dependabot-nuget 0.294.0 → 0.296.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 97e76c69b2fed1672ebe1e9b3b890e8f445139f26729895c72a196d49cd43d63
-  data.tar.gz: 10ef8cb4d30c84e9e8f51fdc5bf4f529b451936ad8a34e905e69fbaa0b813cac
+  metadata.gz: 22109eb4de3c3d7317682ad493e6162a7af4328e07751a27c8dbb48978597ef3
+  data.tar.gz: 9a8afdc613b3313c7e08ac3967c4abd311a6eb66a662022677bed40229e52d3b
 SHA512:
-  metadata.gz: 73cdefd4ef762621a7142a040a747011ee4a390635379ee311deccaf6664062834a8e809b6203816e81f8ebb24ed10f68d04975e9bcde40e5ffd2d3720779c68
-  data.tar.gz: a8cde74fdb1b400ced101cac7132bb32c8dc6b3d36ff6c249908e33e9e8c719e63999c02982ba2bf7704b18007be0daac14dcdd6c39ba74c4a8c38ccad2ae11e
+  metadata.gz: fe8805919ec14b5bf6385d4bb4ff3a1dc00137fc08c1e002d8c3db0600c4e5c2e8e86319d3e40fe4c608d29229834c3c741fa8a262b3e8d9f9c8e21755cf9029
+  data.tar.gz: d0b247df044695e253e08ed9cabbdea0341ff9234ca601c61fc48d2f13ac138ffce51683ebf45ed37478190750a791bacbc3308ab0a69e3cff70e61cffb8576a

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Discover/DiscoveryWorker.cs

@@ -262,7 +262,8 @@ public partial class DiscoveryWorker : IDiscoveryWorker
             }
         }
 
-        return expandedProjects.ToImmutableArray();
+        var result = expandedProjects.OrderBy(p => p).ToImmutableArray();
+        return result;
     }
 
     private static IEnumerable<string> ExpandItemGroupFilesFromProject(string projectPath, params string[] itemTypes)

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Discover/SdkProjectDiscovery.cs

@@ -114,7 +114,7 @@ internal static class SdkProjectDiscovery
                     var (exitCode, stdOut, stdErr) = await ProcessEx.RunDotnetWithoutMSBuildEnvironmentVariablesAsync(args, startingProjectDirectory, experimentsManager);
                     return (exitCode, stdOut, stdErr);
                 }, logger, retainMSBuildSdks: true);
-                MSBuildHelper.ThrowOnUnauthenticatedFeed(stdOut);
+                MSBuildHelper.ThrowOnError(stdOut);
                 if (stdOut.Contains("""error MSB4057: The target "GenerateBuildDependencyFile" does not exist in the project."""))
                 {
                     // this can happen if it's a non-SDK-style project; totally normal, not worth examining the binlog

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/ExperimentsManager.cs

@@ -62,9 +62,13 @@ public record ExperimentsManager
             return false;
         }
 
-        if (experiments.TryGetValue(experimentName, out var value))
+        // prefer experiments named with underscores, but hyphens are also allowed as an alternate
+        object? experimentValue;
+        var experimentNameAlternate = experimentName.Replace("_", "-");
+        if (experiments.TryGetValue(experimentName, out experimentValue) ||
+            experiments.TryGetValue(experimentNameAlternate, out experimentValue))
         {
-            if ((value?.ToString() ?? "").Equals("true", StringComparison.OrdinalIgnoreCase))
+            if ((experimentValue?.ToString() ?? "").Equals("true", StringComparison.OrdinalIgnoreCase))
             {
                 return true;
             }

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Run/RunWorker.cs

@@ -4,6 +4,8 @@ using System.Text;
 using System.Text.Json;
 using System.Text.Json.Serialization;
 
+using Microsoft.Extensions.FileSystemGlobbing;
+
 using NuGet.Versioning;
 
 using NuGetUpdater.Core.Analyze;
@@ -115,161 +117,145 @@ public class RunWorker
         await _apiHandler.UpdateDependencyList(discoveredUpdatedDependencies);
 
