dependabot-nuget 0.323.0 → 0.325.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 26ba648681c32dbfe7954c99639f36e5821f0560fc4f635909948679d3a6f096
-  data.tar.gz: b60ee9bb959e0fd7f28cee03715ae92e44c95628ced1c0995031cc251cdf2248
+  metadata.gz: 0b306b27d54f03765dcb2aa3f7aa3a88d1d09e01c1cc38fbc7722753d83eeece
+  data.tar.gz: 0db65a955c849ec34d031dc2f27898e882b716e6ce461d6d6f5c7725d4670780
 SHA512:
-  metadata.gz: eb9f9dad2d2371cce1b482afcf3178ba465617e76dc1c616a5c7345b7c91717def61586f55aeb05afc04979c866f172ec5e82e64cc1de2722754d5301f6ce0bd
-  data.tar.gz: aaa8de59bd6a7741139c095f62527bdb64d76e23e64f1ab224ef8548d9847e72edf34e1dd6089ec7a0042798bcc1e51f63deb05b065267c96f4678aca6bdf8ab
+  metadata.gz: afa5e201c2798ff883e23e2d2473d137feb058d6e3b0f7f2c04f30f4ec5adc7ec8113510dd27839a8be81e7805cd4222734871ba98db1361c522f0cd42aac960
+  data.tar.gz: 2e8023ea7b48ede332ad91b2e94531e27bf5a64c6a5f3387a74eef9c83b5f161613b3eb78cc7d2c46145cf7666d62b17184e5d07096b7f5c66c425b97b96e295

data/helpers/lib/NuGetUpdater/NuGetUpdater.Cli/Program.cs

@@ -19,10 +19,6 @@ internal sealed class Program
         var command = new RootCommand
         {
             CloneCommand.GetCommand(setExitCode),
-            FrameworkCheckCommand.GetCommand(setExitCode),
-            DiscoverCommand.GetCommand(setExitCode),
-            AnalyzeCommand.GetCommand(setExitCode),
-            UpdateCommand.GetCommand(setExitCode),
             RunCommand.GetCommand(setExitCode),
         };
         command.TreatUnmatchedTokensAsErrors = true;

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Analyze/AnalyzeWorker.cs

@@ -143,7 +143,6 @@ public partial class AnalyzeWorker : IAnalyzeWorker
                     dependenciesToUpdate,
                     updatedVersion,
                     nugetContext,
-                    _experimentsManager,
                     _logger,
                     CancellationToken.None);
             }
@@ -238,6 +237,7 @@ public partial class AnalyzeWorker : IAnalyzeWorker
         var versionResult = await VersionFinder.GetVersionsAsync(
             projectFrameworks,
             dependencyInfo,
+            DateTimeOffset.UtcNow,
             nugetContext,
             logger,
             cancellationToken);
@@ -253,34 +253,6 @@ public partial class AnalyzeWorker : IAnalyzeWorker
             cancellationToken);
     }
 
-    internal static async Task<NuGetVersion?> FindUpdatedVersionAsync(
-        ImmutableHashSet<string> packageIds,
-        ImmutableArray<NuGetFramework> projectFrameworks,
-        NuGetVersion version,
-        bool findLowestVersion,
-        NuGetContext nugetContext,
-        ILogger logger,
-        CancellationToken cancellationToken)
-    {
-        var versionResult = await VersionFinder.GetVersionsAsync(
-            projectFrameworks,
-            packageIds.First(),
-            version,
-            nugetContext,
-            logger,
-            cancellationToken);
-
-        return await FindUpdatedVersionAsync(
-            packageIds,
-            version.ToNormalizedString(),
-            versionResult,
-            projectFrameworks,
-            findLowestVersion,
-            nugetContext,
-            logger,
-            cancellationToken);
-    }
-
     internal static async Task<NuGetVersion?> FindUpdatedVersionAsync(
         ImmutableHashSet<string> packageIds,
         string versionString,
@@ -397,7 +369,6 @@ public partial class AnalyzeWorker : IAnalyzeWorker
         ImmutableHashSet<string> packageIds,
         NuGetVersion updatedVersion,
         NuGetContext nugetContext,
-        ExperimentsManager experimentsManager,
         ILogger logger,
         CancellationToken cancellationToken)
     {
@@ -438,7 +409,6 @@ public partial class AnalyzeWorker : IAnalyzeWorker
             packageIds,
             updatedVersion,
             nugetContext,
-            experimentsManager,
             logger,
             cancellationToken);
 

