Grouped dependency updates for NuGet packages not working correctly #8576

Closed
1 task done
martincostello opened this issue Dec 9, 2023 · 26 comments
Labels
F: grouped-updates 🎳 Relates to bumping more than one dependency in a single PR L: dotnet:nuget NuGet packages via nuget or dotnet T: bug 🐞 Something isn't working

Comments

@martincostello
Contributor

Is there an existing issue for this?

  • I have searched the existing issues

Package ecosystem

NuGet

Package manager version

.NET 8.0.100 SDK

Language version

C# 12

Manifest location and content before the Dependabot update

Directory.Packages.props

dependabot.yml content

dependabot.yml

Updated dependency

  • xunit 2.6.2 => 2.6.3
  • xunit.runner.visualstudio 2.5.4 => 2.5.5

What you expected to see, versus what you actually saw

Dependabot reports in the pull request (martincostello/project-euler#315) and the commit message (martincostello/project-euler@741ea1e) that it has updated both of the xunit and xunit.runner.visualstudio NuGet packages.

However, on inspecting the Git diff only xunit.runner.visualstudio has been updated.

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

martincostello/project-euler#315

// snipped
updater | Finding updated dependencies for xunit.
  proxy | 2023/12/09 10:14:12 [260] GET https://api.nuget.org:443/v3-flatcontainer/xunit/2.6.3/xunit.nuspec
  proxy | 2023/12/09 10:14:12 [260] 200 https://api.nuget.org:443/v3-flatcontainer/xunit/2.6.3/xunit.nuspec
updater | 2023/12/09 10:14:12 INFO <job_760251202> Updating xunit from 2.6.2 to 2.6.3
updater | running NuGet updater:
updater | /opt/nuget/NuGetUpdater/NuGetUpdater.Cli update --repo-root /home/dependabot/dependabot-updater/repo --solution-or-project /home/dependabot/dependabot-updater/repo/tests/ProjectEuler.Tests/ProjectEuler.Tests.csproj --dependency xunit --new-version 2.6.3 --previous-version 2.6.2  --verbose
// snipped
updater |   Updating global.json files.
updater |     Dependency [xunit] not found in any global.json files.
updater |   No dotnet-tools.json files found.
updater | Running for project [/home/dependabot/dependabot-updater/repo/tests/ProjectEuler.Tests/ProjectEuler.Tests.csproj]
updater |   Running for SDK-style project
updater |     Found incorrect [PackageVersion] version attribute in [Directory.Packages.props].
updater |     Saved [Directory.Packages.props].
updater | Update complete.
updater | The contents of file [Directory.Packages.props] were updated.
// snipped
updater | 2023/12/09 10:14:39 INFO <job_760251202> Updating xunit.runner.visualstudio from 2.5.4 to 2.5.5
updater | running NuGet updater:
updater | /opt/nuget/NuGetUpdater/NuGetUpdater.Cli update --repo-root /home/dependabot/dependabot-updater/repo --solution-or-project /home/dependabot/dependabot-updater/repo/tests/ProjectEuler.Tests/ProjectEuler.Tests.csproj --dependency xunit.runner.visualstudio --new-version 2.5.5 --previous-version 2.5.4  --verbose
// snipped
updater | 2023/12/09 10:15:39 INFO Results:
updater | +--------------------------------------------------------------------------------------------+
updater | |                            Changes to Dependabot Pull Requests                             |
updater | +---------+----------------------------------------------------------------------------------+
updater | | created | xunit ( from 2.6.2 to 2.6.3 ), xunit.runner.visualstudio ( from 2.5.4 to 2.5.5 ) |
updater | | created | BenchmarkDotNet ( from 0.13.10 to 0.13.11 )                                      |
updater | +---------+----------------------------------------------------------------------------------+
updater | time="2023-12-09T10:15:39Z" level=info msg="task complete" container_id=job-760251202-updater exit_code=0 job_id=760251202 step=updater

Smallest manifest that reproduces the issue

No response

@martincostello martincostello added the T: bug 🐞 Something isn't working label Dec 9, 2023
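
A check for the mismatch reported above, where the results table claims an update that the manifest does not contain. This is an added example, not Dependabot's own code: the function names are hypothetical and the `Directory.Packages.props` content is constructed to match the symptom described (only `xunit.runner.visualstudio` bumped).

```python
import re
import xml.etree.ElementTree as ET

# Result rows copied from the updater log quoted in the issue.
UPDATER_LOG = """\
updater | | created | xunit ( from 2.6.2 to 2.6.3 ), xunit.runner.visualstudio ( from 2.5.4 to 2.5.5 ) |
updater | | created | BenchmarkDotNet ( from 0.13.10 to 0.13.11 )                                      |
"""

# Constructed sample: the manifest on the PR branch when only one of the two
# grouped packages was really changed.
PROPS_ON_PR_BRANCH = """\
<Project>
  <ItemGroup>
    <PackageVersion Include="xunit" Version="2.6.2" />
    <PackageVersion Include="xunit.runner.visualstudio" Version="2.5.5" />
  </ItemGroup>
</Project>
"""

CLAIM = re.compile(r"([A-Za-z0-9_.\-]+) \( from (\S+) to (\S+) \)")

def claimed_updates(log_text):
    """Map lower-cased package id -> (old, new) from 'created' result rows."""
    claims = {}
    for line in log_text.splitlines():
        if "| created |" in line:
            for name, old, new in CLAIM.findall(line):
                claims[name.lower()] = (old, new)
    return claims

def pinned_versions(props_xml):
    """Map lower-cased package id -> Version attribute (MSBuild properties are not resolved)."""
    root = ET.fromstring(props_xml)
    return {el.get("Include").lower(): el.get("Version")
            for el in root.iter("PackageVersion") if el.get("Include")}

def unapplied_claims(log_text, props_xml):
    """List claimed updates whose new version is not what the manifest pins."""
    pinned = pinned_versions(props_xml)
    return sorted(
        f"{name}: claimed {new}, manifest has {pinned[name]}"
        for name, (_old, new) in claimed_updates(log_text).items()
        if name in pinned and pinned[name] != new  # skip packages from other PRs
    )

if __name__ == "__main__":
    print("\n".join(unapplied_claims(UPDATER_LOG, PROPS_ON_PR_BRANCH)) or "all claims applied")
```

Run as a merge gate, a non-empty result means the PR title and commit message overstate what was patched, so a package can stay on the old version while the history says it was bumped.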
@martincostello
Contributor Author

Manually re-running dependabot after the incorrect pull request is merged generates a PR that does update xunit to 2.6.3: martincostello/project-euler#317.

@martincostello
Contributor Author

Similar issue here, except the package that was updated and the package that wasn't are the other way around: martincostello/website#1717

@martincostello
Contributor Author

Another example, but in this case the commit in the pull request is completely empty: App-vNext/Polly#1848

@erri120

erri120 commented Dec 11, 2023

Same issue: Nexus-Mods/NexusMods.App#811

@david-brink-talogy

same as #8475?

@martincostello
Contributor Author

Not sure. 23 days ago the previous xunit grouped update worked as expected. The NuGet implementation had a big overhaul in the last few weeks.

@jevvo-trimble

Hello, any updates on this?
Have the same issue:
image
image
Looks like grouping is picking only last time.
I have it on multiple projects with different dependencies.

@samtrion

Same issue here ...
dailydevops/healthchecks#154

@alex289

alex289 commented Jan 1, 2024

I can also confirm this
alex289/CleanArchitecture#47

@watercable76

Can confirm this has been happening since at least December 4th. On November 27th, one of my projects had a dependabot PR that referenced Microsoft.EntityFrameworkCore.Sqlite and Microsoft.EntityFrameworkCore.SqlServer, and both packages were updated.

After December 4th, grouped updates stopped working properly for just NuGet packages.

@xt0rted

xt0rted commented Jan 2, 2024

> Can confirm this has been happening since at least December 4th.

This has been happening since November 27th in some of my repos xt0rted/dotnet-rimraf#267.

The issue is most likely a bug in the new .NET-based NuGet updater. This and other issues all started when that was announced. At that time my .NET 8 projects started randomly failing to update, which ended up being due to #8530, and I'm also seeing duplicate package details in the PR/commit body sometimes, as seen here: #8631 (comment).

@RalphDriessen

For me the issue with upgrading groups is that it doesn't upgrade the dependencies in all the projects. It seems like it only upgrades the projects that have all the dependencies in the group (see https://github.com/RalphDriessen/example-dependabot-groups-issues/pull/1/files). In this example, all three projects have the dependency MassTransit, but only project Main has the dependency MassTransit.Azure.ServiceBus.Core, resulting in only project Main being updated, instead of all three projects.

@IsaacMarovitz

Any update to this? This is a pretty frustrating bug

@dorssel

dorssel commented Jan 24, 2024

Same problem for centralized package versions (Directory.Packages.props): dorssel/dotnet-debounce#168

@david-brink-talogy

I hate to do this, but @deivid-rodriguez, is your team tracking this? Grouped nuget updates have been broken for almost two months.

@trejjam
Contributor

trejjam commented Jan 27, 2024

I prepared a PR, #8908, that should solve the issue with NuGet grouped updates; a review of the changes is welcome.


I am not a project maintainer

@sebasgomez238
Contributor

@martincostello Hello, a fix for this went out yesterday #9228 and some people have confirmed it is working as expected. Let us know if it is working for you as well. Thanks.

@watercable76

@sebasgomez238 just double checked the grouping. It seems to be working for packages, but the update message was displaying all packages, not just the ones matching the filter parameters. I have some rules in place to only get the updates for Microsoft packages, but I'm getting all packages in the update message.

For the actual file updates, I'm only seeing the packages matched by the grouping filters. Here is what my grouping looks like:

groups:
      microsoft:
        patterns:
          - 'Microsoft*'
      default:
        patterns:
          - '*'
        exclude-patterns:
          - 'Microsoft*'

@watercable76

> @watercable76 ; glad to hear this is now working.
>
> Regarding the update message issue; that seems to be a new and separate issue; could you please file a new issue with these details so it can be investigated?

Submitted the issue ticket, and it's #9248

@martincostello
Contributor Author

> @martincostello Hello, a fix for this went out yesterday #9228 and some people have confirmed it is working as expected. Let us know if it is working for you as well. Thanks.

I'm afraid I can't verify these issues at the moment as now I'm experiencing #9245.

@abdulapopoola
Member

@martincostello ; can you please try again? :)

@martincostello
Contributor Author

I've re-run dependabot on all my .NET repos and now there's only 3 that have some sort of error. I'll need to investigate a bit further as to if they're other specific existing issues or not.

I'll need to do a manual revert in a repo with a group defined later on today to see if this specific issue is resolved.

martincostello added a commit to martincostello/alexa-london-travel that referenced this issue Mar 14, 2024
Remove the PollyVersion MSBuild property and downgrade to 8.3.1 to test dependabot/dependabot-core#8576.
@martincostello
Contributor Author

Looks like it's behaving now 🥳

martincostello/alexa-london-travel#1107
