upd-cli 0.0.23__tar.gz → 0.0.25__tar.gz

{upd_cli-0.0.23 → upd_cli-0.0.25}/CHANGELOG.md

@@ -5,6 +5,20 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+
+## [0.0.25](https://github.com/rvben/upd/compare/v0.0.24...v0.0.25) - 2026-04-15
+
+### Fixed
+
+- **pypi**: handle string-valued yanked field in PEP 691 JSON Simple API ([b17034b](https://github.com/rvben/upd/commit/b17034b540f6a5b62e446131c6e87f43695bbd9b))
+
+## [0.0.24] - 2026-03-23
+
+### Added
+
+- **NuGet/.NET support**: Update `PackageReference` and `PackageVersion` elements in `.csproj` and `Directory.Packages.props` files via the NuGet v3 API
+- **Gemfile.lock regeneration**: `--lock` flag now supports Ruby projects (runs `bundle install`)
+
 ## [0.0.23] - 2026-03-23
 
 ### Added

{upd_cli-0.0.23 → upd_cli-0.0.25}/Cargo.lock

@@ -1780,7 +1780,7 @@ checksum = "8ecb6da28b8a351d773b68d5825ac39017e680750f980f3a1a85cd8dd28a47c1"
 
 [[package]]
 name = "upd"
-version = "0.0.23"
+version = "0.0.25"
 dependencies = [
  "anyhow",
  "async-trait",

{upd_cli-0.0.23 → upd_cli-0.0.25}/Cargo.toml

@@ -1,9 +1,9 @@
 [package]
 name = "upd"
-version = "0.0.23"
+version = "0.0.25"
 edition = "2024"
 rust-version = "1.91.1"
-description = "A fast dependency updater for Python, Node.js, Rust, Go, and GitHub Actions projects"
+description = "A fast dependency updater for Python, Node.js, Rust, Go, Ruby, Terraform, GitHub Actions, pre-commit, and Mise projects"
 license = "MIT"
 repository = "https://github.com/rvben/upd"
 homepage = "https://github.com/rvben/upd"

upd_cli-0.0.25/Makefile

@@ -0,0 +1,57 @@
+.PHONY: build release test lint fmt check clean run install release-patch release-minor release-major
+
+# Build debug binary
+build:
+	cargo build
+
+# Build release binary
+release:
+	cargo build --release
+
+# Run all tests
+test:
+	cargo test
+
+# Run tests with output
+test-verbose:
+	cargo test -- --nocapture
+
+# Run clippy lints
+lint:
+	cargo clippy -- -D warnings
+
+# Format code
+fmt:
+	cargo fmt
+
+# Check formatting without changing files
+fmt-check:
+	cargo fmt -- --check
+
+# Run all checks (format, lint, test)
+check: fmt-check lint test
+
+# Clean build artifacts
+clean:
+	cargo clean
+
+# Run debug build
+run:
+	cargo run
+
+# Run with arguments
+run-release:
+	./target/release/upd
+
+# Install to ~/.cargo/bin
+install:
+	cargo install --path .
+
+release-patch:
+	vership bump patch
+
+release-minor:
+	vership bump minor
+
+release-major:
+	vership bump major

{upd_cli-0.0.23 → upd_cli-0.0.25}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: upd-cli
-Version: 0.0.23
+Version: 0.0.25
 Classifier: Development Status :: 4 - Beta
 Classifier: Environment :: Console
 Classifier: Intended Audience :: Developers
@@ -10,8 +10,8 @@ Classifier: Programming Language :: Python :: 3
 Classifier: Programming Language :: Rust
 Classifier: Topic :: Software Development :: Build Tools
 License-File: LICENSE
-Summary: A fast dependency updater for Python and Node.js projects
-Keywords: dependencies,update,python,nodejs,npm
+Summary: A fast dependency updater for Python, Node.js, Rust, Go, Ruby, Terraform, GitHub Actions, pre-commit, and Mise projects
+Keywords: dependencies,update,python,nodejs,rust,go,ruby,terraform,github-actions
 Home-Page: https://github.com/rvben/upd
 Author-email: Ruben Jongejan <ruben.jongejan@gmail.com>
 License: MIT
@@ -27,7 +27,7 @@ Project-URL: Repository, https://github.com/rvben/upd
 
