dependabot-nuget 0.263.0 → 0.264.0

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Analyze/AnalyzeWorker.cs

@@ -0,0 +1,441 @@
+using System.Collections.Immutable;
+using System.Text.Json;
+using System.Text.Json.Serialization;
+
+using NuGet.Configuration;
+using NuGet.Frameworks;
+using NuGet.Versioning;
+
+using NuGetUpdater.Core.Discover;
+
+namespace NuGetUpdater.Core.Analyze;
+
+using MultiDependency = (string PropertyName, ImmutableArray<string> TargetFrameworks, ImmutableHashSet<string> DependencyNames);
+
+public partial class AnalyzeWorker
+{
+    public const string AnalysisDirectoryName = "./.dependabot/analysis";
+
+    private readonly Logger _logger;
+
+    internal static readonly JsonSerializerOptions SerializerOptions = new()
+    {
+        WriteIndented = true,
+        Converters = { new JsonStringEnumConverter(), new RequirementConverter() },
+    };
+
+    public AnalyzeWorker(Logger logger)
+    {
+        _logger = logger;
+    }
+
+    public async Task RunAsync(string repoRoot, string discoveryPath, string dependencyPath, string analysisDirectory)
+    {
+        var discovery = await DeserializeJsonFileAsync<WorkspaceDiscoveryResult>(discoveryPath, nameof(WorkspaceDiscoveryResult));
+        var dependencyInfo = await DeserializeJsonFileAsync<DependencyInfo>(dependencyPath, nameof(DependencyInfo));
+        var startingDirectory = PathHelper.JoinPath(repoRoot, discovery.Path);
+
+        _logger.Log($"Starting analysis of {dependencyInfo.Name}...");
+
+        // We need to find all projects which have the given dependency. Even in cases that they
+        // have it transitively may require that peer dependencies be updated in the project.
+        var projectsWithDependency = discovery.Projects
+            .Where(p => p.Dependencies.Any(d => d.Name.Equals(dependencyInfo.Name, StringComparison.OrdinalIgnoreCase)))
+            .ToImmutableArray();
+        var projectFrameworks = projectsWithDependency
+            .SelectMany(p => p.TargetFrameworks)
+            .Distinct()
+            .Select(NuGetFramework.Parse)
+            .ToImmutableArray();
+        var propertyBasedDependencies = discovery.Projects.SelectMany(p
+            => p.Dependencies.Where(d => !d.IsTransitive &&
+                d.EvaluationResult?.RootPropertyName is not null)
+            ).ToImmutableArray();
+
+        bool usesMultiDependencyProperty = false;
+        NuGetVersion? updatedVersion = null;
+        ImmutableArray<Dependency> updatedDependencies = [];
+
+        bool isUpdateNecessary = IsUpdateNecessary(dependencyInfo, projectsWithDependency);
+        if (isUpdateNecessary)
+        {
+            var nugetContext = new NuGetContext(startingDirectory);
+            if (!Directory.Exists(nugetContext.TempPackageDirectory))
+            {
+                Directory.CreateDirectory(nugetContext.TempPackageDirectory);
+            }
+
+            _logger.Log($"  Determining multi-dependency property.");
+            var multiDependencies = DetermineMultiDependencyDetails(
+                discovery,
+                dependencyInfo.Name,
+                propertyBasedDependencies);
+
+            usesMultiDependencyProperty = multiDependencies.Any(md => md.DependencyNames.Count > 1);
+            var dependenciesToUpdate = usesMultiDependencyProperty
+                ? multiDependencies
+                    .SelectMany(md => md.DependencyNames)
+                    .ToImmutableHashSet(StringComparer.OrdinalIgnoreCase)
+                : [dependencyInfo.Name];
+            var applicableTargetFrameworks = usesMultiDependencyProperty
+                ? multiDependencies
+                    .SelectMany(md => md.TargetFrameworks)
+                    .ToImmutableHashSet(StringComparer.OrdinalIgnoreCase)
+                    .Select(NuGetFramework.Parse)
+                    .ToImmutableArray()
+                : projectFrameworks;
+
+            _logger.Log($"  Finding updated version.");
+            updatedVersion = await FindUpdatedVersionAsync(
+                startingDirectory,
+                dependencyInfo,
+                dependenciesToUpdate,
+                applicableTargetFrameworks,
+                nugetContext,
+                _logger,
+                CancellationToken.None);
+
+            _logger.Log($"  Finding updated peer dependencies.");
+            updatedDependencies = updatedVersion is not null
+                ? await FindUpdatedDependenciesAsync(
+                    repoRoot,
+                    discovery,
+                    dependenciesToUpdate,
+                    updatedVersion,
+                    nugetContext,
+                    _logger,
+                    CancellationToken.None)
+                : [];
+
+            //TODO: At this point we should add the peer dependencies to a queue where
+            // we will analyze them one by one to see if they themselves are part of a
+            // multi-dependency property. Basically looping this if-body until we have
+            // emptied the queue and have a complete list of updated dependencies. We
+            // should track the dependenciesToUpdate as they have already been analyzed.
+        }
+
+        var result = new AnalysisResult
+        {
+            UpdatedVersion = updatedVersion?.ToNormalizedString() ?? dependencyInfo.Version,
+            CanUpdate = updatedVersion is not null,
+            VersionComesFromMultiDependencyProperty = usesMultiDependencyProperty,
+            UpdatedDependencies = updatedDependencies,
+        };
+
+        await WriteResultsAsync(analysisDirectory, dependencyInfo.Name, result, _logger);
+
+        _logger.Log($"Analysis complete.");
+    }
+
+    private static bool IsUpdateNecessary(DependencyInfo dependencyInfo, ImmutableArray<ProjectDiscoveryResult> projectsWithDependency)
+    {
+        if (projectsWithDependency.Length == 0)
+        {
+            return false;
+        }
+
+        // We will even attempt to update transitive dependencies if the dependency is vulnerable.
+        if (dependencyInfo.IsVulnerable)
+        {
+            return true;
+        }
+
+        // Since the dependency is not vulnerable, we only need to update if it is not transitive.
+        return projectsWithDependency.Any(p =>
+            p.Dependencies.Any(d =>
+                d.Name.Equals(dependencyInfo.Name, StringComparison.OrdinalIgnoreCase) &&
+                !d.IsTransitive));
+    }
+
+    internal static async Task<T> DeserializeJsonFileAsync<T>(string path, string fileType)
+    {
+        var json = File.Exists(path)
+            ? await File.ReadAllTextAsync(path)
+            : throw new FileNotFoundException($"{fileType} file not found.", path);
+
+        return JsonSerializer.Deserialize<T>(json, SerializerOptions)
+            ?? throw new InvalidOperationException($"{fileType} file is empty.");
+    }
+
+    internal static async Task<NuGetVersion?> FindUpdatedVersionAsync(
+        string startingDirectory,
+        DependencyInfo dependencyInfo,
+        ImmutableHashSet<string> packageIds,
+        ImmutableArray<NuGetFramework> projectFrameworks,
+        NuGetContext nugetContext,
+        Logger logger,
+        CancellationToken cancellationToken)
+    {
+        var versionResult = await VersionFinder.GetVersionsAsync(
+            dependencyInfo,
+            nugetContext,
+            logger,
+            cancellationToken);
+
+        return await FindUpdatedVersionAsync(
+            packageIds,
+            dependencyInfo.Version,
+            versionResult,
+            projectFrameworks,
+            findLowestVersion: dependencyInfo.IsVulnerable,
+            nugetContext,
+            logger,
+            cancellationToken);
+    }
+
+    internal static async Task<NuGetVersion?> FindUpdatedVersionAsync(
+        ImmutableHashSet<string> packageIds,
+        ImmutableArray<NuGetFramework> projectFrameworks,
+        NuGetVersion version,
+        bool findLowestVersion,
+        NuGetContext nugetContext,
+        Logger logger,
+        CancellationToken cancellationToken)
+    {
+        var versionResult = await VersionFinder.GetVersionsAsync(
+            packageIds.First(),
+            version,
+            nugetContext,
+            logger,
+            cancellationToken);
+
+        return await FindUpdatedVersionAsync(
+            packageIds,
+            version.ToNormalizedString(),
+            versionResult,
+            projectFrameworks,
+            findLowestVersion,
+            nugetContext,
+            logger,
+            cancellationToken);
+    }
+
+    internal static async Task<NuGetVersion?> FindUpdatedVersionAsync(
+        ImmutableHashSet<string> packageIds,
+        string versionString,
+        VersionResult versionResult,
+        ImmutableArray<NuGetFramework> projectFrameworks,
+        bool findLowestVersion,
+        NuGetContext nugetContext,
+        Logger logger,
+        CancellationToken cancellationToken)
+    {
+        var versions = versionResult.GetVersions();
+        var orderedVersions = findLowestVersion
+            ? versions.OrderBy(v => v) // If we are fixing a vulnerability, then we want the lowest version that is safe.
+            : versions.OrderByDescending(v => v); // If we are just updating versions, then we want the highest version possible.
+
+        return await FindFirstCompatibleVersion(
+            packageIds,
+            versionString,
+            versionResult,
+            orderedVersions,
+            projectFrameworks,
+            nugetContext,
+            logger,
+            cancellationToken);
+    }
+
+    internal static async Task<NuGetVersion?> FindFirstCompatibleVersion(
+        ImmutableHashSet<string> packageIds,
+        string versionString,
+        VersionResult versionResult,
+        IEnumerable<NuGetVersion> orderedVersions,
+        ImmutableArray<NuGetFramework> projectFrameworks,
+        NuGetContext nugetContext,
+        Logger logger,
+        CancellationToken cancellationToken)
+    {
+        if (NuGetVersion.TryParse(versionString, out var currentVersion))
+        {
+            var isCompatible = await AreAllPackagesCompatibleAsync(
+                packageIds,
+                currentVersion,
+                projectFrameworks,
+                nugetContext,
+                logger,
+                cancellationToken);
+
+            if (!isCompatible)
+            {
+                // If the current package is incompatible, then don't check for compatibility.
+                return orderedVersions.First();
+            }
+        }
+
+        foreach (var version in orderedVersions)
+        {
+            var existsForAll = await VersionFinder.DoVersionsExistAsync(packageIds, version, nugetContext, logger, cancellationToken);
+            if (!existsForAll)
+            {
+                continue;
+            }
+
+            var isCompatible = await AreAllPackagesCompatibleAsync(
+                packageIds,
+                version,
+                projectFrameworks,
+                nugetContext,
+                logger,
+                cancellationToken);
+
+            if (isCompatible)
+            {
+                return version;
+            }
+        }
+
+        // Could not find a compatible version
+        return null;
+    }
+
+    internal static async Task<bool> AreAllPackagesCompatibleAsync(
+        ImmutableHashSet<string> packageIds,
+        NuGetVersion currentVersion,
+        ImmutableArray<NuGetFramework> projectFrameworks,
+        NuGetContext nugetContext,
+        Logger logger,
+        CancellationToken cancellationToken)
+    {
+        foreach (var packageId in packageIds)
+        {
+            var isCompatible = await CompatibilityChecker.CheckAsync(
+                new(packageId, currentVersion),
+                projectFrameworks,
+                nugetContext,
+                logger,
+                cancellationToken);
+            if (!isCompatible)
+            {
+                return false;
+            }
+        }
+
+        return true;
+    }
+
+    internal static async Task<ImmutableDictionary<NuGetFramework, ImmutableArray<Dependency>>> GetDependenciesAsync(
+        string workspacePath,
+        string projectPath,
+        IEnumerable<NuGetFramework> frameworks,
+        Dependency package,
+        Logger logger)
+    {
+        var result = ImmutableDictionary.CreateBuilder<NuGetFramework, ImmutableArray<Dependency>>();
+        foreach (var framework in frameworks)
+        {
+            var dependencies = await MSBuildHelper.GetAllPackageDependenciesAsync(
+                workspacePath,
+                projectPath,
+                framework.ToString(),
+                [package],
+                logger);
+            result.Add(framework, [.. dependencies]);
+        }
+        return result.ToImmutable();
+    }
+
+    internal static async Task<ImmutableArray<Dependency>> FindUpdatedDependenciesAsync(
+        string repoRoot,
+        WorkspaceDiscoveryResult discovery,
+        ImmutableHashSet<string> packageIds,
+        NuGetVersion updatedVersion,
+        NuGetContext nugetContext,
+        Logger logger,
+        CancellationToken cancellationToken)
+    {
+        // We need to find all projects which have the given dependency. Even in cases that they
+        // have it transitively may require that peer dependencies be updated in the project.
+        var projectsWithDependency = discovery.Projects
+            .Where(p => p.Dependencies.Any(d => packageIds.Contains(d.Name)))
+            .ToImmutableArray();
+        if (projectsWithDependency.Length == 0)
+        {
+            return [];
+        }
+
+        var projectFrameworks = projectsWithDependency
+            .SelectMany(p => p.TargetFrameworks)
+            .Distinct()
+            .Select(NuGetFramework.Parse)
+            .ToImmutableArray();
+
+        // When updating peer dependencies, we only need to consider top-level dependencies.
+        var projectDependencyNames = projectsWithDependency
+            .SelectMany(p => p.Dependencies)
+            .Where(d => !d.IsTransitive)
+            .Select(d => d.Name)
+            .ToImmutableHashSet(StringComparer.OrdinalIgnoreCase);
+
+        // Determine updated peer dependencies
+        var workspacePath = PathHelper.JoinPath(repoRoot, discovery.Path);
+        // We need any project path so the dependency finder can locate the nuget.config
+        var projectPath = Path.Combine(workspacePath, projectsWithDependency.First().FilePath);
+
+        // Create distinct list of dependencies taking the highest version of each
+        var dependencyResult = await DependencyFinder.GetDependenciesAsync(
+            workspacePath,
+            projectPath,
+            projectFrameworks,
+            packageIds,
+            updatedVersion,
+            nugetContext,
+            logger,
+            cancellationToken);
+
+        // Filter dependencies by whether any project references them
+        var dependencies = dependencyResult.GetDependencies()
+            .Where(d => projectDependencyNames.Contains(d.Name))
+            .ToImmutableArray();
+
+        return dependencies;
+    }
+
+    internal static ImmutableArray<MultiDependency> DetermineMultiDependencyDetails(
+        WorkspaceDiscoveryResult discovery,
+        string packageId,
+        ImmutableArray<Dependency> propertyBasedDependencies)
+    {
+        var packageDeclarationsUsingProperty = discovery.Projects
+            .SelectMany(p =>
+                p.Dependencies.Where(d => !d.IsTransitive &&
+                    d.Name.Equals(packageId, StringComparison.OrdinalIgnoreCase) &&
+                    d.EvaluationResult?.RootPropertyName is not null)
+            ).ToImmutableArray();
+
+        return packageDeclarationsUsingProperty
+            .Select(d => d.EvaluationResult!.RootPropertyName!)
+            .ToImmutableHashSet(StringComparer.OrdinalIgnoreCase)
+            .Select(property =>
+            {
+                // Find all dependencies that use the same property
+                var packages = propertyBasedDependencies
+                    .Where(d => property.Equals(d.EvaluationResult?.RootPropertyName, StringComparison.OrdinalIgnoreCase));
+
+                // Combine all their target frameworks
+                var tfms = packages.SelectMany(d => d.TargetFrameworks ?? [])
+                    .Distinct()
+                    .ToImmutableArray();
+
+                var packageIds = packages.Select(d => d.Name)
+                    .ToImmutableHashSet(StringComparer.OrdinalIgnoreCase);
+
+                return (property, tfms, packageIds);
+            }).ToImmutableArray();
+    }
+
+    internal static async Task WriteResultsAsync(string analysisDirectory, string dependencyName, AnalysisResult result, Logger logger)
+    {
+        if (!Directory.Exists(analysisDirectory))
+        {
+            Directory.CreateDirectory(analysisDirectory);
+        }
+
+        var resultPath = Path.Combine(analysisDirectory, $"{dependencyName}.json");
+
+        logger.Log($"  Writing analysis result to [{resultPath}].");
+
+        var resultJson = JsonSerializer.Serialize(result, SerializerOptions);
+        await File.WriteAllTextAsync(path: resultPath, resultJson);
+    }
+}

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Analyze/CompatabilityChecker.cs

@@ -0,0 +1,177 @@
+using System.Collections.Immutable;
+
+using NuGet.Common;
+using NuGet.Configuration;
+using NuGet.Frameworks;
+using NuGet.Packaging;
+using NuGet.Packaging.Core;
+using NuGet.Protocol;
+using NuGet.Protocol.Core.Types;
+
+using NuGetUpdater.Core.FrameworkChecker;
+
+namespace NuGetUpdater.Core.Analyze;
+
+using PackageInfo = (bool IsDevDependency, ImmutableArray<NuGetFramework> Frameworks);
+using PackageReaders = (IAsyncPackageCoreReader CoreReader, IAsyncPackageContentReader ContentReader);
+
+internal static class CompatibilityChecker
+{
+    public static async Task<bool> CheckAsync(
+        PackageIdentity package,
+        ImmutableArray<NuGetFramework> projectFrameworks,
+        NuGetContext nugetContext,
+        Logger logger,
+        CancellationToken cancellationToken)
+    {
+        var (isDevDependency, packageFrameworks) = await GetPackageInfoAsync(
+            package,
+            nugetContext,
+            cancellationToken);
+
+        return PerformCheck(package, projectFrameworks, isDevDependency, packageFrameworks, logger);
+    }
+
+    internal static bool PerformCheck(
+        PackageIdentity package,
+        ImmutableArray<NuGetFramework> projectFrameworks,
+        bool isDevDependency,
+        ImmutableArray<NuGetFramework> packageFrameworks,
+        Logger logger)
+    {
+        // development dependencies are packages such as analyzers which need to be compatible with the compiler not the
+        // project itself, but some packages that report themselves as development dependencies still contain target
+        // framework dependencies and should be checked for compatibility through the regular means
+        if (isDevDependency && packageFrameworks.Length == 0)
+        {
+            return true;
+        }
+
+        if (packageFrameworks.Length == 0 || projectFrameworks.Length == 0)
+        {
+            return false;
+        }
+
+        var compatibilityService = new FrameworkCompatibilityService();
+        var compatibleFrameworks = compatibilityService.GetCompatibleFrameworks(packageFrameworks);
+
+        var incompatibleFrameworks = projectFrameworks.Where(f => !compatibleFrameworks.Contains(f)).ToArray();
+        if (incompatibleFrameworks.Length > 0)
+        {
+            logger.Log($"The package {package} is not compatible. Incompatible project frameworks: {string.Join(", ", incompatibleFrameworks.Select(f => f.GetShortFolderName()))}");
+            return false;
+        }
+
+        return true;
+    }
+
+    internal static async Task<PackageInfo> GetPackageInfoAsync(
+        PackageIdentity package,
+        NuGetContext nugetContext,
+        CancellationToken cancellationToken)
+    {
+        var tempPackagePath = GetTempPackagePath(package, nugetContext);
+        var readers = File.Exists(tempPackagePath)
+            ? ReadPackage(tempPackagePath)
+            : await DownloadPackageAsync(package, nugetContext, cancellationToken);
+
+        var nuspecStream = await readers.CoreReader.GetNuspecAsync(cancellationToken);
+        var reader = new NuspecReader(nuspecStream);
+
+        var isDevDependency = reader.GetDevelopmentDependency();
+
+        var tfms = reader.GetDependencyGroups()
+            .Select(d => d.TargetFramework)
+            .ToImmutableArray();
+        if (tfms.Length == 0)
+        {
+            // If the nuspec doesn't have any dependency groups,
+            // try to get the TargetFramework from files in the lib folder.
+            var libItems = (await readers.ContentReader.GetLibItemsAsync(cancellationToken)).ToList();
+            if (libItems.Count == 0)
+            {
+                // If there is no lib folder in this package, then assume it is a dev dependency.
+                isDevDependency = true;
+            }
+
+            tfms = libItems.Select(item => item.TargetFramework)
+                .Distinct()
+                .ToImmutableArray();
+        }
+
+        // The interfaces we given are not disposable but the underlying type can be.
+        // This will ensure we dispose of any resources that need to be cleaned up.
+        (readers.CoreReader as IDisposable)?.Dispose();
+        (readers.ContentReader as IDisposable)?.Dispose();
+
+        return (isDevDependency, tfms);
+    }
+
+    internal static PackageReaders ReadPackage(string tempPackagePath)
+    {
+        var stream = new FileStream(
+              tempPackagePath,
+              FileMode.Open,
+              FileAccess.Read,
+              FileShare.Read,
+              bufferSize: 4096);
+        PackageArchiveReader archiveReader = new(stream);
+        return (archiveReader, archiveReader);
+    }
+
+    internal static async Task<PackageReaders> DownloadPackageAsync(
+        PackageIdentity package,
+        NuGetContext context,
+        CancellationToken cancellationToken)
+    {
+        var sourceMapping = PackageSourceMapping.GetPackageSourceMapping(context.Settings);
+        var packageSources = sourceMapping.GetConfiguredPackageSources(package.Id).ToHashSet();
+        var sources = packageSources.Count == 0
+            ? context.PackageSources
+            : context.PackageSources
+                .Where(p => packageSources.Contains(p.Name))
+                .ToImmutableArray();
+
+        foreach (var source in sources)
+        {
+            var sourceRepository = Repository.Factory.GetCoreV3(source);
+            var feed = await sourceRepository.GetResourceAsync<FindPackageByIdResource>();
+            if (feed is null)
+            {
+                throw new NotSupportedException($"Failed to get FindPackageByIdResource for {source.SourceUri}");
+            }
+
+            var exists = await feed.DoesPackageExistAsync(
+                package.Id,
+                package.Version,
+                context.SourceCacheContext,
+                NullLogger.Instance,
+                cancellationToken);
+
+            if (!exists)
+            {
+                continue;
+            }
+
+            var downloader = await feed.GetPackageDownloaderAsync(
+                package,
+                context.SourceCacheContext,
+                context.Logger,
+                cancellationToken);
+
+            var tempPackagePath = GetTempPackagePath(package, context);
+            var isDownloaded = await downloader.CopyNupkgFileToAsync(tempPackagePath, cancellationToken);
+            if (!isDownloaded)
+            {
+                throw new Exception($"Failed to download package [{package.Id}/{package.Version}] from [${source.SourceUri}]");
+            }
+
+            return (downloader.CoreReader, downloader.ContentReader);
+        }
+
+        throw new Exception($"Package [{package.Id}/{package.Version}] does not exist in any of the configured sources.");
+    }
+
+    internal static string GetTempPackagePath(PackageIdentity package, NuGetContext context)
+        => Path.Combine(context.TempPackageDirectory, package.Id + "." + package.Version + ".nupkg");
+}

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Analyze/DependencyFinder.cs

@@ -0,0 +1,47 @@
+using System.Collections.Immutable;
+
+using NuGet.Frameworks;
+using NuGet.Versioning;
+
+namespace NuGetUpdater.Core.Analyze;
+
+internal static class DependencyFinder
+{
+    public static async Task<ImmutableDictionary<NuGetFramework, ImmutableArray<Dependency>>> GetDependenciesAsync(
+        string workspacePath,
+        string projectPath,
+        IEnumerable<NuGetFramework> frameworks,
+        ImmutableHashSet<string> packageIds,
+        NuGetVersion version,
+        NuGetContext nugetContext,
+        Logger logger,
+        CancellationToken cancellationToken)
+    {
+        var versionString = version.ToNormalizedString();
+        var packages = packageIds
+            .Select(id => new Dependency(id, versionString, DependencyType.Unknown))
+            .ToImmutableArray();
+
+        var result = ImmutableDictionary.CreateBuilder<NuGetFramework, ImmutableArray<Dependency>>();
+        foreach (var framework in frameworks)
+        {
+            var dependencies = await MSBuildHelper.GetAllPackageDependenciesAsync(
+                workspacePath,
+                projectPath,
+                framework.ToString(),
+                packages,
+                logger);
+            var updatedDependencies = new List<Dependency>();
+            foreach (var dependency in dependencies)
+            {
+                var infoUrl = await nugetContext.GetPackageInfoUrlAsync(dependency.Name, dependency.Version!, cancellationToken);
+                var updatedDependency = dependency with { IsTransitive = false, InfoUrl = infoUrl };
+                updatedDependencies.Add(updatedDependency);
+            }
+
+            result.Add(framework, updatedDependencies.ToImmutableArray());
+        }
+
+        return result.ToImmutable();
+    }
+}

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Analyze/DependencyInfo.cs

@@ -0,0 +1,12 @@
+using System.Collections.Immutable;
+
+namespace NuGetUpdater.Core.Analyze;
+
+public sealed record DependencyInfo
+{
+    public required string Name { get; init; }
+    public required string Version { get; init; }
+    public required bool IsVulnerable { get; init; }
+    public ImmutableArray<Requirement> IgnoredVersions { get; init; }
+    public ImmutableArray<SecurityVulnerability> Vulnerabilities { get; init; }
+}