dependabot-nuget 0.284.0 → 0.286.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0604d43cad05ef88f7471259b903ec56c1cf7d1bcf127b253bf6c0c2af8c66f0
-  data.tar.gz: 9e4b41b0d72f5989abb57bc18f39116a1a2f5c00f935c7a0c2858e61da6bcb75
+  metadata.gz: 01a6eb36ac3591d016d45ddfc4fc9dbb4068bda72e8560b6453461f5019362f7
+  data.tar.gz: 4db4968d74f3b9bfac17cbf32a8017635b07cf5338ad0f9db53dd9a16b188874
 SHA512:
-  metadata.gz: 6f4b7300174349f5a5c5a5ebdc461a18ea2c08a06b0229043216e2f3b19bc5a5c2523f43735f0aeafd95f0bffea693791f307165dbb22a1d58ab81f19e89496e
-  data.tar.gz: '0761288866aa1af50029cbd2f61d2423e06f51d090ed8ca4afb3b5afb9a4aa4b5389fa57a1fdad03b0de95895d3b43eb612cbb992660b44ca854bcc8303f1733'
+  metadata.gz: 1fce16345ed91813776f2b83b802212e466e15cf5784fcd239c8907ec3af683f0727b7a8e00df7fcb6b97035802c68023ddeb2481a28acce479db6fdfdb6674b
+  data.tar.gz: 59d4ac62296d157fbeb3870bcfc18313df3deac4e3f86c0c040ea0c2d2d3c73c1c8d0e84f05d32d83a9129583e6b6e38a1f5314e2cbd0df833c1657c5eb2d7f9

data/helpers/lib/NuGetUpdater/NuGetProjects/Directory.Build.props

@@ -3,7 +3,11 @@
   <PropertyGroup>
     <DefineConstants>$(DefineConstants);IS_CORECLR</DefineConstants>
     <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
-    <NoWarn>$(NoWarn);NU1701</NoWarn>
+    <NoWarn>$(NoWarn);CA1305</NoWarn><!-- behavior of StringBuilder could vary based on user's locale -->
+    <NoWarn>$(NoWarn);CA2022</NoWarn><!-- avoid inexact Stream.Read() -->
+    <NoWarn>$(NoWarn);NU1701</NoWarn><!-- package target framework may not be compatible -->
+    <NoWarn>$(NoWarn);NU1903</NoWarn><!-- package has a known high severity vulnerability -->
+    <NoWarn>$(NoWarn);SYSLIB0014</NoWarn><!-- obsolete -->
     <NuGetSourceLocation>$(MSBuildThisFileDirectory)..\..\NuGet.Client</NuGetSourceLocation>
     <SharedDirectory>$(NuGetSourceLocation)\build\Shared</SharedDirectory>
     <Version>6.8.0</Version>

data/helpers/lib/NuGetUpdater/NuGetProjects/NuGet.CommandLine/NuGet.CommandLine.csproj

@@ -3,6 +3,7 @@
   <PropertyGroup>
     <TargetFramework>$(CommonTargetFramework)</TargetFramework>
     <NoWarn>$(NoWarn);CA1416</NoWarn>
+    <NoWarn>$(NoWarn);SYSLIB0018</NoWarn><!-- ReflectionOnly loading is not supported -->
   </PropertyGroup>
 
   <ItemGroup>

data/helpers/lib/NuGetUpdater/NuGetProjects/NuGet.Configuration/NuGet.Configuration.csproj

@@ -3,6 +3,7 @@
   <PropertyGroup>
     <TargetFramework>$(CommonTargetFramework)</TargetFramework>
     <NoWarn>$(NoWarn);CS1591;RS0041</NoWarn>
+    <Nullable>enable</Nullable>
   </PropertyGroup>
 
   <ItemGroup>

data/helpers/lib/NuGetUpdater/NuGetProjects/NuGet.LibraryModel/NuGet.LibraryModel.csproj

@@ -3,6 +3,7 @@
   <PropertyGroup>
     <TargetFramework>$(CommonTargetFramework)</TargetFramework>
     <NoWarn>$(NoWarn);CS1591;RS0041</NoWarn>
+    <Nullable>enable</Nullable>
   </PropertyGroup>
 
   <ItemGroup>

data/helpers/lib/NuGetUpdater/NuGetProjects/NuGet.Packaging/NuGet.Packaging.csproj

@@ -3,7 +3,7 @@
   <PropertyGroup>
     <TargetFramework>$(CommonTargetFramework)</TargetFramework>
     <AllowUnsafeBlocks>true</AllowUnsafeBlocks>
-    <NoWarn>$(NoWarn);CS0414;CS1591;CS1574;CS1573;CS1572;RS0041</NoWarn>
+    <NoWarn>$(NoWarn);CA1305;CS0414;CS1591;CS1574;CS1573;CS1572;RS0041</NoWarn>
   </PropertyGroup>
 
   <ItemGroup>

data/helpers/lib/NuGetUpdater/NuGetUpdater.Cli/Commands/RunCommand.cs

@@ -1,6 +1,8 @@
 using System.CommandLine;
 
 using NuGetUpdater.Core;
+using NuGetUpdater.Core.Analyze;
+using NuGetUpdater.Core.Discover;
 using NuGetUpdater.Core.Run;
 
 namespace NuGetUpdater.Cli.Commands;
@@ -31,7 +33,12 @@ internal static class RunCommand
         command.SetHandler(async (jobPath, repoContentsPath, apiUrl, jobId, outputPath, baseCommitSha) =>
         {
             var apiHandler = new HttpApiHandler(apiUrl.ToString(), jobId);
-            var worker = new RunWorker(apiHandler, new ConsoleLogger());
+            var logger = new ConsoleLogger();
+            var experimentsManager = await ExperimentsManager.FromJobFileAsync(jobPath.FullName, logger);
+            var discoverWorker = new DiscoveryWorker(logger);
+            var analyzeWorker = new AnalyzeWorker(logger);
+            var updateWorker = new UpdaterWorker(experimentsManager, logger);
+            var worker = new RunWorker(apiHandler, discoverWorker, analyzeWorker, updateWorker, logger);
             await worker.RunAsync(jobPath, repoContentsPath, baseCommitSha, outputPath);
         }, JobPathOption, RepoContentsPathOption, ApiUrlOption, JobIdOption, OutputPathOption, BaseCommitShaOption);
 

data/helpers/lib/NuGetUpdater/NuGetUpdater.Cli/Commands/UpdateCommand.cs

@@ -6,6 +6,7 @@ namespace NuGetUpdater.Cli.Commands;
 
 internal static class UpdateCommand
 {
+    internal static readonly Option<FileInfo> JobPathOption = new("--job-path") { IsRequired = true };
     internal static readonly Option<DirectoryInfo> RepoRootOption = new("--repo-root", () => new DirectoryInfo(Environment.CurrentDirectory)) { IsRequired = false };
     internal static readonly Option<FileInfo> SolutionOrProjectFileOption = new("--solution-or-project") { IsRequired = true };
     internal static readonly Option<string> DependencyNameOption = new("--dependency") { IsRequired = true };
@@ -18,6 +19,7 @@ internal static class UpdateCommand
     {
         Command command = new("update", "Applies the changes from an analysis report to update a dependency.")
         {
+            JobPathOption,
             RepoRootOption,
             SolutionOrProjectFileOption,
             DependencyNameOption,
@@ -29,12 +31,14 @@ internal static class UpdateCommand
 
         command.TreatUnmatchedTokensAsErrors = true;
 
-        command.SetHandler(async (repoRoot, solutionOrProjectFile, dependencyName, newVersion, previousVersion, isTransitive, resultOutputPath) =>
+        command.SetHandler(async (jobPath, repoRoot, solutionOrProjectFile, dependencyName, newVersion, previousVersion, isTransitive, resultOutputPath) =>
         {
-            var worker = new UpdaterWorker(new ConsoleLogger());
+            var logger = new ConsoleLogger();
+            var experimentsManager = await ExperimentsManager.FromJobFileAsync(jobPath.FullName, logger);
+            var worker = new UpdaterWorker(experimentsManager, logger);
             await worker.RunAsync(repoRoot.FullName, solutionOrProjectFile.FullName, dependencyName, previousVersion, newVersion, isTransitive, resultOutputPath);
             setExitCode(0);
-        }, RepoRootOption, SolutionOrProjectFileOption, DependencyNameOption, NewVersionOption, PreviousVersionOption, IsTransitiveOption, ResultOutputPathOption);
+        }, JobPathOption, RepoRootOption, SolutionOrProjectFileOption, DependencyNameOption, NewVersionOption, PreviousVersionOption, IsTransitiveOption, ResultOutputPathOption);
 
         return command;
     }

data/helpers/lib/NuGetUpdater/NuGetUpdater.Cli.Test/EntryPointTests.Update.cs

@@ -1,3 +1,4 @@
+using System.IO;
 using System.Text;
 
 using NuGetUpdater.Core;
@@ -18,6 +19,8 @@ public partial class EntryPointTests
             await Run(path =>
                 [
                     "update",
+                    "--job-path",
+                    Path.Combine(path, "job.json"),
                     "--repo-root",
                     path,
                     "--solution-or-project",
@@ -119,6 +122,8 @@ public partial class EntryPointTests
             await Run(path =>
                 [
                     "update",
+                    "--job-path",
+                    Path.Combine(path, "job.json"),
                     "--repo-root",
                     path,
                     "--solution-or-project",
@@ -197,6 +202,8 @@ public partial class EntryPointTests
             await Run(path =>
                 [
                     "update",
+                    "--job-path",
+                    Path.Combine(path, "job.json"),
                     "--repo-root",
                     path,
                     "--solution-or-project",
@@ -325,6 +332,7 @@ public partial class EntryPointTests
                 MockNuGetPackage.CreateSimplePackage("Some.Package", "13.0.1", "net8.0"),
             ];
             await MockNuGetPackagesInDirectory(testPackages, tempDir.DirectoryPath);
+            await MockJobFileInDirectory(tempDir.DirectoryPath);
 
             var globalJsonPath = Path.Join(tempDir.DirectoryPath, "global.json");
             var srcGlobalJsonPath = Path.Join(tempDir.DirectoryPath, "src", "global.json");
@@ -353,6 +361,8 @@ public partial class EntryPointTests
             IEnumerable<string> executableArgs = [
                 executableName,
                 "update",
+                "--job-path",
+                Path.Combine(tempDir.DirectoryPath, "job.json"),
                 "--repo-root",
                 tempDir.DirectoryPath,
                 "--solution-or-project",
@@ -402,6 +412,7 @@ public partial class EntryPointTests
 
                 try
                 {
+                    await MockJobFileInDirectory(path);
                     await MockNuGetPackagesInDirectory(packages, path);
 
                     var args = getArgs(path);

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Analyze/AnalyzeWorker.cs

@@ -12,7 +12,7 @@ namespace NuGetUpdater.Core.Analyze;
 
 using MultiDependency = (string PropertyName, ImmutableArray<string> TargetFrameworks, ImmutableHashSet<string> DependencyNames);
 
-public partial class AnalyzeWorker
+public partial class AnalyzeWorker : IAnalyzeWorker
 {
     public const string AnalysisDirectoryName = "./.dependabot/analysis";
 

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Discover/DiscoveryWorker.cs

@@ -12,7 +12,7 @@ using NuGetUpdater.Core.Utilities;
 
 namespace NuGetUpdater.Core.Discover;
 
-public partial class DiscoveryWorker
+public partial class DiscoveryWorker : IDiscoveryWorker
 {
     public const string DiscoveryResultFileName = "./.dependabot/discovery.json";
 
@@ -58,7 +58,7 @@ public partial class DiscoveryWorker
         return result;
     }
 
-    internal async Task<WorkspaceDiscoveryResult> RunAsync(string repoRootPath, string workspacePath)
+    public async Task<WorkspaceDiscoveryResult> RunAsync(string repoRootPath, string workspacePath)
     {
         MSBuildHelper.RegisterMSBuild(Environment.CurrentDirectory, repoRootPath);
 

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/ExperimentsManager.cs

@@ -0,0 +1,52 @@
+using System.Text.Json;
+
+using NuGetUpdater.Core.Run;
+
+namespace NuGetUpdater.Core;
+
+public record ExperimentsManager
+{
+    public bool UseLegacyDependencySolver { get; init; } = false;
+
+    public static ExperimentsManager GetExperimentsManager(Dictionary<string, object>? experiments)
+    {
+        return new ExperimentsManager()
+        {
+            UseLegacyDependencySolver = IsEnabled(experiments, "nuget_legacy_dependency_solver"),
+        };
+    }
+
+    public static async Task<ExperimentsManager> FromJobFileAsync(string jobFilePath, ILogger logger)
+    {
+        var jobFileContent = await File.ReadAllTextAsync(jobFilePath);
+        try
+        {
+            var jobWrapper = RunWorker.Deserialize(jobFileContent);
+            return GetExperimentsManager(jobWrapper.Job.Experiments);
+        }
+        catch (JsonException ex)
+        {
+            // the following message has been specifically designed to match the format of `Dependabot.logger.info(...)` from Ruby
+            logger.Log($"{DateTime.UtcNow:yyyy/MM/dd HH:mm:ss} INFO Error deserializing job file: {ex.ToString()}: {jobFileContent}");
+            return new ExperimentsManager();
+        }
+    }
+
+    private static bool IsEnabled(Dictionary<string, object>? experiments, string experimentName)
+    {
+        if (experiments is null)
+        {
+            return false;
+        }
+
+        if (experiments.TryGetValue(experimentName, out var value))
+        {
+            if ((value?.ToString() ?? "").Equals("true", StringComparison.OrdinalIgnoreCase))
+            {
+                return true;
+            }
+        }
+
+        return false;
+    }
+}

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/IAnalyzeWorker.cs

@@ -0,0 +1,9 @@
+using NuGetUpdater.Core.Analyze;
+using NuGetUpdater.Core.Discover;
+
+namespace NuGetUpdater.Core;
+
+public interface IAnalyzeWorker
+{
+    Task<AnalysisResult> RunAsync(string repoRoot, WorkspaceDiscoveryResult discovery, DependencyInfo dependencyInfo);
+}

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/IDiscoveryWorker.cs

@@ -0,0 +1,8 @@
+using NuGetUpdater.Core.Discover;
+
+namespace NuGetUpdater.Core;
+
+public interface IDiscoveryWorker
+{
+    Task<WorkspaceDiscoveryResult> RunAsync(string repoRootPath, string workspacePath);
+}

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/IUpdaterWorker.cs

@@ -0,0 +1,9 @@
+
+using NuGetUpdater.Core.Updater;
+
+namespace NuGetUpdater.Core;
+
+public interface IUpdaterWorker
+{
+    Task<UpdateOperationResult> RunAsync(string repoRootPath, string workspacePath, string dependencyName, string previousDependencyVersion, string newDependencyVersion, bool isTransitive);
+}

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Run/RunWorker.cs

@@ -13,6 +13,9 @@ public class RunWorker
 {
     private readonly IApiHandler _apiHandler;
     private readonly ILogger _logger;
+    private readonly IDiscoveryWorker _discoveryWorker;
+    private readonly IAnalyzeWorker _analyzeWorker;
+    private readonly IUpdaterWorker _updaterWorker;
 
     internal static readonly JsonSerializerOptions SerializerOptions = new()
     {
@@ -21,10 +24,13 @@ public class RunWorker
         Converters = { new JsonStringEnumConverter() },
     };
 
-    public RunWorker(IApiHandler apiHandler, ILogger logger)
+    public RunWorker(IApiHandler apiHandler, IDiscoveryWorker discoverWorker, IAnalyzeWorker analyzeWorker, IUpdaterWorker updateWorker, ILogger logger)
     {
         _apiHandler = apiHandler;
         _logger = logger;
+        _discoveryWorker = discoverWorker;
+        _analyzeWorker = analyzeWorker;
+        _updaterWorker = updateWorker;
     }
 
     public async Task RunAsync(FileInfo jobFilePath, DirectoryInfo repoContentsPath, string baseCommitSha, FileInfo outputFilePath)
@@ -55,15 +61,17 @@ public class RunWorker
         {
             MSBuildHelper.RegisterMSBuild(repoContentsPath.FullName, repoContentsPath.FullName);
 
+            var experimentsManager = ExperimentsManager.GetExperimentsManager(job.Experiments);
             var allDependencyFiles = new Dictionary<string, DependencyFile>();
             foreach (var directory in job.GetAllDirectories())
             {
                 var localPath = PathHelper.JoinPath(repoContentsPath.FullName, directory);
                 lastUsedPackageSourceUrls = NuGetContext.GetPackageSourceUrls(localPath);
-                var result = await RunForDirectory(job, repoContentsPath, directory, baseCommitSha);
+                var result = await RunForDirectory(job, repoContentsPath, directory, baseCommitSha, experimentsManager);
                 foreach (var dependencyFile in result.Base64DependencyFiles)
                 {
-                    allDependencyFiles[dependencyFile.Name] = dependencyFile;
+                    var uniqueKey = Path.GetFullPath(Path.Join(dependencyFile.Directory, dependencyFile.Name)).NormalizePathToUnix().EnsurePrefix("/");
+                    allDependencyFiles[uniqueKey] = dependencyFile;
                 }
             }
 
@@ -101,16 +109,15 @@ public class RunWorker
         return runResult;
     }
 
-    private async Task<RunResult> RunForDirectory(Job job, DirectoryInfo repoContentsPath, string repoDirectory, string baseCommitSha)
+    private async Task<RunResult> RunForDirectory(Job job, DirectoryInfo repoContentsPath, string repoDirectory, string baseCommitSha, ExperimentsManager experimentsManager)
     {
-        var discoveryWorker = new DiscoveryWorker(_logger);
-        var discoveryResult = await discoveryWorker.RunAsync(repoContentsPath.FullName, repoDirectory);
+        var discoveryResult = await _discoveryWorker.RunAsync(repoContentsPath.FullName, repoDirectory);
 
         _logger.Log("Discovery JSON content:");
         _logger.Log(JsonSerializer.Serialize(discoveryResult, DiscoveryWorker.SerializerOptions));
 
         // report dependencies
-        var discoveredUpdatedDependencies = GetUpdatedDependencyListFromDiscovery(discoveryResult);
+        var discoveredUpdatedDependencies = GetUpdatedDependencyListFromDiscovery(discoveryResult, repoContentsPath.FullName);
         await _apiHandler.UpdateDependencyList(discoveredUpdatedDependencies);
 
         // TODO: pull out relevant dependencies, then check each for updates and track the changes
@@ -127,13 +134,31 @@ public class RunWorker
             });
 
             // track original contents for later handling
+            async Task TrackOriginalContentsAsync(string directory, string fileName, string? replacementFileName = null)
+            {
+                var repoFullPath = Path.Join(directory, fileName);
+                if (replacementFileName is not null)
+                {
+                    repoFullPath = Path.Join(Path.GetDirectoryName(repoFullPath)!, replacementFileName);
+                }
+
+                repoFullPath = repoFullPath.FullyNormalizedRootedPath();
+                var localFullPath = Path.Join(repoContentsPath.FullName, repoFullPath);
+
+                if (!File.Exists(localFullPath))
+                {
+                    return;
+                }
+
+                var content = await File.ReadAllTextAsync(localFullPath);
+                originalDependencyFileContents[repoFullPath] = content;
+            }
+
             foreach (var project in discoveryResult.Projects)
             {
+                await TrackOriginalContentsAsync(discoveryResult.Path, project.FilePath);
+                await TrackOriginalContentsAsync(discoveryResult.Path, project.FilePath, replacementFileName: "packages.config");
                 // TODO: include global.json, etc.
-                var path = Path.Join(discoveryResult.Path, project.FilePath).NormalizePathToUnix().EnsurePrefix("/");
-                var localPath = Path.Join(repoContentsPath.FullName, discoveryResult.Path, project.FilePath);
-                var content = await File.ReadAllTextAsync(localPath);
-                originalDependencyFileContents[path] = content;
             }
 
             // do update
@@ -155,7 +180,6 @@ public class RunWorker
                         continue;
                     }
 
-                    var analyzeWorker = new AnalyzeWorker(_logger);
                     var dependencyInfo = new DependencyInfo()
                     {
                         Name = dependency.Name,
@@ -164,13 +188,21 @@ public class RunWorker
                         IgnoredVersions = [],
                         Vulnerabilities = [],
                     };
-                    var analysisResult = await analyzeWorker.RunAsync(repoContentsPath.FullName, discoveryResult, dependencyInfo);
+                    var analysisResult = await _analyzeWorker.RunAsync(repoContentsPath.FullName, discoveryResult, dependencyInfo);
                     // TODO: log analysisResult
                     if (analysisResult.CanUpdate)
                     {
+                        var dependencyLocation = Path.Join(discoveryResult.Path, project.FilePath);
+                        if (dependency.Type == DependencyType.PackagesConfig)
+                        {
+                            dependencyLocation = Path.Join(Path.GetDirectoryName(dependencyLocation)!, "packages.config");
+                        }
+
+                        dependencyLocation = dependencyLocation.FullyNormalizedRootedPath();
+
                         // TODO: this is inefficient, but not likely causing a bottleneck
                         var previousDependency = discoveredUpdatedDependencies.Dependencies
-                            .Single(d => d.Name == dependency.Name && d.Requirements.Single().File == Path.Join(discoveryResult.Path, project.FilePath).NormalizePathToUnix().EnsurePrefix("/"));
+                            .Single(d => d.Name == dependency.Name && d.Requirements.Single().File == dependencyLocation);
                         var updatedDependency = new ReportedDependency()
                         {
                             Name = dependency.Name,
@@ -179,12 +211,12 @@ public class RunWorker
                             [
                                 new ReportedRequirement()
                                 {
-                                    File = Path.Join(discoveryResult.Path, project.FilePath).NormalizePathToUnix().EnsurePrefix("/"),
+                                    File = dependencyLocation,
                                     Requirement = analysisResult.UpdatedVersion,
                                     Groups = previousDependency.Requirements.Single().Groups,
                                     Source = new RequirementSource()
                                     {
-                                        SourceUrl = analysisResult.UpdatedDependencies.Single(d => d.Name == dependency.Name).InfoUrl,
+                                        SourceUrl = analysisResult.UpdatedDependencies.FirstOrDefault(d => d.Name == dependency.Name)?.InfoUrl,
                                     },
                                 }
                             ],
@@ -192,12 +224,16 @@ public class RunWorker
                             PreviousRequirements = previousDependency.Requirements,
                         };
 
-                        var updateWorker = new UpdaterWorker(_logger);
-                        var dependencyFilePath = Path.Join(discoveryResult.Path, project.FilePath).NormalizePathToUnix();
-                        var updateResult = await updateWorker.RunAsync(repoContentsPath.FullName, dependencyFilePath, dependency.Name, dependency.Version!, analysisResult.UpdatedVersion, isTransitive: false);
+                        var dependencyFilePath = Path.Join(discoveryResult.Path, project.FilePath).FullyNormalizedRootedPath();
+                        var updateResult = await _updaterWorker.RunAsync(repoContentsPath.FullName, dependencyFilePath, dependency.Name, dependency.Version!, analysisResult.UpdatedVersion, isTransitive: false);
                         // TODO: need to report if anything was actually updated
                         if (updateResult.ErrorType is null || updateResult.ErrorType == ErrorType.None)
                         {
+                            if (dependencyLocation != dependencyFilePath)
+                            {
+                                updatedDependency.Requirements.All(r => r.File == dependencyFilePath);
+                            }
+
                             actualUpdatedDependencies.Add(updatedDependency);
                         }
                     }
@@ -206,23 +242,41 @@ public class RunWorker
 
             // create PR - we need to manually check file contents; we can't easily use `git status` in tests
             var updatedDependencyFiles = new List<DependencyFile>();
-            foreach (var project in discoveryResult.Projects)
+            async Task AddUpdatedFileIfDifferentAsync(string directory, string fileName, string? replacementFileName = null)
             {
-                var path = Path.Join(discoveryResult.Path, project.FilePath).NormalizePathToUnix().EnsurePrefix("/");
-                var localPath = Path.Join(repoContentsPath.FullName, discoveryResult.Path, project.FilePath);
-                var updatedContent = await File.ReadAllTextAsync(localPath);
-                var originalContent = originalDependencyFileContents[path];
+                var repoFullPath = Path.Join(directory, fileName);
+                if (replacementFileName is not null)
+                {
+                    repoFullPath = Path.Join(Path.GetDirectoryName(repoFullPath)!, replacementFileName);
+                }
+
+                repoFullPath = repoFullPath.FullyNormalizedRootedPath();
+                var localFullPath = Path.Join(repoContentsPath.FullName, repoFullPath);
+
+                if (!File.Exists(localFullPath))
+                {
+                    return;
+                }
+
+                var originalContent = originalDependencyFileContents[repoFullPath];
+                var updatedContent = await File.ReadAllTextAsync(localFullPath);
                 if (updatedContent != originalContent)
                 {
                     updatedDependencyFiles.Add(new DependencyFile()
                     {
-                        Name = project.FilePath,
+                        Name = Path.GetFileName(repoFullPath),
+                        Directory = Path.GetDirectoryName(repoFullPath)!.NormalizePathToUnix(),
                         Content = updatedContent,
-                        Directory = discoveryResult.Path,
                     });
                 }
             }
 
+            foreach (var project in discoveryResult.Projects)
+            {
+                await AddUpdatedFileIfDifferentAsync(discoveryResult.Path, project.FilePath);
+                await AddUpdatedFileIfDifferentAsync(discoveryResult.Path, project.FilePath, replacementFileName: "packages.config");
+            }
+
             if (updatedDependencyFiles.Count > 0)
             {
                 var createPullRequest = new CreatePullRequest()
@@ -249,23 +303,27 @@ public class RunWorker
 
         var result = new RunResult()
         {
-            Base64DependencyFiles = originalDependencyFileContents.Select(kvp => new DependencyFile()
+            Base64DependencyFiles = originalDependencyFileContents.Select(kvp =>
             {
-                Name = Path.GetFileName(kvp.Key),
-                Content = Convert.ToBase64String(Encoding.UTF8.GetBytes(kvp.Value)),
-                Directory = Path.GetDirectoryName(kvp.Key)!.NormalizePathToUnix(),
+                var fullPath = kvp.Key.FullyNormalizedRootedPath();
+                return new DependencyFile()
+                {
+                    Name = Path.GetFileName(fullPath),
+                    Content = Convert.ToBase64String(Encoding.UTF8.GetBytes(kvp.Value)),
+                    Directory = Path.GetDirectoryName(fullPath)!.NormalizePathToUnix(),
+                };
             }).ToArray(),
             BaseCommitSha = baseCommitSha,
         };
         return result;
     }
 
-    internal static UpdatedDependencyList GetUpdatedDependencyListFromDiscovery(WorkspaceDiscoveryResult discoveryResult)
+    internal static UpdatedDependencyList GetUpdatedDependencyListFromDiscovery(WorkspaceDiscoveryResult discoveryResult, string pathToContents)
     {
         string GetFullRepoPath(string path)
         {
             // ensures `path\to\file` is `/path/to/file`
-            return Path.Join(discoveryResult.Path, path).NormalizePathToUnix().NormalizeUnixPathParts().EnsurePrefix("/");
+            return Path.Join(discoveryResult.Path, path).FullyNormalizedRootedPath();
         }
 
         var auxiliaryFiles = new List<string>();
@@ -282,6 +340,17 @@ public class RunWorker
             auxiliaryFiles.Add(GetFullRepoPath(discoveryResult.DirectoryPackagesProps.FilePath));
         }
 
+        foreach (var project in discoveryResult.Projects)
+        {
+            var projectDirectory = Path.GetDirectoryName(project.FilePath);
+            var pathToPackagesConfig = Path.Join(pathToContents, discoveryResult.Path, projectDirectory, "packages.config");
+
+            if (File.Exists(pathToPackagesConfig))
+            {
+                auxiliaryFiles.Add(GetFullRepoPath(Path.Join(projectDirectory, "packages.config")));
+            }
+        }
+
         var updatedDependencyList = new UpdatedDependencyList()
         {
             Dependencies = discoveryResult.Projects.SelectMany(p =>
@@ -292,7 +361,9 @@ public class RunWorker
                         Name = d.Name,
                         Requirements = d.IsTransitive ? [] : [new ReportedRequirement()
                         {
-                            File = GetFullRepoPath(p.FilePath),
+                            File = d.Type == DependencyType.PackagesConfig
+                                ? Path.Join(Path.GetDirectoryName(GetFullRepoPath(p.FilePath))!, "packages.config").FullyNormalizedRootedPath()
+                                : GetFullRepoPath(p.FilePath),
                             Requirement = d.Version!,
                             Groups = ["dependencies"],
                         }],

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Updater/PackageReferenceUpdater.cs

@@ -26,6 +26,7 @@ internal static class PackageReferenceUpdater
         string previousDependencyVersion,
         string newDependencyVersion,
         bool isTransitive,
+        ExperimentsManager experimentsManager,
         ILogger logger)
     {
         // PackageReference project; modify the XML directly
@@ -42,11 +43,7 @@ internal static class PackageReferenceUpdater
         }
 
         var peerDependencies = await GetUpdatedPeerDependenciesAsync(repoRootPath, projectPath, tfms, dependencyName, newDependencyVersion, logger);
-        if (MSBuildHelper.UseNewDependencySolver())
-        {
-            await UpdateDependencyWithConflictResolution(repoRootPath, buildFiles, tfms, projectPath, dependencyName, previousDependencyVersion, newDependencyVersion, isTransitive, peerDependencies, logger);
-        }
-        else
+        if (experimentsManager.UseLegacyDependencySolver)
         {
             if (isTransitive)
             {
@@ -62,6 +59,10 @@ internal static class PackageReferenceUpdater
                 await UpdateTopLevelDepdendency(repoRootPath, buildFiles, tfms, dependencyName, previousDependencyVersion, newDependencyVersion, peerDependencies, logger);
             }
         }
+        else
+        {
+            await UpdateDependencyWithConflictResolution(repoRootPath, buildFiles, tfms, projectPath, dependencyName, previousDependencyVersion, newDependencyVersion, isTransitive, peerDependencies, logger);
+        }
 
         if (!await AreDependenciesCoherentAsync(repoRootPath, projectPath, dependencyName, logger, buildFiles, tfms))
         {