 # upd
 
-A fast dependency updater for Python, Node.js, Rust, Go, Ruby, Terraform, GitHub Actions, pre-commit, and Mise projects, written in Rust.
+A fast dependency updater for Python, Node.js, Rust, Go, Ruby, .NET, Terraform, GitHub Actions, pre-commit, and Mise projects, written in Rust.
 
 ## Quick Start
 
@@ -44,7 +44,7 @@ uvx --from upd-cli upd -n
 
 ## Features
 
-- **Multi-ecosystem**: Python, Node.js, Rust, Go, Ruby, Terraform, GitHub Actions, pre-commit, Mise/asdf
+- **Multi-ecosystem**: Python, Node.js, Rust, Go, Ruby, .NET, Terraform, GitHub Actions, pre-commit, Mise/asdf
 - **Fast**: Parallel registry requests for all dependencies
 - **Constraint-aware**: Respects version constraints like `>=2.0,<3` and `~> 7.1`
 - **Smart caching**: 24-hour version cache for faster subsequent runs
@@ -129,6 +129,7 @@ upd --lang python --lang go # Update Python and Go only
 upd --lang actions          # Update only GitHub Actions
 upd --lang pre-commit       # Update only pre-commit hooks
 upd --lang ruby             # Update only Ruby gems
+upd --lang dot-net          # Update only .NET NuGet packages
 upd --lang terraform        # Update only Terraform providers/modules
 upd --lang mise             # Update only Mise/asdf tools
 
@@ -191,6 +192,14 @@ upd audit --check  # Exit 1 if vulnerabilities found (for CI)
 
 - `Gemfile` (gem declarations with version constraints)
 
+### .NET / NuGet
+
+- `.csproj` files (`PackageReference` elements)
+- `Directory.Packages.props` and `Directory.Build.props` (`PackageVersion` elements)
+- Supports both inline `Version` attributes and child `<Version>` elements
+- Queries the NuGet v3 API (`api.nuget.org`)
+- Skips range version constraints (`[1.0, 2.0)`)
+
 ### Terraform / OpenTofu
 
 - `.tf` files (HCL format)
@@ -324,7 +333,7 @@ Checking 42 unique package(s) for vulnerabilities...
 Summary: 2 vulnerable package(s), 3 total vulnerability/ies
 ```
 
-**Supported ecosystems for auditing:** PyPI, npm, crates.io, Go, RubyGems
+**Supported ecosystems for auditing:** PyPI, npm, crates.io, Go, RubyGems, NuGet
 
 **CI/CD Integration:**
 
@@ -586,8 +595,8 @@ Add `upd` to your `.pre-commit-config.yaml`:
 
 ```yaml
 repos:
-  - repo: https://github.com/rvben/upd
-    rev: v0.0.22  # Use the latest version
+  - repo: https://github.com/rvben/upd-pre-commit
+    rev: v0.0.24
     hooks:
       - id: upd-check
         # Optional: only check specific ecosystems
@@ -601,9 +610,7 @@ Available hooks:
 | `upd-check` | Fail if any dependencies are outdated |
 | `upd-check-major` | Fail only on major (breaking) updates |
 
-Both hooks run on `pre-push` by default and trigger when dependency files change.
-
-**Note:** Requires `upd` to be installed and available in PATH.
+Both hooks run on `pre-push` by default. Uses `language: python` which installs `upd-cli` from PyPI automatically — no manual installation needed.
 
