cf33e5b4855048bf2673bcfdcde4bb2e39d00d68e
+  data.tar.gz: 340fb04884786613bcbf75e25f7b51be9e662d26211418804965162df2c95c2a
 SHA512:
-  metadata.gz: f3dd5df35c8cd6e2991e61c6327f9144c6c600578c477309b7a0624a0a768d356fada0d2e33e3a9d5695cb8c8271e75e639f0b5246db9795c97425d23e1ae99f
-  data.tar.gz: b8424ae0c6d11cba9066601d4db01e16e2382d633814b091cd5ae14f38da505d6504bed7c2285eb634bf173a1353245bbefeaedeee26b8cbebf513c1188955cb
+  metadata.gz: 55e5a6b6949b5d30cfd95fb8ac185e9ccad548e0f8cc073237181c8a99e76252602920f6ff4cce68afb8310b4e358a7191ff4c9fe1ef27e92147529eb6c0012a
+  data.tar.gz: ea153c1649add8848551c6a54577beb7fa554f557275d1ed09928d741bc5ded5a1bfe7ed39561592bda152d8ded72f4081d30da3fcd748500f5d887825c27eb9

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Dependency.cs

@@ -1,3 +1,3 @@
 namespace NuGetUpdater.Core;
 
-public sealed record Dependency(string Name, string? Version, DependencyType Type, bool IsDevDependency = false, bool IsOverride = false);
+public sealed record Dependency(string Name, string? Version, DependencyType Type, bool IsDevDependency = false, bool IsOverride = false, bool IsUpdate = false);

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Files/DotNetToolsJsonBuildFile.cs

@@ -1,4 +1,3 @@
-using System;
 using System.Collections.Generic;
 using System.IO;
 using System.Linq;
@@ -8,11 +7,11 @@ namespace NuGetUpdater.Core;
 
 internal sealed class DotNetToolsJsonBuildFile : JsonBuildFile
 {
-    public static DotNetToolsJsonBuildFile Open(string repoRootPath, string path)
-        => new(repoRootPath, path, File.ReadAllText(path));
+    public static DotNetToolsJsonBuildFile Open(string repoRootPath, string path, Logger logger)
+        => new(repoRootPath, path, File.ReadAllText(path), logger);
 
-    public DotNetToolsJsonBuildFile(string repoRootPath, string path, string contents)
-        : base(repoRootPath, path, contents)
+    public DotNetToolsJsonBuildFile(string repoRootPath, string path, string contents, Logger logger)
+        : base(repoRootPath, path, contents, logger)
     {
     }
 

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Files/GlobalJsonBuildFile.cs

@@ -7,18 +7,29 @@ namespace NuGetUpdater.Core;
 
 internal sealed class GlobalJsonBuildFile : JsonBuildFile
 {
-    public static GlobalJsonBuildFile Open(string repoRootPath, string path)
-        => new(repoRootPath, path, File.ReadAllText(path));
+    public static GlobalJsonBuildFile Open(string repoRootPath, string path, Logger logger)
+        => new(repoRootPath, path, File.ReadAllText(path), logger);
 
-    public GlobalJsonBuildFile(string repoRootPath, string path, string contents)
-        : base(repoRootPath, path, contents)
+    public GlobalJsonBuildFile(string repoRootPath, string path, string contents, Logger logger)
+        : base(repoRootPath, path, contents, logger)
     {
     }
 
-    public JsonObject? Sdk => Node.Value?["sdk"]?.AsObject();
+    public JsonObject? Sdk
+    {
+        get
+        {
+            return Node.Value is JsonObject root ? root["sdk"]?.AsObject() : null;
+        }
+    }
 
-    public JsonObject? MSBuildSdks =>
-        Node.Value?["msbuild-sdks"]?.AsObject();
+    public JsonObject? MSBuildSdks
+    {
+        get
+        {
+            return Node.Value is JsonObject root ? root["msbuild-sdks"]?.AsObject() : null;
+        }
+    }
 
     public IEnumerable<Dependency> GetDependencies() => MSBuildSdks?.AsObject().Select(
         t => new Dependency(t.Key, t.Value?.GetValue<string>() ?? string.Empty, DependencyType.MSBuildSdk)) ?? Enumerable.Empty<Dependency>();

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Files/JsonBuildFile.cs

@@ -8,11 +8,13 @@ namespace NuGetUpdater.Core;
 internal abstract class JsonBuildFile : BuildFile<string>
 {
     protected Lazy<JsonNode?> Node;
+    private readonly Logger logger;
 
-    public JsonBuildFile(string repoRootPath, string path, string contents)
+    public JsonBuildFile(string repoRootPath, string path, string contents, Logger logger)
         : base(repoRootPath, path, contents)
     {
         Node = new Lazy<JsonNode?>(() => null);
+        this.logger = logger;
         ResetNode();
     }
 
@@ -27,6 +29,19 @@ internal abstract class JsonBuildFile : BuildFile<string>
 
     private void ResetNode()
     {
-        Node = new Lazy<JsonNode?>(() => JsonHelper.ParseNode(Contents));
+        Node = new Lazy<JsonNode?>(() =>
+        {
+            try
+            {
+                return JsonHelper.ParseNode(Contents);
+            }
+            catch (System.Text.Json.JsonException ex)
+            {
+                // We can't police that people have legal JSON files.
+                // If they don't, we just return null.
+                logger.Log($"Failed to parse JSON file: {RepoRelativePath}, got {ex}");
+                return null;
+            }
+        });
     }
 }

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Updater/DotNetToolsJsonUpdater.cs