         // TODO: pull out relevant dependencies, then check each for updates and track the changes
-        // TODO: for each top-level dependency, _or_ specific dependency (if security, use transitive)
         var originalDependencyFileContents = new Dictionary<string, string>();
         var actualUpdatedDependencies = new List<ReportedDependency>();
-        if (job.AllowedUpdates.Any(a => a.UpdateType == UpdateType.All))
+        await _apiHandler.IncrementMetric(new()
         {
-            await _apiHandler.IncrementMetric(new()
-            {
-                Metric = "updater.started",
-                Tags = { ["operation"] = "group_update_all_versions" },
-            });
+            Metric = "updater.started",
+            Tags = { ["operation"] = "group_update_all_versions" },
+        });
+
+        // track original contents for later handling
+        async Task TrackOriginalContentsAsync(string directory, string fileName)
+        {
+            var repoFullPath = Path.Join(directory, fileName).FullyNormalizedRootedPath();
+            var localFullPath = Path.Join(repoContentsPath.FullName, repoFullPath);
+            var content = await File.ReadAllTextAsync(localFullPath);
+            originalDependencyFileContents[repoFullPath] = content;
+        }
 
-            // track original contents for later handling
-            async Task TrackOriginalContentsAsync(string directory, string fileName)
+        foreach (var project in discoveryResult.Projects)
+        {
+            var projectDirectory = Path.GetDirectoryName(project.FilePath);
+            await TrackOriginalContentsAsync(discoveryResult.Path, project.FilePath);
+            foreach (var extraFile in project.ImportedFiles.Concat(project.AdditionalFiles))
             {
-                var repoFullPath = Path.Join(directory, fileName).FullyNormalizedRootedPath();
-                var localFullPath = Path.Join(repoContentsPath.FullName, repoFullPath);
-                var content = await File.ReadAllTextAsync(localFullPath);
-                originalDependencyFileContents[repoFullPath] = content;
+                var extraFilePath = Path.Join(projectDirectory, extraFile);
+                await TrackOriginalContentsAsync(discoveryResult.Path, extraFilePath);
             }
+            // TODO: include global.json, etc.
+        }
 
-            foreach (var project in discoveryResult.Projects)
+        // do update
+        _logger.Info($"Running update in directory {repoDirectory}");
+        foreach (var project in discoveryResult.Projects)
+        {
+            foreach (var dependency in project.Dependencies)
             {
-                var projectDirectory = Path.GetDirectoryName(project.FilePath);
-                await TrackOriginalContentsAsync(discoveryResult.Path, project.FilePath);
-                foreach (var extraFile in project.ImportedFiles.Concat(project.AdditionalFiles))
+                if (!IsUpdateAllowed(job, dependency))
                 {
-                    var extraFilePath = Path.Join(projectDirectory, extraFile);
-                    await TrackOriginalContentsAsync(discoveryResult.Path, extraFilePath);
+                    continue;
                 }
-                // TODO: include global.json, etc.
-            }
 
-            // do update
-            _logger.Info($"Running update in directory {repoDirectory}");
-            foreach (var project in discoveryResult.Projects)
-            {
-                foreach (var dependency in project.Dependencies.Where(d => !d.IsTransitive))
+                var dependencyInfo = GetDependencyInfo(job, dependency);
+                var analysisResult = await _analyzeWorker.RunAsync(repoContentsPath.FullName, discoveryResult, dependencyInfo);
+                // TODO: log analysisResult
+                if (analysisResult.CanUpdate)
                 {
-                    if (dependency.Name == "Microsoft.NET.Sdk")
-                    {
-                        // this can't be updated
-                        // TODO: pull this out of discovery?
-                        continue;
-                    }
-
-                    if (dependency.Version is null)
-                    {
-                        // if we don't know the version, there's nothing we can do
-                        continue;
-                    }
+                    var dependencyLocation = Path.Join(discoveryResult.Path, project.FilePath).FullyNormalizedRootedPath();
 
