dependabot-nuget 0.248.0 → 0.250.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 60679d8e50f3e96aa05400b03ccc9e0dd491c1a7cf340c4c7a39bcb48675c3f6
-  data.tar.gz: 235eb5b57423534578945568766179c2805c6c1e19b5bdb806cc4fd5a5e78dc7
+  metadata.gz: 144460a4e43c2169e3526841828a5a3baa717f83e0becb327f128cb971a3deb8
+  data.tar.gz: 1fdb2e2284043c4c27eb536dbbc0eaef6d180a59c61e6c32c2a74f4aadfb9a85
 SHA512:
-  metadata.gz: 1976d20f2b23920eb44176098e89109ee5e969f7e12eaa959e06948e543b9383dcf08c7521eeb9f69602fab37f17ffaafc937e203cce68439327d9735590e1b9
-  data.tar.gz: d240a0489a0ab0dc72283ea736a55965cb13a2fe375cb7eb5a98beb473f9e227bf6ec52a07fba05f2177ee228c716197f60d5fe35d3170b1687aaa07648915eb
+  metadata.gz: 1d1c53febbc055e0eeecbff13cb9101c17f0b989b039caa719baf2cf6a69e4fc43f8babbe7e533cf75baeb97dd3d58e7344a1ede890410a4c5046ab7951fd2f3
+  data.tar.gz: 285ed503fcefca8cd3ed0d731f59543c76eca79b0da7c738ae1bef523521697c5ee05fcc0c2d8425d86e8c657d1b579464822f359699ed67ca01077d27eb5972

data/helpers/lib/NuGetUpdater/NuGetUpdater.Cli.Test/EntryPointTests.Update.cs

@@ -3,6 +3,8 @@ using System.IO;
 using System.Text;
 using System.Threading.Tasks;
 
+using NuGetUpdater.Core;
+using NuGetUpdater.Core.Test;
 using NuGetUpdater.Core.Test.Update;
 
 using Xunit;
@@ -291,6 +293,61 @@ public partial class EntryPointTests
             );
         }
 
+        [Fact]
+        public async Task UpdaterDoesNotUseRepoGlobalJsonForMSBuildTasks()
+        {
+            // This is a _very_ specific scenario where the `NuGetUpdater.Cli` tool might pick up a `global.json` from
+            // the root of the repo under test and use it's `sdk` property when trying to locate MSBuild.  To properly
+            // test this, it must be tested in a new process where MSBuild has not been loaded yet and the runner tool
+            // must be started with its working directory at the test repo's root.
+            using var tempDir = new TemporaryDirectory();
+            await File.WriteAllTextAsync(Path.Join(tempDir.DirectoryPath, "global.json"), """
+                {
+                  "sdk": {
+                    "version": "99.99.99"
+                  }
+                }
+                """);
+            await File.WriteAllTextAsync(Path.Join(tempDir.DirectoryPath, "project.csproj"), """
+                <Project Sdk="Microsoft.NET.Sdk">
+                  <PropertyGroup>
+                    <TargetFramework>net8.0</TargetFramework>
+                  </PropertyGroup>
+                  <ItemGroup>
+                    <PackageReference Include="Newtonsoft.Json" Version="7.0.1" />
+                  </ItemGroup>
+                </Project>
+                """);
+            var executableName = $"NuGetUpdater.Cli{(Environment.OSVersion.Platform == PlatformID.Win32NT ? ".exe" : "")}";
+            var executableArgs = string.Join(" ",
+            [
+                "update",
+                "--repo-root",
+                tempDir.DirectoryPath,
+                "--solution-or-project",
+                Path.Join(tempDir.DirectoryPath, "project.csproj"),
+                "--dependency",
+                "Newtonsoft.Json",
+                "--new-version",
+                "13.0.1",
+                "--previous-version",
+                "7.0.1",
+                "--verbose"
+            ]);
+
+            // verify base run
+            var (exitCode, output, error) = await ProcessEx.RunAsync(executableName, executableArgs, workingDirectory: tempDir.DirectoryPath);
+            Assert.True(exitCode == 0, $"Error running update on unsupported SDK.\nSTDOUT:\n{output}\nSTDERR:\n{error}");
+
+            // verify project update
+            var updatedProjectContents = await File.ReadAllTextAsync(Path.Join(tempDir.DirectoryPath, "project.csproj"));
+            Assert.Contains("13.0.1", updatedProjectContents);
+
+            // verify `global.json` untouched
+            var updatedGlobalJsonContents = await File.ReadAllTextAsync(Path.Join(tempDir.DirectoryPath, "global.json"));
+            Assert.Contains("99.99.99", updatedGlobalJsonContents);
+        }
+
         private static async Task Run(Func<string, string[]> getArgs, (string Path, string Content)[] initialFiles, (string, string)[] expectedFiles)
         {
             var actualFiles = await RunUpdate(initialFiles, async path =>