 ## Development
 

{upd_cli-0.0.23 → upd_cli-0.0.25}/README.md

@@ -4,7 +4,7 @@
 
 # upd
 
-A fast dependency updater for Python, Node.js, Rust, Go, Ruby, Terraform, GitHub Actions, pre-commit, and Mise projects, written in Rust.
+A fast dependency updater for Python, Node.js, Rust, Go, Ruby, .NET, Terraform, GitHub Actions, pre-commit, and Mise projects, written in Rust.
 
 ## Quick Start
 
@@ -21,7 +21,7 @@ uvx --from upd-cli upd -n
 
 ## Features
 
-- **Multi-ecosystem**: Python, Node.js, Rust, Go, Ruby, Terraform, GitHub Actions, pre-commit, Mise/asdf
+- **Multi-ecosystem**: Python, Node.js, Rust, Go, Ruby, .NET, Terraform, GitHub Actions, pre-commit, Mise/asdf
 - **Fast**: Parallel registry requests for all dependencies
 - **Constraint-aware**: Respects version constraints like `>=2.0,<3` and `~> 7.1`
 - **Smart caching**: 24-hour version cache for faster subsequent runs
@@ -106,6 +106,7 @@ upd --lang python --lang go # Update Python and Go only
 upd --lang actions          # Update only GitHub Actions
 upd --lang pre-commit       # Update only pre-commit hooks
 upd --lang ruby             # Update only Ruby gems
+upd --lang dot-net          # Update only .NET NuGet packages
 upd --lang terraform        # Update only Terraform providers/modules
 upd --lang mise             # Update only Mise/asdf tools
 
@@ -168,6 +169,14 @@ upd audit --check  # Exit 1 if vulnerabilities found (for CI)
 
 - `Gemfile` (gem declarations with version constraints)
 
+### .NET / NuGet
+
+- `.csproj` files (`PackageReference` elements)
+- `Directory.Packages.props` and `Directory.Build.props` (`PackageVersion` elements)
+- Supports both inline `Version` attributes and child `<Version>` elements
+- Queries the NuGet v3 API (`api.nuget.org`)
+- Skips range version constraints (`[1.0, 2.0)`)
+
 ### Terraform / OpenTofu
 
 - `.tf` files (HCL format)
@@ -301,7 +310,7 @@ Checking 42 unique package(s) for vulnerabilities...
 Summary: 2 vulnerable package(s), 3 total vulnerability/ies
 ```
 
-**Supported ecosystems for auditing:** PyPI, npm, crates.io, Go, RubyGems
+**Supported ecosystems for auditing:** PyPI, npm, crates.io, Go, RubyGems, NuGet
 
 **CI/CD Integration:**
 
@@ -563,8 +572,8 @@ Add `upd` to your `.pre-commit-config.yaml`:
 
 ```yaml
 repos:
-  - repo: https://github.com/rvben/upd
-    rev: v0.0.22  # Use the latest version
+  - repo: https://github.com/rvben/upd-pre-commit
+    rev: v0.0.24
     hooks:
       - id: upd-check
         # Optional: only check specific ecosystems
@@ -578,9 +587,7 @@ Available hooks:
 | `upd-check` | Fail if any dependencies are outdated |
 | `upd-check-major` | Fail only on major (breaking) updates |
 
-Both hooks run on `pre-push` by default and trigger when dependency files change.
-
-**Note:** Requires `upd` to be installed and available in PATH.
+Both hooks run on `pre-push` by default. Uses `language: python` which installs `upd-cli` from PyPI automatically — no manual installation needed.
 