-                    var dependencyInfo = GetDependencyInfo(job, dependency);
-                    var analysisResult = await _analyzeWorker.RunAsync(repoContentsPath.FullName, discoveryResult, dependencyInfo);
-                    // TODO: log analysisResult
-                    if (analysisResult.CanUpdate)
+                    // TODO: this is inefficient, but not likely causing a bottleneck
+                    var previousDependency = discoveredUpdatedDependencies.Dependencies
+                        .Single(d => d.Name == dependency.Name && d.Requirements.Single().File == dependencyLocation);
+                    var updatedDependency = new ReportedDependency()
                     {
-                        var dependencyLocation = Path.Join(discoveryResult.Path, project.FilePath).FullyNormalizedRootedPath();
-
-                        // TODO: this is inefficient, but not likely causing a bottleneck
-                        var previousDependency = discoveredUpdatedDependencies.Dependencies
-                            .Single(d => d.Name == dependency.Name && d.Requirements.Single().File == dependencyLocation);
-                        var updatedDependency = new ReportedDependency()
-                        {
-                            Name = dependency.Name,
-                            Version = analysisResult.UpdatedVersion,
-                            Requirements =
-                            [
-                                new ReportedRequirement()
-                                {
-                                    File = dependencyLocation,
-                                    Requirement = analysisResult.UpdatedVersion,
-                                    Groups = previousDependency.Requirements.Single().Groups,
-                                    Source = new RequirementSource()
-                                    {
-                                        SourceUrl = analysisResult.UpdatedDependencies.FirstOrDefault(d => d.Name == dependency.Name)?.InfoUrl,
-                                    },
-                                }
-                            ],
-                            PreviousVersion = dependency.Version,
-                            PreviousRequirements = previousDependency.Requirements,
-                        };
-
-                        var dependencyFilePath = Path.Join(discoveryResult.Path, project.FilePath).FullyNormalizedRootedPath();
-                        var updateResult = await _updaterWorker.RunAsync(repoContentsPath.FullName, dependencyFilePath, dependency.Name, dependency.Version!, analysisResult.UpdatedVersion, isTransitive: false);
-                        // TODO: need to report if anything was actually updated
-                        if (updateResult.Error is null)
-                        {
-                            if (dependencyLocation != dependencyFilePath)
+                        Name = dependency.Name,
+                        Version = analysisResult.UpdatedVersion,
+                        Requirements =
+                        [
+                            new ReportedRequirement()
                             {
-                                updatedDependency.Requirements.All(r => r.File == dependencyFilePath);
+                                File = dependencyLocation,
+                                Requirement = analysisResult.UpdatedVersion,
+                                Groups = previousDependency.Requirements.Single().Groups,
+                                Source = new RequirementSource()
+                                {
+                                    SourceUrl = analysisResult.UpdatedDependencies.FirstOrDefault(d => d.Name == dependency.Name)?.InfoUrl,
+                                },
                             }
+                        ],
+                        PreviousVersion = dependency.Version,
+                        PreviousRequirements = previousDependency.Requirements,
+                    };
 
-                            actualUpdatedDependencies.Add(updatedDependency);
+                    var dependencyFilePath = Path.Join(discoveryResult.Path, project.FilePath).FullyNormalizedRootedPath();
+                    var updateResult = await _updaterWorker.RunAsync(repoContentsPath.FullName, dependencyFilePath, dependency.Name, dependency.Version!, analysisResult.UpdatedVersion, isTransitive: dependency.IsTransitive);
+                    // TODO: need to report if anything was actually updated
+                    if (updateResult.Error is null)
+                    {
+                        if (dependencyLocation != dependencyFilePath)
+                        {
+                            updatedDependency.Requirements.All(r => r.File == dependencyFilePath);
                         }
+
+                        actualUpdatedDependencies.Add(updatedDependency);
                     }
                 }
             }
+        }
 