@@ -10,7 +10,7 @@ internal static partial class DotNetToolsJsonUpdater
 {
     public static async Task UpdateDependencyAsync(string repoRootPath, string dependencyName, string previousDependencyVersion, string newDependencyVersion, Logger logger)
     {
-        var buildFiles = LoadBuildFiles(repoRootPath);
+        var buildFiles = LoadBuildFiles(repoRootPath, logger);
         if (buildFiles.Length == 0)
         {
             logger.Log($"  No dotnet-tools.json files found.");
@@ -49,7 +49,7 @@ internal static partial class DotNetToolsJsonUpdater
         }
     }
 
-    private static ImmutableArray<DotNetToolsJsonBuildFile> LoadBuildFiles(string repoRootPath)
+    private static ImmutableArray<DotNetToolsJsonBuildFile> LoadBuildFiles(string repoRootPath, Logger logger)
     {
         var options = new EnumerationOptions()
         {
@@ -60,7 +60,7 @@ internal static partial class DotNetToolsJsonUpdater
             MatchCasing = MatchCasing.CaseInsensitive,
         };
         return Directory.EnumerateFiles(repoRootPath, "dotnet-tools.json", options)
-            .Select(path => DotNetToolsJsonBuildFile.Open(repoRootPath, path))
+            .Select(path => DotNetToolsJsonBuildFile.Open(repoRootPath, path, logger))
             .ToImmutableArray();
     }
 }

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Updater/GlobalJsonUpdater.cs

@@ -15,7 +15,7 @@ internal static partial class GlobalJsonUpdater
             return;
         }
 
-        var globalJsonFile = GlobalJsonBuildFile.Open(repoRootPath, globalJsonPath);
+        var globalJsonFile = GlobalJsonBuildFile.Open(repoRootPath, globalJsonPath, logger);
 
         logger.Log($"  Updating [{globalJsonFile.RepoRelativePath}] file.");
 

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Updater/SdkPackageUpdater.cs

@@ -34,7 +34,7 @@ internal static partial class SdkPackageUpdater
         foreach (var tfm in tfms)
         {
             var dependencies = await MSBuildHelper.GetAllPackageDependenciesAsync(repoRootPath, projectPath, tfm, topLevelDependencies, logger);
-            foreach (var (packageName, packageVersion, _, _, _) in dependencies)
+            foreach (var (packageName, packageVersion, _, _, _, _) in dependencies)
             {
                 if (packageName.Equals(dependencyName, StringComparison.OrdinalIgnoreCase))
                 {
@@ -76,7 +76,7 @@ internal static partial class SdkPackageUpdater
         var packagesAndVersions = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
         foreach (var (tfm, dependencies) in tfmsAndDependencies)
         {
-            foreach (var (packageName, packageVersion, _, _, _) in dependencies)
+            foreach (var (packageName, packageVersion, _, _, _, _) in dependencies)
             {
                 if (packagesAndVersions.TryGetValue(packageName, out var existingVersion) &&
                     existingVersion != packageVersion)

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Utilities/MSBuildHelper.cs

@@ -136,7 +136,7 @@ internal static partial class MSBuildHelper
 
     public static IEnumerable<Dependency> GetTopLevelPackageDependenyInfos(ImmutableArray<ProjectBuildFile> buildFiles)
     {
-        Dictionary<string, string> packageInfo = new(StringComparer.OrdinalIgnoreCase);
+        Dictionary<string, (string, bool)> packageInfo = new(StringComparer.OrdinalIgnoreCase);
         Dictionary<string, string> packageVersionInfo = new(StringComparer.OrdinalIgnoreCase);
         Dictionary<string, string> propertyInfo = new(StringComparer.OrdinalIgnoreCase);
 
@@ -154,7 +154,22 @@ internal static partial class MSBuildHelper
                 {
                     if (!string.IsNullOrWhiteSpace(attributeValue))
                     {
-                        packageInfo[attributeValue] = versionSpecification;
+                        if (packageInfo.TryGetValue(attributeValue, out var existingInfo))
+                        {
+                            var existingVersion = existingInfo.Item1;
+                            var existingUpdate = existingInfo.Item2;
+                            // Retain the version from the Update reference since the intention
+                            // would be to override the version of the Include reference.
+                            var vSpec = string.IsNullOrEmpty(versionSpecification) || existingUpdate ? existingVersion : versionSpecification;
+
+                            var isUpdate = existingUpdate && string.IsNullOrEmpty(packageItem.Include);
+                            packageInfo[attributeValue] = (vSpec, isUpdate);
+                        }
+                        else
+                        {
+                            var isUpdate = !string.IsNullOrEmpty(packageItem.Update);
+                            packageInfo[attributeValue] = (versionSpecification, isUpdate);
+                        }
                     }
                 }
             }
@@ -180,8 +195,9 @@ internal static partial class MSBuildHelper
             }
         }
 
-        foreach (var (name, version) in packageInfo)
+        foreach (var (name, info) in packageInfo)
         {
+            var (version, isUpdate) = info;
             if (version.Length != 0 || !packageVersionInfo.TryGetValue(name, out var packageVersion))
             {
                 packageVersion = version;
@@ -195,8 +211,8 @@ internal static partial class MSBuildHelper
             // We don't know the version for range requirements or wildcard
             // requirements, so return "" for these.
             yield return packageVersion.Contains(',') || packageVersion.Contains('*')
-                ? new Dependency(name, string.Empty, DependencyType.Unknown)
-                : new Dependency(name, packageVersion, DependencyType.Unknown);
+                ? new Dependency(name, string.Empty, DependencyType.Unknown, IsUpdate: isUpdate)
+                : new Dependency(name, packageVersion, DependencyType.Unknown, IsUpdate: isUpdate);
         }
     }
 
@@ -247,7 +263,7 @@ internal static partial class MSBuildHelper
         try
         {
             var tempProjectPath = await CreateTempProjectAsync(tempDirectory, repoRoot, projectPath, targetFramework, packages);
-            var (exitCode, stdOut, stdErr) = await ProcessEx.RunAsync("dotnet", $"build \"{tempProjectPath}\"");
+            var (exitCode, stdOut, stdErr) = await ProcessEx.RunAsync("dotnet", $"restore \"{tempProjectPath}\"");
 
