dependabot-nuget 0.272.0 → 0.273.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b33f6b0a817def66d738b6d998bedf0248881c225ddf6b97fa0a5405d92b9d23
-  data.tar.gz: 9e736306b9d21e95639627ea2fe585d2e47a8979e1096545b4da2ed49e8dbd5f
+  metadata.gz: e74194b3b13f1f629b109a0dd66cff5e6063f898a0574b0af4a47204e2eaffa1
+  data.tar.gz: bb02d23751f1c81d9f0eaafd1e9afb1c1fd3ae3f48a0b31f902c62446d431905
 SHA512:
-  metadata.gz: 4dddbe1b9c9cbf4fb9d7876c143cfbd713bf2f6ca501210ae40a7c37bb2076687ea75996042e9ccc6582a6cd535a24eb3b2caa3143b5e8c3ef8ff500455f7827
-  data.tar.gz: f51748be257babb63de285cec8981ca84e580fa48b6d6fec2a89892f485f46ae237af86ab387a584c27c8f207ba1ae16167570bffdc59cf3cd4bb64ac27e9830
+  metadata.gz: 39c13b396b743cbda78796d1539e67d9d44b222a9ca16edbc79468f29afddd83648434f534feb5f61957be751ec1e5d06b6387ebd4bbcc1aaeb88a2049fee69a
+  data.tar.gz: 16e2fa90c7e2b9214f5b63d88d8591d17a74ccee2db0dd82b0439d07fcbdaa3483297cdd5611fc5fae440e6a2511d5f0d16890166acd1a5035ac375a209f950c

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Analyze/AnalyzeWorker.cs

@@ -108,7 +108,6 @@ public partial class AnalyzeWorker
                         discovery,
                         dependenciesToUpdate,
                         updatedVersion,
-                        dependencyInfo,
                         nugetContext,
                         _logger,
                         CancellationToken.None);
@@ -360,7 +359,6 @@ public partial class AnalyzeWorker
         WorkspaceDiscoveryResult discovery,
         ImmutableHashSet<string> packageIds,
         NuGetVersion updatedVersion,
-        DependencyInfo dependencyInfo,
         NuGetContext nugetContext,
         Logger logger,
         CancellationToken cancellationToken)
@@ -381,23 +379,10 @@ public partial class AnalyzeWorker
             .Select(NuGetFramework.Parse)
             .ToImmutableArray();
 
-        // When updating dependencies, we only need to consider top-level dependencies _UNLESS_ it's specifically vulnerable
-        var relevantDependencies = projectsWithDependency.SelectMany(p => p.Dependencies)
-            .Where(d =>
-            {
-                if (string.Compare(d.Name, dependencyInfo.Name, StringComparison.OrdinalIgnoreCase) == 0 &&
-                    dependencyInfo.IsVulnerable)
-                {
-                    // if this dependency is one we're specifically updating _and_ if it's vulnerable, always update it
-                    return true;
-                }
-                else
-                {
-                    // otherwise only update if it's a top-level dependency
-                    return !d.IsTransitive;
-                }
-            });
-        var projectDependencyNames = relevantDependencies
+        // When updating peer dependencies, we only need to consider top-level dependencies.
+        var projectDependencyNames = projectsWithDependency
+            .SelectMany(p => p.Dependencies)
+            .Where(d => !d.IsTransitive)
             .Select(d => d.Name)
             .ToImmutableHashSet(StringComparer.OrdinalIgnoreCase);
 

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core.Test/Analyze/AnalyzeWorkerTests.cs

@@ -347,57 +347,6 @@ public partial class AnalyzeWorkerTests : AnalyzeWorkerTestBase
         );
     }
 
