dependabot-nuget 0.289.0 → 0.291.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 36551f131fff2d82f525e8eb3bd17f26da2d435f4c44484f2b91e0253f041e8f
-  data.tar.gz: c97b1b5899bfac76abd674bf58f8853b7790b5e90d74089f2f663dd12f82fd89
+  metadata.gz: c3d38c911d42c1014432f79bd79e560129291135bb6f5039ff09e2e9229db253
+  data.tar.gz: a7417d90f096fb3de7a6a142b2b42c7aac61f299ba57d49ddbe1a1359d4dba3f
 SHA512:
-  metadata.gz: '09e24d02174892b6d10f70bd7e26a200ff0f5d352ba3a69d826598a891d52990c3fd1e839088e4d797df0af6edb53fdb9f3ef9205352c2641cc818b3d603fb97'
-  data.tar.gz: 3d9b2b81fee8ff8791796f9d7453f82cdd72a79d2ba3a103303475378fd387d9fb6caedb57688b322dffdb019172ca03910ae6256f79c392d99a233f110e585e
+  metadata.gz: b3cb757cc8d4a2ba7c0e3bc1f22e6d53e06e6de5bae39e460b86f9c697aaef7e95c0f62bf6583a63376c5367a6ec6e820389546f78dc3d7a190a331a1db720c6
+  data.tar.gz: f51885f03309f8e8d0f7359fffc41305c98e26f00a3e20af3ac67681f20c7e7d3f018e8093f89fe1591ac22a8f22453b49bb427d5a377aedb0a23f1cdfd1bffc

data/helpers/lib/NuGetUpdater/Directory.Packages.props

@@ -16,7 +16,7 @@
     <PackageVersion Include="Microsoft.Build.Framework" Version="$(MSBuildPackageVersion)" />
     <PackageVersion Include="Microsoft.Build.Tasks.Core" Version="$(MSBuildPackageVersion)" />
     <PackageVersion Include="Microsoft.Build.Utilities.Core" Version="$(MSBuildPackageVersion)" />
-    <PackageVersion Include="Microsoft.CodeAnalysis.CSharp" Version="4.11.0" />
+    <PackageVersion Include="Microsoft.CodeAnalysis.CSharp" Version="4.12.0" />
     <PackageVersion Include="Microsoft.CSharp" Version="4.7.0" />
     <PackageVersion Include="Microsoft.Extensions.FileProviders.Abstractions" Version="9.0.0" />
     <PackageVersion Include="Microsoft.Extensions.FileSystemGlobbing" Version="9.0.0" />

data/helpers/lib/NuGetUpdater/NuGetUpdater.Cli/Commands/AnalyzeCommand.cs

@@ -7,6 +7,7 @@ namespace NuGetUpdater.Cli.Commands;
 
 internal static class AnalyzeCommand
 {
+    internal static readonly Option<FileInfo> JobPathOption = new("--job-path") { IsRequired = true };
     internal static readonly Option<DirectoryInfo> RepoRootOption = new("--repo-root") { IsRequired = true };
     internal static readonly Option<FileInfo> DependencyFilePathOption = new("--dependency-file-path") { IsRequired = true };
     internal static readonly Option<FileInfo> DiscoveryFilePathOption = new("--discovery-file-path") { IsRequired = true };
@@ -16,6 +17,7 @@ internal static class AnalyzeCommand
     {
         Command command = new("analyze", "Determines how to update a dependency based on the workspace discovery information.")
         {
+            JobPathOption,
             RepoRootOption,
             DependencyFilePathOption,
             DiscoveryFilePathOption,
@@ -24,11 +26,13 @@ internal static class AnalyzeCommand
 
         command.TreatUnmatchedTokensAsErrors = true;
 