             // NU1608: Detected package version outside of dependency constraint
 
@@ -284,13 +300,15 @@ internal static partial class MSBuildHelper
             Environment.NewLine,
             packages
                 .Where(p => !string.IsNullOrWhiteSpace(p.Version)) // empty `Version` attributes will cause the temporary project to not build
-                .Select(static p => $"<PackageReference Include=\"{p.Name}\" Version=\"[{p.Version}]\" />"));
+                // If all PackageReferences for a package are update-only mark it as such, otherwise it can cause package incoherence errors which do not exist in the repo.
+                .Select(static p => $"<PackageReference {(p.IsUpdate ? "Update" : "Include")}=\"{p.Name}\" Version=\"[{p.Version}]\" />"));
 
         var projectContents = $"""
                 <Project Sdk="Microsoft.NET.Sdk">
                   <PropertyGroup>
                     <TargetFramework>{targetFramework}</TargetFramework>
                     <GenerateDependencyFile>true</GenerateDependencyFile>
+                    <RunAnalyzers>false</RunAnalyzers>
                   </PropertyGroup>
                   <ItemGroup>
                     {packageReferences}

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Utilities/ProcessExtensions.cs

@@ -1,6 +1,7 @@
 using System;
 using System.Diagnostics;
 using System.Text;
+using System.Threading;
 using System.Threading.Tasks;
 
 namespace NuGetUpdater.Core;
@@ -11,6 +12,7 @@ public static class ProcessEx
     {
         var tcs = new TaskCompletionSource<(int, string, string)>();
 
+        var redirectInitiated = new ManualResetEventSlim();
         var process = new Process
         {
             StartInfo =
@@ -37,8 +39,21 @@ public static class ProcessEx
 
         process.Exited += (sender, args) =>
         {
-            tcs.TrySetResult((process.ExitCode, stdout.ToString(), stderr.ToString()));
-            process.Dispose();
+            // It is necessary to wait until we have invoked 'BeginXReadLine' for our redirected IO. Then,
+            // we must call WaitForExit to make sure we've received all OutputDataReceived/ErrorDataReceived calls
+            // or else we'll be returning a list we're still modifying. For paranoia, we'll start a task here rather
+            // than enter right back into the Process type and start a wait which isn't guaranteed to be safe.
+            Task.Run(() =>
+            {
+               redirectInitiated.Wait();
+               redirectInitiated.Dispose();
+               redirectInitiated = null;
+
+               process.WaitForExit();
+
+               tcs.TrySetResult((process.ExitCode, stdout.ToString(), stderr.ToString()));
+               process.Dispose();
+            });
         };
 
 #if DEBUG
@@ -61,6 +76,8 @@ public static class ProcessEx
         process.BeginOutputReadLine();
         process.BeginErrorReadLine();
 
+        redirectInitiated.Set();
+
         return tcs.Task;
     }
 }

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core.Test/Files/DotNetToolsJsonBuildFileTests.cs

@@ -32,7 +32,8 @@ public class DotnetToolsJsonBuildFileTests
     private static DotNetToolsJsonBuildFile GetBuildFile() => new(
         repoRootPath: "/",
         path: "/.config/dotnet-tools.json",
-        contents: DotnetToolsJson);
+        contents: DotnetToolsJson,
+        logger: new Logger(verbose: true));
 
     [Fact]
     public void GetDependencies_ReturnsDependencies()

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core.Test/Files/GlobalJsonBuildFileTests.cs

@@ -31,7 +31,24 @@ public class GlobalJsonBuildFileTests
     private static GlobalJsonBuildFile GetBuildFile(string contents) => new(
         repoRootPath: "/",
         path: "/global.json",
-        contents: contents);
+        contents: contents,
+        logger: new Logger(verbose: true));
+
+    [Fact]
+    public void GlobalJson_Malformed_DoesNotThrow()
+    {
+        var buildFile = GetBuildFile("""[{ "Random": "stuff"}]""");
+
+        Assert.Null(buildFile.MSBuildSdks);
+    }
+
+    [Fact]
+    public void GlobalJson_NotJson_DoesNotThrow()
+    {
+        var buildFile = GetBuildFile("not json");
+
+        Assert.Null(buildFile.MSBuildSdks);
+    }
 
     [Fact]
     public void GlobalJson_GetDependencies_ReturnsDependencies()

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core.Test/Utilities/MSBuildHelperTests.cs

@@ -171,6 +171,144 @@ public class MSBuildHelperTests
         Assert.Equal(expectedDependencies, actualDependencies);
     }
 