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Updater/SdkPackageUpdater.cs

@@ -231,7 +231,7 @@ internal static class SdkPackageUpdater
         logger.Log($"    Adding [{dependencyName}/{newDependencyVersion}] as a top-level package reference.");
 
         // see https://learn.microsoft.com/nuget/consume-packages/install-use-packages-dotnet-cli
-        var (exitCode, _, _) = await ProcessEx.RunAsync("dotnet", $"add {projectPath} package {dependencyName} --version {newDependencyVersion}");
+        var (exitCode, _, _) = await ProcessEx.RunAsync("dotnet", $"add {projectPath} package {dependencyName} --version {newDependencyVersion}", workingDirectory: Path.GetDirectoryName(projectPath));
         if (exitCode != 0)
         {
             logger.Log($"    Transitive dependency [{dependencyName}/{newDependencyVersion}] was not added.");

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Utilities/MSBuildHelper.cs

@@ -41,9 +41,29 @@ internal static partial class MSBuildHelper
         // Ensure MSBuild types are registered before calling a method that loads the types
         if (!IsMSBuildRegistered)
         {
-            var defaultInstance = MSBuildLocator.QueryVisualStudioInstances().First();
-            MSBuildPath = defaultInstance.MSBuildPath;
-            MSBuildLocator.RegisterInstance(defaultInstance);
+            var globalJsonPath = "global.json";
+            var tempGlobalJsonPath = globalJsonPath + Guid.NewGuid().ToString();
+            var globalJsonExists = File.Exists(globalJsonPath);
+            try
+            {
+                if (globalJsonExists)
+                {
+                    Console.WriteLine("Temporarily removing `global.json` for MSBuild detection.");
+                    File.Move(globalJsonPath, tempGlobalJsonPath);
+                }
+
+                var defaultInstance = MSBuildLocator.QueryVisualStudioInstances().First();
+                MSBuildPath = defaultInstance.MSBuildPath;
+                MSBuildLocator.RegisterInstance(defaultInstance);
+            }
+            finally
+            {
+                if (globalJsonExists)
+                {
+                    Console.WriteLine("Restoring `global.json` after MSBuild detection.");
+                    File.Move(tempGlobalJsonPath, globalJsonPath);
+                }
+            }
         }
     }
 
@@ -311,7 +331,7 @@ internal static partial class MSBuildHelper
         try
         {
             var tempProjectPath = await CreateTempProjectAsync(tempDirectory, repoRoot, projectPath, targetFramework, packages);
-            var (exitCode, stdOut, stdErr) = await ProcessEx.RunAsync("dotnet", $"restore \"{tempProjectPath}\"");
+            var (exitCode, stdOut, stdErr) = await ProcessEx.RunAsync("dotnet", $"restore \"{tempProjectPath}\"", workingDirectory: tempDirectory.FullName);
 
             // NU1608: Detected package version outside of dependency constraint
 
@@ -451,7 +471,7 @@ internal static partial class MSBuildHelper
         {
             var tempProjectPath = await CreateTempProjectAsync(tempDirectory, repoRoot, projectPath, targetFramework, packages);
 
-            var (exitCode, stdout, stderr) = await ProcessEx.RunAsync("dotnet", $"build \"{tempProjectPath}\" /t:_ReportDependencies");
+            var (exitCode, stdout, stderr) = await ProcessEx.RunAsync("dotnet", $"build \"{tempProjectPath}\" /t:_ReportDependencies", workingDirectory: tempDirectory.FullName);
 
             if (exitCode == 0)
             {
@@ -548,6 +568,7 @@ internal static partial class MSBuildHelper
         var repoRootPathPrefix = repoRootPath.NormalizePathToUnix() + "/";
         var buildFilesInRepo = buildFileList
             .Where(f => f.StartsWith(repoRootPathPrefix, StringComparison.OrdinalIgnoreCase))
+            .Where(File.Exists)
             .Distinct()
             .ToArray();
         var result = buildFilesInRepo