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Analyze/DependencyFinder.cs

@@ -1,6 +1,5 @@
 using System.Collections.Immutable;
 
-using NuGet.Frameworks;
 using NuGet.Versioning;
 
 namespace NuGetUpdater.Core.Analyze;
@@ -14,7 +13,6 @@ internal static class DependencyFinder
         ImmutableHashSet<string> packageIds,
         NuGetVersion version,
         NuGetContext nugetContext,
-        ExperimentsManager experimentsManager,
         ILogger logger,
         CancellationToken cancellationToken)
     {
@@ -31,7 +29,6 @@ internal static class DependencyFinder
                 projectPath,
                 framework,
                 packages,
-                experimentsManager,
                 logger);
             var updatedDependencies = new List<Dependency>();
             foreach (var dependency in dependencies)

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Analyze/DependencyInfo.cs

@@ -12,4 +12,5 @@ public sealed record DependencyInfo
     public ImmutableArray<Requirement> IgnoredVersions { get; init; }
     public ImmutableArray<SecurityVulnerability> Vulnerabilities { get; init; }
     public ImmutableArray<ConditionUpdateType> IgnoredUpdateTypes { get; init; } = [];
+    public Cooldown? Cooldown { get; init; } = null;
 }

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Analyze/VersionFinder.cs

@@ -16,39 +16,67 @@ namespace NuGetUpdater.Core.Analyze;
 
 internal static class VersionFinder
 {
+    public static Task<VersionResult> GetVersionsByNameAsync(
+        ImmutableArray<NuGetFramework> projectTfms,
+        string dependencyName,
+        NuGetVersion currentVersion,
+        NuGetContext nugetContext,
+        ILogger logger,
+        CancellationToken cancellationToken
+    )
+    {
+        var dependencyInfo = new DependencyInfo()
+        {
+            Name = dependencyName,
+            Version = currentVersion.ToString(),
+            IsVulnerable = false,
+        };
+        return GetVersionsAsync(
+            projectTfms,
+            dependencyInfo,
+            currentVersion,
+            DateTime.UtcNow,
+            nugetContext,
+            logger,
+            cancellationToken
+        );
+    }
+
     public static Task<VersionResult> GetVersionsAsync(
         ImmutableArray<NuGetFramework> projectTfms,
-        string packageId,
+        DependencyInfo dependencyInfo,
         NuGetVersion currentVersion,
+        DateTimeOffset currentTime,
         NuGetContext nugetContext,
         ILogger logger,
         CancellationToken cancellationToken)
     {
         var versionFilter = CreateVersionFilter(currentVersion);
 
-        return GetVersionsAsync(projectTfms, packageId, currentVersion, versionFilter, nugetContext, logger, cancellationToken);
+        return GetVersionsAsync(projectTfms, dependencyInfo, currentVersion, versionFilter, currentTime, nugetContext, logger, cancellationToken);
     }
 
     public static Task<VersionResult> GetVersionsAsync(
         ImmutableArray<NuGetFramework> projectTfms,
         DependencyInfo dependencyInfo,
+        DateTimeOffset currentTime,
         NuGetContext nugetContext,
         ILogger logger,
         CancellationToken cancellationToken)
     {
-        var packageId = dependencyInfo.Name;
         var versionRange = VersionRange.Parse(dependencyInfo.Version);
         var currentVersion = versionRange.MinVersion!;
         var versionFilter = CreateVersionFilter(dependencyInfo, versionRange);
 