+    [Fact]
+    public async Task AllPackageDependencies_DoNotTruncateLongDependencyLists()
+    {
+        using var temp = new TemporaryDirectory();
+        var expectedDependencies = new Dependency[]
+        {
+            new("Castle.Core", "4.4.1", DependencyType.Unknown),
+            new("Microsoft.ApplicationInsights", "2.10.0", DependencyType.Unknown),
+            new("Microsoft.ApplicationInsights.Agent.Intercept", "2.4.0", DependencyType.Unknown),
+            new("Microsoft.ApplicationInsights.DependencyCollector", "2.10.0", DependencyType.Unknown),
+            new("Microsoft.ApplicationInsights.PerfCounterCollector", "2.10.0", DependencyType.Unknown),
+            new("Microsoft.ApplicationInsights.WindowsServer", "2.10.0", DependencyType.Unknown),
+            new("Microsoft.ApplicationInsights.WindowsServer.TelemetryChannel", "2.10.0", DependencyType.Unknown),
+            new("Microsoft.AspNet.TelemetryCorrelation", "1.0.5", DependencyType.Unknown),
+            new("Microsoft.Bcl.AsyncInterfaces", "7.0.0", DependencyType.Unknown),
+            new("Microsoft.Extensions.Caching.Abstractions", "1.0.0", DependencyType.Unknown),
+            new("Microsoft.Extensions.Caching.Memory", "1.0.0", DependencyType.Unknown),
+            new("Microsoft.Extensions.DependencyInjection", "7.0.0", DependencyType.Unknown),
+            new("Microsoft.Extensions.DependencyInjection.Abstractions", "7.0.0", DependencyType.Unknown),
+            new("Microsoft.Extensions.DiagnosticAdapter", "1.1.0", DependencyType.Unknown),
+            new("Microsoft.Extensions.Http", "7.0.0", DependencyType.Unknown),
+            new("Microsoft.Extensions.Logging", "7.0.0", DependencyType.Unknown),
+            new("Microsoft.Extensions.Logging.Abstractions", "7.0.0", DependencyType.Unknown),
+            new("Microsoft.Extensions.Options", "7.0.0", DependencyType.Unknown),
+            new("Microsoft.Extensions.PlatformAbstractions", "1.1.0", DependencyType.Unknown),
+            new("Microsoft.Extensions.Primitives", "7.0.0", DependencyType.Unknown),
+            new("Moq", "4.16.1", DependencyType.Unknown),
+            new("MSTest.TestFramework", "2.1.0", DependencyType.Unknown),
+            new("Newtonsoft.Json", "12.0.1", DependencyType.Unknown),
+            new("System", "4.1.311.2", DependencyType.Unknown),
+            new("System.Buffers", "4.5.1", DependencyType.Unknown),
+            new("System.Collections.Concurrent", "4.3.0", DependencyType.Unknown),
+            new("System.Collections.Immutable", "1.3.0", DependencyType.Unknown),
+            new("System.Collections.NonGeneric", "4.3.0", DependencyType.Unknown),
+            new("System.Collections.Specialized", "4.3.0", DependencyType.Unknown),
+            new("System.ComponentModel", "4.3.0", DependencyType.Unknown),
+            new("System.ComponentModel.Annotations", "5.0.0", DependencyType.Unknown),
+            new("System.ComponentModel.Primitives", "4.3.0", DependencyType.Unknown),
+            new("System.ComponentModel.TypeConverter", "4.3.0", DependencyType.Unknown),
+            new("System.Core", "3.5.21022.801", DependencyType.Unknown),
+            new("System.Data.Common", "4.3.0", DependencyType.Unknown),
+            new("System.Diagnostics.DiagnosticSource", "7.0.0", DependencyType.Unknown),
+            new("System.Diagnostics.PerformanceCounter", "4.5.0", DependencyType.Unknown),
+            new("System.Diagnostics.StackTrace", "4.3.0", DependencyType.Unknown),
+            new("System.Dynamic.Runtime", "4.3.0", DependencyType.Unknown),
+            new("System.IO.FileSystem.Primitives", "4.3.0", DependencyType.Unknown),
+            new("System.Linq", "4.3.0", DependencyType.Unknown),
+            new("System.Linq.Expressions", "4.3.0", DependencyType.Unknown),
+            new("System.Memory", "4.5.5", DependencyType.Unknown),
+            new("System.Net.WebHeaderCollection", "4.3.0", DependencyType.Unknown),
+            new("System.Numerics.Vectors", "4.4.0", DependencyType.Unknown),
+            new("System.ObjectModel", "4.3.0", DependencyType.Unknown),
+            new("System.Private.DataContractSerialization", "4.3.0", DependencyType.Unknown),
+            new("System.Reflection.Emit", "4.3.0", DependencyType.Unknown),
+            new("System.Reflection.Emit.ILGeneration", "4.3.0", DependencyType.Unknown),
+            new("System.Reflection.Emit.Lightweight", "4.3.0", DependencyType.Unknown),
+            new("System.Reflection.Metadata", "1.4.1", DependencyType.Unknown),
+            new("System.Reflection.TypeExtensions", "4.3.0", DependencyType.Unknown),
+            new("System.Runtime.CompilerServices.Unsafe", "6.0.0", DependencyType.Unknown),
+            new("System.Runtime.InteropServices.RuntimeInformation", "4.3.0", DependencyType.Unknown),
+            new("System.Runtime.Numerics", "4.3.0", DependencyType.Unknown),
+            new("System.Runtime.Serialization.Json", "4.3.0", DependencyType.Unknown),
+            new("System.Runtime.Serialization.Primitives", "4.3.0", DependencyType.Unknown),
+            new("System.Security.Claims", "4.3.0", DependencyType.Unknown),
+            new("System.Security.Cryptography.OpenSsl", "4.3.0", DependencyType.Unknown),
+            new("System.Security.Cryptography.Primitives", "4.3.0", DependencyType.Unknown),
+            new("System.Security.Principal", "4.3.0", DependencyType.Unknown),
+            new("System.Text.RegularExpressions", "4.3.0", DependencyType.Unknown),
+            new("System.Threading", "4.3.0", DependencyType.Unknown),
+            new("System.Threading.Tasks.Extensions", "4.5.4", DependencyType.Unknown),
+            new("System.Threading.Thread", "4.3.0", DependencyType.Unknown),
+            new("System.Threading.ThreadPool", "4.3.0", DependencyType.Unknown),
+            new("System.Xml.ReaderWriter", "4.3.0", DependencyType.Unknown),
+            new("System.Xml.XDocument", "4.3.0", DependencyType.Unknown),
+            new("System.Xml.XmlDocument", "4.3.0", DependencyType.Unknown),
+            new("System.Xml.XmlSerializer", "4.3.0", DependencyType.Unknown),
+            new("Microsoft.ApplicationInsights.Web", "2.10.0", DependencyType.Unknown),
+            new("MSTest.TestAdapter", "2.1.0", DependencyType.Unknown),
+            new("NETStandard.Library", "2.0.3", DependencyType.Unknown),
+        };
+        var packages = new[] {
+            new Dependency("System", "4.1.311.2", DependencyType.Unknown),
+            new Dependency("System.Core", "3.5.21022.801", DependencyType.Unknown),