-    [Fact]
-    public async Task AnalyzeVulnerableTransitiveDependencies()
-    {
-        await TestAnalyzeAsync(
-            packages:
-            [
-                MockNuGetPackage.CreateSimplePackage("Some.Transitive.Dependency", "1.0.0", "net8.0"),
-                MockNuGetPackage.CreateSimplePackage("Some.Transitive.Dependency", "1.0.1", "net8.0"),
-            ],
-            discovery: new()
-            {
-                Path = "/",
-                Projects = [
-                    new()
-                    {
-                        FilePath = "project.csproj",
-                        TargetFrameworks = ["net8.0"],
-                        Dependencies = [
-                            new("Some.Transitive.Dependency", "1.0.0", DependencyType.Unknown, TargetFrameworks: ["net8.0"], IsTransitive: true),
-                        ]
-                    }
-                ]
-            },
-            dependencyInfo: new()
-            {
-                Name = "Some.Transitive.Dependency",
-                Version = "1.0.0",
-                IsVulnerable = true,
-                IgnoredVersions = [],
-                Vulnerabilities = [
-                    new()
-                    {
-                        DependencyName = "Some.Transitive.Dependency",
-                        PackageManager = "nuget",
-                        VulnerableVersions = [Requirement.Parse("<= 1.0.0")],
-                        SafeVersions = [Requirement.Parse("= 1.0.1")],
-                    }
-                ]
-            },
-            expectedResult: new()
-            {
-                UpdatedVersion = "1.0.1",
-                CanUpdate = true,
-                VersionComesFromMultiDependencyProperty = false,
-                UpdatedDependencies = [
-                    new("Some.Transitive.Dependency", "1.0.1", DependencyType.Unknown, TargetFrameworks: ["net8.0"]),
-                ],
-            }
-        );
-    }
-
     [Fact]
     public async Task IgnoredVersionsCanHandleWildcardSpecification()
     {

data/lib/dependabot/nuget/file_parser.rb

@@ -50,10 +50,7 @@ module Dependabot
           # cache discovery results
           NativeDiscoveryJsonReader.set_discovery_from_dependency_files(dependency_files: dependency_files,
                                                                         discovery: discovery_json_reader)
-          # we only return top-level dependencies and requirements here
-          dependency_set = discovery_json_reader.dependency_set(dependency_files: dependency_files,
-                                                                top_level_only: true)
-          dependency_set.dependencies
+          discovery_json_reader.dependency_set.dependencies
         end
 
         T.must(self.class.file_dependency_cache[key])

data/lib/dependabot/nuget/file_updater.rb

@@ -16,16 +16,6 @@ module Dependabot
     class FileUpdater < Dependabot::FileUpdaters::Base
       extend T::Sig
 
-      DependencyDetails = T.type_alias do
-        {
-          file: String,
-          name: String,
-          version: String,
-          previous_version: String,
-          is_transitive: T::Boolean
-        }
-      end
-
       sig { override.returns(T::Array[Regexp]) }
       def self.updated_files_regex
         [
@@ -62,21 +52,9 @@ module Dependabot
       def updated_dependency_files
         base_dir = "/"
         SharedHelpers.in_a_temporary_repo_directory(base_dir, repo_contents_path) do
-          expanded_dependency_details.each do |dep_details|
-            file = T.let(dep_details.fetch(:file), String)
-            name = T.let(dep_details.fetch(:name), String)
-            version = T.let(dep_details.fetch(:version), String)
-            previous_version = T.let(dep_details.fetch(:previous_version), String)
-            is_transitive = T.let(dep_details.fetch(:is_transitive), T::Boolean)
-            NativeHelpers.run_nuget_updater_tool(repo_root: T.must(repo_contents_path),
-                                                 proj_path: file,
-                                                 dependency_name: name,
-                                                 version: version,
-                                                 previous_version: previous_version,
-                                                 is_transitive: is_transitive,
-                                                 credentials: credentials)
+          dependencies.each do |dependency|
+            try_update_projects(dependency) || try_update_json(dependency)
           end
-
           updated_files = dependency_files.filter_map do |f|
             updated_content = File.read(dependency_file_path(f))
             next if updated_content == f.content
@@ -96,69 +74,104 @@ module Dependabot
 