 ## Development
 

{upd_cli-0.0.23 → upd_cli-0.0.25}/pyproject.toml

@@ -5,11 +5,11 @@ build-backend = "maturin"
 [project]
 name = "upd-cli"
 dynamic = ["version"]
-description = "A fast dependency updater for Python and Node.js projects"
+description = "A fast dependency updater for Python, Node.js, Rust, Go, Ruby, Terraform, GitHub Actions, pre-commit, and Mise projects"
 readme = "README.md"
 license = { text = "MIT" }
 authors = [{ name = "Ruben Jongejan", email = "ruben.jongejan@gmail.com" }]
-keywords = ["dependencies", "update", "python", "nodejs", "npm"]
+keywords = ["dependencies", "update", "python", "nodejs", "rust", "go", "ruby", "terraform", "github-actions"]
 classifiers = [
     "Development Status :: 4 - Beta",
     "Environment :: Console",

{upd_cli-0.0.23 → upd_cli-0.0.25}/src/align.rs

@@ -4,8 +4,8 @@
 //! used across multiple dependency files and update all occurrences to that version.
 
 use crate::updater::{
-    CargoTomlUpdater, FileType, GemfileUpdater, GithubActionsUpdater, GoModUpdater, Lang,
-    MiseUpdater, PackageJsonUpdater, ParsedDependency, PreCommitUpdater, PyProjectUpdater,
+    CargoTomlUpdater, CsprojUpdater, FileType, GemfileUpdater, GithubActionsUpdater, GoModUpdater,
+    Lang, MiseUpdater, PackageJsonUpdater, ParsedDependency, PreCommitUpdater, PyProjectUpdater,
     RequirementsUpdater, TerraformUpdater, Updater,
 };
 use anyhow::Result;
@@ -78,6 +78,7 @@ fn get_updater(file_type: FileType) -> Box<dyn Updater> {
         FileType::CargoToml => Box::new(CargoTomlUpdater::new()),
         FileType::GoMod => Box::new(GoModUpdater::new()),
         FileType::Gemfile => Box::new(GemfileUpdater::new()),
+        FileType::Csproj => Box::new(CsprojUpdater::new()),
         FileType::GithubActions => Box::new(GithubActionsUpdater::new()),
         FileType::PreCommitConfig => Box::new(PreCommitUpdater::new()),
         FileType::MiseToml | FileType::ToolVersions => Box::new(MiseUpdater::new()),
@@ -179,7 +180,7 @@ fn is_stable_version(version: &str, lang: Lang) -> bool {
                 && !v.contains("beta")
                 && !v.contains("dev")
         }
-        Lang::Node | Lang::Rust | Lang::Go => {
+        Lang::Node | Lang::Rust | Lang::Go | Lang::DotNet => {
             // Semver pre-release indicator: hyphen followed by identifier
             !version.contains('-')
         }
@@ -201,7 +202,7 @@ fn is_stable_version(version: &str, lang: Lang) -> bool {
 fn compare_versions(a: &str, b: &str, lang: Lang) -> std::cmp::Ordering {
     match lang {
         Lang::Python => compare_pep440(a, b),
-        Lang::Node | Lang::Rust | Lang::Ruby => compare_semver(a, b),
+        Lang::Node | Lang::Rust | Lang::Ruby | Lang::DotNet => compare_semver(a, b),
         Lang::Go => compare_go_version(a, b),
         Lang::Actions | Lang::PreCommit | Lang::Mise | Lang::Terraform => {
             let clean_a = a.trim_start_matches('v');

{upd_cli-0.0.23 → upd_cli-0.0.25}/src/cache.rs

@@ -27,6 +27,8 @@ pub struct Cache {
     rubygems: HashMap<String, CacheEntry>,
     #[serde(default)]
     terraform: HashMap<String, CacheEntry>,
+    #[serde(default)]
+    nuget: HashMap<String, CacheEntry>,
 }
 
 #[derive(Debug, Serialize, Deserialize, Clone)]
@@ -83,6 +85,7 @@ impl Cache {
             "github-releases" => &self.github_releases,
             "rubygems" => &self.rubygems,
             "terraform" => &self.terraform,
+            "nuget" => &self.nuget,
             _ => return None,
         };
 
@@ -104,6 +107,7 @@ impl Cache {
             "github-releases" => &mut self.github_releases,
             "rubygems" => &mut self.rubygems,
             "terraform" => &mut self.terraform,
+            "nuget" => &mut self.nuget,
             _ => return,
         };
 
@@ -167,6 +171,8 @@ impl Cache {
             .retain(|_, entry| !Self::is_expired(entry.fetched_at));
         self.terraform
             .retain(|_, entry| !Self::is_expired(entry.fetched_at));
+        self.nuget
+            .retain(|_, entry| !Self::is_expired(entry.fetched_at));
     }
 }
 

{upd_cli-0.0.23 → upd_cli-0.0.25}/src/cli.rs

@@ -7,7 +7,7 @@ use std::path::PathBuf;
 #[command(
     author,
     version,
-    about = "A fast dependency updater for Python, Node.js, Rust, Go, Ruby, Terraform, GitHub Actions, pre-commit, and Mise/asdf projects"
+    about = "A fast dependency updater for Python, Node.js, Rust, Go, Ruby, .NET, Terraform, GitHub Actions, pre-commit, and Mise/asdf projects"
 )]
 pub struct Cli {
     #[command(subcommand)]

{upd_cli-0.0.23 → upd_cli-0.0.25}/src/lib.rs

@@ -16,7 +16,7 @@ pub use cli::{Cli, Command};
 pub use config::UpdConfig;
 pub use lockfile::{LockfileType, detect_lockfiles, regenerate_lockfiles};
 pub use registry::{
-    GitHubReleasesRegistry, NpmRegistry, PyPiRegistry, Registry, RubyGemsRegistry,
+    GitHubReleasesRegistry, NpmRegistry, NuGetRegistry, PyPiRegistry, Registry, RubyGemsRegistry,
     TerraformRegistry,
 };
 pub use updater::{FileType, Lang, UpdateResult, Updater, discover_files};

{upd_cli-0.0.23 → upd_cli-0.0.25}/src/lockfile.rs

@@ -27,6 +27,8 @@ pub enum LockfileType {
     CargoLock,
     /// go.sum - regenerated with `go mod tidy`
     GoSum,
+    /// Gemfile.lock - regenerated with `bundle install`
+    GemfileLock,
 }
 
 impl LockfileType {
@@ -41,6 +43,7 @@ impl LockfileType {
             LockfileType::BunLock => "bun.lockb",
             LockfileType::CargoLock => "Cargo.lock",
             LockfileType::GoSum => "go.sum",
+            LockfileType::GemfileLock => "Gemfile.lock",
         }
     }
 
@@ -55,6 +58,7 @@ impl LockfileType {
             LockfileType::BunLock => ("bun", &["install"]),
             LockfileType::CargoLock => ("cargo", &["update"]),
             LockfileType::GoSum => ("go", &["mod", "tidy"]),
+            LockfileType::GemfileLock => ("bundle", &["install"]),
         }
     }
 
@@ -68,6 +72,7 @@ impl LockfileType {
             | LockfileType::BunLock => "package.json",
             LockfileType::CargoLock => "Cargo.toml",
             LockfileType::GoSum => "go.mod",
+            LockfileType::GemfileLock => "Gemfile",
         }
     }
 }
@@ -131,6 +136,16 @@ pub fn detect_lockfiles(manifest_path: &Path) -> Vec<LockfileType> {
         lockfiles.push(LockfileType::GoSum);
     }
 
+    // Check for Ruby lockfile (only if manifest is Gemfile)
+    if manifest_path
+        .file_name()
+        .map(|n| n == "Gemfile")
+        .unwrap_or(false)
+        && dir.join("Gemfile.lock").exists()
+    {
+        lockfiles.push(LockfileType::GemfileLock);
+    }
+
     lockfiles
 }
 
@@ -407,4 +422,61 @@ mod tests {
         let detected = detect_lockfiles(&manifest);
         assert!(detected.is_empty());
     }
+
+    #[test]
+    fn test_lockfile_type_gemfile_filename() {
+        assert_eq!(LockfileType::GemfileLock.filename(), "Gemfile.lock");
+    }
+
+    #[test]
+    fn test_lockfile_type_gemfile_command() {
+        let (cmd, args) = LockfileType::GemfileLock.command();
+        assert_eq!(cmd, "bundle");
+        assert_eq!(args, &["install"]);
+    }
+
+    #[test]
+    fn test_lockfile_type_gemfile_manifest() {
+        assert_eq!(LockfileType::GemfileLock.manifest(), "Gemfile");
+    }
+
+    #[test]
+    fn test_detect_lockfiles_gemfile() {
+        let dir = tempdir().unwrap();
+        let manifest = dir.path().join("Gemfile");
+        let lockfile = dir.path().join("Gemfile.lock");
+
+        fs::write(&manifest, "source 'https://rubygems.org'").unwrap();
+        fs::write(&lockfile, "").unwrap();
+
+        let detected = detect_lockfiles(&manifest);
+        assert_eq!(detected.len(), 1);
+        assert_eq!(detected[0], LockfileType::GemfileLock);
+    }
+
+    #[test]
+    fn test_detect_lockfiles_gemfile_no_lockfile() {
+        // Gemfile without Gemfile.lock should not detect any lockfile
+        let dir = tempdir().unwrap();
+        let manifest = dir.path().join("Gemfile");
+
+        fs::write(&manifest, "source 'https://rubygems.org'").unwrap();
+
+        let detected = detect_lockfiles(&manifest);
+        assert!(detected.is_empty());
+    }
+
+    #[test]
+    fn test_detect_lockfiles_gemfile_wrong_manifest() {
+        // Gemfile.lock should only be detected for Gemfile, not for other manifests
+        let dir = tempdir().unwrap();
+        let manifest = dir.path().join("pyproject.toml");
+        let lockfile = dir.path().join("Gemfile.lock");
+
+        fs::write(&manifest, "[project]").unwrap();
+        fs::write(&lockfile, "").unwrap();
+
+        let detected = detect_lockfiles(&manifest);
+        assert!(detected.is_empty());
+    }
 }

{upd_cli-0.0.23 → upd_cli-0.0.25}/src/main.rs

@@ -15,11 +15,11 @@ use upd::interactive::{PendingUpdate, prompt_all};
 use upd::lockfile::regenerate_lockfiles;
 use upd::registry::{
     CratesIoRegistry, GitHubReleasesRegistry, GoProxyRegistry, MultiPyPiRegistry, NpmRegistry,
-    PyPiRegistry, RubyGemsRegistry, TerraformRegistry,
+    NuGetRegistry, PyPiRegistry, RubyGemsRegistry, TerraformRegistry,
 };
 use upd::updater::{
-    CargoTomlUpdater, FileType, GemfileUpdater, GithubActionsUpdater, GoModUpdater, Lang,
-    MiseUpdater, PackageJsonUpdater, PreCommitUpdater, PyProjectUpdater, RequirementsUpdater,
+    CargoTomlUpdater, CsprojUpdater, FileType, GemfileUpdater, GithubActionsUpdater, GoModUpdater,
+    Lang, MiseUpdater, PackageJsonUpdater, PreCommitUpdater, PyProjectUpdater, RequirementsUpdater,
     TerraformUpdater, UpdateOptions, UpdateResult, Updater, discover_files, read_file_safe,
     write_file_atomic,
 };
@@ -245,6 +245,10 @@ async fn run_update(cli: &Cli) -> Result<()> {
     let terraform_registry = TerraformRegistry::new();
     let terraform = CachedRegistry::new(terraform_registry, Arc::clone(&cache), cache_enabled);
 
+    // Create NuGet registry
+    let nuget_registry = NuGetRegistry::new();
+    let nuget = CachedRegistry::new(nuget_registry, Arc::clone(&cache), cache_enabled);
+
     // Create GitHub releases registry with optional token
     let github_releases_registry = GitHubReleasesRegistry::new();
     if cli.verbose && GitHubReleasesRegistry::detect_token().is_some() {
@@ -264,6 +268,7 @@ async fn run_update(cli: &Cli) -> Result<()> {
     let gemfile_updater = Arc::new(GemfileUpdater::new());
     let mise_updater = Arc::new(MiseUpdater::new());
     let terraform_updater = Arc::new(TerraformUpdater::new());
+    let csproj_updater = Arc::new(CsprojUpdater::new());
 
     // Wrap registries in Arc for parallel processing
     let pypi = Arc::new(pypi);
@@ -272,6 +277,7 @@ async fn run_update(cli: &Cli) -> Result<()> {
     let go_proxy = Arc::new(go_proxy);
     let rubygems = Arc::new(rubygems);
     let terraform = Arc::new(terraform);
+    let nuget = Arc::new(nuget);
     let github_releases = Arc::new(github_releases);
 
     // Interactive mode: first discover updates, then prompt, then apply approved ones
@@ -287,6 +293,7 @@ async fn run_update(cli: &Cli) -> Result<()> {
             &go_proxy,
             &rubygems,
             &terraform,
+            &nuget,
             &github_releases,
             &requirements_updater,
             &pyproject_updater,
@@ -298,6 +305,7 @@ async fn run_update(cli: &Cli) -> Result<()> {
             &pre_commit_updater,
             &mise_updater,
             &terraform_updater,
+            &csproj_updater,
             &cache,
             cache_enabled,
         )
@@ -328,6 +336,7 @@ async fn run_update(cli: &Cli) -> Result<()> {
             let go_proxy = Arc::clone(&go_proxy);
             let rubygems = Arc::clone(&rubygems);
             let terraform = Arc::clone(&terraform);
+            let nuget = Arc::clone(&nuget);
             let github_releases = Arc::clone(&github_releases);
             let requirements_updater = Arc::clone(&requirements_updater);
             let pyproject_updater = Arc::clone(&pyproject_updater);
@@ -338,6 +347,7 @@ async fn run_update(cli: &Cli) -> Result<()> {
             let github_actions_updater = Arc::clone(&github_actions_updater);
             let pre_commit_updater = Arc::clone(&pre_commit_updater);
             let mise_updater = Arc::clone(&mise_updater);
+            let csproj_updater = Arc::clone(&csproj_updater);
             let terraform_updater = Arc::clone(&terraform_updater);
             let update_options = update_options.clone();
 
@@ -388,6 +398,11 @@ async fn run_update(cli: &Cli) -> Result<()> {
                             .update(&path, github_releases.as_ref(), update_options.clone())
                             .await
                     }
+                    FileType::Csproj => {
+                        csproj_updater
+                            .update(&path, nuget.as_ref(), update_options.clone())
+                            .await
+                    }
                     FileType::TerraformTf => {
                         terraform_updater
                             .update(&path, terraform.as_ref(), update_options.clone())
@@ -489,6 +504,7 @@ async fn run_interactive_update(
     go_proxy: &Arc<CachedRegistry<GoProxyRegistry>>,
     rubygems: &Arc<CachedRegistry<RubyGemsRegistry>>,
     terraform: &Arc<CachedRegistry<TerraformRegistry>>,
+    nuget: &Arc<CachedRegistry<NuGetRegistry>>,
     github_releases: &Arc<CachedRegistry<GitHubReleasesRegistry>>,
     requirements_updater: &Arc<RequirementsUpdater>,
     pyproject_updater: &Arc<PyProjectUpdater>,
@@ -500,6 +516,7 @@ async fn run_interactive_update(
     pre_commit_updater: &Arc<PreCommitUpdater>,
     mise_updater: &Arc<MiseUpdater>,
     terraform_updater: &Arc<TerraformUpdater>,
+    csproj_updater: &Arc<CsprojUpdater>,
     cache: &Arc<std::sync::Mutex<Cache>>,
     cache_enabled: bool,
 ) -> Result<()> {
@@ -565,6 +582,11 @@ async fn run_interactive_update(
                     .update(path, github_releases.as_ref(), dry_run_options.clone())
                     .await
             }
+            FileType::Csproj => {
+                csproj_updater
+                    .update(path, nuget.as_ref(), dry_run_options.clone())
+                    .await
+            }
             FileType::TerraformTf => {
                 terraform_updater
                     .update(path, terraform.as_ref(), dry_run_options.clone())
@@ -690,6 +712,11 @@ async fn run_interactive_update(
                     .update(path, github_releases.as_ref(), apply_options.clone())
                     .await
             }
+            FileType::Csproj => {
+                csproj_updater
+                    .update(path, nuget.as_ref(), apply_options.clone())
+                    .await
+            }
             FileType::TerraformTf => {
                 terraform_updater
                     .update(path, terraform.as_ref(), apply_options.clone())
@@ -884,11 +911,12 @@ async fn run_audit(cli: &Cli) -> Result<()> {
         std::collections::HashSet::new();
 
     for ((name, lang), occurrences) in &packages {
-        // OSV doesn't cover GitHub Actions, pre-commit hooks, mise tools, or Terraform; skip
+        // OSV doesn't cover GitHub Actions, pre-commit hooks, mise tools, Terraform, or .NET; skip
         if *lang == Lang::Actions
             || *lang == Lang::PreCommit
             || *lang == Lang::Mise
             || *lang == Lang::Terraform
+            || *lang == Lang::DotNet
         {
             continue;
         }
@@ -899,7 +927,7 @@ async fn run_audit(cli: &Cli) -> Result<()> {
             Lang::Rust => Ecosystem::CratesIo,
             Lang::Go => Ecosystem::Go,
             Lang::Ruby => Ecosystem::RubyGems,
-            Lang::Actions | Lang::PreCommit | Lang::Mise | Lang::Terraform => {
+            Lang::Actions | Lang::PreCommit | Lang::Mise | Lang::Terraform | Lang::DotNet => {
                 unreachable!("filtered above")
             }
         };
@@ -1054,6 +1082,7 @@ fn print_alignment(alignment: &PackageAlignment, _dry_run: bool) {
         Lang::Rust => " (cargo)",
         Lang::Go => " (go)",
         Lang::Ruby => " (rubygems)",
+        Lang::DotNet => " (nuget)",
         Lang::Actions => " (actions)",
         Lang::PreCommit => " (pre-commit)",
         Lang::Mise => " (mise)",
@@ -1187,6 +1216,9 @@ fn apply_version_updates(
             FileType::ToolVersions => {
                 replace_tool_versions_version(&result, package, old_version, &target_version)
             }
+            FileType::Csproj => {
+                replace_csproj_version(&result, package, old_version, &target_version)
+            }
             FileType::TerraformTf => {
                 replace_terraform_version(&result, package, old_version, &target_version)
             }
@@ -1304,6 +1336,27 @@ fn replace_gemfile_version(content: &str, package: &str, old: &str, new: &str) -
         .to_string()
 }
 
+fn replace_csproj_version(content: &str, package: &str, old: &str, new: &str) -> String {
+    // Pattern: <PackageReference Include="package" Version="old" />
+    // and:     <PackageVersion Include="package" Version="old" />
+    let pattern = format!(
+        r#"(<(?:PackageReference|PackageVersion)\s+Include="{}"[^>]*Version="){}"#,
+        regex::escape(package),
+        regex::escape(old)
+    );
+    let re = regex::Regex::new(&pattern).unwrap();
+    let mut result = re
+        .replace_all(content, format!(r#"${{1}}{}"#, new))
+        .to_string();
+
+    // Also handle <Version>old</Version> child element for the given package
+    let old_element = format!("<Version>{}</Version>", old);
+    let new_element = format!("<Version>{}</Version>", new);
+    result = result.replacen(&old_element, &new_element, 1);
+
+    result
+}
+
 fn replace_github_actions_version(content: &str, package: &str, old: &str, new: &str) -> String {
     let pattern = format!(
         r#"({}@){}(\s|$|#|")"#,