+            new Dependency("Moq", "4.16.1", DependencyType.Unknown),
+            new Dependency("Castle.Core", "4.4.1", DependencyType.Unknown),
+            new Dependency("MSTest.TestAdapter", "2.1.0", DependencyType.Unknown),
+            new Dependency("MSTest.TestFramework", "2.1.0", DependencyType.Unknown),
+            new Dependency("Microsoft.ApplicationInsights", "2.10.0", DependencyType.Unknown),
+            new Dependency("Microsoft.ApplicationInsights.Agent.Intercept", "2.4.0", DependencyType.Unknown),
+            new Dependency("Microsoft.ApplicationInsights.DependencyCollector", "2.10.0", DependencyType.Unknown),
+            new Dependency("Microsoft.ApplicationInsights.PerfCounterCollector", "2.10.0", DependencyType.Unknown),
+            new Dependency("Microsoft.ApplicationInsights.Web", "2.10.0", DependencyType.Unknown),
+            new Dependency("Microsoft.ApplicationInsights.WindowsServer.TelemetryChannel", "2.10.0", DependencyType.Unknown),
+            new Dependency("Microsoft.ApplicationInsights.WindowsServer", "2.10.0", DependencyType.Unknown),
+            new Dependency("Microsoft.Extensions.Http", "7.0.0", DependencyType.Unknown),
+            new Dependency("Newtonsoft.Json", "12.0.1", DependencyType.Unknown)
+        };
+        var actualDependencies = await MSBuildHelper.GetAllPackageDependenciesAsync(temp.DirectoryPath, temp.DirectoryPath, "netstandard2.0", packages);
+        for(int i = 0; i < actualDependencies.Length; i++)
+        {
+            var ad = actualDependencies[i];
+            var ed = expectedDependencies[i];
+            Assert.Equal(ed, ad);
+        }
+        Assert.Equal(expectedDependencies, actualDependencies);
+    }
+
+    [Fact]
+    public async Task AllPackageDependencies_DoNotIncludeUpdateOnlyPackages()
+    {
+        using var temp = new TemporaryDirectory();
+        var expectedDependencies = new Dependency[]
+        {
+            new("Microsoft.Bcl.AsyncInterfaces", "7.0.0", DependencyType.Unknown),
+            new("Microsoft.Extensions.DependencyInjection", "7.0.0", DependencyType.Unknown),
+            new("Microsoft.Extensions.DependencyInjection.Abstractions", "7.0.0", DependencyType.Unknown),
+            new("Microsoft.Extensions.Http", "7.0.0", DependencyType.Unknown),
+            new("Microsoft.Extensions.Logging", "7.0.0", DependencyType.Unknown),
+            new("Microsoft.Extensions.Logging.Abstractions", "7.0.0", DependencyType.Unknown),
+            new("Microsoft.Extensions.Options", "7.0.0", DependencyType.Unknown),
+            new("Microsoft.Extensions.Primitives", "7.0.0", DependencyType.Unknown),
+            new("System.Buffers", "4.5.1", DependencyType.Unknown),
+            new("System.ComponentModel.Annotations", "5.0.0", DependencyType.Unknown),
+            new("System.Diagnostics.DiagnosticSource", "7.0.0", DependencyType.Unknown),
+            new("System.Memory", "4.5.5", DependencyType.Unknown),
+            new("System.Numerics.Vectors", "4.4.0", DependencyType.Unknown),
+            new("System.Runtime.CompilerServices.Unsafe", "6.0.0", DependencyType.Unknown),
+            new("System.Threading.Tasks.Extensions", "4.5.4", DependencyType.Unknown),
+            new("NETStandard.Library", "2.0.3", DependencyType.Unknown),
+        };
+        var packages = new[] {
+            new Dependency("Microsoft.Extensions.Http", "7.0.0", DependencyType.Unknown),
+            new Dependency("Newtonsoft.Json", "12.0.1", DependencyType.Unknown, IsUpdate: true)
+        };
+        var actualDependencies = await MSBuildHelper.GetAllPackageDependenciesAsync(temp.DirectoryPath, temp.DirectoryPath, "netstandard2.0", packages);
+        Assert.Equal(expectedDependencies, actualDependencies);
+    }
+
     [Fact]
     public async Task AllPackageDependenciesCanBeFoundWithNuGetConfig()
     {
@@ -349,6 +487,72 @@ public class MSBuildHelperTests
                 new("Newtonsoft.Json", "12.0.1", DependencyType.Unknown)
             }
         };
+
+        // version is set in one file, used in another
+        yield return new object[]
+        {
+            // build file contents
+            new[]
+            {
+                ("Packages.props", """
+                    <Project>
+                      <ItemGroup>
+                        <PackageReference Update="Azure.Identity" Version="1.6.0" />
+                        <PackageReference Update="Microsoft.Data.SqlClient" Version="5.1.4" />
+                      </ItemGroup>
+                    </Project>
+                """),
+                ("project.csproj", """
+                    <Project Sdk="Microsoft.NET.Sdk">
+                      <PropertyGroup>
+                        <TargetFramework>netstandard2.0</TargetFramework>
+                      </PropertyGroup>
+                      <ItemGroup>
+                        <PackageReference Include="Azure.Identity" Version="1.6.1" />
+                      </ItemGroup>
+                    </Project>
+                    """)
+            },
+            // expected dependencies
+            new Dependency[]
+            {
+                new("Azure.Identity", "1.6.0", DependencyType.Unknown),
+                new("Microsoft.Data.SqlClient", "5.1.4", DependencyType.Unknown, IsUpdate: true)
+            }
+        };
+
+        // version is set in one file, used in another
+        yield return new object[]
+        {
+            // build file contents
+            new[]
+            {
+                ("project.csproj", """
+                    <Project Sdk="Microsoft.NET.Sdk">
+                      <PropertyGroup>
+                        <TargetFramework>netstandard2.0</TargetFramework>
+                      </PropertyGroup>
+                      <ItemGroup>
+                        <PackageReference Include="Azure.Identity" />
+                      </ItemGroup>
+                    </Project>
+                    """),
+                ("Packages.props", """
+                    <Project>
+                      <ItemGroup>
+                        <PackageReference Update="Azure.Identity" Version="1.6.0" />
+                        <PackageReference Update="Microsoft.Data.SqlClient" Version="5.1.4" />
+                      </ItemGroup>
+                    </Project>
+                """)
+            },
+            // expected dependencies
+            new Dependency[]
+            {
+                new("Azure.Identity", "1.6.0", DependencyType.Unknown),
+                new("Microsoft.Data.SqlClient", "5.1.4", DependencyType.Unknown, IsUpdate: true)
+            }
+        };
     }
 
