dependabot-nuget 0.335.0 → 0.337.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: f1deccb0621282a4b2882ed1237135a26ce637d3b275a9e6c8387fcf63d7ff7d
4
- data.tar.gz: adc18fffb9a39e742ddacfa761693070290b0b0679fa9c2ca5193694e02d9f47
3
+ metadata.gz: b3834da603ac2d16ff1fc26047883d8847ffc755e78d0b1f6ee59eec0dfec2b4
4
+ data.tar.gz: 5bf10dd5fe3cece122ff6036c1bd3edec248bd3d7577cbb755f0a66b7bba1cf1
5
5
  SHA512:
6
- metadata.gz: 53b727c49055af04f7af96ad075141493a08fc76895e6a82dcab8bce27680a785ce5e9f501463406ce66131a7baf14dea4004d58e38e3d5e45f633f36fd1b04b
7
- data.tar.gz: c39e5e3021996dad4a12616f79beb0493e47fa81baa75e23aaf192d9acfc0dc067720137184b22088d0ea7e7e2e35108f8ba50717e4393b9a21f2547b21485c7
6
+ metadata.gz: 763c6cf7fc5c16c74141d9192b1e0efb20d4998b3572a16126ca07d7cadd870f1319c7baa6c4c15f7201b39f7bf9005277e0c5f606d3c8459b027e047a77fea4
7
+ data.tar.gz: a53e743e86f5b4830a19d58c610f40a3686bdf5d80b05a2d2eab062710a677ec09a8f9eaa2683667370b7d2e6f510983bfb89806adf5c79a3c3c0ae450e1fb58
@@ -635,6 +635,14 @@ internal static class SdkProjectDiscovery
635
635
 
636
636
  if (doAddOperation)
637
637
  {
638
+ var isImplicitlyDefined = GetChildMetadataBooleanValue(child, "IsImplicitlyDefined");
639
+ if (isImplicitlyDefined)
640
+ {
641
+ // packages with `IsImplicitlyDefined="true"` aren't to be treated as top-level packages and shouldn't be candidates for regular update operations
642
+ // they should still appear in the discovery list, though, so security jobs can update them as necessary
643
+ continue;
644
+ }
645
+
638
646
  topLevelPackagesPerTfm.Add(packageName);
639
647
  var packageVersion = GetChildMetadataValue(child, "Version");
640
648
  if (packageVersion is not null)
@@ -727,6 +735,13 @@ internal static class SdkProjectDiscovery
727
735
  return metadataValue;
728
736
  }
729
737
 
738
+ private static bool GetChildMetadataBooleanValue(TreeNode node, string metadataItemName)
739
+ {
740
+ var metadataString = GetChildMetadataValue(node, metadataItemName);
741
+ var metadataBooleanValue = bool.TryParse(metadataString, out var parsedMetadataValue) && parsedMetadataValue;
742
+ return metadataBooleanValue;
743
+ }
744
+
730
745
  private static ProjectEvaluation? GetNearestProjectEvaluation(BaseNode node)
731
746
  {
732
747
  // we need to find the containing project evaluation
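Review bot: GetChildMetadataBooleanValue maps absent, empty or unparseable metadata to false without saying so, and that default is exactly what the `IsImplicitlyDefined` check in the earlier hunk (inside the `if (doAddOperation)` block) relies on; a summary line would pin that contract, e.g. `/// Returns true only when the child's metadata item is present and parses as a boolean true; missing or malformed values are treated as false.` The intermediate local adds nothing over the expression, so the body can be `return bool.TryParse(GetChildMetadataValue(node, metadataItemName), out var isTrue) && isTrue;`. Since bool.TryParse is case-insensitive and ignores surrounding whitespace, values such as `True` are also accepted, which is presumably the intent for MSBuild metadata but is worth stating in the same comment.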
@@ -20,15 +20,17 @@ public class DiscoveryWorkerTestBase : TestBase
20
20
  ExpectedWorkspaceDiscoveryResult expectedResult,
21
21
  MockNuGetPackage[]? packages = null,
22
22
  bool includeCommonPackages = true,
23
- ExperimentsManager? experimentsManager = null)
23
+ ExperimentsManager? experimentsManager = null,
24
+ string? repoContentsPath = null)
24
25
  {
25
26
  experimentsManager ??= new ExperimentsManager();
26
27
  var actualResult = await RunDiscoveryAsync(files, async directoryPath =>
27
28
  {
28
29
  await UpdateWorkerTestBase.MockNuGetPackagesInDirectory(packages, directoryPath, includeCommonPackages: includeCommonPackages);
29
30
 
31
+ repoContentsPath ??= directoryPath;
30
32
  var worker = new DiscoveryWorker("TEST-JOB-ID", experimentsManager, new TestLogger());
31
- var result = await worker.RunWithErrorHandlingAsync(directoryPath, workspacePath);
33
+ var result = await worker.RunWithErrorHandlingAsync(repoContentsPath, workspacePath);
32
34
  return result;
33
35
  });
34
36
 
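Review bot: `repoContentsPath ??= directoryPath;` inside the callback writes back into the captured parameter rather than a local, so the method's argument is mutated as a side effect of the callback, and nothing on the signature says what the new `repoContentsPath` parameter means or whether it is absolute or relative to the temporary directory. A local keeps the parameter untouched: `var contentsPath = repoContentsPath ?? directoryPath;` followed by `var result = await worker.RunWithErrorHandlingAsync(contentsPath, workspacePath);`. A `<param name="repoContentsPath">` doc stating that it defaults to the directory the test files are written to, and that any other value is forwarded to RunWithErrorHandlingAsync unchanged, would cover the contract. The enclosing method starts before this hunk and ends after it.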
@@ -1462,4 +1462,53 @@ public partial class DiscoveryWorkerTests : DiscoveryWorkerTestBase
1462
1462
  }
1463
1463
  );
1464
1464
  }
1465
+
1466
+ [Fact]
1467
+ public async Task ImplicitlyDefinedPackagesAreMarkedAsIndirect()
1468
+ {
1469
+ // packages auto-added by the SDK have extra metadata IsImplicitlyDefined=true, but for the sake of a unit test we can fake it
1470
+ await TestDiscoveryAsync(
1471
+ packages: [
1472
+ MockNuGetPackage.CreateSimplePackage("Package.A", "1.0.0", "net9.0"),
1473
+ MockNuGetPackage.CreateSimplePackage("Package.B", "2.0.0", "net9.0"),
1474
+ ],
1475
+ workspacePath: "src",
1476
+ files: [
1477
+ ("src/project.csproj", """
1478
+ <Project Sdk="Microsoft.NET.Sdk">
1479
+ <PropertyGroup>
1480
+ <TargetFramework>net9.0</TargetFramework>
1481
+ </PropertyGroup>
1482
+ <ItemGroup>
1483
+ <PackageReference Include="Package.A" Version="1.0.0" />
1484
+
1485
+ <!-- this package fakes the IsImplicitlyDefined metadata to appear like it came from the SDK -->
1486
+ <PackageReference Include="Package.B" Version="2.0.0" IsImplicitlyDefined="true" />
1487
+ </ItemGroup>
1488
+ </Project>
1489
+ """)
1490
+ ],
1491
+ expectedResult: new()
1492
+ {
1493
+ Path = "src",
1494
+ Projects = [
1495
+ new()
1496
+ {
1497
+ FilePath = "project.csproj",
1498
+ TargetFrameworks = ["net9.0"],
1499
+ Dependencies = [
1500
+ new("Package.A", "1.0.0", DependencyType.PackageReference, TargetFrameworks: ["net9.0"], IsDirect: true),
1501
+ new("Package.B", "2.0.0", DependencyType.Unknown, TargetFrameworks: ["net9.0"], IsDirect: false, IsTransitive: true),
1502
+ ],
1503
+ Properties = [
1504
+ new("TargetFramework", "net9.0", "src/project.csproj"),
1505
+ ],
1506
+ ReferencedProjectPaths = [],
1507
+ ImportedFiles = [],
1508
+ AdditionalFiles = [],
1509
+ }
1510
+ ]
1511
+ }
1512
+ );
1513
+ }
1465
1514
  }
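Review bot: The expectation for Package.B (`DependencyType.Unknown`, `IsDirect: false`, `IsTransitive: true`) is the whole point of the test, but the only comment explains the faked metadata, not why an item that is literally a PackageReference in the project file is expected to come back as Unknown and transitive. A comment on that expected entry such as `// implicitly defined packages are excluded from top-level updates but must still be reported (as transitive) so security jobs can update them` would tie the assertion to the discovery change. Whether `DependencyType.Unknown` rather than `PackageReference` is intended for these items cannot be confirmed from this diff; if it is deliberate, the comment should say so.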
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: dependabot-nuget
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.335.0
4
+ version: 0.337.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Dependabot
@@ -15,14 +15,14 @@ dependencies:
15
15
  requirements:
16
16
  - - '='
17
17
  - !ruby/object:Gem::Version
18
- version: 0.335.0
18
+ version: 0.337.0
19
19
  type: :runtime
20
20
  prerelease: false
21
21
  version_requirements: !ruby/object:Gem::Requirement
22
22
  requirements:
23
23
  - - '='
24
24
  - !ruby/object:Gem::Version
25
- version: 0.335.0
25
+ version: 0.337.0
26
26
  - !ruby/object:Gem::Dependency
27
27
  name: debug
28
28
  requirement: !ruby/object:Gem::Requirement
@@ -551,7 +551,7 @@ licenses:
551
551
  - MIT
552
552
  metadata:
553
553
  bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
554
- changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.335.0
554
+ changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.337.0
555
555
  rdoc_options: []
556
556
  require_paths:
557
557
  - lib