       private
 
-      # rubocop:disable Metrics/AbcSize
-      sig { returns(T::Array[DependencyDetails]) }
-      def expanded_dependency_details
-        discovery_json_reader = NativeDiscoveryJsonReader.get_discovery_from_dependency_files(dependency_files)
-        dependency_set = discovery_json_reader.dependency_set(dependency_files: dependency_files, top_level_only: false)
-        all_dependencies = dependency_set.dependencies
-        dependencies.map do |dep|
-          # if vulnerable metadata is set, re-fetch all requirements from discovery
-          is_vulnerable = T.let(dep.metadata.fetch(:is_vulnerable, false), T::Boolean)
-          relevant_dependencies = all_dependencies.filter { |d| d.name.casecmp?(dep.name) }
-          candidate_vulnerable_dependency = T.must(relevant_dependencies.first)
-          relevant_dependency = is_vulnerable ? candidate_vulnerable_dependency : dep
-          relevant_details = relevant_dependency.requirements.filter_map do |req|
-            dependency_details_from_requirement(dep.name, req, is_vulnerable: is_vulnerable)
+      sig { params(dependency: Dependabot::Dependency).returns(T::Boolean) }
+      def try_update_projects(dependency)
+        update_ran = T.let(false, T::Boolean)
+        checked_files = Set.new
+
+        # run update for each project file
+        project_files.each do |project_file|
+          project_dependencies = project_dependencies(project_file)
+          proj_path = dependency_file_path(project_file)
+
+          next unless project_dependencies.any? { |dep| dep.name.casecmp?(dependency.name) }
+
+          next unless repo_contents_path
+
+          checked_key = "#{project_file.name}-#{dependency.name}#{dependency.version}"
+          call_nuget_updater_tool(dependency, proj_path) unless checked_files.include?(checked_key)
+
+          checked_files.add(checked_key)
+          # We need to check the downstream references even though we're already evaluated the file
+          downstream_files = referenced_project_paths(project_file)
+          downstream_files.each do |downstream_file|
+            checked_files.add("#{downstream_file}-#{dependency.name}#{dependency.version}")
           end
+          update_ran = true
+        end
+        update_ran
+      end
+
+      sig { params(dependency: Dependabot::Dependency).returns(T::Boolean) }
+      def try_update_json(dependency)
+        if dotnet_tools_json_dependencies.any? { |dep| dep.name.casecmp?(dependency.name) } ||
+           global_json_dependencies.any? { |dep| dep.name.casecmp?(dependency.name) }
+
+          # We just need to feed the updater a project file, grab the first
+          project_file = T.must(project_files.first)
+          proj_path = dependency_file_path(project_file)
+
+          return false unless repo_contents_path
+
+          call_nuget_updater_tool(dependency, proj_path)
+          return true
+        end
 
-          next relevant_details if relevant_details.any?
-
-          # If we didn't find anything to update, we're in a very specific corner case: we were explicitly asked to
-          # (1) update a certain dependency, (2) it wasn't listed as a security update, but (3) it only exists as a
-          # transitive dependency.  In this case, we need to rebuild the dependency requirements as if this were a
-          # security update so that we can perform the appropriate update.
-          candidate_vulnerable_dependency.requirements.filter_map do |req|
-            rebuilt_req = {
-              file: req[:file], # simple copy
-              requirement: relevant_dependency.version, # the newly available version
-              metadata: {
-                is_transitive: T.let(req[:metadata], T::Hash[Symbol, T.untyped])[:is_transitive], # simple copy
-                previous_requirement: req[:requirement] # the old requirement's "current" version is now the "previous"
-              }
-            }
-            dependency_details_from_requirement(dep.name, rebuilt_req, is_vulnerable: true)
+        false
+      end
+
+      sig { params(dependency: Dependency, proj_path: String).void }
+      def call_nuget_updater_tool(dependency, proj_path)
+        NativeHelpers.run_nuget_updater_tool(repo_root: T.must(repo_contents_path), proj_path: proj_path,
+                                             dependency: dependency, is_transitive: !dependency.top_level?,
+                                             credentials: credentials)
+
+        # Tests need to track how many times we call the tooling updater to ensure we don't recurse needlessly
+        # Ideally we should find a way to not run this code in prod
+        # (or a better way to track calls made to NativeHelpers)
+        @update_tooling_calls ||= T.let({}, T.nilable(T::Hash[String, Integer]))
+        key = "#{proj_path.delete_prefix(T.must(repo_contents_path))}+#{dependency.name}"
+        @update_tooling_calls[key] =
+          if @update_tooling_calls[key]
+            T.must(@update_tooling_calls[key]) + 1
+          else
+            1
           end
-        end.flatten
-      end
-      # rubocop:enable Metrics/AbcSize
-
-      sig do
-        params(
-          name: String,
-          requirement: T::Hash[Symbol, T.untyped],
-          is_vulnerable: T::Boolean
-        ).returns(T.nilable(DependencyDetails))
-      end
-      def dependency_details_from_requirement(name, requirement, is_vulnerable:)
-        metadata = T.let(requirement.fetch(:metadata), T::Hash[Symbol, T.untyped])
-        current_file = T.let(requirement.fetch(:file), String)
-        return nil unless current_file.match?(/\.(cs|vb|fs)proj$/)
-
-        is_transitive = T.let(metadata.fetch(:is_transitive), T::Boolean)
-        return nil if !is_vulnerable && is_transitive
-
-        version = T.let(requirement.fetch(:requirement), String)
-        previous_version = T.let(metadata[:previous_requirement], String)
-        return nil if version == previous_version
-
-        {
-          file: T.let(requirement.fetch(:file), String),
-          name: name,
-          version: version,
-          previous_version: previous_version,
-          is_transitive: is_transitive
-        }
+      end
+
+      # Don't call this from outside tests, we're only checking that we aren't recursing needlessly
+      sig { returns(T.nilable(T::Hash[String, Integer])) }
+      def testonly_update_tooling_calls
+        @update_tooling_calls
+      end
+
+      sig { returns(T.nilable(NativeWorkspaceDiscovery)) }
+      def workspace
+        discovery_json_reader = NativeDiscoveryJsonReader.get_discovery_from_dependency_files(dependency_files)
+        discovery_json_reader.workspace_discovery
+      end
+
+      sig { params(project_file: Dependabot::DependencyFile).returns(T::Array[String]) }
+      def referenced_project_paths(project_file)
+        workspace&.projects&.find { |p| p.file_path == project_file.name }&.referenced_project_paths || []
+      end
+
+      sig { params(project_file: Dependabot::DependencyFile).returns(T::Array[NativeDependencyDetails]) }
+      def project_dependencies(project_file)
+        workspace&.projects&.find do |p|
+          full_project_file_path = File.join(project_file.directory, project_file.name)
+          p.file_path == full_project_file_path
+        end&.dependencies || []
+      end
+
+      sig { returns(T::Array[NativeDependencyDetails]) }
+      def global_json_dependencies
+        workspace&.global_json&.dependencies || []
+      end
+
+      sig { returns(T::Array[NativeDependencyDetails]) }
+      def dotnet_tools_json_dependencies
+        workspace&.dotnet_tools_json&.dependencies || []
       end
 
       # rubocop:disable Metrics/PerceivedComplexity

data/lib/dependabot/nuget/native_discovery/native_dependency_file_discovery.rb

@@ -106,20 +106,22 @@ module Dependabot
           .returns(T.nilable(T::Hash[Symbol, T.untyped]))
       end
       def build_requirement(file_name, dependency_details)
+        return if dependency_details.is_transitive
+
         version = dependency_details.version
         version = nil if version&.empty?
-        metadata = { is_transitive: dependency_details.is_transitive }
 
         requirement = {
           requirement: version,
           file: file_name,
           groups: [dependency_details.is_dev_dependency ? "devDependencies" : "dependencies"],
-          source: nil,
-          metadata: metadata
+          source: nil
         }
 
         property_name = dependency_details.evaluation&.root_property_name
-        metadata[:property_name] = property_name if property_name
+        return requirement unless property_name
+
+        requirement[:metadata] = { property_name: property_name }
         requirement
       end
     end

data/lib/dependabot/nuget/native_discovery/native_discovery_json_reader.rb

@@ -125,90 +125,16 @@ module Dependabot
       sig { returns(T.nilable(NativeWorkspaceDiscovery)) }
       attr_reader :workspace_discovery
 