     public static IEnumerable<object[]> SolutionProjectPathTestData()

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core.Test/Utilities/SdkPackageUpdaterTests.cs

@@ -187,6 +187,69 @@ public class SdkPackageUpdaterTests
             "Newtonsoft.Json", "12.0.1", "13.0.1", false // isTransitive
         };
 
+        // Make sure we don't update if there are incoherent versions
+        yield return new object[] {
+            new []
+            {
+                (Path: "src/Project.csproj", Content: """
+                    <Project Sdk="Microsoft.NET.Sdk">
+                        <PropertyGroup>
+                            <TargetFramework>netcoreapp2.1</TargetFramework>
+                        </PropertyGroup>
+                        <ItemGroup>
+                            <PackageReference Include="Microsoft.Extensions.Primitives" Version="2.2.0" />
+                            <PackageReference Include="Microsoft.Extensions.Options" Version="2.2.0" />
+                            <PackageReference Include="Microsoft.Extensions.Logging.Abstractions" Version="2.2.0" />
+                            <PackageReference Include="Microsoft.Extensions.Logging" Version="2.2.0" />
+                            <PackageReference Include="Microsoft.Extensions.DependencyInjection.Abstractions" Version="2.2.0" />
+                            <PackageReference Include="Microsoft.Extensions.DependencyInjection" Version="2.2.0" />
+                            <PackageReference Include="Microsoft.Extensions.Configuration.Binder" Version="2.2.0" />
+                            <PackageReference Include="Microsoft.Extensions.Configuration.Abstractions" Version="2.2.0" />
+                            <PackageReference Include="Microsoft.Extensions.Configuration" Version="2.2.0" />
+                            <PackageReference Include="Microsoft.Extensions.Caching.Memory" Version="2.2.0" />
+                            <PackageReference Include="Microsoft.Extensions.Caching.Abstractions" Version="2.2.0" />
+                            <PackageReference Include="Microsoft.EntityFrameworkCore.Relational" Version="2.2.0" />
+                            <PackageReference Include="Microsoft.EntityFrameworkCore.Analyzers" Version="2.2.0" />
+                            <PackageReference Include="Microsoft.EntityFrameworkCore.Abstractions" Version="2.2.0" />
+                            <PackageReference Include="Microsoft.EntityFrameworkCore" Version="2.2.0" />
+                            <PackageReference Include="Microsoft.AspNetCore.App" Version="2.1.0" />
+                            <PackageReference Include="Microsoft.EntityFrameworkCore.SqlServer" Version="2.1.0" />
+                        </ItemGroup>
+                    </Project>
+                    """)
+            }, // starting contents
+            new []
+            {
+                (Path: "src/Project.csproj", Content: """
+                    <Project Sdk="Microsoft.NET.Sdk">
+                        <PropertyGroup>
+                            <TargetFramework>netcoreapp2.1</TargetFramework>
+                        </PropertyGroup>
+                        <ItemGroup>
+                            <PackageReference Include="Microsoft.Extensions.Primitives" Version="2.2.0" />
+                            <PackageReference Include="Microsoft.Extensions.Options" Version="2.2.0" />
+                            <PackageReference Include="Microsoft.Extensions.Logging.Abstractions" Version="2.2.0" />
+                            <PackageReference Include="Microsoft.Extensions.Logging" Version="2.2.0" />
+                            <PackageReference Include="Microsoft.Extensions.DependencyInjection.Abstractions" Version="2.2.0" />
+                            <PackageReference Include="Microsoft.Extensions.DependencyInjection" Version="2.2.0" />
+                            <PackageReference Include="Microsoft.Extensions.Configuration.Binder" Version="2.2.0" />
+                            <PackageReference Include="Microsoft.Extensions.Configuration.Abstractions" Version="2.2.0" />
+                            <PackageReference Include="Microsoft.Extensions.Configuration" Version="2.2.0" />
+                            <PackageReference Include="Microsoft.Extensions.Caching.Memory" Version="2.2.0" />
+                            <PackageReference Include="Microsoft.Extensions.Caching.Abstractions" Version="2.2.0" />
+                            <PackageReference Include="Microsoft.EntityFrameworkCore.Relational" Version="2.2.0" />
+                            <PackageReference Include="Microsoft.EntityFrameworkCore.Analyzers" Version="2.2.0" />
+                            <PackageReference Include="Microsoft.EntityFrameworkCore.Abstractions" Version="2.2.0" />
+                            <PackageReference Include="Microsoft.EntityFrameworkCore" Version="2.2.0" />
+                            <PackageReference Include="Microsoft.AspNetCore.App" Version="2.1.0" />
+                            <PackageReference Include="Microsoft.EntityFrameworkCore.SqlServer" Version="2.1.0" />
+                        </ItemGroup>
+                    </Project>
+                    """)
+            }, // expected contents
+            "Microsoft.EntityFrameworkCore.SqlServer", "2.1.0", "2.2.0", false // isTransitive
+        };
+
         // PackageReference with Version as child element
         yield return new object[]
         {