-            // create PR - we need to manually check file contents; we can't easily use `git status` in tests
-            var updatedDependencyFiles = new Dictionary<string, DependencyFile>();
-            async Task AddUpdatedFileIfDifferentAsync(string directory, string fileName)
+        // create PR - we need to manually check file contents; we can't easily use `git status` in tests
+        var updatedDependencyFiles = new Dictionary<string, DependencyFile>();
+        async Task AddUpdatedFileIfDifferentAsync(string directory, string fileName)
+        {
+            var repoFullPath = Path.Join(directory, fileName).FullyNormalizedRootedPath();
+            var localFullPath = Path.GetFullPath(Path.Join(repoContentsPath.FullName, repoFullPath));
+            var originalContent = originalDependencyFileContents[repoFullPath];
+            var updatedContent = await File.ReadAllTextAsync(localFullPath);
+            if (updatedContent != originalContent)
             {
-                var repoFullPath = Path.Join(directory, fileName).FullyNormalizedRootedPath();
-                var localFullPath = Path.GetFullPath(Path.Join(repoContentsPath.FullName, repoFullPath));
-                var originalContent = originalDependencyFileContents[repoFullPath];
-                var updatedContent = await File.ReadAllTextAsync(localFullPath);
-                if (updatedContent != originalContent)
+                updatedDependencyFiles[localFullPath] = new DependencyFile()
                 {
-                    updatedDependencyFiles[localFullPath] = new DependencyFile()
-                    {
-                        Name = Path.GetFileName(repoFullPath),
-                        Directory = Path.GetDirectoryName(repoFullPath)!.NormalizePathToUnix(),
-                        Content = updatedContent,
-                    };
-                }
+                    Name = Path.GetFileName(repoFullPath),
+                    Directory = Path.GetDirectoryName(repoFullPath)!.NormalizePathToUnix(),
+                    Content = updatedContent,
+                };
             }
+        }
 
-            foreach (var project in discoveryResult.Projects)
+        foreach (var project in discoveryResult.Projects)
+        {
+            await AddUpdatedFileIfDifferentAsync(discoveryResult.Path, project.FilePath);
+            var projectDirectory = Path.GetDirectoryName(project.FilePath);
+            foreach (var extraFile in project.ImportedFiles.Concat(project.AdditionalFiles))
             {
-                await AddUpdatedFileIfDifferentAsync(discoveryResult.Path, project.FilePath);
-                var projectDirectory = Path.GetDirectoryName(project.FilePath);
-                foreach (var extraFile in project.ImportedFiles.Concat(project.AdditionalFiles))
-                {
-                    var extraFilePath = Path.Join(projectDirectory, extraFile);
-                    await AddUpdatedFileIfDifferentAsync(discoveryResult.Path, extraFilePath);
-                }
-                // TODO: handle global.json, etc.
+                var extraFilePath = Path.Join(projectDirectory, extraFile);
+                await AddUpdatedFileIfDifferentAsync(discoveryResult.Path, extraFilePath);
             }
+            // TODO: handle global.json, etc.
+        }
 
-            if (updatedDependencyFiles.Count > 0)
-            {
-                var updatedDependencyFileList = updatedDependencyFiles
-                    .OrderBy(kvp => kvp.Key)
-                    .Select(kvp => kvp.Value)
-                    .ToArray();
-                var createPullRequest = new CreatePullRequest()
-                {
-                    Dependencies = actualUpdatedDependencies.ToArray(),
-                    UpdatedDependencyFiles = updatedDependencyFileList,
-                    BaseCommitSha = baseCommitSha,
-                    CommitMessage = "TODO: message",
-                    PrTitle = "TODO: title",
-                    PrBody = "TODO: body",
-                };
-                await _apiHandler.CreatePullRequest(createPullRequest);
-                // TODO: log updated dependencies to console
-            }
-            else
+        if (updatedDependencyFiles.Count > 0)
+        {
+            var updatedDependencyFileList = updatedDependencyFiles
+                .OrderBy(kvp => kvp.Key)
+                .Select(kvp => kvp.Value)
+                .ToArray();
+            var createPullRequest = new CreatePullRequest()
             {
-                // TODO: log or throw if nothing was updated, but was expected to be
-            }
+                Dependencies = actualUpdatedDependencies.ToArray(),
+                UpdatedDependencyFiles = updatedDependencyFileList,
+                BaseCommitSha = baseCommitSha,
+                CommitMessage = "TODO: message",
+                PrTitle = "TODO: title",
+                PrBody = "TODO: body",
+            };
+            await _apiHandler.CreatePullRequest(createPullRequest);
+            // TODO: log updated dependencies to console
         }
         else
         {
-            // TODO: throw if no updates performed
+            // TODO: log or throw if nothing was updated, but was expected to be
         }
 
         var result = new RunResult()
@@ -289,6 +275,62 @@ public class RunWorker
         return result;
     }
 