-        command.SetHandler(async (repoRoot, discoveryPath, dependencyPath, analysisDirectory) =>
+        command.SetHandler(async (jobPath, repoRoot, discoveryPath, dependencyPath, analysisDirectory) =>
         {
-            var worker = new AnalyzeWorker(new ConsoleLogger());
+            var logger = new ConsoleLogger();
+            var experimentsManager = await ExperimentsManager.FromJobFileAsync(jobPath.FullName, logger);
+            var worker = new AnalyzeWorker(experimentsManager, logger);
             await worker.RunAsync(repoRoot.FullName, discoveryPath.FullName, dependencyPath.FullName, analysisDirectory.FullName);
-        }, RepoRootOption, DiscoveryFilePathOption, DependencyFilePathOption, AnalysisFolderOption);
+        }, JobPathOption, RepoRootOption, DiscoveryFilePathOption, DependencyFilePathOption, AnalysisFolderOption);
 
         return command;
     }

data/helpers/lib/NuGetUpdater/NuGetUpdater.Cli/Commands/RunCommand.cs

@@ -36,7 +36,7 @@ internal static class RunCommand
             var logger = new ConsoleLogger();
             var experimentsManager = await ExperimentsManager.FromJobFileAsync(jobPath.FullName, logger);
             var discoverWorker = new DiscoveryWorker(experimentsManager, logger);
-            var analyzeWorker = new AnalyzeWorker(logger);
+            var analyzeWorker = new AnalyzeWorker(experimentsManager, logger);
             var updateWorker = new UpdaterWorker(experimentsManager, logger);
             var worker = new RunWorker(apiHandler, discoverWorker, analyzeWorker, updateWorker, logger);
             await worker.RunAsync(jobPath, repoContentsPath, baseCommitSha, outputPath);

data/helpers/lib/NuGetUpdater/NuGetUpdater.Cli.Test/EntryPointTests.Analyze.cs

@@ -26,6 +26,8 @@ public partial class EntryPointTests
             await RunAsync(path =>
                 [
                     "analyze",
+                    "--job-path",
+                    Path.Combine(path, "job.json"),
                     "--repo-root",
                     path,
                     "--discovery-file-path",
@@ -144,6 +146,8 @@ public partial class EntryPointTests
             await RunAsync(path =>
                 [
                     "analyze",
+                    "--job-path",
+                    Path.Combine(path, "job.json"),
                     "--repo-root",
                     path,
                     "--discovery-file-path",
@@ -231,6 +235,8 @@ public partial class EntryPointTests
             await RunAsync(path =>
                 [
                     "analyze",
+                    "--job-path",
+                    Path.Combine(path, "job.json"),
                     "--repo-root",
                     path,
                     "--discovery-file-path",
@@ -308,8 +314,16 @@ public partial class EntryPointTests
             );
         }
 
-        private static async Task RunAsync(Func<string, string[]> getArgs, string dependencyName, TestFile[] initialFiles, ExpectedAnalysisResult expectedResult, MockNuGetPackage[]? packages = null)
+        private static async Task RunAsync(
+            Func<string, string[]> getArgs,
+            string dependencyName,
+            TestFile[] initialFiles,
+            ExpectedAnalysisResult expectedResult,
+            MockNuGetPackage[]? packages = null,
+            ExperimentsManager? experimentsManager = null
+        )
         {
+            experimentsManager ??= new ExperimentsManager();
             var actualResult = await RunAnalyzerAsync(dependencyName, initialFiles, async path =>
             {
                 var sb = new StringBuilder();
@@ -322,8 +336,19 @@ public partial class EntryPointTests
 
                 try
                 {
+                    await UpdateWorkerTestBase.MockJobFileInDirectory(path, experimentsManager);
                     await UpdateWorkerTestBase.MockNuGetPackagesInDirectory(packages, path);
                     var args = getArgs(path);
+
+                    // manually pull out the experiments manager for the validate step below
+                    for (int i = 0; i < args.Length - 1; i++)
+                    {
+                        if (args[i] == "--job-path")
+                        {
+                            experimentsManager = await ExperimentsManager.FromJobFileAsync(args[i + 1], new TestLogger());
+                        }
+                    }
+
                     var result = await Program.Main(args);
                     if (result != 0)
                     {

data/helpers/lib/NuGetUpdater/NuGetUpdater.Cli.Test/EntryPointTests.Discover.cs

@@ -393,7 +393,8 @@ public partial class EntryPointTests
             TestFile[] initialFiles,
             ExpectedWorkspaceDiscoveryResult expectedResult,
             MockNuGetPackage[]? packages = null,
-            ExperimentsManager? experimentsManager = null)
+            ExperimentsManager? experimentsManager = null
+        )
         {
             experimentsManager ??= new ExperimentsManager();
             var actualResult = await RunDiscoveryAsync(initialFiles, async path =>

data/helpers/lib/NuGetUpdater/NuGetUpdater.Cli.Test/EntryPointTests.Run.cs

@@ -41,12 +41,6 @@ public partial class EntryPointTests
                 ],
                 job: new Job()
                 {
-                    AllowedUpdates = [
-                        new()
-                        {
-                            UpdateType = "all"
-                        }
-                    ],
                     Source = new()
                     {
                         Provider = "github",

data/helpers/lib/NuGetUpdater/NuGetUpdater.Cli.Test/EntryPointTests.Update.cs

@@ -382,7 +382,7 @@ public partial class EntryPointTests
                 workingDirectory = Path.Join(workingDirectory, workingDirectoryPath);
             }
 
-            var (exitCode, output, error) = await ProcessEx.RunAsync("dotnet", executableArgs, workingDirectory: workingDirectory);
+            var (exitCode, output, error) = await ProcessEx.RunDotnetWithoutMSBuildEnvironmentVariablesAsync(executableArgs, workingDirectory, new ExperimentsManager() { InstallDotnetSdks = false });
             Assert.True(exitCode == 0, $"Error running update on unsupported SDK.\nSTDOUT:\n{output}\nSTDERR:\n{error}");
 
             // verify project update

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Analyze/AnalyzeWorker.cs

@@ -16,6 +16,7 @@ public partial class AnalyzeWorker : IAnalyzeWorker
 {
     public const string AnalysisDirectoryName = "./.dependabot/analysis";
 
+    private readonly ExperimentsManager _experimentsManager;
     private readonly ILogger _logger;
 
     internal static readonly JsonSerializerOptions SerializerOptions = new()
@@ -24,8 +25,9 @@ public partial class AnalyzeWorker : IAnalyzeWorker
         Converters = { new JsonStringEnumConverter(), new RequirementArrayConverter() },
     };
 
-    public AnalyzeWorker(ILogger logger)
+    public AnalyzeWorker(ExperimentsManager experimentsManager, ILogger logger)
     {
+        _experimentsManager = experimentsManager;
         _logger = logger;
     }
 
@@ -140,6 +142,7 @@ public partial class AnalyzeWorker : IAnalyzeWorker
                     dependenciesToUpdate,
                     updatedVersion,
                     nugetContext,
+                    _experimentsManager,
                     _logger,
                     CancellationToken.None);
             }
@@ -391,6 +394,7 @@ public partial class AnalyzeWorker : IAnalyzeWorker
         ImmutableHashSet<string> packageIds,
         NuGetVersion updatedVersion,
         NuGetContext nugetContext,
+        ExperimentsManager experimentsManager,
         ILogger logger,
         CancellationToken cancellationToken)
     {
@@ -430,6 +434,7 @@ public partial class AnalyzeWorker : IAnalyzeWorker
             packageIds,
             updatedVersion,
             nugetContext,
+            experimentsManager,
             logger,
             cancellationToken);
 

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Analyze/CompatabilityChecker.cs

@@ -80,9 +80,9 @@ internal static class CompatibilityChecker
         NuGetContext nugetContext,
         CancellationToken cancellationToken)
     {
-        var tempPackagePath = GetTempPackagePath(package, nugetContext);
-        var readers = File.Exists(tempPackagePath)
-            ? ReadPackage(tempPackagePath)
+        var packagePath = GetPackagePath(package, nugetContext);
+        var readers = File.Exists(packagePath)
+            ? ReadPackage(packagePath)
             : await DownloadPackageAsync(package, nugetContext, cancellationToken);
         return readers;
     }
@@ -134,10 +134,10 @@ internal static class CompatibilityChecker
         return (isDevDependency, tfms.ToImmutableArray());
     }
 
-    internal static PackageReaders ReadPackage(string tempPackagePath)
+    internal static PackageReaders ReadPackage(string packagePath)
     {
         var stream = new FileStream(
-              tempPackagePath,
+              packagePath,
               FileMode.Open,
               FileAccess.Read,
               FileShare.Read,
@@ -194,8 +194,8 @@ internal static class CompatibilityChecker
                 context.Logger,
                 cancellationToken);
 
-            var tempPackagePath = GetTempPackagePath(package, context);
-            var isDownloaded = await downloader.CopyNupkgFileToAsync(tempPackagePath, cancellationToken);
+            var packagePath = GetPackagePath(package, context);
+            var isDownloaded = await downloader.CopyNupkgFileToAsync(packagePath, cancellationToken);
             if (!isDownloaded)
             {
                 continue;
@@ -207,6 +207,21 @@ internal static class CompatibilityChecker
         return null;
     }
 
-    internal static string GetTempPackagePath(PackageIdentity package, NuGetContext context)
-        => Path.Combine(context.TempPackageDirectory, package.Id + "." + package.Version + ".nupkg");
+    internal static string GetPackagePath(PackageIdentity package, NuGetContext context)
+    {
+        // https://learn.microsoft.com/en-us/nuget/consume-packages/managing-the-global-packages-and-cache-folders
+        var nugetPackagesPath = Environment.GetEnvironmentVariable("NUGET_PACKAGES");
+        if (nugetPackagesPath is null)
+        {
+            // n.b., this path should never be hit during a unit test
+            nugetPackagesPath = Path.Join(Environment.GetFolderPath(Environment.SpecialFolder.UserProfile), ".nuget", "packages");
+        }
+
+        var normalizedName = package.Id.ToLowerInvariant();
+        var normalizedVersion = package.Version.ToNormalizedString().ToLowerInvariant();
+        var packageDirectory = Path.Join(nugetPackagesPath, normalizedName, normalizedVersion);
+        Directory.CreateDirectory(packageDirectory);
+        var packagePath = Path.Join(packageDirectory, $"{normalizedName}.{normalizedVersion}.nupkg");
+        return packagePath;
+    }
 }

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Analyze/DependencyFinder.cs

@@ -14,6 +14,7 @@ internal static class DependencyFinder
         ImmutableHashSet<string> packageIds,
         NuGetVersion version,
         NuGetContext nugetContext,
+        ExperimentsManager experimentsManager,
         ILogger logger,
         CancellationToken cancellationToken)
     {
@@ -30,6 +31,7 @@ internal static class DependencyFinder
                 projectPath,
                 framework.ToString(),
                 packages,
+                experimentsManager,
                 logger);
             var updatedDependencies = new List<Dependency>();
             foreach (var dependency in dependencies)

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Analyze/NuGetContext.cs

@@ -20,7 +20,6 @@ internal record NuGetContext : IDisposable
     public IMachineWideSettings MachineWideSettings { get; }
     public ImmutableArray<PackageSource> PackageSources { get; }
     public NuGet.Common.ILogger Logger { get; }
-    public string TempPackageDirectory { get; }
 
     public NuGetContext(string? currentDirectory = null, NuGet.Common.ILogger? logger = null)
     {
@@ -37,23 +36,11 @@ internal record NuGetContext : IDisposable
             .Where(p => p.IsEnabled)
             .ToImmutableArray();
         Logger = logger ?? NullLogger.Instance;
-        TempPackageDirectory = Path.Combine(Path.GetTempPath(), $"dependabot-packages_{Guid.NewGuid():d}");
-        Directory.CreateDirectory(TempPackageDirectory);
     }
 
     public void Dispose()
     {
         SourceCacheContext.Dispose();
-        if (Directory.Exists(TempPackageDirectory))
-        {
-            try
-            {
-                Directory.Delete(TempPackageDirectory, recursive: true);
-            }
-            catch
-            {
-            }
-        }
     }
 
     private readonly Dictionary<PackageIdentity, string?> _packageInfoUrlCache = new();

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Analyze/RequirementConverter.cs

@@ -0,0 +1,17 @@
+using System.Text.Json;
+using System.Text.Json.Serialization;
+
+namespace NuGetUpdater.Core.Analyze;
+
+public class RequirementConverter : JsonConverter<Requirement>
+{
+    public override Requirement? Read(ref Utf8JsonReader reader, Type typeToConvert, JsonSerializerOptions options)
+    {
+        return Requirement.Parse(reader.GetString()!);
+    }
+
+    public override void Write(Utf8JsonWriter writer, Requirement value, JsonSerializerOptions options)
+    {
+        writer.WriteStringValue(value.ToString());
+    }
+}

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Discover/DiscoveryWorker.cs

@@ -6,6 +6,7 @@ using System.Text.Json.Serialization;
 using Microsoft.Build.Construction;
 using Microsoft.Build.Definition;
 using Microsoft.Build.Evaluation;
+using Microsoft.Build.Exceptions;
 
 using NuGetUpdater.Core.Analyze;
 using NuGetUpdater.Core.Utilities;
@@ -93,13 +94,31 @@ public partial class DiscoveryWorker : IDiscoveryWorker
             }
 
             // this next line should throw or something
-            projectResults = await RunForDirectoryAsnyc(repoRootPath, workspacePath);
+            projectResults = await RunForDirectoryAsync(repoRootPath, workspacePath);
         }
         else
         {
             _logger.Info($"Workspace path [{workspacePath}] does not exist.");
         }
 
+        //if any projectResults are not successful, return a failed result
+        if (projectResults.Any(p => p.IsSuccess == false))
+        {
+            var failedProjectResult = projectResults.Where(p => p.IsSuccess == false).First();
+            var failedDiscoveryResult = new WorkspaceDiscoveryResult
+            {
+                Path = initialWorkspacePath,
+                DotNetToolsJson = null,
+                GlobalJson = null,
+                Projects = projectResults.Where(p => p.IsSuccess).OrderBy(p => p.FilePath).ToImmutableArray(),
+                ErrorType = failedProjectResult.ErrorType,
+                ErrorDetails = failedProjectResult.FilePath,
+                IsSuccess = false,
+            };
+
+            return failedDiscoveryResult;
+        }
+
         result = new WorkspaceDiscoveryResult
         {
             Path = initialWorkspacePath,
@@ -137,14 +156,34 @@ public partial class DiscoveryWorker : IDiscoveryWorker
 
         _logger.Info($"  Restoring MSBuild SDKs: {string.Join(", ", keys)}");
 
-        return await NuGetHelper.DownloadNuGetPackagesAsync(repoRootPath, workspacePath, msbuildSdks, logger);
+        return await NuGetHelper.DownloadNuGetPackagesAsync(repoRootPath, workspacePath, msbuildSdks, _experimentsManager, logger);
     }
 
-    private async Task<ImmutableArray<ProjectDiscoveryResult>> RunForDirectoryAsnyc(string repoRootPath, string workspacePath)
+    private async Task<ImmutableArray<ProjectDiscoveryResult>> RunForDirectoryAsync(string repoRootPath, string workspacePath)
     {
         _logger.Info($"  Discovering projects beneath [{Path.GetRelativePath(repoRootPath, workspacePath)}].");
         var entryPoints = FindEntryPoints(workspacePath);
-        var projects = ExpandEntryPointsIntoProjects(entryPoints);
+        ImmutableArray<string> projects;
+        try
+        {
+            projects = ExpandEntryPointsIntoProjects(entryPoints);
+        }
+        catch (InvalidProjectFileException e)
+        {
+            var invalidProjectFile = Path.GetRelativePath(workspacePath, e.ProjectFile).NormalizePathToUnix();
+
+            _logger.Info("Error encountered during discovery: " + e.Message);
+            return [new ProjectDiscoveryResult
+            {
+                FilePath = invalidProjectFile,
+                Dependencies = ImmutableArray<Dependency>.Empty,
+                ImportedFiles = ImmutableArray<string>.Empty,
+                AdditionalFiles = ImmutableArray<string>.Empty,
+                IsSuccess = false,
+                ErrorType = ErrorType.DependencyFileNotParseable,
+                ErrorDetails = "Failed to parse project file found at " + invalidProjectFile,
+            }];
+        }
         if (projects.IsEmpty)
         {
             _logger.Info("  No project files found.");
@@ -286,7 +325,7 @@ public partial class DiscoveryWorker : IDiscoveryWorker
                 _processedProjectPaths.Add(actualProjectPath);
 
                 var relativeProjectPath = Path.GetRelativePath(workspacePath, actualProjectPath).NormalizePathToUnix();
-                var packagesConfigResult = await PackagesConfigDiscovery.Discover(repoRootPath, workspacePath, actualProjectPath, _logger);
+                var packagesConfigResult = await PackagesConfigDiscovery.Discover(repoRootPath, workspacePath, actualProjectPath, _experimentsManager, _logger);
                 var projectResults = await SdkProjectDiscovery.DiscoverAsync(repoRootPath, workspacePath, actualProjectPath, _experimentsManager, _logger);
 
                 // Determine if there were unrestored MSBuildSdks

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Discover/PackagesConfigDiscovery.cs

@@ -6,7 +6,7 @@ namespace NuGetUpdater.Core.Discover;
 
 internal static class PackagesConfigDiscovery
 {
-    public static async Task<PackagesConfigDiscoveryResult?> Discover(string repoRootPath, string workspacePath, string projectPath, ILogger logger)
+    public static async Task<PackagesConfigDiscoveryResult?> Discover(string repoRootPath, string workspacePath, string projectPath, ExperimentsManager experimentsManager, ILogger logger)
     {
         var projectDirectory = Path.GetDirectoryName(projectPath)!;
         var additionalFiles = ProjectHelper.GetAllAdditionalFilesFromProject(projectPath, ProjectHelper.PathFormat.Full);
@@ -27,7 +27,7 @@ internal static class PackagesConfigDiscovery
             .ToImmutableArray();
 
         // generate `$(TargetFramework)` via MSBuild
-        var tfms = await MSBuildHelper.GetTargetFrameworkValuesFromProject(repoRootPath, projectPath, logger);
+        var tfms = await MSBuildHelper.GetTargetFrameworkValuesFromProject(repoRootPath, projectPath, experimentsManager, logger);
 
         var additionalFilesRelative = additionalFiles.Select(p => Path.GetRelativePath(projectDirectory, p).NormalizePathToUnix()).ToImmutableArray();
         return new()

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Discover/ProjectDiscoveryResult.cs

@@ -8,6 +8,8 @@ public record ProjectDiscoveryResult : IDiscoveryResultWithDependencies
     public required string FilePath { get; init; }
     public required ImmutableArray<Dependency> Dependencies { get; init; }
     public bool IsSuccess { get; init; } = true;
+    public string? ErrorDetails { get; init; }
+    public ErrorType? ErrorType { get; init; }
     public ImmutableArray<Property> Properties { get; init; } = [];
     public ImmutableArray<string> TargetFrameworks { get; init; } = [];
     public ImmutableArray<string> ReferencedProjectPaths { get; init; } = [];

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Discover/SdkProjectDiscovery.cs

@@ -48,15 +48,15 @@ internal static class SdkProjectDiscovery
     {
         if (experimentsManager.UseDirectDiscovery)
         {
-            return await DiscoverWithBinLogAsync(repoRootPath, workspacePath, startingProjectPath, logger);
+            return await DiscoverWithBinLogAsync(repoRootPath, workspacePath, startingProjectPath, experimentsManager, logger);
         }
         else
         {
-            return await DiscoverWithTempProjectAsync(repoRootPath, workspacePath, startingProjectPath, logger);
+            return await DiscoverWithTempProjectAsync(repoRootPath, workspacePath, startingProjectPath, experimentsManager, logger);
         }
     }
 
-    public static async Task<ImmutableArray<ProjectDiscoveryResult>> DiscoverWithBinLogAsync(string repoRootPath, string workspacePath, string startingProjectPath, ILogger logger)
+    public static async Task<ImmutableArray<ProjectDiscoveryResult>> DiscoverWithBinLogAsync(string repoRootPath, string workspacePath, string startingProjectPath, ExperimentsManager experimentsManager, ILogger logger)
     {
         // N.b., there are many paths used in this function.  The MSBuild binary log always reports fully qualified paths, so that's what will be used
         // throughout until the very end when the appropriate kind of relative path is returned.
@@ -84,7 +84,7 @@ internal static class SdkProjectDiscovery
         Dictionary<string, HashSet<string>> additionalFiles = new(PathComparer.Instance);
         //         projectPath, additionalFiles
 
-        var tfms = await MSBuildHelper.GetTargetFrameworkValuesFromProject(repoRootPath, startingProjectPath, logger);
+        var tfms = await MSBuildHelper.GetTargetFrameworkValuesFromProject(repoRootPath, startingProjectPath, experimentsManager, logger);
         foreach (var tfm in tfms)
         {
             // create a binlog
@@ -92,7 +92,7 @@ internal static class SdkProjectDiscovery
             try
             {
                 // TODO: once the updater image has all relevant SDKs installed, we won't have to sideline global.json anymore
-                var (exitCode, stdOut, stdErr) = await MSBuildHelper.SidelineGlobalJsonAsync(startingProjectDirectory, repoRootPath, async () =>
+                var (exitCode, stdOut, stdErr) = await MSBuildHelper.HandleGlobalJsonAsync(startingProjectDirectory, repoRootPath, experimentsManager, async () =>
                 {
                     // the built-in target `GenerateBuildDependencyFile` forces resolution of all NuGet packages, but doesn't invoke a full build
                     var dependencyDiscoveryTargetsPath = Path.Combine(Path.GetDirectoryName(Assembly.GetExecutingAssembly().Location)!, "DependencyDiscovery.targets");
@@ -102,10 +102,11 @@ internal static class SdkProjectDiscovery
                         startingProjectPath,
                         "/t:_DiscoverDependencies",
                         $"/p:TargetFramework={tfm}",
-                        $"/p:CustomAfterMicrosoftCommonCrossTargetingTargets={dependencyDiscoveryTargetsPath};CustomAfterMicrosoftCommonTargets={dependencyDiscoveryTargetsPath}",
+                        $"/p:CustomAfterMicrosoftCommonCrossTargetingTargets={dependencyDiscoveryTargetsPath}",
+                        $"/p:CustomAfterMicrosoftCommonTargets={dependencyDiscoveryTargetsPath}",
                         $"/bl:{binLogPath}"
                     };
-                    var (exitCode, stdOut, stdErr) = await ProcessEx.RunAsync("dotnet", args, workingDirectory: startingProjectDirectory);
+                    var (exitCode, stdOut, stdErr) = await ProcessEx.RunDotnetWithoutMSBuildEnvironmentVariablesAsync(args, startingProjectDirectory, experimentsManager);
                     return (exitCode, stdOut, stdErr);
                 }, logger, retainMSBuildSdks: true);
                 MSBuildHelper.ThrowOnUnauthenticatedFeed(stdOut);
@@ -411,7 +412,7 @@ internal static class SdkProjectDiscovery
         return property.Value;
     }
 
-    public static async Task<ImmutableArray<ProjectDiscoveryResult>> DiscoverWithTempProjectAsync(string repoRootPath, string workspacePath, string projectPath, ILogger logger)
+    public static async Task<ImmutableArray<ProjectDiscoveryResult>> DiscoverWithTempProjectAsync(string repoRootPath, string workspacePath, string projectPath, ExperimentsManager experimentsManager, ILogger logger)
     {
         // Determine which targets and props files contribute to the build.
         var (buildFiles, projectTargetFrameworks) = await MSBuildHelper.LoadBuildFilesAndTargetFrameworksAsync(repoRootPath, projectPath);
@@ -476,7 +477,7 @@ internal static class SdkProjectDiscovery
                     dependencies = dependencies
                         .Select(d => d with { TargetFrameworks = tfms })
                         .ToImmutableArray();
-                    var transitiveDependencies = await GetTransitiveDependencies(repoRootPath, projectPath, tfms, dependencies, logger);
+                    var transitiveDependencies = await GetTransitiveDependencies(repoRootPath, projectPath, tfms, dependencies, experimentsManager, logger);
                     ImmutableArray<Dependency> allDependencies = dependencies.Concat(transitiveDependencies).Concat(sdkDependencies)
                         .OrderBy(d => d.Name)
                         .ToImmutableArray();
@@ -514,12 +515,19 @@ internal static class SdkProjectDiscovery
         return results.ToImmutable();
     }
 
-    private static async Task<ImmutableArray<Dependency>> GetTransitiveDependencies(string repoRootPath, string projectPath, ImmutableArray<string> tfms, ImmutableArray<Dependency> directDependencies, ILogger logger)
+    private static async Task<ImmutableArray<Dependency>> GetTransitiveDependencies(
+        string repoRootPath,
+        string projectPath,
+        ImmutableArray<string> tfms,
+        ImmutableArray<Dependency> directDependencies,
+        ExperimentsManager experimentsManager,
+        ILogger logger
+    )
     {
         Dictionary<string, Dependency> transitiveDependencies = new(StringComparer.OrdinalIgnoreCase);
         foreach (var tfm in tfms)
         {
-            var tfmDependencies = await MSBuildHelper.GetAllPackageDependenciesAsync(repoRootPath, projectPath, tfm, directDependencies, logger);
+            var tfmDependencies = await MSBuildHelper.GetAllPackageDependenciesAsync(repoRootPath, projectPath, tfm, directDependencies, experimentsManager, logger);
             foreach (var dependency in tfmDependencies.Where(d => d.IsTransitive))
             {
                 if (!transitiveDependencies.TryGetValue(dependency.Name, out var existingDependency))

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/ErrorType.cs

@@ -6,5 +6,6 @@ public enum ErrorType
     AuthenticationFailure,
     MissingFile,
     UpdateNotPossible,
+    DependencyFileNotParseable,
     Unknown,
 }

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/ExperimentsManager.cs

@@ -6,6 +6,7 @@ namespace NuGetUpdater.Core;
 
 public record ExperimentsManager
 {
+    public bool InstallDotnetSdks { get; init; } = false;
     public bool UseLegacyDependencySolver { get; init; } = false;
     public bool UseDirectDiscovery { get; init; } = false;
 
@@ -13,6 +14,7 @@ public record ExperimentsManager
     {
         return new()
         {
+            ["nuget_install_dotnet_sdks"] = InstallDotnetSdks,
             ["nuget_legacy_dependency_solver"] = UseLegacyDependencySolver,
             ["nuget_use_direct_discovery"] = UseDirectDiscovery,
         };
@@ -22,6 +24,7 @@ public record ExperimentsManager
     {
         return new ExperimentsManager()
         {
+            InstallDotnetSdks = IsEnabled(experiments, "nuget_install_dotnet_sdks"),
             UseLegacyDependencySolver = IsEnabled(experiments, "nuget_legacy_dependency_solver"),
             UseDirectDiscovery = IsEnabled(experiments, "nuget_use_direct_discovery"),
         };

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Run/ApiModel/Advisory.cs

@@ -0,0 +1,13 @@
+using System.Collections.Immutable;
+
+using NuGetUpdater.Core.Analyze;
+
+namespace NuGetUpdater.Core.Run.ApiModel;
+
+public record Advisory
+{
+    public required string DependencyName { get; init; }
+    public ImmutableArray<Requirement>? AffectedVersions { get; init; } = null;
+    public ImmutableArray<Requirement>? PatchedVersions { get; init; } = null;
+    public ImmutableArray<Requirement>? UnaffectedVersions { get; init; } = null;
+}

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Run/ApiModel/AllowedUpdate.cs

@@ -2,5 +2,22 @@ namespace NuGetUpdater.Core.Run.ApiModel;
 
 public sealed record AllowedUpdate
 {
-    public string UpdateType { get; init; } = "all";
+    public DependencyType DependencyType { get; init; } = DependencyType.All;
+    public string? DependencyName { get; init; } = null;
+    public UpdateType UpdateType { get; init; } = UpdateType.All;
+}
+
+public enum DependencyType
+{
+    All,
+    Direct,
+    Indirect,
+    Development,
+    Production,
+}
+
+public enum UpdateType
+{
+    All,
+    Security,
 }

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Run/ApiModel/CommitOptions.cs

@@ -0,0 +1,8 @@
+namespace NuGetUpdater.Core.Run.ApiModel;
+
+public record CommitOptions
+{
+    public string? Prefix { get; init; } = null;
+    public string? PrefixDevelopment { get; init; } = null;
+    public string? IncludeScope { get; init; } = null;
+}

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Run/ApiModel/Condition.cs

@@ -0,0 +1,19 @@
+using System.Text.Json.Serialization;
+
+using NuGetUpdater.Core.Analyze;
+
+namespace NuGetUpdater.Core.Run.ApiModel;
+
+public sealed record Condition
+{
+    [JsonPropertyName("dependency-name")]
+    public required string DependencyName { get; init; }
+    [JsonPropertyName("source")]
+    public string? Source { get; init; } = null;
+    [JsonPropertyName("update-types")]
+    public string[] UpdateTypes { get; init; } = [];
+    [JsonPropertyName("updated-at")]
+    public DateTime? UpdatedAt { get; init; } = null;
+    [JsonPropertyName("version-requirement")]
+    public Requirement? VersionRequirement { get; init; } = null;
+}