data/lib/dependabot/nuget/file_fetcher.rb

@@ -72,7 +72,9 @@ module Dependabot
             project_files += fsproj_file
             project_files += sln_project_files
             project_files += proj_files
-            project_files += project_files.filter_map { |f| directory_packages_props_file_from_project_file(f) }
+            project_files += project_files.filter_map do |f|
+              named_file_up_tree_from_project_file(f, "Directory.Packages.props")
+            end
             project_files
           end
       rescue Octokit::NotFound, Gitlab::Error::NotFound
@@ -191,28 +193,6 @@ module Dependabot
         @proj_files ||= find_and_fetch_with_suffix(".proj")
       end
 
-      def directory_packages_props_file_from_project_file(project_file)
-        # walk up the tree from each project file stopping at the first `Directory.Packages.props` file found
-        # https://learn.microsoft.com/en-us/nuget/consume-packages/central-package-management#central-package-management-rules
-
-        found_directory_packages_props_file = nil
-        directory_path = Pathname.new(directory)
-        full_project_dir = Pathname.new(project_file.directory).join(project_file.name).dirname
-        full_project_dir.ascend.each do |base|
-          break if found_directory_packages_props_file
-
-          candidate_file_path = Pathname.new(base).join("Directory.Packages.props").cleanpath.to_path
-          candidate_directory = Pathname.new(File.dirname(candidate_file_path))
-          relative_candidate_directory = candidate_directory.relative_path_from(directory_path)
-          candidate_file = repo_contents(dir: relative_candidate_directory).find do |f|
-            f.name.casecmp?("Directory.Packages.props")
-          end
-          found_directory_packages_props_file = fetch_file_from_host(candidate_file.name) if candidate_file
-        end
-
-        found_directory_packages_props_file
-      end
-
       def find_and_fetch_with_suffix(suffix)
         repo_contents.select { |f| f.name.end_with?(suffix) }.map { |f| fetch_file_from_host(f.name) }
       end

data/lib/dependabot/nuget/file_parser/project_file_parser.rb

@@ -293,47 +293,8 @@ module Dependabot
         end
 
         def dependency_url_has_matching_result?(dependency_name, dependency_url)
-          repository_type = dependency_url.fetch(:repository_type)
-          if repository_type == "v3"
-            dependency_url_has_matching_result_v3?(dependency_name, dependency_url)
-          elsif repository_type == "v2"
-            dependency_url_has_matching_result_v2?(dependency_name, dependency_url)
-          else
-            raise "Unknown repository type: #{repository_type}"
-          end
-        end
-
-        def dependency_url_has_matching_result_v3?(dependency_name, dependency_url)
-          versions = NugetClient.get_package_versions_v3(dependency_name, dependency_url)
-
-          versions != nil
-        end
-
-        def dependency_url_has_matching_result_v2?(dependency_name, dependency_url)
-          url = dependency_url.fetch(:versions_url)
-          auth_header = dependency_url.fetch(:auth_header)
-          response = execute_search_for_dependency_url(url, auth_header)
-          return false unless response.status == 200
-
-          doc = Nokogiri::XML(response.body)
-          doc.remove_namespaces!
-          id_nodes = doc.xpath("/feed/entry/properties/Id")
-          found_matching_result = id_nodes.any? do |id_node|
-            return false unless id_node.text
-
-            id_node.text.casecmp?(dependency_name)
-          end
-          found_matching_result
-        end
-
-        def execute_search_for_dependency_url(url, auth_header)
-          cache = ProjectFileParser.dependency_url_search_cache
-          cache[url] ||= Dependabot::RegistryClient.get(
-            url: url,
-            headers: auth_header
-          )
-
-          cache[url]
+          versions = NugetClient.get_package_versions(dependency_name, dependency_url)
+          versions&.any?
         end
 
         def dependency_name(dependency_node, project_file)

data/lib/dependabot/nuget/file_parser.rb

@@ -1,4 +1,4 @@
-# typed: false
+# typed: true
 # frozen_string_literal: true
 
 require "nokogiri"
@@ -85,7 +85,7 @@ module Dependabot
 
       def packages_config_files
         dependency_files.select do |f|
-          f.name.split("/").last.casecmp("packages.config").zero?
+          f.name.split("/").last&.casecmp("packages.config")&.zero?
         end
       end
 
@@ -103,11 +103,11 @@ module Dependabot
       end
 
       def global_json
-        dependency_files.find { |f| f.name.casecmp("global.json").zero? }
+        dependency_files.find { |f| f.name.casecmp("global.json")&.zero? }
       end
 
       def dotnet_tools_json
-        dependency_files.find { |f| f.name.casecmp(".config/dotnet-tools.json").zero? }
+        dependency_files.find { |f| f.name.casecmp(".config/dotnet-tools.json")&.zero? }
       end
 
       def check_required_files

data/lib/dependabot/nuget/nuget_client.rb

@@ -7,7 +7,18 @@ require "dependabot/nuget/update_checker/repository_finder"
 module Dependabot
   module Nuget
     class NugetClient
-      def self.get_package_versions_v3(dependency_name, repository_details)
+      def self.get_package_versions(dependency_name, repository_details)
+        repository_type = repository_details.fetch(:repository_type)
+        if repository_type == "v3"
+          get_package_versions_v3(dependency_name, repository_details)
+        elsif repository_type == "v2"
+          get_package_versions_v2(dependency_name, repository_details)
+        else
+          raise "Unknown repository type: #{repository_type}"
+        end
+      end
+
+      private_class_method def self.get_package_versions_v3(dependency_name, repository_details)
         # Use the registration URL if possible because it is fast and correct
         if repository_details[:registration_url]
           get_versions_from_registration_v3(repository_details)
@@ -20,14 +31,32 @@ module Dependabot
         end
       end
 