+    internal static bool IsUpdateAllowed(Job job, Dependency dependency)
+    {
+        if (dependency.Name.Equals("Microsoft.NET.Sdk", StringComparison.OrdinalIgnoreCase))
+        {
+            // this can't be updated
+            // TODO: pull this out of discovery?
+            return false;
+        }
+
+        if (dependency.Version is null)
+        {
+            // if we don't know the version, there's nothing we can do
+            // TODO: pull this out of discovery?
+            return false;
+        }
+
+        var version = NuGetVersion.Parse(dependency.Version);
+        var dependencyInfo = GetDependencyInfo(job, dependency);
+        var isVulnerable = dependencyInfo.Vulnerabilities.Any(v => v.IsVulnerable(version));
+        var allowed = job.AllowedUpdates.Any(allowedUpdate =>
+        {
+            // check name restriction, if any
+            if (allowedUpdate.DependencyName is not null)
+            {
+                var matcher = new Matcher(StringComparison.OrdinalIgnoreCase)
+                    .AddInclude(allowedUpdate.DependencyName);
+                var result = matcher.Match(dependency.Name);
+                if (!result.HasMatches)
+                {
+                    return false;
+                }
+            }
+
+            var isSecurityUpdate = allowedUpdate.UpdateType == UpdateType.Security || job.SecurityUpdatesOnly;
+            if (isSecurityUpdate)
+            {
+                // only update if it's vulnerable
+                return isVulnerable;
+            }
+            else
+            {
+                // not a security update, so only update if...
+                // ...we've been explicitly asked to update this
+                if ((job.Dependencies ?? []).Any(d => d.Equals(dependency.Name, StringComparison.OrdinalIgnoreCase)))
+                {
+                    return true;
+                }
+
+                // ...no specific update being performed, do it if it's not transitive
+                return !dependency.IsTransitive;
+            }
+        });
+
+        return allowed;
+    }
+
     internal static ImmutableArray<Requirement> GetIgnoredRequirementsForDependency(Job job, string dependencyName)
     {
         var ignoreConditions = job.IgnoreConditions
@@ -375,7 +417,7 @@ public class RunWorker
                     new ReportedDependency()
                     {
                         Name = d.Name,
-                        Requirements = d.IsTransitive ? [] : [new ReportedRequirement()
+                        Requirements = [new ReportedRequirement()
                         {
                             File = GetFullRepoPath(p.FilePath),
                             Requirement = d.Version!,

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Updater/PackageReferenceUpdater.cs

@@ -347,7 +347,7 @@ internal static class PackageReferenceUpdater
                 projectDirectory,
                 experimentsManager
             );
-            MSBuildHelper.ThrowOnUnauthenticatedFeed(stdout);
+            MSBuildHelper.ThrowOnError(stdout);
             if (exitCode != 0)
             {
                 logger.Warn($"    Transitive dependency [{dependencyName}/{newDependencyVersion}] was not added.\nSTDOUT:\n{stdout}\nSTDERR:\n{stderr}");

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Updater/PackagesConfigUpdater.cs

@@ -148,18 +148,15 @@ internal static partial class PackagesConfigUpdater
 
                     if (exitCodeAgain != 0)
                     {
-                        MSBuildHelper.ThrowOnMissingFile(fullOutput);
-                        MSBuildHelper.ThrowOnMissingFile(restoreOutput);
-                        MSBuildHelper.ThrowOnMissingPackages(restoreOutput);
+                        MSBuildHelper.ThrowOnError(fullOutput);
+                        MSBuildHelper.ThrowOnError(restoreOutput);
                         throw new Exception($"Unable to restore.\nOutput:\n${restoreOutput}\n");
                     }
 
                     goto doRestore;
                 }
 
-                MSBuildHelper.ThrowOnUnauthenticatedFeed(fullOutput);
-                MSBuildHelper.ThrowOnMissingFile(fullOutput);
-                MSBuildHelper.ThrowOnMissingPackages(fullOutput);
+                MSBuildHelper.ThrowOnError(fullOutput);
                 throw new Exception(fullOutput);
             }
         }