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core.Test/Update/UpdateWorkerTests.Sdk.cs

@@ -2497,5 +2497,36 @@ public partial class UpdateWorkerTests
                     """
                 );
         }
+
+        [Fact]
+        public async Task ProcessingProjectWithAspireDoesNotFailEvenThoughWorkloadIsNotInstalled()
+        {
+            // enumerating the build files will fail if the Aspire workload is not installed; this test ensures we can
+            // still process the update
+            await TestUpdateForProject("Newtonsoft.Json", "7.0.1", "13.0.1",
+                projectContents: """
+                    <Project Sdk="Microsoft.NET.Sdk">
+                      <PropertyGroup>
+                        <TargetFramework>net8.0</TargetFramework>
+                        <IsAspireHost>true</IsAspireHost>
+                      </PropertyGroup>
+                      <ItemGroup>
+                        <PackageReference Include="Newtonsoft.Json" Version="7.0.1" />
+                      </ItemGroup>
+                    </Project>
+                    """,
+                expectedProjectContents: """
+                    <Project Sdk="Microsoft.NET.Sdk">
+                      <PropertyGroup>
+                        <TargetFramework>net8.0</TargetFramework>
+                        <IsAspireHost>true</IsAspireHost>
+                      </PropertyGroup>
+                      <ItemGroup>
+                        <PackageReference Include="Newtonsoft.Json" Version="13.0.1" />
+                      </ItemGroup>
+                    </Project>
+                    """
+            );
+        }
     }
 }

data/lib/dependabot/nuget/file_fetcher/import_paths_finder.rb

@@ -3,6 +3,7 @@
 
 require "nokogiri"
 require "pathname"
+require "sorbet-runtime"
 
 require "dependabot/nuget/file_fetcher"
 

data/lib/dependabot/nuget/file_fetcher/sln_project_paths_finder.rb

@@ -2,6 +2,8 @@
 # frozen_string_literal: true
 
 require "pathname"
+require "sorbet-runtime"
+
 require "dependabot/nuget/file_fetcher"
 
 module Dependabot

data/lib/dependabot/nuget/file_parser/dotnet_tools_json_parser.rb

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 
 require "json"
+require "sorbet-runtime"
 
 require "dependabot/dependency"
 require "dependabot/nuget/file_parser"

data/lib/dependabot/nuget/file_parser/global_json_parser.rb

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 
 require "json"
+require "sorbet-runtime"
 
 require "dependabot/dependency"
 require "dependabot/nuget/file_parser"

data/lib/dependabot/nuget/file_parser/packages_config_parser.rb

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 
 require "nokogiri"
+require "sorbet-runtime"
 
 require "dependabot/dependency"
 require "dependabot/nuget/file_parser"

data/lib/dependabot/nuget/file_parser/project_file_parser.rb

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 
 require "nokogiri"
+require "sorbet-runtime"
 
 require "dependabot/dependency"
 require "dependabot/nuget/file_parser"

data/lib/dependabot/nuget/file_parser/property_value_finder.rb

@@ -1,6 +1,8 @@
 # typed: strict
 # frozen_string_literal: true
 
+require "sorbet-runtime"
+
 require "dependabot/nuget/file_fetcher/import_paths_finder"
 require "dependabot/nuget/file_parser"
 

data/lib/dependabot/nuget/file_parser.rb

@@ -63,9 +63,18 @@ module Dependabot
       def project_file_dependencies
         dependency_set = DependencySet.new
 
-        (project_files + project_import_files).each do |file|
-          parser = project_file_parser
-          dependency_set += parser.dependency_set(project_file: file)
+        project_files.each do |project_file|
+          tfms = project_file_parser.target_frameworks(project_file: project_file)
+          unless tfms.any?
+            Dependabot.logger.warn "Excluding project file '#{project_file.name}' due to unresolvable target framework"
+            next
+          end
+
+          dependency_set += project_file_parser.dependency_set(project_file: project_file)
+        end
+
+        proj_files.each do |proj_file|
+          dependency_set += project_file_parser.dependency_set(project_file: proj_file)
         end
 
         dependency_set
@@ -109,14 +118,21 @@ module Dependabot
         )
       end
 
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
+      def proj_files
+        projfile = /\.proj$/
+
+        dependency_files.select do |df|
+          df.name.match?(projfile)
+        end
+      end
+
       sig { returns(T::Array[Dependabot::DependencyFile]) }
       def project_files
-        projfile = /\.([a-z]{2})?proj$/
-        packageprops = /[Dd]irectory.[Pp]ackages.props/
+        projectfile = /\.(cs|vb|fs)proj$/
 
         dependency_files.select do |df|
-          df.name.match?(projfile) ||
-            df.name.match?(packageprops)
+          df.name.match?(projectfile)
         end
       end
 
@@ -144,19 +160,24 @@ module Dependabot
 
       sig { returns(T.nilable(Dependabot::DependencyFile)) }
       def global_json
-        dependency_files.find { |f| f.name.casecmp("global.json")&.zero? }
+        dependency_files.find { |f| f.name.casecmp?("global.json") }
       end
 
       sig { returns(T.nilable(Dependabot::DependencyFile)) }
       def dotnet_tools_json
-        dependency_files.find { |f| f.name.casecmp(".config/dotnet-tools.json")&.zero? }
+        dependency_files.find { |f| f.name.casecmp?(".config/dotnet-tools.json") }
       end
 
       sig { override.void }
       def check_required_files
-        return if project_files.any? || packages_config_files.any?
+        if project_files.any? || proj_files.any? || packages_config_files.any? || global_json || dotnet_tools_json
+          return
+        end
 
-        raise "No project file or packages.config!"
+        raise Dependabot::DependencyFileNotFound.new(
+          "*.(cs|vb|fs)proj, *.proj, packages.config, global.json, dotnet-tools.json",
+          "No project file, *.proj, packages.config, global.json, or dotnet-tools.json!"
+        )
       end
     end
   end

data/lib/dependabot/nuget/file_updater/property_value_updater.rb

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 
 require "nokogiri"
+require "sorbet-runtime"
 
 require "dependabot/dependency_file"
 require "dependabot/nuget/file_updater"

data/lib/dependabot/nuget/update_checker/compatibility_checker.rb

@@ -1,22 +1,34 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
+require "sorbet-runtime"
+
 require "dependabot/update_checkers/base"
 
 module Dependabot
   module Nuget
     class CompatibilityChecker
+      extend T::Sig
+
       require_relative "nuspec_fetcher"
       require_relative "nupkg_fetcher"
       require_relative "tfm_finder"
       require_relative "tfm_comparer"
 
+      sig do
+        params(
+          dependency_urls: T::Array[T::Hash[Symbol, String]],
+          dependency: Dependabot::Dependency,
+          tfm_finder: Dependabot::Nuget::TfmFinder
+        ).void
+      end
       def initialize(dependency_urls:, dependency:, tfm_finder:)
         @dependency_urls = dependency_urls
         @dependency = dependency
         @tfm_finder = tfm_finder
       end
 
+      sig { params(version: String).returns(T::Boolean) }
       def compatible?(version)
         nuspec_xml = NuspecFetcher.fetch_nuspec(dependency_urls, dependency.name, version)
         return false unless nuspec_xml
@@ -32,15 +44,23 @@ module Dependabot
         return true if package_tfms.nil?
         return false if package_tfms.empty?
 
-        return false if project_tfms.nil? || project_tfms.empty?
+        return false if project_tfms.nil? || project_tfms&.empty?
 
-        TfmComparer.are_frameworks_compatible?(project_tfms, package_tfms)
+        TfmComparer.are_frameworks_compatible?(T.must(project_tfms), package_tfms)
       end
 
       private
 
-      attr_reader :dependency_urls, :dependency, :tfm_finder
+      sig { returns(T::Array[T::Hash[Symbol, String]]) }
+      attr_reader :dependency_urls
 
+      sig { returns(Dependabot::Dependency) }
+      attr_reader :dependency
+
+      sig { returns(Dependabot::Nuget::TfmFinder) }
+      attr_reader :tfm_finder
+
+      sig { params(nuspec_xml: Nokogiri::XML::Document).returns(T::Boolean) }
       def pure_development_dependency?(nuspec_xml)
         contents = nuspec_xml.at_xpath("package/metadata/developmentDependency")&.content&.strip
         return false unless contents # no `developmentDependency` element
@@ -55,16 +75,17 @@ module Dependabot
         dependency_groups_with_target_framework.to_a.empty?
       end
 
+      sig { params(nuspec_xml: Nokogiri::XML::Document).returns(T::Array[String]) }
       def parse_package_tfms(nuspec_xml)
         nuspec_xml.xpath("//dependencies/group").filter_map { |group| group.attribute("targetFramework") }
       end
 
+      sig { returns(T.nilable(T::Array[String])) }
       def project_tfms
-        return @project_tfms if defined?(@project_tfms)
-
-        @project_tfms = tfm_finder.frameworks(dependency)
+        @project_tfms ||= T.let(tfm_finder.frameworks(dependency), T.nilable(T::Array[String]))
       end
 
+      sig { params(dependency_version: String).returns(T.nilable(T::Array[String])) }
       def fetch_package_tfms(dependency_version)
         cache = CacheManager.cache("compatibility_checker_tfms_cache")
         key = "#{dependency.name}::#{dependency_version}"

data/lib/dependabot/nuget/update_checker/dependency_finder.rb

@@ -1,9 +1,11 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
 require "nokogiri"
-require "zip"
+require "sorbet-runtime"
 require "stringio"
+require "zip"
+
 require "dependabot/update_checkers/base"
 require "dependabot/nuget/version"
 
@@ -11,21 +13,34 @@ module Dependabot
   module Nuget
     class UpdateChecker < Dependabot::UpdateCheckers::Base
       class DependencyFinder
+        extend T::Sig
+
         require_relative "requirements_updater"
         require_relative "nuspec_fetcher"
 
+        sig { returns(T::Hash[String, T.untyped]) }
         def self.transitive_dependencies_cache
           CacheManager.cache("dependency_finder_transitive_dependencies")
         end
 
+        sig { returns(T::Hash[String, T.untyped]) }
         def self.updated_peer_dependencies_cache
           CacheManager.cache("dependency_finder_updated_peer_dependencies")
         end
 
+        sig { returns(T::Hash[String, T.untyped]) }
         def self.fetch_dependencies_cache
           CacheManager.cache("dependency_finder_fetch_dependencies")
         end
 
+        sig do
+          params(
+            dependency: Dependabot::Dependency,
+            dependency_files: T::Array[Dependabot::DependencyFile],
+            credentials: T::Array[Dependabot::Credential],
+            repo_contents_path: T.nilable(String)
+          ).void
+        end
         def initialize(dependency:, dependency_files:, credentials:, repo_contents_path:)
           @dependency             = dependency
           @dependency_files       = dependency_files
@@ -33,6 +48,7 @@ module Dependabot
           @repo_contents_path     = repo_contents_path
         end
 
+        sig { returns(T::Array[Dependabot::Dependency]) }
         def transitive_dependencies
           key = "#{dependency.name.downcase}::#{dependency.version}"
           cache = DependencyFinder.transitive_dependencies_cache
@@ -44,7 +60,7 @@ module Dependabot
 
               cache[key] = fetch_transitive_dependencies(
                 @dependency.name,
-                @dependency.version
+                T.must(@dependency.version)
               ).map do |dependency_info|
                 package_name = dependency_info["packageName"]
                 target_version = dependency_info["version"]
@@ -65,13 +81,14 @@ module Dependabot
           cache[key]
         end
 
+        sig { returns(T::Array[Dependabot::Dependency]) }
         def updated_peer_dependencies
           key = "#{dependency.name.downcase}::#{dependency.version}"
           cache = DependencyFinder.updated_peer_dependencies_cache
 
           cache[key] ||= fetch_transitive_dependencies(
             @dependency.name,
-            @dependency.version
+            T.must(@dependency.version)
           ).filter_map do |dependency_info|
             package_name = dependency_info["packageName"]
             target_version = dependency_info["version"]
@@ -104,48 +121,79 @@ module Dependabot
 
         private
 
-        attr_reader :dependency, :dependency_files, :credentials, :repo_contents_path
+        sig { returns(Dependabot::Dependency) }
+        attr_reader :dependency
+
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
+        attr_reader :dependency_files
+
+        sig { returns(T::Array[Dependabot::Credential]) }
+        attr_reader :credentials
 
+        sig { returns(T.nilable(String)) }
+        attr_reader :repo_contents_path
+
+        sig do
+          params(
+            dep: Dependabot::Dependency,
+            target_version_details: T::Hash[Symbol, T.untyped]
+          )
+            .returns(T::Array[T::Hash[String, T.untyped]])
+        end
         def updated_requirements(dep, target_version_details)
-          @updated_requirements ||= {}
+          @updated_requirements ||= T.let({}, T.nilable(T::Hash[String, T.untyped]))
           @updated_requirements[dep.name] ||=
             RequirementsUpdater.new(
               requirements: dep.requirements,
               latest_version: target_version_details.fetch(:version).to_s,
-              source_details: target_version_details
-                          &.slice(:nuspec_url, :repo_url, :source_url)
+              source_details: target_version_details.slice(:nuspec_url, :repo_url, :source_url)
             ).updated_requirements
         end
 
+        sig { returns(T::Array[Dependabot::Dependency]) }
         def top_level_dependencies
           @top_level_dependencies ||=
-            Nuget::FileParser.new(
-              dependency_files: dependency_files,
-              source: nil
-            ).parse.select(&:top_level?)
+            T.let(
+              Nuget::FileParser.new(
+                dependency_files: dependency_files,
+                source: nil
+              ).parse.select(&:top_level?),
+              T.nilable(T::Array[Dependabot::Dependency])
+            )
         end
 
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
         def nuget_configs
           @nuget_configs ||=
-            @dependency_files.select { |f| f.name.match?(/nuget\.config$/i) }
+            T.let(
+              @dependency_files.select { |f| f.name.match?(/nuget\.config$/i) },
+              T.nilable(T::Array[Dependabot::DependencyFile])
+            )
         end
 
+        sig { returns(T::Array[T::Hash[Symbol, String]]) }
         def dependency_urls
           @dependency_urls ||=
-            RepositoryFinder.new(
-              dependency: @dependency,
-              credentials: @credentials,
-              config_files: nuget_configs
-            ).dependency_urls
-                            .select { |url| url.fetch(:repository_type) == "v3" }
+            T.let(
+              RepositoryFinder.new(
+                dependency: @dependency,
+                credentials: @credentials,
+                config_files: nuget_configs
+              )
+              .dependency_urls
+              .select { |url| url.fetch(:repository_type) == "v3" },
+              T.nilable(T::Array[T::Hash[Symbol, String]])
+            )
         end
 
+        sig { params(package_id: String, package_version: String).returns(T::Array[T::Hash[String, T.untyped]]) }
         def fetch_transitive_dependencies(package_id, package_version)
           all_dependencies = {}
           fetch_transitive_dependencies_impl(package_id, package_version, all_dependencies)
           all_dependencies.map { |_, dependency_info| dependency_info }
         end
 
+        sig { params(package_id: String, package_version: String, all_dependencies: T::Hash[String, T.untyped]).void }
         def fetch_transitive_dependencies_impl(package_id, package_version, all_dependencies)
           dependencies = fetch_dependencies(package_id, package_version)
           return unless dependencies.any?
@@ -175,6 +223,7 @@ module Dependabot
           end
         end
 
+        sig { params(package_id: String, package_version: String).returns(T::Array[T::Hash[String, T.untyped]]) }
         def fetch_dependencies(package_id, package_version)
           key = "#{package_id.downcase}::#{package_version}"
           cache = DependencyFinder.fetch_dependencies_cache
@@ -191,6 +240,7 @@ module Dependabot
           cache[key]
         end
 
+        sig { params(nuspec_xml: Nokogiri::XML::Document).returns(T::Array[T::Hash[String, String]]) }
         def read_dependencies_from_nuspec(nuspec_xml) # rubocop:disable Metrics/PerceivedComplexity
           # we want to exclude development dependencies from the lookup
           allowed_attributes = %w(all compile native runtime)
@@ -223,6 +273,7 @@ module Dependabot
           dependency_list
         end
 
+        sig { params(dep: Dependabot::Dependency).returns(Dependabot::Nuget::UpdateChecker::VersionFinder) }
         def version_finder(dep)
           VersionFinder.new(
             dependency: dep,

data/lib/dependabot/nuget/update_checker/nuspec_fetcher.rb

@@ -18,7 +18,7 @@ module Dependabot
         params(
           dependency_urls: T::Array[T::Hash[Symbol, String]],
           package_id: String,
-          package_version: String
+          package_version: T.nilable(String)
         )
           .returns(T.nilable(Nokogiri::XML::Document))
       end