-        return GetVersionsAsync(projectTfms, packageId, currentVersion, versionFilter, nugetContext, logger, cancellationToken);
+        return GetVersionsAsync(projectTfms, dependencyInfo, currentVersion, versionFilter, currentTime, nugetContext, logger, cancellationToken);
     }
 
     public static async Task<VersionResult> GetVersionsAsync(
         ImmutableArray<NuGetFramework> projectTfms,
-        string packageId,
+        DependencyInfo dependencyInfo,
         NuGetVersion currentVersion,
         Func<NuGetVersion, bool> versionFilter,
+        DateTimeOffset currentTime,
         NuGetContext nugetContext,
         ILogger logger,
         CancellationToken cancellationToken)
@@ -57,7 +85,7 @@ internal static class VersionFinder
         VersionResult result = new(currentVersion);
 
         var sourceMapping = PackageSourceMapping.GetPackageSourceMapping(nugetContext.Settings);
-        var packageSources = sourceMapping.GetConfiguredPackageSources(packageId).ToHashSet();
+        var packageSources = sourceMapping.GetConfiguredPackageSources(dependencyInfo.Name).ToHashSet();
         var sources = packageSources.Count == 0
             ? nugetContext.PackageSources
             : nugetContext.PackageSources
@@ -67,6 +95,7 @@ internal static class VersionFinder
         foreach (var source in sources)
         {
             MetadataResource? feed = null;
+            PackageMetadataResource? metadataResource = null;
             try
             {
                 var sourceRepository = Repository.Factory.GetCoreV3(source);
@@ -84,9 +113,19 @@ internal static class VersionFinder
                     continue;
                 }
 
+                if (dependencyInfo.Cooldown is not null)
+                {
+                    metadataResource = await sourceRepository.GetResourceAsync<PackageMetadataResource>();
+                    if (metadataResource is null)
+                    {
+                        logger.Warn($"Failed to get {nameof(PackageMetadataResource)} for [{source.Source}]");
+                        continue;
+                    }
+                }
+
                 // a non-compliant v2 API returning 404 can cause this to throw
                 var existsInFeed = await feed.Exists(
-                    packageId,
+                    dependencyInfo.Name,
                     includePrerelease,
                     includeUnlisted: false,
                     nugetContext.SourceCacheContext,
@@ -109,7 +148,7 @@ internal static class VersionFinder
             }
 
             var feedVersions = (await feed.GetVersions(
-                packageId,
+                dependencyInfo.Name,
                 includePrerelease,
                 includeUnlisted: false,
                 nugetContext.SourceCacheContext,
@@ -124,15 +163,30 @@ internal static class VersionFinder
             var versions = feedVersions.Where(versionFilter).ToArray();
             foreach (var version in versions)
             {
+                var packageIdentity = new PackageIdentity(dependencyInfo.Name, version);
+
+                // check tfm
                 var isTfmCompatible = await CompatibilityChecker.CheckAsync(
-                    new PackageIdentity(packageId, version),
+                    packageIdentity,
                     projectTfms,
                     nugetContext,
                     logger,
                     CancellationToken.None);
+
+                // dotnet-tools.json and global.json packages won't specify a TFM, so they're always compatible
                 if (isTfmCompatible || projectTfms.IsEmpty)
                 {
-                    // dotnet-tools.json and global.json packages won't specify a TFM, so they're always compatible
+                    // check date
+                    if (dependencyInfo.Cooldown is not null)
+                    {
+                        var metadata = await metadataResource!.GetMetadataAsync(packageIdentity, nugetContext.SourceCacheContext, NullLogger.Instance, CancellationToken.None);
+                        if (!dependencyInfo.Cooldown.IsVersionUpdateAllowed(currentTime, metadata?.Published, currentVersion, version))
+                        {
+                            logger.Info($"Skipping update of {dependencyInfo.Name} from {currentVersion} to {version} due to cooldown settings.  Package publish date: {metadata?.Published}");
+                            continue;
+                        }
+                    }
+
                     result.Add(source, version);
                 }
             }

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Clone/CloneWorker.cs

@@ -170,7 +170,7 @@ public class CloneWorker
     {
         return job.Source.Provider switch
         {
-            "azure" when !string.IsNullOrWhiteSpace(job.Source.Hostname) => $"https://{job.Source.Hostname}/{job.Source.Repo}",
+            "azure" or "github" when !string.IsNullOrWhiteSpace(job.Source.Hostname) => $"https://{job.Source.Hostname}/{job.Source.Repo}",
             "azure" => $"https://dev.azure.com/{job.Source.Repo}",
             "github" => $"https://github.com/{job.Source.Repo}",
             _ => throw new ArgumentException($"Unknown provider: {job.Source.Provider}")

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/DependencySolver/MSBuildDependencySolver.cs

@@ -1,31 +1,37 @@
 using System.Collections.Immutable;
 
+using NuGetUpdater.Core.Updater.FileWriters;
+
 namespace NuGetUpdater.Core.DependencySolver;
 
 public class MSBuildDependencySolver : IDependencySolver
 {
     private readonly DirectoryInfo _repoContentsPath;
     private readonly FileInfo _projectPath;
-    private readonly ExperimentsManager _experimentsManager;
     private readonly ILogger _logger;
 
-    public MSBuildDependencySolver(DirectoryInfo repoContentsPath, FileInfo projectPath, ExperimentsManager experimentsManager, ILogger logger)
+    public MSBuildDependencySolver(DirectoryInfo repoContentsPath, FileInfo projectPath, ILogger logger)
     {
         _repoContentsPath = repoContentsPath;
         _projectPath = projectPath;
-        _experimentsManager = experimentsManager;
         _logger = logger;
     }
 
     public async Task<ImmutableArray<Dependency>?> SolveAsync(ImmutableArray<Dependency> existingTopLevelDependencies, ImmutableArray<Dependency> desiredDependencies, string targetFramework)
     {
+        var projectExtension = _projectPath.Extension.ToLowerInvariant();
+        if (!XmlFileWriter.SupportedProjectFileExtensions.Contains(projectExtension))
+        {
+            // not a real project, nothing to solve.
+            return null;
+        }
+
         var result = await MSBuildHelper.ResolveDependencyConflicts(
             _repoContentsPath.FullName,
             _projectPath.FullName,
             targetFramework,
             existingTopLevelDependencies,
             desiredDependencies,
-            _experimentsManager,
             _logger);
         return result;
     }

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Discover/DiscoveryWorker.cs

@@ -160,7 +160,7 @@ public partial class DiscoveryWorker : IDiscoveryWorker
 
         _logger.Info($"  Restoring MSBuild SDKs: {string.Join(", ", keys)}");
 
-        return await NuGetHelper.DownloadNuGetPackagesAsync(repoRootPath, workspacePath, msbuildSdks, _experimentsManager, logger);
+        return await NuGetHelper.DownloadNuGetPackagesAsync(repoRootPath, workspacePath, msbuildSdks, logger);
     }
 
     private async Task<ImmutableArray<ProjectDiscoveryResult>> RunForDirectoryAsync(string repoRootPath, string workspacePath)
@@ -335,8 +335,8 @@ public partial class DiscoveryWorker : IDiscoveryWorker
                 _processedProjectPaths.Add(projectPath);
 
                 var relativeProjectPath = Path.GetRelativePath(workspacePath, projectPath).NormalizePathToUnix();
-                var packagesConfigResult = await PackagesConfigDiscovery.Discover(repoRootPath, workspacePath, projectPath, _experimentsManager, _logger);
-                var projectResults = await SdkProjectDiscovery.DiscoverAsync(repoRootPath, workspacePath, projectPath, _experimentsManager, _logger);
+                var packagesConfigResult = await PackagesConfigDiscovery.Discover(repoRootPath, workspacePath, projectPath, _logger);
+                var projectResults = await SdkProjectDiscovery.DiscoverAsync(repoRootPath, workspacePath, projectPath, _logger);
 
                 // Determine if there were unrestored MSBuildSdks
                 var msbuildSdks = projectResults.SelectMany(p => p.Dependencies.Where(d => d.Type == DependencyType.MSBuildSdk)).ToImmutableArray();
@@ -345,7 +345,7 @@ public partial class DiscoveryWorker : IDiscoveryWorker
                     // If new SDKs were restored, then we need to rerun SdkProjectDiscovery.
                     if (await TryRestoreMSBuildSdksAsync(repoRootPath, workspacePath, msbuildSdks, _logger))
                     {
-                        projectResults = await SdkProjectDiscovery.DiscoverAsync(repoRootPath, workspacePath, projectPath, _experimentsManager, _logger);
+                        projectResults = await SdkProjectDiscovery.DiscoverAsync(repoRootPath, workspacePath, projectPath, _logger);
                     }
                 }
 

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Discover/PackagesConfigDiscovery.cs

@@ -6,7 +6,7 @@ namespace NuGetUpdater.Core.Discover;
 
 internal static class PackagesConfigDiscovery
 {
-    public static async Task<PackagesConfigDiscoveryResult?> Discover(string repoRootPath, string workspacePath, string projectPath, ExperimentsManager experimentsManager, ILogger logger)
+    public static async Task<PackagesConfigDiscoveryResult?> Discover(string repoRootPath, string workspacePath, string projectPath, ILogger logger)
     {
         var projectDirectory = Path.GetDirectoryName(projectPath)!;
         var additionalFiles = ProjectHelper.GetAllAdditionalFilesFromProject(projectPath, ProjectHelper.PathFormat.Full);
@@ -27,7 +27,7 @@ internal static class PackagesConfigDiscovery
             .ToImmutableArray();
 
         // generate `$(TargetFramework)` via MSBuild
-        var tfms = await MSBuildHelper.GetTargetFrameworkValuesFromProject(repoRootPath, projectPath, experimentsManager, logger);
+        var tfms = await MSBuildHelper.GetTargetFrameworkValuesFromProject(repoRootPath, projectPath, logger);
 
         var additionalFilesRelative = additionalFiles.Select(p => Path.GetRelativePath(projectDirectory, p).NormalizePathToUnix()).ToImmutableArray();
         return new()

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Discover/SdkProjectDiscovery.cs

@@ -53,7 +53,7 @@ internal static class SdkProjectDiscovery
         "web.config",
     };
 
-    public static async Task<ImmutableArray<ProjectDiscoveryResult>> DiscoverAsync(string repoRootPath, string workspacePath, string startingProjectPath, ExperimentsManager experimentsManager, ILogger logger)
+    public static async Task<ImmutableArray<ProjectDiscoveryResult>> DiscoverAsync(string repoRootPath, string workspacePath, string startingProjectPath, ILogger logger)
     {
         // N.b., there are many paths used in this function.  The MSBuild binary log always reports fully qualified paths, so that's what will be used
         // throughout until the very end when the appropriate kind of relative path is returned.
@@ -91,45 +91,40 @@ internal static class SdkProjectDiscovery
         //    projectPath  additionalFiles
 
         var requiresManualPackageResolution = false;
-        var tfms = await MSBuildHelper.GetTargetFrameworkValuesFromProject(repoRootPath, startingProjectPath, experimentsManager, logger);
+        var tfms = await MSBuildHelper.GetTargetFrameworkValuesFromProject(repoRootPath, startingProjectPath, logger);
         foreach (var tfm in tfms)
         {
             // create a binlog
             var binLogPath = Path.Combine(Path.GetTempPath(), $"msbuild_{Guid.NewGuid():d}.binlog");
             try
             {
-                // TODO: once the updater image has all relevant SDKs installed, we won't have to sideline global.json anymore
-                var (exitCode, stdOut, stdErr) = await MSBuildHelper.HandleGlobalJsonAsync(startingProjectDirectory, repoRootPath, experimentsManager, async () =>
+                // the built-in target `GenerateBuildDependencyFile` forces resolution of all NuGet packages, but doesn't invoke a full build
+                var dependencyDiscoveryTargetingPacksPropsPath = MSBuildHelper.GetFileFromRuntimeDirectory("DependencyDiscoveryTargetingPacks.props");
+                var dependencyDiscoveryTargetsPath = MSBuildHelper.GetFileFromRuntimeDirectory("DependencyDiscovery.targets");
+                var args = new List<string>()
                 {
-                    // the built-in target `GenerateBuildDependencyFile` forces resolution of all NuGet packages, but doesn't invoke a full build
-                    var dependencyDiscoveryTargetingPacksPropsPath = MSBuildHelper.GetFileFromRuntimeDirectory("DependencyDiscoveryTargetingPacks.props");
-                    var dependencyDiscoveryTargetsPath = MSBuildHelper.GetFileFromRuntimeDirectory("DependencyDiscovery.targets");
-                    var args = new List<string>()
-                    {
-                        "build",
-                        startingProjectPath,
-                        "/t:_DiscoverDependencies",
-                        $"/p:TargetFramework={tfm}",
-                        $"/p:CustomBeforeMicrosoftCommonProps={dependencyDiscoveryTargetingPacksPropsPath}",
-                        $"/p:CustomAfterMicrosoftCommonCrossTargetingTargets={dependencyDiscoveryTargetsPath}",
-                        $"/p:CustomAfterMicrosoftCommonTargets={dependencyDiscoveryTargetsPath}",
-                        "/p:TreatWarningsAsErrors=false", // if using CPM and a project also sets TreatWarningsAsErrors to true, this can cause discovery to fail; explicitly don't allow that
-                        "/p:MSBuildTreatWarningsAsErrors=false",
-                        $"/bl:{binLogPath}"
-                    };
-                    var (exitCode, stdOut, stdErr) = await ProcessEx.RunDotnetWithoutMSBuildEnvironmentVariablesAsync(args, startingProjectDirectory, experimentsManager);
-                    if (exitCode != 0 && stdOut.Contains("error : Object reference not set to an instance of an object."))
-                    {
-                        // https://github.com/NuGet/Home/issues/11761#issuecomment-1105218996
-                        // Due to a bug in NuGet, there can be a null reference exception thrown and adding this command line argument will work around it,
-                        // but this argument can't always be added; it can cause problems in other instances, so we're taking the approach of not using it
-                        // unless we have to.
-                        args.Add("/RestoreProperty:__Unused__=__Unused__");
-                        (exitCode, stdOut, stdErr) = await ProcessEx.RunDotnetWithoutMSBuildEnvironmentVariablesAsync(args, startingProjectDirectory, experimentsManager);
-                    }
+                    "build",
+                    startingProjectPath,
+                    "/t:_DiscoverDependencies",
+                    $"/p:TargetFramework={tfm}",
+                    $"/p:CustomBeforeMicrosoftCommonProps={dependencyDiscoveryTargetingPacksPropsPath}",
+                    $"/p:CustomAfterMicrosoftCommonCrossTargetingTargets={dependencyDiscoveryTargetsPath}",
+                    $"/p:CustomAfterMicrosoftCommonTargets={dependencyDiscoveryTargetsPath}",
+                    "/p:TreatWarningsAsErrors=false", // if using CPM and a project also sets TreatWarningsAsErrors to true, this can cause discovery to fail; explicitly don't allow that
+                    "/p:MSBuildTreatWarningsAsErrors=false",
+                    $"/bl:{binLogPath}"
+                };
+                var (exitCode, stdOut, stdErr) = await ProcessEx.RunDotnetWithoutMSBuildEnvironmentVariablesAsync(args, startingProjectDirectory);
+                if (exitCode != 0 && stdOut.Contains("error : Object reference not set to an instance of an object."))
+                {
+                    // https://github.com/NuGet/Home/issues/11761#issuecomment-1105218996
+                    // Due to a bug in NuGet, there can be a null reference exception thrown and adding this command line argument will work around it,
+                    // but this argument can't always be added; it can cause problems in other instances, so we're taking the approach of not using it
+                    // unless we have to.
+                    args.Add("/RestoreProperty:__Unused__=__Unused__");
+                    (exitCode, stdOut, stdErr) = await ProcessEx.RunDotnetWithoutMSBuildEnvironmentVariablesAsync(args, startingProjectDirectory);
+                }
 
-                    return (exitCode, stdOut, stdErr);
-                }, logger, retainMSBuildSdks: true);
                 MSBuildHelper.ThrowOnError(stdOut);
                 if (stdOut.Contains("_DependencyDiscovery_LegacyProjects::UseTemporaryProject"))
                 {
@@ -185,7 +180,7 @@ internal static class SdkProjectDiscovery
                             }
                             break;
                         case NamedNode namedNode when namedNode is AddItem or RemoveItem:
-                            ProcessResolvedPackageReference(namedNode, packagesPerProject, topLevelPackagesPerProject, explicitPackageVersionsPerProject, experimentsManager);
+                            ProcessResolvedPackageReference(namedNode, packagesPerProject, topLevelPackagesPerProject, explicitPackageVersionsPerProject);
 
                             if (namedNode is AddItem addItem)
                             {
@@ -247,8 +242,6 @@ internal static class SdkProjectDiscovery
                             }
                             break;
                         case Target target when target.Name == "_HandlePackageFileConflicts":
-                            // this only works if we've installed the exact SDK required
-                            if (experimentsManager.InstallDotnetSdks)
                             {
                                 var projectEvaluation = GetNearestProjectEvaluation(target);
                                 if (projectEvaluation is null)
@@ -340,7 +333,6 @@ internal static class SdkProjectDiscovery
                 tfms,
                 packagesPerProject,
                 explicitPackageVersionsPerProject,
-                experimentsManager,
                 logger
             );
         }
@@ -565,7 +557,6 @@ internal static class SdkProjectDiscovery
         ImmutableArray<string> targetFrameworks,
         Dictionary<string, Dictionary<string, Dictionary<string, string>>> packagesPerProject,
         Dictionary<string, Dictionary<string, Dictionary<string, string>>> explicitPackageVersionsPerProject,
-        ExperimentsManager experimentsManager,
         ILogger logger
     )
     {
@@ -580,9 +571,9 @@ internal static class SdkProjectDiscovery
                 .Select(kvp => new Dependency(kvp.Key, kvp.Value, DependencyType.PackageReference, TargetFrameworks: targetFrameworks))
                 .ToImmutableArray();
 
-            var tempProjectPath = await MSBuildHelper.CreateTempProjectAsync(tempDirectory, repoRootPath, projectPath, targetFrameworks, topLevelDependencies, experimentsManager, logger);
+            var tempProjectPath = await MSBuildHelper.CreateTempProjectAsync(tempDirectory, repoRootPath, projectPath, targetFrameworks, topLevelDependencies, logger);
             var tempProjectDirectory = Path.GetDirectoryName(tempProjectPath)!;
-            var rediscoveredDependencies = await DiscoverAsync(tempProjectDirectory, tempProjectDirectory, tempProjectPath, experimentsManager, logger);
+            var rediscoveredDependencies = await DiscoverAsync(tempProjectDirectory, tempProjectDirectory, tempProjectPath, logger);
             var rediscoveredDependenciesForThisProject = rediscoveredDependencies.Single(); // we started with a single temp project, this will be the only result
 
             // re-build packagesPerProject
@@ -612,8 +603,7 @@ internal static class SdkProjectDiscovery
         NamedNode node,
         Dictionary<string, Dictionary<string, Dictionary<string, string>>> packagesPerProject, // projectPath -> tfm -> (packageName, packageVersion)
         Dictionary<string, Dictionary<string, HashSet<string>>> topLevelPackagesPerProject, // projectPath -> tfm -> packageName
-        Dictionary<string, Dictionary<string, Dictionary<string, string>>> packageVersionsPerProject, // projectPath -> tfm -> (packageName, packageVersion)
-        ExperimentsManager experimentsManager
+        Dictionary<string, Dictionary<string, Dictionary<string, string>>> packageVersionsPerProject // projectPath -> tfm -> (packageName, packageVersion)
     )
     {
         var doRemoveOperation = node is RemoveItem;

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/ExperimentsManager.cs

@@ -7,17 +7,15 @@ namespace NuGetUpdater.Core;
 
 public record ExperimentsManager
 {
+    public bool EnableCooldown { get; init; } = false;
     public bool GenerateSimplePrBody { get; init; } = false;
-    public bool InstallDotnetSdks { get; init; } = false;
-    public bool NativeUpdater { get; init; } = false;
 
     public Dictionary<string, object> ToDictionary()
     {
         return new()
         {
+            ["enable_cooldown_for_nuget"] = EnableCooldown,
             ["nuget_generate_simple_pr_body"] = GenerateSimplePrBody,
-            ["nuget_install_dotnet_sdks"] = InstallDotnetSdks,
-            ["nuget_native_updater"] = NativeUpdater,
         };
     }
 
@@ -25,9 +23,8 @@ public record ExperimentsManager
     {
         return new ExperimentsManager()
         {
+            EnableCooldown = IsEnabled(experiments, "enable_cooldown_for_nuget"),
             GenerateSimplePrBody = IsEnabled(experiments, "nuget_generate_simple_pr_body"),
-            InstallDotnetSdks = IsEnabled(experiments, "nuget_install_dotnet_sdks"),
-            NativeUpdater = IsEnabled(experiments, "nuget_native_updater"),
         };
     }
 

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Run/ApiModel/Cooldown.cs

@@ -0,0 +1,83 @@
+using System.Collections.Immutable;
+using System.IO.Enumeration;
+using System.Text.Json.Serialization;
+
+using NuGet.Versioning;
+
+namespace NuGetUpdater.Core.Run.ApiModel;
+
+public record Cooldown
+{
+    [JsonPropertyName("default-days")]
+    public int DefaultDays { get; init; } = 0;
+
+    [JsonPropertyName("semver-major-days")]
+    public int SemVerMajorDays { get; init; } = 0;
+
+    [JsonPropertyName("semver-minor-days")]
+    public int SemVerMinorDays { get; init; } = 0;
+
+    [JsonPropertyName("semver-patch-days")]
+    public int SemVerPatchDays { get; init; } = 0;
+
+    [JsonPropertyName("include")]
+    public ImmutableArray<string>? Include { get; init; } = null;
+
+    [JsonPropertyName("exclude")]
+    public ImmutableArray<string>? Exclude { get; init; } = null;
+
+    public bool AppliesToPackage(string packageName)
+    {
+        var isExcluded = Exclude?.Any(exclude => FileSystemName.MatchesSimpleExpression(exclude, packageName)) ?? false;
+        if (isExcluded)
+        {
+            return false;
+        }
+
+        var isIncluded = Include is null ||
+            Include.Value.Length == 0 ||
+            Include.Value.Any(include => FileSystemName.MatchesSimpleExpression(include, packageName));
+        return isIncluded;
+    }
+
+    public int GetCooldownDays(NuGetVersion currentPackageVersion, NuGetVersion candidateUpdateVersion)
+    {
+        var majorDays = SemVerMajorDays > 0 ? SemVerMajorDays : DefaultDays;
+        var minorDays = SemVerMinorDays > 0 ? SemVerMinorDays : DefaultDays;
+        var patchDays = SemVerPatchDays > 0 ? SemVerPatchDays : DefaultDays;
+
+        var isMajorBump = candidateUpdateVersion.Major > currentPackageVersion.Major;
+        var isMinorBump = candidateUpdateVersion.Major == currentPackageVersion.Major && candidateUpdateVersion.Minor > currentPackageVersion.Minor;
+        var isPatchBump = candidateUpdateVersion.Major == currentPackageVersion.Major && candidateUpdateVersion.Minor == currentPackageVersion.Minor && candidateUpdateVersion.Patch > currentPackageVersion.Patch;
+
+        if (isMajorBump)
+        {
+            return majorDays;
+        }
+        else if (isMinorBump)
+        {
+            return minorDays;
+        }
+        else if (isPatchBump)
+        {
+            return patchDays;
+        }
+
+        // possible if it's a change in pre-release version
+        return DefaultDays;
+    }
+
+    public bool IsVersionUpdateAllowed(DateTimeOffset currentTime, DateTimeOffset? packagePublishTime, NuGetVersion currentPackageVersion, NuGetVersion candidateUpdateVersion)
+    {
+        if (packagePublishTime is null)
+        {
+            // default to allow it
+            return true;
+        }
+
+        var daysSincePublish = (currentTime - packagePublishTime.Value).TotalDays;
+        var requiredCooldownDays = GetCooldownDays(currentPackageVersion, candidateUpdateVersion);
+        var isUpdateAllowed = daysSincePublish >= requiredCooldownDays;
+        return isUpdateAllowed;
+    }
+}

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Run/ApiModel/Job.cs

@@ -40,6 +40,7 @@ public sealed record Job
     public CommitOptions? CommitMessageOptions { get; init; } = null;
     public ImmutableArray<Dictionary<string, object>>? CredentialsMetadata { get; init; } = null;
     public int MaxUpdaterRunTime { get; init; } = 0;
+    public Cooldown? Cooldown { get; init; } = null;
 
     public ImmutableArray<string> GetAllDirectories()
     {
@@ -120,7 +121,7 @@ public sealed record Job
         }
 
         var version = NuGetVersion.Parse(dependency.Version);
-        var dependencyInfo = RunWorker.GetDependencyInfo(this, dependency);
+        var dependencyInfo = RunWorker.GetDependencyInfo(this, dependency, allowCooldown: false);
         var isVulnerable = dependencyInfo.Vulnerabilities.Any(v => v.IsVulnerable(version));
 
         bool IsAllowed(AllowedUpdate allowedUpdate)