+      private_class_method def self.get_package_versions_v2(dependency_name, repository_details)
+        doc = execute_xml_nuget_request(repository_details.fetch(:versions_url), repository_details)
+        return unless doc
+
+        id_nodes = doc.xpath("/feed/entry/properties/Id")
+        matching_versions = Set.new
+        id_nodes.each do |id_node|
+          return nil unless id_node.text
+
+          next unless id_node.text.casecmp?(dependency_name)
+
+          version_node = id_node.parent.xpath("Version")
+          matching_versions << version_node.text if version_node && version_node.text
+        end
+
+        matching_versions
+      end
+
       private_class_method def self.get_versions_from_versions_url_v3(repository_details)
-        body = execute_search_for_dependency_url(repository_details[:versions_url], repository_details)
+        body = execute_json_nuget_request(repository_details[:versions_url], repository_details)
         body&.fetch("versions")
       end
 
       private_class_method def self.get_versions_from_registration_v3(repository_details)
         url = repository_details[:registration_url]
-        body = execute_search_for_dependency_url(url, repository_details)
+        body = execute_json_nuget_request(url, repository_details)
 
         return unless body
 
@@ -47,7 +76,7 @@ module Dependabot
           else
             # paged entries
             page_url = page["@id"]
-            page_body = execute_search_for_dependency_url(page_url, repository_details)
+            page_body = execute_json_nuget_request(page_url, repository_details)
             items = page_body.fetch("items")
             items.each do |item|
               catalog_entry = item.fetch("catalogEntry")
@@ -61,7 +90,7 @@ module Dependabot
 
       private_class_method def self.get_versions_from_search_url_v3(repository_details, dependency_name)
         search_url = repository_details[:search_url]
-        body = execute_search_for_dependency_url(search_url, repository_details)
+        body = execute_json_nuget_request(search_url, repository_details)
 
         body&.fetch("data")
             &.find { |d| d.fetch("id").casecmp(dependency_name.downcase).zero? }
@@ -69,21 +98,55 @@ module Dependabot
             &.map { |d| d.fetch("version") }
       end
 
-      private_class_method def self.execute_search_for_dependency_url(url, repository_details)
-        cache = CacheManager.cache("dependency_url_search_cache")
-        cache[url] ||= Dependabot::RegistryClient.get(
+      private_class_method def self.execute_xml_nuget_request(url, repository_details)
+        response = execute_nuget_request_internal(
           url: url,
-          headers: repository_details[:auth_header]
+          auth_header: repository_details[:auth_header],
+          repository_url: repository_details[:repository_url]
         )
+        return unless response.status == 200
 
-        response = cache[url]
+        doc = Nokogiri::XML(response.body)
+        doc.remove_namespaces!
+        doc
+      end
 
+      private_class_method def self.execute_json_nuget_request(url, repository_details)
+        response = execute_nuget_request_internal(
+          url: url,
+          auth_header: repository_details[:auth_header],
+          repository_url: repository_details[:repository_url]
+        )
         return unless response.status == 200
 
         body = remove_wrapping_zero_width_chars(response.body)
         JSON.parse(body)
+      end
+
+      private_class_method def self.execute_nuget_request_internal(
+        url: String,
+        auth_header: String,
+        repository_url: String
+      )
+        cache = CacheManager.cache("dependency_url_search_cache")
+        if cache[url].nil?
+          response = Dependabot::RegistryClient.get(
+            url: url,
+            headers: auth_header
+          )
+
+          if [401, 402, 403].include?(response.status)
+            raise Dependabot::PrivateSourceAuthenticationFailure, repository_url
+          end
+
+          cache[url] = response if !CacheManager.caching_disabled? && response.status == 200
+        else
+          response = cache[url]
+        end
+
+        response
       rescue Excon::Error::Timeout, Excon::Error::Socket
-        repo_url = repository_details[:repository_url]
+        repo_url = repository_url
         raise if repo_url == Dependabot::Nuget::UpdateChecker::RepositoryFinder::DEFAULT_REPOSITORY_URL
 
         raise PrivateSourceTimedOut, repo_url

data/lib/dependabot/nuget/update_checker/version_finder.rb

@@ -235,7 +235,7 @@ module Dependabot
             dependency_urls
             .select { |details| details.fetch(:repository_type) == "v3" }
             .filter_map do |url_details|
-              versions = versions_for_v3_repository(url_details)
+              versions = NugetClient.get_package_versions(dependency.name, url_details)
               next unless versions
 
               { "versions" => versions, "listing_details" => url_details }
@@ -294,10 +294,6 @@ module Dependabot
           nil
         end
 
-        def versions_for_v3_repository(repository_details)
-          NugetClient.get_package_versions_v3(dependency.name, repository_details)
-        end
-
         def dependency_urls
           @dependency_urls ||=
             RepositoryFinder.new(

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-nuget
 version: !ruby/object:Gem::Version
-  version: 0.241.0
+  version: 0.242.1
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2024-01-18 00:00:00.000000000 Z
+date: 2024-01-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.241.0
+        version: 0.242.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.241.0
+        version: 0.242.1
 - !ruby/object:Gem::Dependency
   name: rubyzip
   requirement: !ruby/object:Gem::Requirement
@@ -369,7 +369,7 @@ licenses:
 - Nonstandard
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.241.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.242.1
 post_install_message: 
 rdoc_options: []
 require_paths: