dependabot-nuget 0.293.0 → 0.295.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 833b170b34a1cef53346970cdfc208b39f49899aaeeb1d2da285463eabf2aea3
-  data.tar.gz: aea74663e1ec787d2496c6d63f97c531d6ccd5415cdd810ce7d8518080b027cc
+  metadata.gz: 8ac3a95f5211adff79f8e7954308a4d3656b63c8be20b70a7b6f129f04402881
+  data.tar.gz: a79771c0cc6c0a08bfaa2a7cef8253902c7e8b92b868568c231064098ba77a1c
 SHA512:
-  metadata.gz: 889ab157302c7dbb0be345ca4e5204fe5518d6aafbd61d7992008404fa84200240e6f88655027ddb4a77611964cb97e2ea7857ad6453d33e498e4d6416b79eb8
-  data.tar.gz: 17f3003ef471825cf980d00da41c528bb051dc64285d6ca808ca84bea09a89b91a197a388d8f62c4e089427a52e77ba24d13b452ec9bc7231b46d18c9c84d697
+  metadata.gz: 800097bc4856927e983da508d16b4e6d0fd75cf40b5ca5ed25901fbb467f0f99e8f8dc724341c0da6cc6126303c6437a5bd8c7521132c3363ed752181402ee1b
+  data.tar.gz: c0a1675e7cdf06ec0314d58092de09d633fa46892ae8f01c20ec74553d756265fda431434babb6eb140184b3380b78576f6309c1ec010f41e0e09e6ad6b28adb

data/helpers/lib/NuGetUpdater/Directory.Packages.props

@@ -36,7 +36,7 @@
     <PackageVersion Include="System.Text.Json" Version="8.0.4" />
     <PackageVersion Include="System.Text.RegularExpressions" Version="4.3.1" />
     <PackageVersion Include="System.Threading.Tasks.Dataflow" Version="9.0.0" />
-    <PackageVersion Include="xunit" Version="2.9.2" />
+    <PackageVersion Include="xunit" Version="2.9.3" />
     <PackageVersion Include="xunit.runner.visualstudio" Version="3.0.0" />
   </ItemGroup>
 

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Analyze/VersionFinder.cs

@@ -113,11 +113,22 @@ internal static class VersionFinder
             ? versionRange.MinVersion
             : null;
 
-        return version => (currentVersion is null || version > currentVersion)
-            && versionRange.Satisfies(version)
-            && (currentVersion is null || !currentVersion.IsPrerelease || !version.IsPrerelease || version.Version == currentVersion.Version)
-            && !dependencyInfo.IgnoredVersions.Any(r => r.IsSatisfiedBy(version))
-            && !dependencyInfo.Vulnerabilities.Any(v => v.IsVulnerable(version));
+        var safeVersions = dependencyInfo.Vulnerabilities.SelectMany(v => v.SafeVersions).ToList();
+        return version =>
+        {
+            var versionGreaterThanCurrent = currentVersion is null || version > currentVersion;
+            var rangeSatisfies = versionRange.Satisfies(version);
+            var prereleaseTypeMatches = currentVersion is null || !currentVersion.IsPrerelease || !version.IsPrerelease || version.Version == currentVersion.Version;
+            var isIgnoredVersion = dependencyInfo.IgnoredVersions.Any(i => i.IsSatisfiedBy(version));
+            var isVulnerableVersion = dependencyInfo.Vulnerabilities.Any(v => v.IsVulnerable(version));
+            var isSafeVersion = !safeVersions.Any() || safeVersions.Any(s => s.IsSatisfiedBy(version));
+            return versionGreaterThanCurrent
+                && rangeSatisfies
+                && prereleaseTypeMatches
+                && !isIgnoredVersion
+                && !isVulnerableVersion
+                && isSafeVersion;
+        };
     }
 
     internal static Func<NuGetVersion, bool> CreateVersionFilter(NuGetVersion currentVersion)

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Discover/DiscoveryWorker.cs

@@ -262,7 +262,8 @@ public partial class DiscoveryWorker : IDiscoveryWorker
             }
         }
 
-        return expandedProjects.ToImmutableArray();
+        var result = expandedProjects.OrderBy(p => p).ToImmutableArray();
+        return result;
     }
 
     private static IEnumerable<string> ExpandItemGroupFilesFromProject(string projectPath, params string[] itemTypes)

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Discover/SdkProjectDiscovery.cs

@@ -114,7 +114,7 @@ internal static class SdkProjectDiscovery
                     var (exitCode, stdOut, stdErr) = await ProcessEx.RunDotnetWithoutMSBuildEnvironmentVariablesAsync(args, startingProjectDirectory, experimentsManager);
                     return (exitCode, stdOut, stdErr);
                 }, logger, retainMSBuildSdks: true);
-                MSBuildHelper.ThrowOnUnauthenticatedFeed(stdOut);
+                MSBuildHelper.ThrowOnError(stdOut);
                 if (stdOut.Contains("""error MSB4057: The target "GenerateBuildDependencyFile" does not exist in the project."""))
                 {
                     // this can happen if it's a non-SDK-style project; totally normal, not worth examining the binlog

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Run/ApiModel/Advisory.cs

@@ -10,4 +10,6 @@ public record Advisory
     public ImmutableArray<Requirement>? AffectedVersions { get; init; } = null;
     public ImmutableArray<Requirement>? PatchedVersions { get; init; } = null;
     public ImmutableArray<Requirement>? UnaffectedVersions { get; init; } = null;
+
+    public IEnumerable<Requirement> SafeVersions => (PatchedVersions ?? []).Concat(UnaffectedVersions ?? []);
 }

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Run/RunWorker.cs

@@ -4,6 +4,10 @@ using System.Text;
 using System.Text.Json;
 using System.Text.Json.Serialization;
 
+using Microsoft.Extensions.FileSystemGlobbing;
+
+using NuGet.Versioning;
+
 using NuGetUpdater.Core.Analyze;
 using NuGetUpdater.Core.Discover;
 using NuGetUpdater.Core.Run.ApiModel;
@@ -113,169 +117,145 @@ public class RunWorker
         await _apiHandler.UpdateDependencyList(discoveredUpdatedDependencies);
 
         // TODO: pull out relevant dependencies, then check each for updates and track the changes
-        // TODO: for each top-level dependency, _or_ specific dependency (if security, use transitive)
         var originalDependencyFileContents = new Dictionary<string, string>();
         var actualUpdatedDependencies = new List<ReportedDependency>();
-        if (job.AllowedUpdates.Any(a => a.UpdateType == UpdateType.All))
+        await _apiHandler.IncrementMetric(new()
         {
-            await _apiHandler.IncrementMetric(new()
-            {
-                Metric = "updater.started",
-                Tags = { ["operation"] = "group_update_all_versions" },
-            });
+            Metric = "updater.started",
+            Tags = { ["operation"] = "group_update_all_versions" },
+        });
+
+        // track original contents for later handling
+        async Task TrackOriginalContentsAsync(string directory, string fileName)
+        {
+            var repoFullPath = Path.Join(directory, fileName).FullyNormalizedRootedPath();
+            var localFullPath = Path.Join(repoContentsPath.FullName, repoFullPath);
+            var content = await File.ReadAllTextAsync(localFullPath);
+            originalDependencyFileContents[repoFullPath] = content;
+        }
 
-            // track original contents for later handling
-            async Task TrackOriginalContentsAsync(string directory, string fileName)
+        foreach (var project in discoveryResult.Projects)
+        {
+            var projectDirectory = Path.GetDirectoryName(project.FilePath);
+            await TrackOriginalContentsAsync(discoveryResult.Path, project.FilePath);
+            foreach (var extraFile in project.ImportedFiles.Concat(project.AdditionalFiles))
             {
-                var repoFullPath = Path.Join(directory, fileName).FullyNormalizedRootedPath();
-                var localFullPath = Path.Join(repoContentsPath.FullName, repoFullPath);
-                var content = await File.ReadAllTextAsync(localFullPath);
-                originalDependencyFileContents[repoFullPath] = content;
+                var extraFilePath = Path.Join(projectDirectory, extraFile);
+                await TrackOriginalContentsAsync(discoveryResult.Path, extraFilePath);
             }
+            // TODO: include global.json, etc.
+        }
 