+      sig { returns(Dependabot::FileParsers::Base::DependencySet) }
+      attr_reader :dependency_set
+
       sig { params(discovery_json: DependencyFile).void }
       def initialize(discovery_json:)
         @discovery_json = discovery_json
         @workspace_discovery = T.let(read_workspace_discovery, T.nilable(Dependabot::Nuget::NativeWorkspaceDiscovery))
+        @dependency_set = T.let(read_dependency_set, Dependabot::FileParsers::Base::DependencySet)
       end
 
-      # rubocop:disable Metrics/AbcSize
-      # rubocop:disable Metrics/MethodLength
-      # rubocop:disable Metrics/PerceivedComplexity
-      sig do
-        params(
-          dependency_files: T::Array[Dependabot::DependencyFile],
-          top_level_only: T::Boolean
-        ).returns(Dependabot::FileParsers::Base::DependencySet)
-      end
-      def dependency_set(dependency_files:, top_level_only:)
-        # dependencies must be recalculated so that we:
-        #   1. only return dependencies that are in the file set we reported earlier
-        #      see https://github.com/dependabot/dependabot-core/issues/10303
-        #   2. the reported version is the minimum across all requirements; this ensures that we get the opportunity
-        #      to update everything later
-        dependency_file_set = T.let(Set.new(dependency_files.map do |df|
-          Pathname.new(File.join(df.directory, df.name)).cleanpath.to_path
-        end), T::Set[String])
-
-        rebuilt_dependencies = read_dependency_set.dependencies.filter_map do |dep|
-          # only report requirements in files we know about
-          matching_requirements = dep.requirements.filter do |req|
-            file = T.let(req.fetch(:file), String)
-            dependency_file_set.include?(file)
-          end
-
-          # find the minimum version across all requirements
-          min_version = matching_requirements.filter_map do |req|
-            v = T.let(req.fetch(:requirement), T.nilable(String))
-            next unless v
-
-            Dependabot::Nuget::Version.new(v)
-          end.min
-          next unless min_version
-
-          # only return dependency requirements that are top-level
-          if top_level_only
-            matching_requirements.reject! do |req|
-              metadata = T.let(req.fetch(:metadata), T::Hash[Symbol, T.untyped])
-              T.let(metadata.fetch(:is_transitive), T::Boolean)
-            end
-          end
-
-          # we might need to return a dependency like this
-          dep_without_reqs = Dependabot::Dependency.new(
-            name: dep.name,
-            version: min_version.to_s,
-            package_manager: "nuget",
-            requirements: []
-          )
-
-          dep_with_reqs = matching_requirements.filter_map do |req|
-            version = T.let(req.fetch(:requirement, nil), T.nilable(String))
-            next unless version
-
-            Dependabot::Dependency.new(
-              name: dep.name,
-              version: min_version.to_s,
-              package_manager: "nuget",
-              requirements: [req]
-            )
-          end
-
-          # if only returning top-level dependencies and we had no non-transitive requirements, return an empty
-          # dependency so it can be tracked for security updates
-          matching_requirements.empty? && top_level_only ? [dep_without_reqs] : dep_with_reqs
-        end.flatten
-
-        final_dependency_set = Dependabot::FileParsers::Base::DependencySet.new
-        rebuilt_dependencies.each do |dep|
-          final_dependency_set << dep
-        end
-        final_dependency_set
-      end
-      # rubocop:enable Metrics/PerceivedComplexity
-      # rubocop:enable Metrics/MethodLength
-      # rubocop:enable Metrics/AbcSize
-
       private
 
       sig { returns(DependencyFile) }

data/lib/dependabot/nuget/native_discovery/native_project_discovery.rb

@@ -1,7 +1,6 @@
 # typed: strong
 # frozen_string_literal: true
 
-require "dependabot/file_parsers/base/dependency_set"
 require "dependabot/nuget/native_discovery/native_dependency_details"
 require "dependabot/nuget/native_discovery/native_property_details"
 require "sorbet-runtime"

data/lib/dependabot/nuget/native_helpers.rb

@@ -171,18 +171,10 @@ module Dependabot
 
       # rubocop:disable Metrics/MethodLength
       sig do
-        params(
-          repo_root: String,
-          proj_path: String,
-          dependency_name: String,
-          version: String,
-          previous_version: String,
-          is_transitive: T::Boolean,
-          result_output_path: String
-        ).returns([String, String])
+        params(repo_root: String, proj_path: String, dependency: Dependency,
+               is_transitive: T::Boolean, result_output_path: String).returns([String, String])
       end
-      def self.get_nuget_updater_tool_command(repo_root:, proj_path:, dependency_name:, version:, previous_version:,
-                                              is_transitive:, result_output_path:)
+      def self.get_nuget_updater_tool_command(repo_root:, proj_path:, dependency:, is_transitive:, result_output_path:)
         exe_path = File.join(native_helpers_root, "NuGetUpdater", "NuGetUpdater.Cli")
         command_parts = [
           exe_path,
@@ -192,11 +184,11 @@ module Dependabot
           "--solution-or-project",
           proj_path,
           "--dependency",
-          dependency_name,
+          dependency.name,
           "--new-version",
-          version,
+          dependency.version,
           "--previous-version",
-          previous_version,
+          dependency.previous_version,
           is_transitive ? "--transitive" : nil,
           "--result-output-path",
           result_output_path,
@@ -237,21 +229,14 @@ module Dependabot
         params(
           repo_root: String,
           proj_path: String,
-          dependency_name: String,
-          version: String,
-          previous_version: String,
+          dependency: Dependency,
           is_transitive: T::Boolean,
           credentials: T::Array[Dependabot::Credential]
         ).void
       end
-      def self.run_nuget_updater_tool(repo_root:, proj_path:, dependency_name:, version:, previous_version:,
-                                      is_transitive:, credentials:)
-        (command, fingerprint) = get_nuget_updater_tool_command(repo_root: repo_root,
-                                                                proj_path: proj_path,
-                                                                dependency_name: dependency_name,
-                                                                version: version,
-                                                                previous_version: previous_version,
-                                                                is_transitive: is_transitive,
+      def self.run_nuget_updater_tool(repo_root:, proj_path:, dependency:, is_transitive:, credentials:)
+        (command, fingerprint) = get_nuget_updater_tool_command(repo_root: repo_root, proj_path: proj_path,
+                                                                dependency: dependency, is_transitive: is_transitive,
                                                                 result_output_path: update_result_file_path)
 
         puts "running NuGet updater:\n" + command

data/lib/dependabot/nuget/native_update_checker/native_requirements_updater.rb

@@ -21,18 +21,15 @@ module Dependabot
         sig do
           params(
             requirements: T::Array[T::Hash[Symbol, T.untyped]],
-            dependency_details: T.nilable(Dependabot::Nuget::NativeDependencyDetails),
-            vulnerable: T::Boolean
+            dependency_details: T.nilable(Dependabot::Nuget::NativeDependencyDetails)
           )
             .void
         end
-        def initialize(requirements:, dependency_details:, vulnerable:)
+        def initialize(requirements:, dependency_details:)
           @requirements = requirements
           @dependency_details = dependency_details
-          @vulnerable = vulnerable
         end
 
