dependabot-nuget 0.372.0 → 0.374.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a058182c9ce909abc8398d444a3cba984f43528a7655fd5ee96cc8c607bbfd76
-  data.tar.gz: ffd8f02946da91739938e89ca13e3beb4e6b3ef157bb23083251df98cf45930f
+  metadata.gz: 44fba281ef6f7ae5edcc476e8c7776c0eb7f67f34c0fc88fd97a5b2bb0fd9ecd
+  data.tar.gz: 58769e2284c8cc3c71fa27ad89f5121985d5050afa2d8354359246507049025e
 SHA512:
-  metadata.gz: 4d9d90b837aa4ebd014a46c1dc0a89ae29689f30bbe84fc49c16deec4c260625e263aa731f100d0ef909ad2da00a48c131e9086393866f54e83e48e6678a77f8
-  data.tar.gz: d8c27b9ff9c1837c191ce89ae005e3071f5fc5cd09d76d8c1e0ecc3ea1bd511ed1cd544bac6bdd0ea17aef43dc49747b2c87cc8cbe0f3e3645f6977582ec3394
+  metadata.gz: 0343710df6bb80e64d5e19c48d02bbc78b930338516e5951e3909e622ea2bd692ece05dd89b884103ef86467d8cb29bd7dfdb5e4b17127c264040950e3ebf81e
+  data.tar.gz: de4e648b06eb7bd4a13a17fe544600bc7d4e5ea3477935e06941e378668fccdc60efceabe6b6c78e9c13da9fec8a69109eec00068a922559b92b8b5b1f9b472d

data/helpers/lib/NuGetUpdater/Directory.Build.props

@@ -6,6 +6,7 @@
     <Nullable>enable</Nullable>
     <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
     <EnforceCodeStyleInBuild>true</EnforceCodeStyleInBuild>
+    <NuGetAudit>false</NuGetAudit>
   </PropertyGroup>
 
   <Import Project="Directory.Common.props" />

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Analyze/AnalyzeWorker.cs

@@ -84,7 +84,7 @@ public partial class AnalyzeWorker : IAnalyzeWorker
             .Select(NuGetFramework.Parse)
             .ToImmutableArray();
         var propertyBasedDependencies = discovery.Projects.SelectMany(p
-            => p.Dependencies.Where(d => !d.IsTransitive &&
+            => p.Dependencies.Where(d => d.IsTopLevel &&
                 d.EvaluationResult?.RootPropertyName is not null)
             ).ToImmutableArray();
         var dotnetToolsHasDependency = discovery.DotNetToolsJson?.Dependencies.Any(d => d.Name.Equals(dependencyInfo.Name, StringComparison.OrdinalIgnoreCase)) == true;
@@ -149,12 +149,12 @@ public partial class AnalyzeWorker : IAnalyzeWorker
             else if (dotnetToolsHasDependency)
             {
                 var infoUrl = await nugetContext.GetPackageInfoUrlAsync(dependencyInfo.Name, updatedVersion.ToNormalizedString(), CancellationToken.None);
-                updatedDependencies = [new Dependency(dependencyInfo.Name, updatedVersion.ToNormalizedString(), DependencyType.DotNetTool, IsDirect: true, InfoUrl: infoUrl)];
+                updatedDependencies = [new Dependency(dependencyInfo.Name, updatedVersion.ToNormalizedString(), DependencyType.DotNetTool, InfoUrl: infoUrl)];
             }
             else if (globalJsonHasDependency)
             {
                 var infoUrl = await nugetContext.GetPackageInfoUrlAsync(dependencyInfo.Name, updatedVersion.ToNormalizedString(), CancellationToken.None);
-                updatedDependencies = [new Dependency(dependencyInfo.Name, updatedVersion.ToNormalizedString(), DependencyType.MSBuildSdk, IsDirect: true, InfoUrl: infoUrl)];
+                updatedDependencies = [new Dependency(dependencyInfo.Name, updatedVersion.ToNormalizedString(), DependencyType.MSBuildSdk, InfoUrl: infoUrl)];
             }
             else
             {
@@ -193,11 +193,11 @@ public partial class AnalyzeWorker : IAnalyzeWorker
             return true;
         }
 
-        // Since the dependency is not vulnerable, we only need to update if it is not transitive.
+        // Since the dependency is not vulnerable, we only need to update if it is a top-level dependency.
         return projectsWithDependency.Any(p =>
             p.Dependencies.Any(d =>
                 d.Name.Equals(dependencyInfo.Name, StringComparison.OrdinalIgnoreCase) &&
-                !d.IsTransitive));
+                d.IsTopLevel));
     }
 
     private static Task<WorkspaceDiscoveryResult> DeserializeWorkspaceDiscoveryResultFileAsync(string path)
@@ -392,7 +392,7 @@ public partial class AnalyzeWorker : IAnalyzeWorker
         // When updating peer dependencies, we only need to consider top-level dependencies.
         var projectDependencyNames = projectsWithDependency
             .SelectMany(p => p.Dependencies)
-            .Where(d => !d.IsTransitive)
+            .Where(d => d.IsTopLevel)
             .Select(d => d.Name)
             .ToImmutableHashSet(StringComparer.OrdinalIgnoreCase);
 
@@ -427,7 +427,7 @@ public partial class AnalyzeWorker : IAnalyzeWorker
     {
         var packageDeclarationsUsingProperty = discovery.Projects
             .SelectMany(p =>
-                p.Dependencies.Where(d => !d.IsTransitive &&
+                p.Dependencies.Where(d => d.IsTopLevel &&
                     d.Name.Equals(packageId, StringComparison.OrdinalIgnoreCase) &&
                     d.EvaluationResult?.RootPropertyName is not null)
             ).ToImmutableArray();

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Analyze/DependencyFinder.cs

@@ -34,7 +34,7 @@ internal static class DependencyFinder
             foreach (var dependency in dependencies)
             {
                 var infoUrl = await nugetContext.GetPackageInfoUrlAsync(dependency.Name, dependency.Version!, cancellationToken);
-                var updatedDependency = dependency with { IsTransitive = false, InfoUrl = infoUrl };
+                var updatedDependency = dependency with { IsTopLevel = true, InfoUrl = infoUrl };
                 updatedDependencies.Add(updatedDependency);
             }
 

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Dependency.cs

@@ -10,10 +10,7 @@ public sealed record Dependency(
     DependencyType Type,
     EvaluationResult? EvaluationResult = null,
     ImmutableArray<string>? TargetFrameworks = null,
-    bool IsDevDependency = false,
-    bool IsDirect = false,
-    bool IsTransitive = false,
-    bool IsOverride = false,
+    bool IsTopLevel = true,
     bool IsUpdate = false,
     string? InfoUrl = null) : IEquatable<Dependency>
 {
@@ -34,10 +31,7 @@ public sealed record Dependency(
                Type == other.Type &&
                EvaluationResult == other.EvaluationResult &&
                TargetFrameworks.SequenceEqual(other.TargetFrameworks) &&
-               IsDevDependency == other.IsDevDependency &&
-               IsDirect == other.IsDirect &&
-               IsTransitive == other.IsTransitive &&
-               IsOverride == other.IsOverride &&
+               IsTopLevel == other.IsTopLevel &&
                IsUpdate == other.IsUpdate &&
                InfoUrl == other.InfoUrl;
     }
@@ -50,10 +44,7 @@ public sealed record Dependency(
         hash.Add(Type);
         hash.Add(EvaluationResult);
         hash.Add(TargetFrameworks);
-        hash.Add(IsDevDependency);
-        hash.Add(IsDirect);
-        hash.Add(IsTransitive);
-        hash.Add(IsOverride);
+        hash.Add(IsTopLevel);
         hash.Add(IsUpdate);
         hash.Add(InfoUrl);
         return hash.ToHashCode();

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Discover/DiscoveryWorker.cs

@@ -171,10 +171,11 @@ public partial class DiscoveryWorker : IDiscoveryWorker
     {
         _logger.Info($"  Discovering projects beneath [{Path.GetRelativePath(repoRootPath, workspacePath)}].");
         var entryPoints = FindEntryPoints(workspacePath);
+        _logger.Info($"    Entry points found: {string.Join(", ", entryPoints)}");
         ImmutableArray<string> projects;
         try
         {
-            projects = await ExpandEntryPointsIntoProjectsAsync(entryPoints, _experimentsManager);
+            projects = await ExpandEntryPointsIntoProjectsAsync(entryPoints, _experimentsManager, _logger);
         }
         catch (InvalidProjectFileException e)
         {
@@ -193,7 +194,7 @@ public partial class DiscoveryWorker : IDiscoveryWorker
         }
         if (projects.IsEmpty)
         {
-            _logger.Info("  No project files found.");
+            _logger.Info("    No project files found.");
             return [];
         }
 
@@ -222,7 +223,7 @@ public partial class DiscoveryWorker : IDiscoveryWorker
             .ToImmutableArray();
     }
 
-    internal async static Task<ImmutableArray<string>> ExpandEntryPointsIntoProjectsAsync(IEnumerable<string> entryPoints, ExperimentsManager experimentsManager)
+    internal async static Task<ImmutableArray<string>> ExpandEntryPointsIntoProjectsAsync(IEnumerable<string> entryPoints, ExperimentsManager experimentsManager, ILogger logger)
     {
         HashSet<string> expandedProjects = new(PathComparer.Instance);
         HashSet<string> seenProjects = new(PathComparer.Instance);
@@ -235,28 +236,34 @@ public partial class DiscoveryWorker : IDiscoveryWorker
                 string extension = Path.GetExtension(candidateEntryPoint).ToLowerInvariant();
                 if (extension == ".sln")
                 {
+                    logger.Info($"    Expanding solution: {candidateEntryPoint}:");
                     SolutionFile solution = SolutionFile.Parse(candidateEntryPoint);
                     foreach (ProjectInSolution project in solution.ProjectsInOrder)
                     {
+                        logger.Info($"      Expanded project: {project.AbsolutePath}");
                         filesToExpand.Push(project.AbsolutePath);
                     }
                 }
                 else if (extension == ".slnx")
                 {
+                    logger.Info($"    Expanding solution: {candidateEntryPoint}:");
                     SolutionModel solution = await SolutionSerializers.SlnXml.OpenAsync(candidateEntryPoint, CancellationToken.None);
                     string solutionPath = Path.GetDirectoryName(candidateEntryPoint) ?? string.Empty;
 
                     foreach (SolutionProjectModel project in solution.SolutionProjects)
                     {
                         string projectPath = Path.Combine(solutionPath, project.FilePath);
+                        logger.Info($"      Expanded project: {projectPath}");
                         filesToExpand.Push(projectPath);
                     }
                 }
                 else if (extension == ".proj")
                 {
+                    logger.Info($"    Expanding file: {candidateEntryPoint}:");
                     var foundProjects = ExpandItemGroupFilesFromProject(candidateEntryPoint, "ProjectFile", "ProjectReference");
                     foreach (var foundProject in foundProjects)
                     {
+                        logger.Info($"      Expanded project: {foundProject}");
                         filesToExpand.Push(foundProject);
                     }
                 }
@@ -337,7 +344,7 @@ public partial class DiscoveryWorker : IDiscoveryWorker
         try
         {
             // get all packages.config results first
-            var expandedProjects = await ExpandEntryPointsIntoProjectsAsync(normalizedProjectPaths, _experimentsManager);
+            var expandedProjects = await ExpandEntryPointsIntoProjectsAsync(normalizedProjectPaths, _experimentsManager, _logger);
             foreach (var expandedProject in expandedProjects)
             {
                 var packagesConfigResult = await PackagesConfigDiscovery.Discover(repoRootPath, workspacePath, expandedProject, _logger);
@@ -463,7 +470,7 @@ public partial class DiscoveryWorker : IDiscoveryWorker
             ReferencedProjectPaths = mergedReferencedProjects,
             ImportedFiles = mergedImportedFiles,
             AdditionalFiles = mergedAdditionalFiles,
-            CentralPackageTransitivePinningEnabled = result1.CentralPackageTransitivePinningEnabled || result2.CentralPackageTransitivePinningEnabled,
+            PackageManagementKind = (PackageManagementKind)Math.Max((int)result1.PackageManagementKind, (int)result2.PackageManagementKind),
         };
         return mergedResult;
     }

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Discover/PackageManagementKind.cs

@@ -0,0 +1,23 @@
+namespace NuGetUpdater.Core.Discover;
+
+public enum PackageManagementKind
+{
+    /// <summary>
+    /// The default for SDK-style projects, e.g., <code>&lt;PackageReference Include="Some.Package" Version="1.0.0" /&gt;</code>
+    /// </summary>
+    Default,
+
+    /// <summary>
+    /// Separate <code>&lt;PackageReference&gt;</code> and <code>&lt;PackageVersion&gt;</code> elements.  Set by the
+    /// user by adding the property <code>&lt;ManagePackageVersionsCentrally&gt;true&lt;/ManagePackageVersionsCentrally&gt;</code>
+    /// and commonly using the file <code>Directory.Packages.props</code>
+    /// </summary>
+    CentralPackageManagement,
+
+    /// <summary>
+    /// Similar to <see cref="CentralPackageManagement"/> but with the additional property
+    /// <code>&lt;CentralPackageTransitivePinningEnabled&gt;true&lt;/CentralPackageTransitivePinningEnabled&gt;</code> which applies
+    /// <code>&lt;PackageVersion&gt;</code> elements for all transitive dependencies as well.
+    /// </summary>
+    CentralPackageManagementWithTransitivePinning,
+}

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Discover/ProjectDiscoveryResult.cs

@@ -14,5 +14,5 @@ public record ProjectDiscoveryResult : IDiscoveryResultWithDependencies
     public ImmutableArray<string> ReferencedProjectPaths { get; init; } = [];
     public required ImmutableArray<string> ImportedFiles { get; init; }
     public required ImmutableArray<string> AdditionalFiles { get; init; }
-    public bool CentralPackageTransitivePinningEnabled { get; init; } = false;
+    public PackageManagementKind PackageManagementKind { get; init; } = PackageManagementKind.Default;
 }

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Discover/SdkProjectDiscovery.cs

@@ -144,7 +144,7 @@ internal static class SdkProjectDiscovery
             try
             {
                 // when using single restore, we can directly invoke the relevant targets...
-                var args = new List<string>() { "msbuild", startingProjectPath };
+                var args = new List<string>() { startingProjectPath };
 
                 // ...but determining what the relevant targets are can be complicated
 
@@ -195,7 +195,7 @@ internal static class SdkProjectDiscovery
                 args.Add("/p:MSBuildTreatWarningsAsErrors=false");
                 args.Add($"/bl:{binLogPath}");
 
-                var (exitCode, stdOut, stdErr) = await ProcessEx.RunDotnetWithoutMSBuildEnvironmentVariablesAsync(args, startingProjectDirectory);
+                var (exitCode, stdOut, stdErr) = await ProcessEx.RunDotnetMSBuildSafelyAsync(args, startingProjectDirectory);
                 if (exitCode != 0 && stdOut.Contains("error : Object reference not set to an instance of an object."))
                 {
                     // https://github.com/NuGet/Home/issues/11761#issuecomment-1105218996
@@ -203,7 +203,7 @@ internal static class SdkProjectDiscovery
                     // but this argument can't always be added; it can cause problems in other instances, so we're taking the approach of not using it
                     // unless we have to.
                     args.Add("/RestoreProperty:__Unused__=__Unused__");
-                    (exitCode, stdOut, stdErr) = await ProcessEx.RunDotnetWithoutMSBuildEnvironmentVariablesAsync(args, startingProjectDirectory);
+                    (exitCode, stdOut, stdErr) = await ProcessEx.RunDotnetMSBuildSafelyAsync(args, startingProjectDirectory);
                 }
 
                 MSBuildHelper.ThrowOnError(stdOut);
@@ -621,7 +621,7 @@ internal static class SdkProjectDiscovery
                     }
 
                     var normalizedTfms = combinedTfms.OrderBy(t => t).ToImmutableArray();
-                    groupedDependencies[package.Key] = new Dependency(packageName, packageVersion, dependencyType, TargetFrameworks: normalizedTfms, IsDirect: isTopLevel, IsTransitive: !isTopLevel);
+                    groupedDependencies[package.Key] = new Dependency(packageName, packageVersion, dependencyType, TargetFrameworks: normalizedTfms, IsTopLevel: isTopLevel);
                 }
             }
 
@@ -643,13 +643,19 @@ internal static class SdkProjectDiscovery
                 .Select(p => p.NormalizePathToUnix())
                 .OrderBy(p => p)
                 .ToImmutableArray();
-            var useCpmTransitivePinning =
+            var projectLevelCpm =
                 projectProperties.TryGetValue("ManagePackageVersionsCentrally", out var useCpmString) &&
                 bool.TryParse(useCpmString, out var useCpm) &&
-                useCpm &&
+                useCpm;
+            var projectLevelCpmWithPinning =
+                projectLevelCpm &&
                 projectProperties.TryGetValue("CentralPackageTransitivePinningEnabled", out var useTransitivePinningString) &&
                 bool.TryParse(useTransitivePinningString, out var useTransitivePinning) &&
                 useTransitivePinning;
+            var packageManagementKind =
+                projectLevelCpmWithPinning ? PackageManagementKind.CentralPackageManagementWithTransitivePinning :
+                projectLevelCpm ? PackageManagementKind.CentralPackageManagement :
+                PackageManagementKind.Default;
 
             var projectDiscoveryResult = new ProjectDiscoveryResult()
             {
@@ -659,7 +665,7 @@ internal static class SdkProjectDiscovery
                 ReferencedProjectPaths = referenced,
                 ImportedFiles = imported,
                 AdditionalFiles = additional,
-                CentralPackageTransitivePinningEnabled = useCpmTransitivePinning,
+                PackageManagementKind = packageManagementKind,
             };
             projectDiscoveryResults.Add(projectDiscoveryResult);
         }

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Files/PackagesConfigBuildFile.cs

@@ -26,6 +26,5 @@ internal sealed class PackagesConfigBuildFile : XmlBuildFile
         .Select(p => new Dependency(
             p.GetAttributeValue("id", StringComparison.OrdinalIgnoreCase),
             p.GetAttributeValue("version", StringComparison.OrdinalIgnoreCase),
-            DependencyType.PackagesConfig,
-            IsDevDependency: (p.GetAttribute("developmentDependency", StringComparison.OrdinalIgnoreCase)?.Value ?? "false").Equals(true.ToString(), StringComparison.OrdinalIgnoreCase)));
+            DependencyType.PackagesConfig));
 }

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Files/ProjectBuildFile.cs

@@ -108,12 +108,10 @@ internal sealed class ProjectBuildFile : XmlBuildFile
             return null;
         }
 
-        var isVersionOverride = false;
         var version = element.GetAttributeOrSubElementValue("Version", StringComparison.OrdinalIgnoreCase);
         if (version is null)
         {
             version = element.GetAttributeOrSubElementValue("VersionOverride", StringComparison.OrdinalIgnoreCase);
-            isVersionOverride = version is not null;
         }
 
         dependencies.AddRange(
@@ -122,8 +120,7 @@ internal sealed class ProjectBuildFile : XmlBuildFile
                         Name: dep.Trim(),
                         Version: string.IsNullOrEmpty(version) ? null : version,
                         Type: GetDependencyType(element.Name),
-                        IsUpdate: isUpdate,
-                        IsOverride: isVersionOverride))
+                        IsUpdate: isUpdate))
         );
 
 

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/IUpdaterWorker.cs

@@ -5,5 +5,5 @@ namespace NuGetUpdater.Core;
 
 public interface IUpdaterWorker
 {
-    Task<UpdateOperationResult> RunAsync(string repoRootPath, string workspacePath, string dependencyName, string previousDependencyVersion, string newDependencyVersion, bool isTransitive);
+    Task<UpdateOperationResult> RunAsync(string repoRootPath, string workspacePath, string dependencyName, string previousDependencyVersion, string newDependencyVersion, bool isTopLevel);
 }

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Run/ApiModel/Job.cs

@@ -210,8 +210,8 @@ public sealed record Job
                     return true;
                 }
 
-                // ...no specific update being performed, do it if it's not transitive
-                return !dependency.IsTransitive;
+                // ...no specific update being performed, do it if it's a top-level dependency
+                return dependency.IsTopLevel;
             }
         }
 

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Run/UpdateHandlers/CreateSecurityUpdatePullRequestHandler.cs

@@ -111,7 +111,7 @@ internal class CreateSecurityUpdatePullRequestHandler : IUpdateHandler
 
                     logger.Info($"Attempting update of {dependency.Name} from {dependency.Version} to {analysisResult.UpdatedVersion} for {projectPath}.");
                     var projectDiscovery = discoveryResult.GetProjectDiscoveryFromPath(projectPath);
-                    var updaterResult = await updaterWorker.RunAsync(repoContentsPath.FullName, projectPath, dependency.Name, dependency.Version!, analysisResult.UpdatedVersion, dependency.IsTransitive);
+                    var updaterResult = await updaterWorker.RunAsync(repoContentsPath.FullName, projectPath, dependency.Name, dependency.Version!, analysisResult.UpdatedVersion, dependency.IsTopLevel);
                     if (updaterResult.Error is not null)
                     {
                         logger.Error($"Error updating {dependency.Name} in {projectPath}: {updaterResult.Error.GetReport()}");

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Run/UpdateHandlers/GroupUpdateAllVersionsHandler.cs

@@ -117,7 +117,7 @@ internal class GroupUpdateAllVersionsHandler : IUpdateHandler
                     }
 
                     var projectDiscovery = discoveryResult.GetProjectDiscoveryFromPath(projectPath);
-                    var updaterResult = await updaterWorker.RunAsync(repoContentsPath.FullName, projectPath, dependency.Name, dependency.Version!, analysisResult.UpdatedVersion, dependency.IsTransitive);
+                    var updaterResult = await updaterWorker.RunAsync(repoContentsPath.FullName, projectPath, dependency.Name, dependency.Version!, analysisResult.UpdatedVersion, dependency.IsTopLevel);
                     if (updaterResult.Error is not null)
                     {
                         logger.Error($"Error updating {dependency.Name} in {projectPath}: {updaterResult.Error.GetReport()}");
@@ -236,7 +236,7 @@ internal class GroupUpdateAllVersionsHandler : IUpdateHandler
                     }
 
                     var projectDiscovery = discoveryResult.GetProjectDiscoveryFromPath(projectPath);
-                    var updaterResult = await updaterWorker.RunAsync(repoContentsPath.FullName, projectPath, dependency.Name, dependency.Version!, analysisResult.UpdatedVersion, dependency.IsTransitive);
+                    var updaterResult = await updaterWorker.RunAsync(repoContentsPath.FullName, projectPath, dependency.Name, dependency.Version!, analysisResult.UpdatedVersion, dependency.IsTopLevel);
                     if (updaterResult.Error is not null)
                     {
                         await apiHandler.RecordUpdateJobError(updaterResult.Error, logger);

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Run/UpdateHandlers/RefreshGroupUpdatePullRequestHandler.cs

@@ -117,7 +117,7 @@ internal class RefreshGroupUpdatePullRequestHandler : IUpdateHandler
 
                     logger.Info($"Attempting update of {dependency.Name} from {dependency.Version} to {analysisResult.UpdatedVersion} for {projectPath}.");
                     var projectDiscovery = discoveryResult.GetProjectDiscoveryFromPath(projectPath);
-                    var updaterResult = await updaterWorker.RunAsync(repoContentsPath.FullName, projectPath, dependency.Name, dependency.Version!, analysisResult.UpdatedVersion, dependency.IsTransitive);
+                    var updaterResult = await updaterWorker.RunAsync(repoContentsPath.FullName, projectPath, dependency.Name, dependency.Version!, analysisResult.UpdatedVersion, dependency.IsTopLevel);
                     if (updaterResult.Error is not null)
                     {
                         logger.Error($"Error updating {dependency.Name} in {projectPath}: {updaterResult.Error.GetReport()}");

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Run/UpdateHandlers/RefreshSecurityUpdatePullRequestHandler.cs

@@ -112,7 +112,7 @@ internal class RefreshSecurityUpdatePullRequestHandler : IUpdateHandler
 
                     logger.Info($"Attempting update of {dependency.Name} from {dependency.Version} to {analysisResult.UpdatedVersion} for {projectPath}.");
                     var projectDiscovery = discoveryResult.GetProjectDiscoveryFromPath(projectPath);
-                    var updaterResult = await updaterWorker.RunAsync(repoContentsPath.FullName, projectPath, dependency.Name, dependency.Version!, analysisResult.UpdatedVersion, dependency.IsTransitive);
+                    var updaterResult = await updaterWorker.RunAsync(repoContentsPath.FullName, projectPath, dependency.Name, dependency.Version!, analysisResult.UpdatedVersion, dependency.IsTopLevel);
                     if (updaterResult.Error is not null)
                     {
                         logger.Error($"Error updating {dependency.Name} in {projectPath}: {updaterResult.Error.GetReport()}");

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Run/UpdateHandlers/RefreshVersionUpdatePullRequestHandler.cs

@@ -102,7 +102,7 @@ internal class RefreshVersionUpdatePullRequestHandler : IUpdateHandler
 
                     logger.Info($"Attempting update of {dependency.Name} from {dependency.Version} to {analysisResult.UpdatedVersion} for {projectPath}.");
                     var projectDiscovery = discoveryResult.GetProjectDiscoveryFromPath(projectPath);
-                    var updaterResult = await updaterWorker.RunAsync(repoContentsPath.FullName, projectPath, dependency.Name, dependency.Version!, analysisResult.UpdatedVersion, dependency.IsTransitive);
+                    var updaterResult = await updaterWorker.RunAsync(repoContentsPath.FullName, projectPath, dependency.Name, dependency.Version!, analysisResult.UpdatedVersion, dependency.IsTopLevel);
                     if (updaterResult.Error is not null)
                     {
                         logger.Error($"Error updating {dependency.Name} in {projectPath}: {updaterResult.Error.GetReport()}");

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Updater/FileWriters/FileWriterWorker.cs

@@ -167,7 +167,7 @@ public class FileWriterWorker
         }
 
         var initialTopLevelDependencies = initialProjectDiscovery.Dependencies
-            .Where(d => !d.IsTransitive)
+            .Where(d => d.IsTopLevel)
             .ToImmutableArray();
         var newDependency = new Dependency(dependencyName, newDependencyVersion.ToString(), DependencyType.Unknown);
         var desiredDependencies = initialTopLevelDependencies.Any(d => d.Name.Equals(dependencyName, StringComparison.OrdinalIgnoreCase))
@@ -243,7 +243,7 @@ public class FileWriterWorker
                 }
 
                 var rerunTopLevelDependencies = rerunProjectDiscovery.Dependencies
-                    .Where(d => !d.IsTransitive)
+                    .Where(d => d.IsTopLevel)
                     .ToImmutableArray();
                 var rerunDesiredDependencies = rerunTopLevelDependencies.Any(d => d.Name.Equals(dependencyName, StringComparison.OrdinalIgnoreCase))
                     ? rerunTopLevelDependencies.Select(d => d.Name.Equals(dependencyName, StringComparison.OrdinalIgnoreCase) ? newDependency : d).ToImmutableArray()
@@ -408,8 +408,7 @@ public class FileWriterWorker
             .ToImmutableArray();
 
         // try update
-        var addPackageReferenceElementForPinnedPackages = !projectDiscovery.CentralPackageTransitivePinningEnabled;
-        var success = await fileWriter.UpdatePackageVersionsAsync(repoContentsPath, relativeFilePaths, projectDiscovery.Dependencies, requiredPackageVersions, addPackageReferenceElementForPinnedPackages);
+        var success = await fileWriter.UpdatePackageVersionsAsync(repoContentsPath, relativeFilePaths, projectDiscovery.Dependencies, requiredPackageVersions, projectDiscovery.PackageManagementKind);
         var updatedFiles = new List<string>();
         foreach (var (filePath, originalContents) in originalFileContents)
         {

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Updater/FileWriters/IFileWriter.cs

@@ -1,5 +1,7 @@
 using System.Collections.Immutable;
 
+using NuGetUpdater.Core.Discover;
+
 namespace NuGetUpdater.Core.Updater.FileWriters;
 
 public interface IFileWriter
@@ -9,6 +11,6 @@ public interface IFileWriter
         ImmutableArray<string> relativeFilePaths,
         ImmutableArray<Dependency> originalDependencies,
         ImmutableArray<Dependency> requiredPackageVersions,
-        bool addPackageReferenceElementForPinnedPackages
+        PackageManagementKind packageManagementKind
     );
 }

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Updater/FileWriters/XmlFileWriter.cs

@@ -5,6 +5,7 @@ using Microsoft.Language.Xml;
 
 using NuGet.Versioning;
 
+using NuGetUpdater.Core.Discover;
 using NuGetUpdater.Core.Utilities;
 
 namespace NuGetUpdater.Core.Updater.FileWriters;
@@ -51,7 +52,7 @@ public class XmlFileWriter : IFileWriter
         ImmutableArray<string> relativeFilePaths,
         ImmutableArray<Dependency> originalDependencies,
         ImmutableArray<Dependency> requiredPackageVersions,
-        bool addPackageReferenceElementForPinnedPackages
+        PackageManagementKind packageManagementKind
     )
     {
         if (relativeFilePaths.IsDefaultOrEmpty)
@@ -185,6 +186,12 @@ public class XmlFileWriter : IFileWriter
                     .WithAttribute(IncludeAttributeName, requiredPackageVersion.Name);
 
                 // ...add the `<PackageReference>` element if and where appropriate...
+                var addPackageReferenceElementForPinnedPackages =
+                    packageManagementKind switch
+                    {
+                        PackageManagementKind.CentralPackageManagementWithTransitivePinning => false,
+                        _ => true,
+                    };
                 if (addPackageReferenceElementForPinnedPackages)
                 {
                     addItemGroup();

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Updater/PackageReferenceUpdater.cs

@@ -118,7 +118,7 @@ internal static class PackageReferenceUpdater
             // generate project.assets.json
             var parsedTargetFramework = NuGetFramework.Parse(targetFramework);
             var tempProject = await MSBuildHelper.CreateTempProjectAsync(tempDir, repoRoot, projectPath, targetFramework, topLevelDependencies, logger, importDependencyTargets: true);
-            var (exitCode, stdOut, stdErr) = await ProcessEx.RunDotnetWithoutMSBuildEnvironmentVariablesAsync(["msbuild", tempProject, "/t:Restore,GenerateBuildDependencyFile"], tempDir.FullName);
+            var (exitCode, stdOut, stdErr) = await ProcessEx.RunDotnetMSBuildSafelyAsync([tempProject, "/t:Restore,GenerateBuildDependencyFile"], tempDir.FullName);
             var assetsJsonPath = Path.Join(tempDir.FullName, "obj", "project.assets.json");
             var assetsJsonContent = await File.ReadAllTextAsync(assetsJsonPath);
 

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Updater/UpdaterWorker.cs

@@ -32,9 +32,9 @@ public class UpdaterWorker : IUpdaterWorker
         _logger = logger;
     }
 
-    public async Task RunAsync(string repoRootPath, string workspacePath, string dependencyName, string previousDependencyVersion, string newDependencyVersion, bool isTransitive, string? resultOutputPath = null)
+    public async Task RunAsync(string repoRootPath, string workspacePath, string dependencyName, string previousDependencyVersion, string newDependencyVersion, bool isTopLevel, string? resultOutputPath = null)
     {
-        var result = await RunWithErrorHandlingAsync(repoRootPath, workspacePath, dependencyName, previousDependencyVersion, newDependencyVersion, isTransitive);
+        var result = await RunWithErrorHandlingAsync(repoRootPath, workspacePath, dependencyName, previousDependencyVersion, newDependencyVersion, isTopLevel);
         if (resultOutputPath is { })
         {
             await WriteResultFile(result, resultOutputPath, _logger);
@@ -42,11 +42,11 @@ public class UpdaterWorker : IUpdaterWorker
     }
 
     // this is a convenient method for tests
-    internal async Task<UpdateOperationResult> RunWithErrorHandlingAsync(string repoRootPath, string workspacePath, string dependencyName, string previousDependencyVersion, string newDependencyVersion, bool isTransitive)
+    internal async Task<UpdateOperationResult> RunWithErrorHandlingAsync(string repoRootPath, string workspacePath, string dependencyName, string previousDependencyVersion, string newDependencyVersion, bool isTopLevel)
     {
         try
         {
-            var result = await RunAsync(repoRootPath, workspacePath, dependencyName, previousDependencyVersion, newDependencyVersion, isTransitive);
+            var result = await RunAsync(repoRootPath, workspacePath, dependencyName, previousDependencyVersion, newDependencyVersion, isTopLevel);
             return result;
         }
         catch (Exception ex)
@@ -66,7 +66,7 @@ public class UpdaterWorker : IUpdaterWorker
         }
     }
 
-    public async Task<UpdateOperationResult> RunAsync(string repoRootPath, string workspacePath, string dependencyName, string previousDependencyVersion, string newDependencyVersion, bool isTransitive)
+    public async Task<UpdateOperationResult> RunAsync(string repoRootPath, string workspacePath, string dependencyName, string previousDependencyVersion, string newDependencyVersion, bool isTopLevel)
     {
         MSBuildHelper.RegisterMSBuild(Environment.CurrentDirectory, repoRootPath, _logger);
 

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Utilities/MSBuildHelper.cs

@@ -197,10 +197,7 @@ internal static partial class MSBuildHelper
                 DependencyType.Unknown,
                 null,
                 null,
-                false,
-                false,
-                false,
-                false,
+                true,
                 false
             ))
             .ToList();
@@ -409,9 +406,8 @@ internal static partial class MSBuildHelper
         var (exitCode, stdOut, stdErr) = await HandleGlobalJsonAsync(projectDirectory, repoRoot, async () =>
         {
             var targetsHelperPath = Path.Combine(Path.GetDirectoryName(Assembly.GetExecutingAssembly().Location)!, "TargetFrameworkReporter.targets");
-            var (exitCode, stdOut, stdErr) = await ProcessEx.RunDotnetWithoutMSBuildEnvironmentVariablesAsync(
+            var (exitCode, stdOut, stdErr) = await ProcessEx.RunDotnetMSBuildSafelyAsync(
                 [
-                    "msbuild",
                     projectPath,
                     "/t:ReportTargetFramework",
                     $"/p:CustomAfterMicrosoftCommonCrossTargetingTargets={targetsHelperPath}",
@@ -527,11 +523,10 @@ internal static partial class MSBuildHelper
         var projectDirectory = Path.GetDirectoryName(projectPath)!;
         var args = new[]
         {
-            "msbuild",
             projectPath,
             "-targets"
         };
-        var (exitCode, stdOut, stdErr) = await ProcessEx.RunDotnetWithoutMSBuildEnvironmentVariablesAsync(args, projectDirectory);
+        var (exitCode, stdOut, stdErr) = await ProcessEx.RunDotnetMSBuildSafelyAsync(args, projectDirectory);
         if (exitCode != 0)
         {
             logger.Warn($"Unable to determine targets for project [{projectPath}]:\nSTDOUT:\n{stdOut}\nSTDERR:\n{stdErr}\n");
@@ -558,12 +553,11 @@ internal static partial class MSBuildHelper
         var projectDirectory = Path.GetDirectoryName(projectPath)!;
         var args = new[]
         {
-            "msbuild",
             projectPath,
             $"-getProperty:{propertyName}"
         };
 
-        var (exitCode, stdOut, stdErr) = await ProcessEx.RunDotnetWithoutMSBuildEnvironmentVariablesAsync(args, projectDirectory);
+        var (exitCode, stdOut, stdErr) = await ProcessEx.RunDotnetMSBuildSafelyAsync(args, projectDirectory);
         if (exitCode != 0)
         {
             if (stdOut.Contains("error MSB1001: Unknown switch."))
@@ -583,12 +577,11 @@ internal static partial class MSBuildHelper
 
                     // do it
                     args = [
-                        "msbuild",
                         projectPath,
                         $"/p:CustomAfterMicrosoftCommonTargets={tempTargetsPath}",
                         "/t:_Dependabot_GetProperty",
                     ];
-                    (exitCode, stdOut, stdErr) = await ProcessEx.RunDotnetWithoutMSBuildEnvironmentVariablesAsync(args, projectDirectory);
+                    (exitCode, stdOut, stdErr) = await ProcessEx.RunDotnetMSBuildSafelyAsync(args, projectDirectory);
                     if (exitCode == 0)
                     {
                         var match = Regex.Match(stdOut, "__PROPERTY_VALUE:(?<PropertyValue>[^$]*)$", RegexOptions.Multiline);

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Utilities/ProcessExtensions.cs

@@ -5,6 +5,21 @@ namespace NuGetUpdater.Core;
 
 public static class ProcessEx
 {
+    /// <summary>
+    /// Run `dotnet msbuild` with the given additional arguments.  The argument `-noAutoResponse` is always appended to
+    /// suppress `Directory.Build.rsp` inclusion.  This new set of arguments is then passed to the function
+    /// `RunDotnetWithoutMSBuildEnvironmentVariablesAsync` to prevent MSBuild from inheriting certain environment
+    /// variables.
+    /// </summary>
+    public static Task<(int ExitCode, string Output, string Error)> RunDotnetMSBuildSafelyAsync(
+        IEnumerable<string> arguments,
+        string workingDirectory,
+        IEnumerable<(string Name, string? Value)>? extraEnvironmentVariables = null
+    )
+    {
+        return RunDotnetWithoutMSBuildEnvironmentVariablesAsync(["msbuild", .. arguments, "-noAutoResponse"], workingDirectory, extraEnvironmentVariables);
+    }
+
     /// <summary>
     /// Run the `dotnet` command with the given values.  This will exclude all `MSBuild*` environment variables from the execution.
     /// </summary>