dependabot-nuget 0.247.0 → 0.249.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9e8dda5e47b38dec152ba8797986aaaca62fde7dbed194960864b779932d6ff7
-  data.tar.gz: 4f1cb76b3dafc332d90ddf7acec0b39c6295d2d9749741e3229af6ad7d7e363d
+  metadata.gz: c23304dabfd9e4506478efc6188332716cc7ff097f8042b45c67bfda9cf1b6ae
+  data.tar.gz: 74f8d095b039666ca96e098913667e8c40552df5963187cf4ae66a86ac429ae1
 SHA512:
-  metadata.gz: c350131e183da643b7caf57a76acc2cb954e9d7f0a4532b340db90a064f0e1b7d735a531d2bea8efea6ee483060b3dbb8efb4a8e1567d2c9d30d88bc907848f2
-  data.tar.gz: 9f2a6505e1eca5a2fbe8369e8e21ce0b5eabc4c658bec9d628b5250c16f78f40a7c8b19bc0778b2b7fe6e0c3b215a71b2282407544eb0f6808bdfde3da35d8e0
+  metadata.gz: 904dae0561b8288c0cc8b319269a6352cdfa1d4d443e01b052e99bf3294277523f1a227944a7787024a216ad1661a21647330e116f6e5a9c66d95cbd630d7f47
+  data.tar.gz: 75cff9a26706bc60d8f5423d8e096fe4b1a1ccf20c3bb3fff5a5c6428ac6cfdd3b58e0a9ce490a9fb6577e852bd59417917bde19ad3697ed8d76aa789bdb4591

data/helpers/lib/NuGetUpdater/NuGetUpdater.Cli.Test/EntryPointTests.Update.cs

@@ -3,6 +3,8 @@ using System.IO;
 using System.Text;
 using System.Threading.Tasks;
 
+using NuGetUpdater.Core;
+using NuGetUpdater.Core.Test;
 using NuGetUpdater.Core.Test.Update;
 
 using Xunit;
@@ -291,6 +293,61 @@ public partial class EntryPointTests
             );
         }
 
+        [Fact]
+        public async Task UpdaterDoesNotUseRepoGlobalJsonForMSBuildTasks()
+        {
+            // This is a _very_ specific scenario where the `NuGetUpdater.Cli` tool might pick up a `global.json` from
+            // the root of the repo under test and use it's `sdk` property when trying to locate MSBuild.  To properly
+            // test this, it must be tested in a new process where MSBuild has not been loaded yet and the runner tool
+            // must be started with its working directory at the test repo's root.
+            using var tempDir = new TemporaryDirectory();
+            await File.WriteAllTextAsync(Path.Join(tempDir.DirectoryPath, "global.json"), """
+                {
+                  "sdk": {
+                    "version": "99.99.99"
+                  }
+                }
+                """);
+            await File.WriteAllTextAsync(Path.Join(tempDir.DirectoryPath, "project.csproj"), """
+                <Project Sdk="Microsoft.NET.Sdk">
+                  <PropertyGroup>
+                    <TargetFramework>net8.0</TargetFramework>
+                  </PropertyGroup>
+                  <ItemGroup>
+                    <PackageReference Include="Newtonsoft.Json" Version="7.0.1" />
+                  </ItemGroup>
+                </Project>
+                """);
+            var executableName = $"NuGetUpdater.Cli{(Environment.OSVersion.Platform == PlatformID.Win32NT ? ".exe" : "")}";
+            var executableArgs = string.Join(" ",
+            [
+                "update",
+                "--repo-root",
+                tempDir.DirectoryPath,
+                "--solution-or-project",
+                Path.Join(tempDir.DirectoryPath, "project.csproj"),
+                "--dependency",
+                "Newtonsoft.Json",
+                "--new-version",
+                "13.0.1",
+                "--previous-version",
+                "7.0.1",
+                "--verbose"
+            ]);
+
+            // verify base run
+            var (exitCode, output, error) = await ProcessEx.RunAsync(executableName, executableArgs, workingDirectory: tempDir.DirectoryPath);
+            Assert.True(exitCode == 0, $"Error running update on unsupported SDK.\nSTDOUT:\n{output}\nSTDERR:\n{error}");
+
+            // verify project update
+            var updatedProjectContents = await File.ReadAllTextAsync(Path.Join(tempDir.DirectoryPath, "project.csproj"));
+            Assert.Contains("13.0.1", updatedProjectContents);
+
+            // verify `global.json` untouched
+            var updatedGlobalJsonContents = await File.ReadAllTextAsync(Path.Join(tempDir.DirectoryPath, "global.json"));
+            Assert.Contains("99.99.99", updatedGlobalJsonContents);
+        }
+
         private static async Task Run(Func<string, string[]> getArgs, (string Path, string Content)[] initialFiles, (string, string)[] expectedFiles)
         {
             var actualFiles = await RunUpdate(initialFiles, async path =>

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Updater/SdkPackageUpdater.cs

@@ -231,7 +231,7 @@ internal static class SdkPackageUpdater
         logger.Log($"    Adding [{dependencyName}/{newDependencyVersion}] as a top-level package reference.");
 
         // see https://learn.microsoft.com/nuget/consume-packages/install-use-packages-dotnet-cli
-        var (exitCode, _, _) = await ProcessEx.RunAsync("dotnet", $"add {projectPath} package {dependencyName} --version {newDependencyVersion}");
+        var (exitCode, _, _) = await ProcessEx.RunAsync("dotnet", $"add {projectPath} package {dependencyName} --version {newDependencyVersion}", workingDirectory: Path.GetDirectoryName(projectPath));
         if (exitCode != 0)
         {
             logger.Log($"    Transitive dependency [{dependencyName}/{newDependencyVersion}] was not added.");

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Utilities/MSBuildHelper.cs

@@ -41,9 +41,29 @@ internal static partial class MSBuildHelper
         // Ensure MSBuild types are registered before calling a method that loads the types
         if (!IsMSBuildRegistered)
         {
-            var defaultInstance = MSBuildLocator.QueryVisualStudioInstances().First();
-            MSBuildPath = defaultInstance.MSBuildPath;
-            MSBuildLocator.RegisterInstance(defaultInstance);
+            var globalJsonPath = "global.json";
+            var tempGlobalJsonPath = globalJsonPath + Guid.NewGuid().ToString();
+            var globalJsonExists = File.Exists(globalJsonPath);
+            try
+            {
+                if (globalJsonExists)
+                {
+                    Console.WriteLine("Temporarily removing `global.json` for MSBuild detection.");
+                    File.Move(globalJsonPath, tempGlobalJsonPath);
+                }
+
+                var defaultInstance = MSBuildLocator.QueryVisualStudioInstances().First();
+                MSBuildPath = defaultInstance.MSBuildPath;
+                MSBuildLocator.RegisterInstance(defaultInstance);
+            }
+            finally
+            {
+                if (globalJsonExists)
+                {
+                    Console.WriteLine("Restoring `global.json` after MSBuild detection.");
+                    File.Move(tempGlobalJsonPath, globalJsonPath);
+                }
+            }
         }
     }
 
@@ -311,7 +331,7 @@ internal static partial class MSBuildHelper
         try
         {
             var tempProjectPath = await CreateTempProjectAsync(tempDirectory, repoRoot, projectPath, targetFramework, packages);
-            var (exitCode, stdOut, stdErr) = await ProcessEx.RunAsync("dotnet", $"restore \"{tempProjectPath}\"");
+            var (exitCode, stdOut, stdErr) = await ProcessEx.RunAsync("dotnet", $"restore \"{tempProjectPath}\"", workingDirectory: tempDirectory.FullName);
 
             // NU1608: Detected package version outside of dependency constraint
 
@@ -451,7 +471,7 @@ internal static partial class MSBuildHelper
         {
             var tempProjectPath = await CreateTempProjectAsync(tempDirectory, repoRoot, projectPath, targetFramework, packages);
 