-        # rubocop:disable Metrics/PerceivedComplexity
         sig { returns(T::Array[T::Hash[Symbol, T.untyped]]) }
         def updated_requirements
           return requirements unless clean_version
@@ -40,18 +37,13 @@ module Dependabot
           # NOTE: Order is important here. The FileUpdater needs the updated
           # requirement at index `i` to correspond to the previous requirement
           # at the same index.
-          requirements.filter_map do |req|
-            next if !@vulnerable && req[:metadata][:is_transitive]
-
-            previous_requirement = req.fetch(:requirement)
-            req[:metadata][:previous_requirement] = previous_requirement
-
-            next req if previous_requirement.nil?
-            next req if previous_requirement.include?(",")
+          requirements.map do |req|
+            next req if req.fetch(:requirement).nil?
+            next req if req.fetch(:requirement).include?(",")
 
             new_req =
-              if previous_requirement.include?("*")
-                update_wildcard_requirement(previous_requirement)
+              if req.fetch(:requirement).include?("*")
+                update_wildcard_requirement(req.fetch(:requirement))
               else
                 # Since range requirements are excluded by the line above we can
                 # replace anything that looks like a version with the new
@@ -62,7 +54,7 @@ module Dependabot
                 )
               end
 
-            next req if new_req == previous_requirement
+            next req if new_req == req.fetch(:requirement)
 
             new_source = req[:source]&.dup
             unless @dependency_details.nil?
@@ -75,7 +67,6 @@ module Dependabot
             req.merge({ requirement: new_req, source: new_source })
           end
         end
-        # rubocop:enable Metrics/PerceivedComplexity
 
         private
 

data/lib/dependabot/nuget/native_update_checker/native_update_checker.rb

@@ -56,8 +56,7 @@ module Dependabot
         dep_details = updated_dependency_details.find { |d| d.name.casecmp?(dependency.name) }
         NativeRequirementsUpdater.new(
           requirements: dependency.requirements,
-          dependency_details: dep_details,
-          vulnerable: vulnerable?
+          dependency_details: dep_details
         ).updated_requirements
       end
 
@@ -113,10 +112,9 @@ module Dependabot
 
       sig { void }
       def write_dependency_info
-        dependency_version = T.let(dependency.requirements.first&.fetch(:requirement, nil), T.nilable(String))
         dependency_info = {
           Name: dependency.name,
-          Version: dependency_version || dependency.version.to_s,
+          Version: dependency.version.to_s,
           IsVulnerable: vulnerable?,
           IgnoredVersions: ignored_versions,
           Vulnerabilities: security_advisories.map do |vulnerability|
@@ -143,7 +141,7 @@ module Dependabot
       sig { returns(Dependabot::FileParsers::Base::DependencySet) }
       def discovered_dependencies
         discovery_json_reader = NativeDiscoveryJsonReader.get_discovery_from_dependency_files(dependency_files)
-        discovery_json_reader.dependency_set(dependency_files: dependency_files, top_level_only: false)
+        discovery_json_reader.dependency_set
       end
 
       sig { override.returns(T::Boolean) }
@@ -152,10 +150,6 @@ module Dependabot
         true
       end
 
-      # rubocop:disable Metrics/AbcSize
-      # rubocop:disable Metrics/BlockLength
-      # rubocop:disable Metrics/MethodLength
-      # rubocop:disable Metrics/PerceivedComplexity
       sig { override.returns(T::Array[Dependabot::Dependency]) }
       def updated_dependencies_after_full_unlock
         dependencies = discovered_dependencies.dependencies
@@ -163,16 +157,14 @@ module Dependabot
           dep = dependencies.find { |d| d.name.casecmp(dependency_details.name)&.zero? }
           next unless dep
 
-          dep_metadata = T.let({}, T::Hash[Symbol, T.untyped])
+          metadata = {}
           # For peer dependencies, instruct updater to not directly update this dependency
-          dep_metadata[:information_only] = true unless dependency.name.casecmp(dependency_details.name)&.zero?
-          dep_metadata[:is_vulnerable] = vulnerable?
+          metadata = { information_only: true } unless dependency.name.casecmp(dependency_details.name)&.zero?
 
