error that 7.0 .NET SDK is being used, not 8.0

[danmoseley]

Is there an existing issue for this?

• I have searched the existing issues

Package ecosystem

nuget

Package manager version

whatever is in the 8.0 SDK

Language version

No response

Manifest location and content before the Dependabot update

various in https://github.com/danmoseley/eShop/tree/dependabot

dependabot.yml content

https://github.com/danmoseley/eShop/blob/dependabot/.github/dependabot.yml

Updated dependency

No response

What you expected to see, versus what you actually saw

log: https://github.com/danmoseley/eShop/network/updates/758220044

errors appear to start ere

updater |   Updating global.json files.
updater |     Dependency [Duende.IdentityServer.AspNetIdentity] not found in any global.json files.
updater |   No dotnet-tools.json files found.
updater | Running for project [/home/dependabot/dependabot-updater/repo/src/eShop.AppHost/eShop.AppHost.csproj]
updater |   Running for SDK-style project
updater | dotnet build in GetAllPackageDependenciesAsync failed. STDOUT: MSBuild version 17.6.3+07e294721 for .NET
updater |   Determining projects to restore...
updater | /usr/local/dotnet/current/sdk/7.0.305/Sdks/Microsoft.NET.Sdk/targets/Microsoft.NET.TargetFrameworkInference.targets(151,5): error NETSDK1045: The current .NET SDK does not support targeting .NET 8.0.  Either target .NET 7.0 or lower, or use a version of the .NET SDK that supports .NET 8.0. [/tmp/package-dependency-resolution_66Ggzt/Project.csproj]

The .NET 8.0.100 SDK is shipped 3 weeks ago. As far as I know, my repo is calling for it -- the global.json has

{
  "sdk": {
    "version": "8.0.100",
    "rollForward": "latestPatch",
    "allowPrerelease": true
  }
}

Is Dependabot using the 7.0 SDK still? That would cause it to fail when examining projects that target 8.0.

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

No response

Smallest manifest that reproduces the issue

No response

[danmoseley]

BTW I see this mentioned in #8483 by @martincostello but it's not clear to me that issue covers it.

[martincostello]

Yeah, it's a weird one. Every single repo I have where I use Dependabot and .NET has been upgraded to .NET 8, but only two of them are hitting this specific error.

[Smalls1652]

Seeing the same thing. I'm seeing it affecting only one of the projects in one of my repos. The other projects in that repo don't seem to be running into any issue, but, from what I can tell, those other projects don't have any dependencies that are outdated yet and that could be the reason why Dependabot isn't throwing an error during the update check for those.

This is one part of the Dependabot log, for that project, that I'm seeing that matches up with what you're seeing:

updater |   Updating global.json files.
updater |     Dependency [Microsoft.Extensions.Http] not found in any global.json files.
updater |   Updating dotnet-tools.json files.
updater |     Dependency [Microsoft.Extensions.Http] not found in any dotnet-tools.json files.
updater | Running for project [/home/dependabot/dependabot-updater/repo/src/AdminSite/Server/AdminSite.Server.csproj]
updater |   Running for SDK-style project
updater | dotnet build in GetAllPackageDependenciesAsync failed. STDOUT: MSBuild version 17.6.3+07e294721 for .NET
updater |   Determining projects to restore...
updater | /usr/local/dotnet/current/sdk/7.0.305/Sdks/Microsoft.NET.Sdk/targets/Microsoft.NET.TargetFrameworkInference.targets(151,5): error NETSDK1045: The current .NET SDK does not support targeting .NET 8.0.  Either target .NET 7.0 or lower, or use a version of the .NET SDK that supports .NET 8.0. [/tmp/package-dependency-resolution_WgV2NM/Project.csproj]
updater | 
updater | Build FAILED.
updater | 
updater | /usr/local/dotnet/current/sdk/7.0.305/Sdks/Microsoft.NET.Sdk/targets/Microsoft.NET.TargetFrameworkInference.targets(151,5): error NETSDK1045: The current .NET SDK does not support targeting .NET 8.0.  Either target .NET 7.0 or lower, or use a version of the .NET SDK that supports .NET 8.0. [/tmp/package-dependency-resolution_WgV2NM/Project.csproj]
updater |     0 Warning(s)
updater |     1 Error(s)
updater | 
updater | Time Elapsed 00:00:02.53
updater | 
updater |  STDERR: 
updater | 
updater |     Package [Microsoft.Extensions.Http] Does not exist as a dependency in [/home/dependabot/dependabot-updater/repo/src/AdminSite/Server/AdminSite.Server.csproj].
updater | Update complete.

Edit:

Looks like the Dockerfile for building the container image for Dependabot's NuGet capabilities is set to install version 7.0.305 of the .NET SDK:

dependabot-core/nuget/Dockerfile

Line 14 in 5cf31a7

ARG DOTNET_SDK_VERSION=7.0.305

[danmoseley]

only two of them are hitting this specific error.

Could it be that dependabot is running on a pool of machines only some of which have it installed? One would have thought it would be in a consistent container though.

[martincostello]

A problem for the future for sure, but something to consider for 2024 is that early adopters of .NET 9 (👋) will be using it in their repos once it reaches release candidate stage and will likely expect Dependabot to continue to work as it has in the past with new versions of .NET.

Having to wait for Dependabot itself to update to .NET 9 (and that be deployed) isn't a great an experience for such users as in the past where it's "just worked". Something to consider ahead of .NET 9 release candidates.

[Smalls1652]

Might be helpful to have the dotnet-install script install the latest version of each "in support" and preview release of the .NET SDK during the container image build. Side-by-side installs of .NET SDKs is possible.

I can see a potential problem with that though. IIRC the dotnet CLI will default to the highest version available, so if an in-development/preview release of the .NET 9 SDK is installed it will use that over the other versions. The only way to force it to use .NET 6/7/8 would be to have a global.json in the repo, but not everyone uses that and I can see that being a problem.

[martincostello]

FWIW, all my repos have a global.json for reproducibility.

[danmoseley]

I'll actually need .NET 9 support almost immediately, eg., dotnet/eshop (which is owned by the .NET team) will take a dependency on it right away. Clearly, we're outliers, but presumably if the problem is solved for any previews, it will work for us.

[danmoseley]

I think the ideal would be to allow a flag in the yml specifying that dependabot should use the latest preview .NET rather than latest stable. It's just a flag to the install script.

My guess is that it would be unlikely for dependabot to hit a bug introduced in a preview
as the dependabot use of .NET is not particularly extensive or stressful (?) but this would eliminate any risk.

Also as a .NET committer I would certainly champion fixes to any problem it may encounter (and @martincostello is a regular contributor there too.)