-            var (exitCode, stdout, stderr) = await ProcessEx.RunAsync("dotnet", $"build \"{tempProjectPath}\" /t:_ReportDependencies");
+            var (exitCode, stdout, stderr) = await ProcessEx.RunAsync("dotnet", $"build \"{tempProjectPath}\" /t:_ReportDependencies", workingDirectory: tempDirectory.FullName);
 
             if (exitCode == 0)
             {

data/lib/dependabot/nuget/file_fetcher/import_paths_finder.rb

@@ -3,6 +3,7 @@
 
 require "nokogiri"
 require "pathname"
+require "sorbet-runtime"
 
 require "dependabot/nuget/file_fetcher"
 

data/lib/dependabot/nuget/file_fetcher/sln_project_paths_finder.rb

@@ -2,6 +2,8 @@
 # frozen_string_literal: true
 
 require "pathname"
+require "sorbet-runtime"
+
 require "dependabot/nuget/file_fetcher"
 
 module Dependabot

data/lib/dependabot/nuget/file_fetcher.rb

@@ -25,7 +25,7 @@ module Dependabot
         return true if filenames.any? { |f| f.match?("^src$") }
         return true if filenames.any? { |f| f.end_with?(".proj") }
 
-        filenames.any? { |name| name.match?(/\.[a-z]{2}proj$/) }
+        filenames.any? { |name| name.match?(/\.(cs|vb|fs)proj$/) }
       end
 
       sig { override.returns(String) }
@@ -53,7 +53,7 @@ module Dependabot
       end
 
       sig { override.returns(T::Array[DependencyFile]) }
-      def fetch_files # rubocop:disable Metrics/AbcSize
+      def fetch_files
         fetched_files = []
         fetched_files += project_files
         fetched_files += directory_build_files
@@ -73,10 +73,7 @@ module Dependabot
         if project_files.none? && packages_config_files.none?
           raise T.must(@missing_sln_project_file_errors.first) if @missing_sln_project_file_errors&.any?
 
-          raise(
-            Dependabot::DependencyFileNotFound,
-            File.join(directory, "<anything>.(cs|vb|fs)proj")
-          )
+          raise_dependency_file_not_found
         end
 
         fetched_files
@@ -102,9 +99,16 @@ module Dependabot
             project_files
           end
       rescue Octokit::NotFound, Gitlab::Error::NotFound
+        raise_dependency_file_not_found
+      end
+
+      sig { returns(T.noreturn) }
+      def raise_dependency_file_not_found
         raise(
-          Dependabot::DependencyFileNotFound,
-          File.join(directory, "<anything>.(cs|vb|fs)proj")
+          Dependabot::DependencyFileNotFound.new(
+            File.join(directory, "*.(sln|csproj|vbproj|fsproj|proj)"),
+            "Unable to find `*.sln`, `*.(cs|vb|fs)proj`, or `*.proj` in directory `#{directory}`"
+          )
         )
       end
 

data/lib/dependabot/nuget/file_parser/dotnet_tools_json_parser.rb

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 
 require "json"
+require "sorbet-runtime"
 
 require "dependabot/dependency"
 require "dependabot/nuget/file_parser"

data/lib/dependabot/nuget/file_parser/global_json_parser.rb

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 
 require "json"
+require "sorbet-runtime"
 
 require "dependabot/dependency"
 require "dependabot/nuget/file_parser"

data/lib/dependabot/nuget/file_parser/packages_config_parser.rb

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 
 require "nokogiri"
+require "sorbet-runtime"
 
 require "dependabot/dependency"
 require "dependabot/nuget/file_parser"

data/lib/dependabot/nuget/file_parser/project_file_parser.rb

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 
 require "nokogiri"
+require "sorbet-runtime"
 
 require "dependabot/dependency"
 require "dependabot/nuget/file_parser"

data/lib/dependabot/nuget/file_parser/property_value_finder.rb

@@ -1,6 +1,8 @@
 # typed: strict
 # frozen_string_literal: true
 
+require "sorbet-runtime"
+
 require "dependabot/nuget/file_fetcher/import_paths_finder"
 require "dependabot/nuget/file_parser"
 

data/lib/dependabot/nuget/file_parser.rb

@@ -44,6 +44,16 @@ module Dependabot
           Dependabot.logger.warn "Dependency '#{d.name}' excluded due to unparsable version: #{d.version}"
         end
 
+        dependency_info = dependencies.map do |d|
+          requirements_info = d.requirements.filter_map { |r| "    file: #{r[:file]}, metadata: #{r[:metadata]}" }
+                               .join("\n")
+          "  name: #{d.name}, version: #{d.version}\n#{requirements_info}"
+        end.join("\n")
+
+        if dependencies.length.positive?
+          Dependabot.logger.info "The following dependencies were found:\n#{dependency_info}"
+        end
+
         dependencies
       end
 
@@ -53,9 +63,18 @@ module Dependabot
       def project_file_dependencies
         dependency_set = DependencySet.new
 
-        (project_files + project_import_files).each do |file|
-          parser = project_file_parser
-          dependency_set += parser.dependency_set(project_file: file)
+        project_files.each do |project_file|
+          tfms = project_file_parser.target_frameworks(project_file: project_file)
+          unless tfms.any?
+            Dependabot.logger.warn "Excluding project file '#{project_file.name}' due to unresolvable target framework"
+            next
+          end
+
+          dependency_set += project_file_parser.dependency_set(project_file: project_file)
+        end
+
+        proj_files.each do |proj_file|
+          dependency_set += project_file_parser.dependency_set(project_file: proj_file)
         end
 
         dependency_set
@@ -99,14 +118,21 @@ module Dependabot
         )
       end
 
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
+      def proj_files
+        projfile = /\.proj$/
+
+        dependency_files.select do |df|
+          df.name.match?(projfile)
+        end
+      end
+
       sig { returns(T::Array[Dependabot::DependencyFile]) }
       def project_files
-        projfile = /\.([a-z]{2})?proj$/
-        packageprops = /[Dd]irectory.[Pp]ackages.props/
+        projectfile = /\.(cs|vb|fs)proj$/
 
         dependency_files.select do |df|
-          df.name.match?(projfile) ||
-            df.name.match?(packageprops)
+          df.name.match?(projectfile)
         end
       end
 
@@ -134,19 +160,24 @@ module Dependabot
 
       sig { returns(T.nilable(Dependabot::DependencyFile)) }
       def global_json
-        dependency_files.find { |f| f.name.casecmp("global.json")&.zero? }
+        dependency_files.find { |f| f.name.casecmp?("global.json") }
       end
 
       sig { returns(T.nilable(Dependabot::DependencyFile)) }
       def dotnet_tools_json
-        dependency_files.find { |f| f.name.casecmp(".config/dotnet-tools.json")&.zero? }
+        dependency_files.find { |f| f.name.casecmp?(".config/dotnet-tools.json") }
       end
 
       sig { override.void }
       def check_required_files
-        return if project_files.any? || packages_config_files.any?
+        if project_files.any? || proj_files.any? || packages_config_files.any? || global_json || dotnet_tools_json
+          return
+        end
 
-        raise "No project file or packages.config!"
+        raise Dependabot::DependencyFileNotFound.new(
+          "*.(cs|vb|fs)proj, *.proj, packages.config, global.json, dotnet-tools.json",
+          "No project file, *.proj, packages.config, global.json, or dotnet-tools.json!"
+        )
       end
     end
   end

data/lib/dependabot/nuget/file_updater/property_value_updater.rb

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 
 require "nokogiri"
+require "sorbet-runtime"
 
 require "dependabot/dependency_file"
 require "dependabot/nuget/file_updater"

data/lib/dependabot/nuget/nuget_config_credential_helpers.rb

@@ -1,18 +1,25 @@
-# typed: true
+# typed: strong
 # frozen_string_literal: true
 
+require "sorbet-runtime"
+
 module Dependabot
   module Nuget
     module NuGetConfigCredentialHelpers
+      extend T::Sig
+
+      sig { returns(String) }
       def self.user_nuget_config_path
         home_directory = Dir.home
         File.join(home_directory, ".nuget", "NuGet", "NuGet.Config")
       end
 
+      sig { returns(String) }
       def self.temporary_nuget_config_path
         user_nuget_config_path + "_ORIGINAL"
       end
 
+      sig { params(credentials: T::Array[Dependabot::Credential]).void }
       def self.add_credentials_to_nuget_config(credentials)
         return unless File.exist?(user_nuget_config_path)
 
@@ -48,6 +55,7 @@ module Dependabot
         File.write(user_nuget_config_path, nuget_config)
       end
 
+      sig { void }
       def self.restore_user_nuget_config
         return unless File.exist?(temporary_nuget_config_path)
 
@@ -55,6 +63,7 @@ module Dependabot
         File.rename(temporary_nuget_config_path, user_nuget_config_path)
       end
 
+      sig { params(credentials: T::Array[Dependabot::Credential], _block: T.proc.void).void }
       def self.patch_nuget_config_for_action(credentials, &_block)
         add_credentials_to_nuget_config(credentials)
         begin

data/lib/dependabot/nuget/requirement.rb

@@ -1,4 +1,4 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
 require "sorbet-runtime"
@@ -12,6 +12,9 @@ require "dependabot/nuget/version"
 module Dependabot
   module Nuget
     class Requirement < Dependabot::Requirement
+      extend T::Sig
+
+      sig { override.params(obj: T.any(Gem::Version, String)).returns([String, Gem::Version]) }
       def self.parse(obj)
         return ["=", Nuget::Version.new(obj.to_s)] if obj.is_a?(Gem::Version)
 
@@ -28,11 +31,12 @@ module Dependabot
       # For consistency with other languages, we define a requirements array.
       # Dotnet doesn't have an `OR` separator for requirements, so it always
       # contains a single element.
-      sig { override.params(requirement_string: T.nilable(String)).returns(T::Array[Requirement]) }
+      sig { override.params(requirement_string: T.nilable(String)).returns(T::Array[Dependabot::Requirement]) }
       def self.requirements_array(requirement_string)
         [new(requirement_string)]
       end
 
+      sig { params(requirements: T.any(T.nilable(String), T::Array[T.nilable(String)])).void }
       def initialize(*requirements)
         requirements = requirements.flatten.flat_map do |req_string|
           convert_dotnet_constraint_to_ruby_constraint(req_string)
@@ -41,6 +45,7 @@ module Dependabot
         super(requirements)
       end
 
+      sig { override.params(version: Gem::Version).returns(T::Boolean) }
       def satisfied_by?(version)
         version = Nuget::Version.new(version.to_s)
         super
@@ -48,10 +53,11 @@ module Dependabot
 
       private
 
+      sig { params(req_string: T.nilable(String)).returns(T.nilable(T.any(String, T::Array[String]))) }
       def convert_dotnet_constraint_to_ruby_constraint(req_string)
         return unless req_string
 
-        return convert_dotnet_range_to_ruby_range(req_string) if req_string&.start_with?("(", "[")
+        return convert_dotnet_range_to_ruby_range(req_string) if req_string.start_with?("(", "[")
 
         return req_string.split(",").map(&:strip) if req_string.include?(",")
 
@@ -61,6 +67,7 @@ module Dependabot
       end
 
       # rubocop:disable Metrics/PerceivedComplexity
+      sig { params(req_string: String).returns(T::Array[String]) }
       def convert_dotnet_range_to_ruby_range(req_string)
         lower_b, upper_b = req_string.split(",").map(&:strip).map do |bound|
           next convert_range_wildcard_req(bound) if bound.include?("*")
@@ -70,9 +77,9 @@ module Dependabot
 
         lower_b =
           if ["(", "["].include?(lower_b) then nil
-          elsif lower_b.start_with?("(") then "> #{lower_b.sub(/\(\s*/, '')}"
+          elsif T.must(lower_b).start_with?("(") then "> #{T.must(lower_b).sub(/\(\s*/, '')}"
           else
-            ">= #{lower_b.sub(/\[\s*/, '').strip}"
+            ">= #{T.must(lower_b).sub(/\[\s*/, '').strip}"
           end
 
         upper_b =
@@ -87,20 +94,22 @@ module Dependabot
       end
       # rubocop:enable Metrics/PerceivedComplexity
 
+      sig { params(req_string: String).returns(String) }
       def convert_range_wildcard_req(req_string)
-        range_end = req_string[-1]
-        defined_part = req_string.split("*").first
+        range_end = T.must(req_string[-1])
+        defined_part = T.must(req_string.split("*").first)
         version = defined_part + "0"
         version += range_end if [")", "]"].include?(range_end)
         version
       end
 
+      sig { params(req_string: String).returns(String) }
       def convert_wildcard_req(req_string)
         return ">= 0-a" if req_string == "*-*"
 
         return ">= 0" if req_string.start_with?("*")
 
-        defined_part = req_string.split("*").first
+        defined_part = T.must(req_string.split("*").first)
         suffix = defined_part.end_with?(".") ? "0" : "a"
         version = defined_part + suffix
         "~> #{version}"

data/lib/dependabot/nuget/update_checker/compatibility_checker.rb

@@ -1,22 +1,34 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
+require "sorbet-runtime"
+
 require "dependabot/update_checkers/base"
 
 module Dependabot
   module Nuget
     class CompatibilityChecker
+      extend T::Sig
+
       require_relative "nuspec_fetcher"
       require_relative "nupkg_fetcher"
       require_relative "tfm_finder"
       require_relative "tfm_comparer"
 
+      sig do
+        params(
+          dependency_urls: T::Array[T::Hash[Symbol, String]],
+          dependency: Dependabot::Dependency,
+          tfm_finder: Dependabot::Nuget::TfmFinder
+        ).void
+      end
       def initialize(dependency_urls:, dependency:, tfm_finder:)
         @dependency_urls = dependency_urls
         @dependency = dependency
         @tfm_finder = tfm_finder
       end
 
+      sig { params(version: String).returns(T::Boolean) }
       def compatible?(version)
         nuspec_xml = NuspecFetcher.fetch_nuspec(dependency_urls, dependency.name, version)
         return false unless nuspec_xml
@@ -32,15 +44,23 @@ module Dependabot
         return true if package_tfms.nil?
         return false if package_tfms.empty?
 
-        return false if project_tfms.nil? || project_tfms.empty?
+        return false if project_tfms.nil? || project_tfms&.empty?
 
-        TfmComparer.are_frameworks_compatible?(project_tfms, package_tfms)
+        TfmComparer.are_frameworks_compatible?(T.must(project_tfms), package_tfms)
       end
 
       private
 
-      attr_reader :dependency_urls, :dependency, :tfm_finder
+      sig { returns(T::Array[T::Hash[Symbol, String]]) }
+      attr_reader :dependency_urls
 
+      sig { returns(Dependabot::Dependency) }
+      attr_reader :dependency
+
+      sig { returns(Dependabot::Nuget::TfmFinder) }
+      attr_reader :tfm_finder
+
+      sig { params(nuspec_xml: Nokogiri::XML::Document).returns(T::Boolean) }
       def pure_development_dependency?(nuspec_xml)
         contents = nuspec_xml.at_xpath("package/metadata/developmentDependency")&.content&.strip
         return false unless contents # no `developmentDependency` element
@@ -55,16 +75,17 @@ module Dependabot
         dependency_groups_with_target_framework.to_a.empty?
       end
 
+      sig { params(nuspec_xml: Nokogiri::XML::Document).returns(T::Array[String]) }
       def parse_package_tfms(nuspec_xml)
         nuspec_xml.xpath("//dependencies/group").filter_map { |group| group.attribute("targetFramework") }
       end
 
+      sig { returns(T.nilable(T::Array[String])) }
       def project_tfms
-        return @project_tfms if defined?(@project_tfms)
-
-        @project_tfms = tfm_finder.frameworks(dependency)
+        @project_tfms ||= T.let(tfm_finder.frameworks(dependency), T.nilable(T::Array[String]))
       end
 
+      sig { params(dependency_version: String).returns(T.nilable(T::Array[String])) }
       def fetch_package_tfms(dependency_version)
         cache = CacheManager.cache("compatibility_checker_tfms_cache")
         key = "#{dependency.name}::#{dependency_version}"