-            foreach (var project in discoveryResult.Projects)
+        // do update
+        _logger.Info($"Running update in directory {repoDirectory}");
+        foreach (var project in discoveryResult.Projects)
+        {
+            foreach (var dependency in project.Dependencies)
             {
-                var projectDirectory = Path.GetDirectoryName(project.FilePath);
-                await TrackOriginalContentsAsync(discoveryResult.Path, project.FilePath);
-                foreach (var extraFile in project.ImportedFiles.Concat(project.AdditionalFiles))
+                if (!IsUpdateAllowed(job, dependency))
                 {
-                    var extraFilePath = Path.Join(projectDirectory, extraFile);
-                    await TrackOriginalContentsAsync(discoveryResult.Path, extraFilePath);
+                    continue;
                 }
-                // TODO: include global.json, etc.
-            }
 
-            // do update
-            _logger.Info($"Running update in directory {repoDirectory}");
-            foreach (var project in discoveryResult.Projects)
-            {
-                foreach (var dependency in project.Dependencies.Where(d => !d.IsTransitive))
+                var dependencyInfo = GetDependencyInfo(job, dependency);
+                var analysisResult = await _analyzeWorker.RunAsync(repoContentsPath.FullName, discoveryResult, dependencyInfo);
+                // TODO: log analysisResult
+                if (analysisResult.CanUpdate)
                 {
-                    if (dependency.Name == "Microsoft.NET.Sdk")
-                    {
-                        // this can't be updated
-                        // TODO: pull this out of discovery?
-                        continue;
-                    }
+                    var dependencyLocation = Path.Join(discoveryResult.Path, project.FilePath).FullyNormalizedRootedPath();
 
-                    if (dependency.Version is null)
-                    {
-                        // if we don't know the version, there's nothing we can do
-                        continue;
-                    }
-
-                    var ignoredVersions = GetIgnoredRequirementsForDependency(job, dependency.Name);
-                    var dependencyInfo = new DependencyInfo()
+                    // TODO: this is inefficient, but not likely causing a bottleneck
+                    var previousDependency = discoveredUpdatedDependencies.Dependencies
+                        .Single(d => d.Name == dependency.Name && d.Requirements.Single().File == dependencyLocation);
+                    var updatedDependency = new ReportedDependency()
                     {
                         Name = dependency.Name,
-                        Version = dependency.Version!,
-                        IsVulnerable = false,
-                        IgnoredVersions = ignoredVersions,
-                        Vulnerabilities = [],
-                    };
-                    var analysisResult = await _analyzeWorker.RunAsync(repoContentsPath.FullName, discoveryResult, dependencyInfo);
-                    // TODO: log analysisResult
-                    if (analysisResult.CanUpdate)
-                    {
-                        var dependencyLocation = Path.Join(discoveryResult.Path, project.FilePath).FullyNormalizedRootedPath();
-
-                        // TODO: this is inefficient, but not likely causing a bottleneck
-                        var previousDependency = discoveredUpdatedDependencies.Dependencies
-                            .Single(d => d.Name == dependency.Name && d.Requirements.Single().File == dependencyLocation);
-                        var updatedDependency = new ReportedDependency()
-                        {
-                            Name = dependency.Name,
-                            Version = analysisResult.UpdatedVersion,
-                            Requirements =
-                            [
-                                new ReportedRequirement()
-                                {
-                                    File = dependencyLocation,
-                                    Requirement = analysisResult.UpdatedVersion,
-                                    Groups = previousDependency.Requirements.Single().Groups,
-                                    Source = new RequirementSource()
-                                    {
-                                        SourceUrl = analysisResult.UpdatedDependencies.FirstOrDefault(d => d.Name == dependency.Name)?.InfoUrl,
-                                    },
-                                }
-                            ],
-                            PreviousVersion = dependency.Version,
-                            PreviousRequirements = previousDependency.Requirements,
-                        };
-
-                        var dependencyFilePath = Path.Join(discoveryResult.Path, project.FilePath).FullyNormalizedRootedPath();
-                        var updateResult = await _updaterWorker.RunAsync(repoContentsPath.FullName, dependencyFilePath, dependency.Name, dependency.Version!, analysisResult.UpdatedVersion, isTransitive: false);
-                        // TODO: need to report if anything was actually updated
-                        if (updateResult.Error is null)
-                        {
-                            if (dependencyLocation != dependencyFilePath)
+                        Version = analysisResult.UpdatedVersion,
+                        Requirements =
+                        [
+                            new ReportedRequirement()
                             {
-                                updatedDependency.Requirements.All(r => r.File == dependencyFilePath);
+                                File = dependencyLocation,
+                                Requirement = analysisResult.UpdatedVersion,
+                                Groups = previousDependency.Requirements.Single().Groups,
+                                Source = new RequirementSource()
+                                {
+                                    SourceUrl = analysisResult.UpdatedDependencies.FirstOrDefault(d => d.Name == dependency.Name)?.InfoUrl,
+                                },
                             }
+                        ],
+                        PreviousVersion = dependency.Version,
+                        PreviousRequirements = previousDependency.Requirements,
+                    };
 
-                            actualUpdatedDependencies.Add(updatedDependency);
+                    var dependencyFilePath = Path.Join(discoveryResult.Path, project.FilePath).FullyNormalizedRootedPath();
+                    var updateResult = await _updaterWorker.RunAsync(repoContentsPath.FullName, dependencyFilePath, dependency.Name, dependency.Version!, analysisResult.UpdatedVersion, isTransitive: dependency.IsTransitive);
+                    // TODO: need to report if anything was actually updated
+                    if (updateResult.Error is null)
+                    {
+                        if (dependencyLocation != dependencyFilePath)
+                        {
+                            updatedDependency.Requirements.All(r => r.File == dependencyFilePath);
                         }
+
+                        actualUpdatedDependencies.Add(updatedDependency);
                     }
                 }
             }
+        }
 
-            // create PR - we need to manually check file contents; we can't easily use `git status` in tests
-            var updatedDependencyFiles = new Dictionary<string, DependencyFile>();
-            async Task AddUpdatedFileIfDifferentAsync(string directory, string fileName)
+        // create PR - we need to manually check file contents; we can't easily use `git status` in tests
+        var updatedDependencyFiles = new Dictionary<string, DependencyFile>();
+        async Task AddUpdatedFileIfDifferentAsync(string directory, string fileName)
+        {
+            var repoFullPath = Path.Join(directory, fileName).FullyNormalizedRootedPath();
+            var localFullPath = Path.GetFullPath(Path.Join(repoContentsPath.FullName, repoFullPath));
+            var originalContent = originalDependencyFileContents[repoFullPath];
+            var updatedContent = await File.ReadAllTextAsync(localFullPath);
+            if (updatedContent != originalContent)
             {
-                var repoFullPath = Path.Join(directory, fileName).FullyNormalizedRootedPath();
-                var localFullPath = Path.GetFullPath(Path.Join(repoContentsPath.FullName, repoFullPath));
-                var originalContent = originalDependencyFileContents[repoFullPath];
-                var updatedContent = await File.ReadAllTextAsync(localFullPath);
-                if (updatedContent != originalContent)
+                updatedDependencyFiles[localFullPath] = new DependencyFile()
                 {
-                    updatedDependencyFiles[localFullPath] = new DependencyFile()
-                    {
-                        Name = Path.GetFileName(repoFullPath),
-                        Directory = Path.GetDirectoryName(repoFullPath)!.NormalizePathToUnix(),
-                        Content = updatedContent,
-                    };
-                }
+                    Name = Path.GetFileName(repoFullPath),
+                    Directory = Path.GetDirectoryName(repoFullPath)!.NormalizePathToUnix(),
+                    Content = updatedContent,
+                };
             }
+        }
 
-            foreach (var project in discoveryResult.Projects)
+        foreach (var project in discoveryResult.Projects)
+        {
+            await AddUpdatedFileIfDifferentAsync(discoveryResult.Path, project.FilePath);
+            var projectDirectory = Path.GetDirectoryName(project.FilePath);
+            foreach (var extraFile in project.ImportedFiles.Concat(project.AdditionalFiles))
             {
-                await AddUpdatedFileIfDifferentAsync(discoveryResult.Path, project.FilePath);
-                var projectDirectory = Path.GetDirectoryName(project.FilePath);
-                foreach (var extraFile in project.ImportedFiles.Concat(project.AdditionalFiles))
-                {
-                    var extraFilePath = Path.Join(projectDirectory, extraFile);
-                    await AddUpdatedFileIfDifferentAsync(discoveryResult.Path, extraFilePath);
-                }
-                // TODO: handle global.json, etc.
+                var extraFilePath = Path.Join(projectDirectory, extraFile);
+                await AddUpdatedFileIfDifferentAsync(discoveryResult.Path, extraFilePath);
             }
+            // TODO: handle global.json, etc.
+        }
 
-            if (updatedDependencyFiles.Count > 0)
-            {
-                var updatedDependencyFileList = updatedDependencyFiles
-                    .OrderBy(kvp => kvp.Key)
-                    .Select(kvp => kvp.Value)
-                    .ToArray();
-                var createPullRequest = new CreatePullRequest()
-                {
-                    Dependencies = actualUpdatedDependencies.ToArray(),
-                    UpdatedDependencyFiles = updatedDependencyFileList,
-                    BaseCommitSha = baseCommitSha,
-                    CommitMessage = "TODO: message",
-                    PrTitle = "TODO: title",
-                    PrBody = "TODO: body",
-                };
-                await _apiHandler.CreatePullRequest(createPullRequest);
-                // TODO: log updated dependencies to console
-            }
-            else
+        if (updatedDependencyFiles.Count > 0)
+        {
+            var updatedDependencyFileList = updatedDependencyFiles
+                .OrderBy(kvp => kvp.Key)
+                .Select(kvp => kvp.Value)
+                .ToArray();
+            var createPullRequest = new CreatePullRequest()
             {
-                // TODO: log or throw if nothing was updated, but was expected to be
-            }
+                Dependencies = actualUpdatedDependencies.ToArray(),
+                UpdatedDependencyFiles = updatedDependencyFileList,
+                BaseCommitSha = baseCommitSha,
+                CommitMessage = "TODO: message",
+                PrTitle = "TODO: title",
+                PrBody = "TODO: body",
+            };
+            await _apiHandler.CreatePullRequest(createPullRequest);
+            // TODO: log updated dependencies to console
         }
         else
         {
-            // TODO: throw if no updates performed
+            // TODO: log or throw if nothing was updated, but was expected to be
         }
 
         var result = new RunResult()
@@ -295,6 +275,62 @@ public class RunWorker
         return result;
     }
 
+    internal static bool IsUpdateAllowed(Job job, Dependency dependency)
+    {
+        if (dependency.Name.Equals("Microsoft.NET.Sdk", StringComparison.OrdinalIgnoreCase))
+        {
+            // this can't be updated
+            // TODO: pull this out of discovery?
+            return false;
+        }
+
+        if (dependency.Version is null)
+        {
+            // if we don't know the version, there's nothing we can do
+            // TODO: pull this out of discovery?
+            return false;
+        }
+
+        var version = NuGetVersion.Parse(dependency.Version);
+        var dependencyInfo = GetDependencyInfo(job, dependency);
+        var isVulnerable = dependencyInfo.Vulnerabilities.Any(v => v.IsVulnerable(version));
+        var allowed = job.AllowedUpdates.Any(allowedUpdate =>
+        {
+            // check name restriction, if any
+            if (allowedUpdate.DependencyName is not null)
+            {
+                var matcher = new Matcher(StringComparison.OrdinalIgnoreCase)
+                    .AddInclude(allowedUpdate.DependencyName);
+                var result = matcher.Match(dependency.Name);
+                if (!result.HasMatches)
+                {
+                    return false;
+                }
+            }
+
+            var isSecurityUpdate = allowedUpdate.UpdateType == UpdateType.Security || job.SecurityUpdatesOnly;
+            if (isSecurityUpdate)
+            {
+                // only update if it's vulnerable
+                return isVulnerable;
+            }
+            else
+            {
+                // not a security update, so only update if...
+                // ...we've been explicitly asked to update this
+                if ((job.Dependencies ?? []).Any(d => d.Equals(dependency.Name, StringComparison.OrdinalIgnoreCase)))
+                {
+                    return true;
+                }
+
+                // ...no specific update being performed, do it if it's not transitive
+                return !dependency.IsTransitive;
+            }
+        });
+
+        return allowed;
+    }
+
     internal static ImmutableArray<Requirement> GetIgnoredRequirementsForDependency(Job job, string dependencyName)
     {
         var ignoreConditions = job.IgnoreConditions
@@ -314,6 +350,30 @@ public class RunWorker
         return ignoredVersions;
     }
 
+    internal static DependencyInfo GetDependencyInfo(Job job, Dependency dependency)
+    {
+        var dependencyVersion = NuGetVersion.Parse(dependency.Version!);
+        var securityAdvisories = job.SecurityAdvisories.Where(s => s.DependencyName.Equals(dependency.Name, StringComparison.OrdinalIgnoreCase)).ToArray();
+        var isVulnerable = securityAdvisories.Any(s => (s.AffectedVersions ?? []).Any(v => v.IsSatisfiedBy(dependencyVersion)));
+        var ignoredVersions = GetIgnoredRequirementsForDependency(job, dependency.Name);
+        var vulnerabilities = securityAdvisories.Select(s => new SecurityVulnerability()
+        {
+            DependencyName = dependency.Name,
+            PackageManager = "nuget",
+            VulnerableVersions = s.AffectedVersions ?? [],
+            SafeVersions = s.SafeVersions.ToImmutableArray(),
+        }).ToImmutableArray();
+        var dependencyInfo = new DependencyInfo()
+        {
+            Name = dependency.Name,
+            Version = dependencyVersion.ToString(),
+            IsVulnerable = isVulnerable,
+            IgnoredVersions = ignoredVersions,
+            Vulnerabilities = vulnerabilities,
+        };
+        return dependencyInfo;
+    }
+
     internal static UpdatedDependencyList GetUpdatedDependencyListFromDiscovery(WorkspaceDiscoveryResult discoveryResult, string pathToContents)
     {
         string GetFullRepoPath(string path)
@@ -357,7 +417,7 @@ public class RunWorker
                     new ReportedDependency()
                     {
                         Name = d.Name,
-                        Requirements = d.IsTransitive ? [] : [new ReportedRequirement()
+                        Requirements = [new ReportedRequirement()
                         {
                             File = GetFullRepoPath(p.FilePath),
                             Requirement = d.Version!,

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Updater/PackageReferenceUpdater.cs

@@ -347,7 +347,7 @@ internal static class PackageReferenceUpdater
                 projectDirectory,
                 experimentsManager
             );
-            MSBuildHelper.ThrowOnUnauthenticatedFeed(stdout);
+            MSBuildHelper.ThrowOnError(stdout);
             if (exitCode != 0)
             {
                 logger.Warn($"    Transitive dependency [{dependencyName}/{newDependencyVersion}] was not added.\nSTDOUT:\n{stdout}\nSTDERR:\n{stderr}");

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Updater/PackagesConfigUpdater.cs

@@ -148,18 +148,15 @@ internal static partial class PackagesConfigUpdater
 
                     if (exitCodeAgain != 0)
                     {
-                        MSBuildHelper.ThrowOnMissingFile(fullOutput);
-                        MSBuildHelper.ThrowOnMissingFile(restoreOutput);
-                        MSBuildHelper.ThrowOnMissingPackages(restoreOutput);
+                        MSBuildHelper.ThrowOnError(fullOutput);
+                        MSBuildHelper.ThrowOnError(restoreOutput);
                         throw new Exception($"Unable to restore.\nOutput:\n${restoreOutput}\n");
                     }
 
                     goto doRestore;
                 }
 
-                MSBuildHelper.ThrowOnUnauthenticatedFeed(fullOutput);
-                MSBuildHelper.ThrowOnMissingFile(fullOutput);
-                MSBuildHelper.ThrowOnMissingPackages(fullOutput);
+                MSBuildHelper.ThrowOnError(fullOutput);
                 throw new Exception(fullOutput);
             }
         }

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Utilities/MSBuildHelper.cs

@@ -903,21 +903,6 @@ internal static partial class MSBuildHelper
         }
     }
 
-    internal static void ThrowOnUnauthenticatedFeed(string stdout)
-    {
-        var unauthorizedMessageSnippets = new string[]
-        {
-            "The plugin credential provider could not acquire credentials",
-            "401 (Unauthorized)",
-            "error NU1301: Unable to load the service index for source",
-            "Response status code does not indicate success: 403",
-        };
-        if (unauthorizedMessageSnippets.Any(stdout.Contains))
-        {
-            throw new HttpRequestException(message: stdout, inner: null, statusCode: System.Net.HttpStatusCode.Unauthorized);
-        }
-    }
-
     internal static string? GetMissingFile(string output)
     {
         var missingFilePatterns = new[]
@@ -934,7 +919,30 @@ internal static partial class MSBuildHelper
         return null;
     }
 
-    internal static void ThrowOnMissingFile(string output)
+    internal static void ThrowOnError(string output)
+    {
+        ThrowOnUnauthenticatedFeed(output);
+        ThrowOnMissingFile(output);
+        ThrowOnMissingPackages(output);
+        ThrowOnUnresolvableDependencies(output);
+    }
+
+    private static void ThrowOnUnauthenticatedFeed(string stdout)
+    {
+        var unauthorizedMessageSnippets = new string[]
+        {
+            "The plugin credential provider could not acquire credentials",
+            "401 (Unauthorized)",
+            "error NU1301: Unable to load the service index for source",
+            "Response status code does not indicate success: 403",
+        };
+        if (unauthorizedMessageSnippets.Any(stdout.Contains))
+        {
+            throw new HttpRequestException(message: stdout, inner: null, statusCode: System.Net.HttpStatusCode.Unauthorized);
+        }
+    }
+
+    private static void ThrowOnMissingFile(string output)
     {
         var missingFile = GetMissingFile(output);
         if (missingFile is not null)
@@ -943,9 +951,9 @@ internal static partial class MSBuildHelper
         }
     }
 
-    internal static void ThrowOnMissingPackages(string output)
+    private static void ThrowOnMissingPackages(string output)
     {
-        var missingPackagesPattern = new Regex(@"Package '(?<PackageName>[^'].*)' is not found on source");
+        var missingPackagesPattern = new Regex(@"Package '(?<PackageName>[^']*)' is not found on source");
         var matchCollection = missingPackagesPattern.Matches(output);
         var missingPackages = matchCollection.Select(m => m.Groups["PackageName"].Value).Distinct().ToArray();
         if (missingPackages.Length > 0)
@@ -954,6 +962,16 @@ internal static partial class MSBuildHelper
         }
     }
 
+    private static void ThrowOnUnresolvableDependencies(string output)
+    {
+        var unresolvablePackagePattern = new Regex(@"Unable to resolve dependencies\. '(?<PackageName>[^ ]+) (?<PackageVersion>[^']+)'");
+        var match = unresolvablePackagePattern.Match(output);
+        if (match.Success)
+        {
+            throw new UpdateNotPossibleException([$"{match.Groups["PackageName"].Value}.{match.Groups["PackageVersion"].Value}"]);
+        }
+    }
+
     internal static bool TryGetGlobalJsonPath(string repoRootPath, string workspacePath, [NotNullWhen(returnValue: true)] out string? globalJsonPath)
     {
         globalJsonPath = PathHelper.GetFileInDirectoryOrParent(workspacePath, repoRootPath, "global.json", caseSensitive: false);

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core.Test/Analyze/AnalyzeWorkerTests.cs

@@ -478,6 +478,61 @@ public partial class AnalyzeWorkerTests : AnalyzeWorkerTestBase
         );
     }
 
+    [Fact]
+    public async Task SafeVersionsPropertyIsHonored()
+    {
+        await TestAnalyzeAsync(
+            packages:
+            [
+                MockNuGetPackage.CreateSimplePackage("Some.Package", "1.0.0", "net8.0"), // initially this
+                MockNuGetPackage.CreateSimplePackage("Some.Package", "1.1.0", "net8.0"), // should update to this due to `SafeVersions`
+                MockNuGetPackage.CreateSimplePackage("Some.Package", "1.2.0", "net8.0"), // this should not be considered
+            ],
+            discovery: new()
+            {
+                Path = "/",
+                Projects = [
+                    new()
+                    {
+                        FilePath = "./project.csproj",
+                        TargetFrameworks = ["net8.0"],
+                        Dependencies = [
+                            new("Some.Package", "1.0.0", DependencyType.PackageReference),
+                        ],
+                        ReferencedProjectPaths = [],
+                        ImportedFiles = [],
+                        AdditionalFiles = [],
+                    },
+                ],
+            },
+            dependencyInfo: new()
+            {
+                Name = "Some.Package",
+                Version = "1.0.0",
+                IgnoredVersions = [],
+                IsVulnerable = false,
+                Vulnerabilities = [
+                    new()
+                    {
+                        DependencyName = "Some.Package",
+                        PackageManager = "nuget",
+                        VulnerableVersions = [Requirement.Parse(">= 1.0.0, < 1.1.0")],
+                        SafeVersions = [Requirement.Parse("= 1.1.0")]
+                    }
+                ],
+            },
+            expectedResult: new()
+            {
+                UpdatedVersion = "1.1.0",
+                CanUpdate = true,
+                VersionComesFromMultiDependencyProperty = false,
+                UpdatedDependencies = [
+                    new("Some.Package", "1.1.0", DependencyType.Unknown, TargetFrameworks: ["net8.0"]),
+                ],
+            }
+        );
+    }
+
     [Fact]
     public async Task VersionFinderCanHandle404FromPackageSource_V2()
     {