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Utilities/MSBuildHelper.cs

@@ -903,21 +903,6 @@ internal static partial class MSBuildHelper
         }
     }
 
-    internal static void ThrowOnUnauthenticatedFeed(string stdout)
-    {
-        var unauthorizedMessageSnippets = new string[]
-        {
-            "The plugin credential provider could not acquire credentials",
-            "401 (Unauthorized)",
-            "error NU1301: Unable to load the service index for source",
-            "Response status code does not indicate success: 403",
-        };
-        if (unauthorizedMessageSnippets.Any(stdout.Contains))
-        {
-            throw new HttpRequestException(message: stdout, inner: null, statusCode: System.Net.HttpStatusCode.Unauthorized);
-        }
-    }
-
     internal static string? GetMissingFile(string output)
     {
         var missingFilePatterns = new[]
@@ -934,7 +919,30 @@ internal static partial class MSBuildHelper
         return null;
     }
 
-    internal static void ThrowOnMissingFile(string output)
+    internal static void ThrowOnError(string output)
+    {
+        ThrowOnUnauthenticatedFeed(output);
+        ThrowOnMissingFile(output);
+        ThrowOnMissingPackages(output);
+        ThrowOnUpdateNotPossible(output);
+    }
+
+    private static void ThrowOnUnauthenticatedFeed(string stdout)
+    {
+        var unauthorizedMessageSnippets = new string[]
+        {
+            "The plugin credential provider could not acquire credentials",
+            "401 (Unauthorized)",
+            "error NU1301: Unable to load the service index for source",
+            "Response status code does not indicate success: 403",
+        };
+        if (unauthorizedMessageSnippets.Any(stdout.Contains))
+        {
+            throw new HttpRequestException(message: stdout, inner: null, statusCode: System.Net.HttpStatusCode.Unauthorized);
+        }
+    }
+
+    private static void ThrowOnMissingFile(string output)
     {
         var missingFile = GetMissingFile(output);
         if (missingFile is not null)
@@ -943,9 +951,9 @@ internal static partial class MSBuildHelper
         }
     }
 
-    internal static void ThrowOnMissingPackages(string output)
+    private static void ThrowOnMissingPackages(string output)
     {
-        var missingPackagesPattern = new Regex(@"Package '(?<PackageName>[^'].*)' is not found on source");
+        var missingPackagesPattern = new Regex(@"Package '(?<PackageName>[^']*)' is not found on source");
         var matchCollection = missingPackagesPattern.Matches(output);
         var missingPackages = matchCollection.Select(m => m.Groups["PackageName"].Value).Distinct().ToArray();
         if (missingPackages.Length > 0)
@@ -954,6 +962,23 @@ internal static partial class MSBuildHelper
         }
     }
 
+    private static void ThrowOnUpdateNotPossible(string output)
+    {
+        var patterns = new[]
+        {
+            new Regex(@"Unable to resolve dependencies\. '(?<PackageName>[^ ]+) (?<PackageVersion>[^']+)'"),
+            new Regex(@"Could not install package '(?<PackageName>[^ ]+) (?<PackageVersion>[^']+)'. You are trying to install this package"),
+            new Regex(@"Unable to find a version of '[^']+' that is compatible with '[^ ]+ [^ ]+ constraint: (?<PackageName>[^ ]+) \([^ ]+ (?<PackageVersion>[^)]+)\)'"),
+            new Regex(@"the following error\(s\) may be blocking the current package operation: '(?<PackageName>[^ ]+) (?<PackageVersion>[^ ]+) constraint:"),
+        };
+        var matches = patterns.Select(p => p.Match(output)).Where(m => m.Success);
+        if (matches.Any())
+        {
+            var packages = matches.Select(m => $"{m.Groups["PackageName"].Value}.{m.Groups["PackageVersion"].Value}").Distinct().ToArray();
+            throw new UpdateNotPossibleException(packages);
+        }
+    }
+
     internal static bool TryGetGlobalJsonPath(string repoRootPath, string workspacePath, [NotNullWhen(returnValue: true)] out string? globalJsonPath)
     {
         globalJsonPath = PathHelper.GetFileInDirectoryOrParent(workspacePath, repoRootPath, "global.json", caseSensitive: false);