           # rebuild the new requirements with the updated dependency details
           updated_reqs = dep.requirements.map do |r|
             r = r.clone
-            T.let(r[:metadata], T::Hash[Symbol, T.untyped])[:previous_requirement] = r[:requirement] # keep old version
-            r[:requirement] = dependency_details.version # set new version
+            r[:requirement] = dependency_details.version
             r[:source] = {
               type: "nuget_repo",
               source_url: dependency_details.info_url
@@ -180,44 +172,17 @@ module Dependabot
             r
           end
 
-          reqs = dep.requirements
-          unless vulnerable?
-            updated_reqs = updated_reqs.filter do |r|
-              req_metadata = T.let(r.fetch(:metadata, {}), T::Hash[Symbol, T.untyped])
-              !T.let(req_metadata[:is_transitive], T::Boolean)
-            end
-            reqs = reqs.filter do |r|
-              req_metadata = T.let(r.fetch(:metadata, {}), T::Hash[Symbol, T.untyped])
-              !T.let(req_metadata[:is_transitive], T::Boolean)
-            end
-          end
-
-          # report back the highest version that all of these dependencies can be updated to
-          # this will ensure that we get a chance to update all relevant dependencies
-          max_updatable_version = updated_reqs.filter_map do |r|
-            v = T.let(r.fetch(:requirement, nil), T.nilable(String))
-            next unless v
-
-            Dependabot::Nuget::Version.new(v)
-          end.max
-          next unless max_updatable_version
-
-          previous_version = T.let(dep.requirements.first&.fetch(:requirement, nil), T.nilable(String))
           Dependency.new(
             name: dep.name,
-            version: max_updatable_version.to_s,
+            version: dependency_details.version,
             requirements: updated_reqs,
-            previous_version: previous_version,
-            previous_requirements: reqs,
+            previous_version: dep.version,
+            previous_requirements: dep.requirements,
             package_manager: dep.package_manager,
-            metadata: dep_metadata
+            metadata: metadata
           )
         end
       end
-      # rubocop:enable Metrics/PerceivedComplexity
-      # rubocop:enable Metrics/MethodLength
-      # rubocop:enable Metrics/BlockLength
-      # rubocop:enable Metrics/AbcSize
 
       sig { returns(T::Array[Dependabot::Nuget::NativeDependencyDetails]) }
       def updated_dependency_details

data/lib/dependabot/nuget/update_checker/requirements_updater.rb

@@ -37,11 +37,10 @@ module Dependabot
         def updated_requirements
           return requirements unless latest_version
 
+          # NOTE: Order is important here. The FileUpdater needs the updated
+          # requirement at index `i` to correspond to the previous requirement
+          # at the same index.
           requirements.map do |req|
-            req[:metadata] ||= {}
-            req[:metadata][:is_transitive] = false
-            req[:metadata][:previous_requirement] = req[:requirement]
-
             next req if req.fetch(:requirement).nil?
             next req if req.fetch(:requirement).include?(",")
 
@@ -57,6 +56,7 @@ module Dependabot
                   latest_version.to_s
                 )
               end
+
             next req if new_req == req.fetch(:requirement)
 
             req.merge(requirement: new_req, source: updated_source)

data/lib/dependabot/nuget/update_checker.rb

@@ -166,8 +166,7 @@ module Dependabot
           requirements: updated_requirements,
           previous_version: dependency.version,
           previous_requirements: dependency.requirements,
-          package_manager: dependency.package_manager,
-          metadata: { is_vulnerable: vulnerable? }
+          package_manager: dependency.package_manager
         )
         updated_dependencies = [updated_dependency]
         updated_dependencies += DependencyFinder.new(

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-nuget
 version: !ruby/object:Gem::Version
-  version: 0.272.0
+  version: 0.273.0
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2024-08-22 00:00:00.000000000 Z
+date: 2024-08-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.272.0
+        version: 0.273.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.272.0
+        version: 0.273.0
 - !ruby/object:Gem::Dependency
   name: rubyzip
   requirement: !ruby/object:Gem::Requirement
@@ -463,7 +463,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.272.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.273.0
 post_install_message: 
 rdoc_options: []
 require_paths: