Version update PRs understate what's being updated in title and description #11366

Open
1 task done
AArnott opened this issue Jan 21, 2025 · 0 comments
Labels
L: dotnet:nuget NuGet packages via nuget or dotnet L: github:actions GitHub Actions T: bug 🐞 Something isn't working

AArnott commented Jan 21, 2025

Is there an existing issue for this?

  • I have searched the existing issues

Package ecosystem

nuget

Package manager version

No response

Language version

MSBuild

Manifest location and content before the Dependabot update

/Directory.Packages.props

<?xml version="1.0" encoding="utf-8"?>
<Project>
  <!-- https://learn.microsoft.com/nuget/consume-packages/central-package-management -->
  <PropertyGroup>
    <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
    <CentralPackageTransitivePinningEnabled>true</CentralPackageTransitivePinningEnabled>
    <MicroBuildVersion>2.0.171</MicroBuildVersion>
    <MetadataVersion>61.0.15-preview</MetadataVersion>
    <WDKMetadataVersion>0.12.8-experimental</WDKMetadataVersion>
    <!-- <DiaMetadataVersion>0.2.185-preview-g7e1e6a442c</DiaMetadataVersion> -->
    <ApiDocsVersion>0.1.42-alpha</ApiDocsVersion>
    <CodeAnalysisVersion>4.12.0</CodeAnalysisVersion>
    <CodeAnalysisVersion Condition="'$(IsTestProject)'!='true'">3.11.0</CodeAnalysisVersion>
  </PropertyGroup>
  <ItemGroup>
    <PackageVersion Include="MessagePack" Version="2.2.85" />
    <PackageVersion Include="MessagePackAnalyzer" Version="2.5.108" />
    <PackageVersion Include="Microsoft.CodeAnalysis.BannedApiAnalyzers" Version="3.3.4" />
    <PackageVersion Include="Microsoft.CodeAnalysis.Common" Version="$(CodeAnalysisVersion)" />
    <PackageVersion Include="Microsoft.CodeAnalysis.CSharp.SourceGenerators.Testing.XUnit" Version="1.1.3-beta1.24319.1" />
    <PackageVersion Include="Microsoft.CodeAnalysis.CSharp.Workspaces" Version="$(CodeAnalysisVersion)" />
    <PackageVersion Include="Microsoft.CodeAnalysis.CSharp" Version="$(CodeAnalysisVersion)" />
    <!-- <PackageVersion Include="Microsoft.Dia.Win32Metadata" Version="0.2.185-preview-g7e1e6a442c" /> -->
    <PackageVersion Include="Microsoft.Win32.Registry" Version="5.0.0" />
    <PackageVersion Include="Microsoft.Windows.SDK.Win32Docs" Version="$(ApiDocsVersion)" />
    <PackageVersion Include="Microsoft.Windows.SDK.Win32Metadata" Version="$(MetadataVersion)" />
    <PackageVersion Include="Microsoft.Windows.WDK.Win32Metadata" Version="$(WDKMetadataVersion)" />
    <PackageVersion Include="NuGet.Protocol" Version="6.10.0" />
    <PackageVersion Include="System.Collections.Immutable" Version="8.0.0" />
    <PackageVersion Include="System.Memory" Version="4.5.5" />
    <PackageVersion Include="System.Reflection.Metadata" Version="8.0.0" />
    <PackageVersion Include="System.Runtime.CompilerServices.Unsafe" Version="6.1.0" />
    <PackageVersion Include="System.Text.Encodings.Web" Version="4.7.1" />
    <PackageVersion Include="System.Text.Json" Version="4.7.2" />
    <PackageVersion Include="Xunit.Combinatorial" Version="2.0.24" />
    <PackageVersion Include="Xunit.Assert" Version="2.3.0" />
  </ItemGroup>
  <ItemGroup Label="Library.Template">
    <PackageVersion Include="Microsoft.NET.Test.Sdk" Version="17.12.0" />
    <PackageVersion Include="Microsoft.VisualStudio.Internal.MicroBuild.NonShipping" Version="$(MicroBuildVersion)" />
    <PackageVersion Include="xunit.runner.visualstudio" Version="3.0.1" />
    <PackageVersion Include="xunit.v3" Version="1.0.1" />
  </ItemGroup>
  <ItemGroup Condition="'$(IsTestProject)'!='true'">
    <!-- These versions carefully chosen to support VS 2019 Update 11. -->
    <PackageVersion Update="System.Collections.Immutable" Version="5.0.0" />
    <PackageVersion Update="System.Memory" Version="4.5.4" />
    <PackageVersion Update="System.Reflection.Metadata" Version="5.0.0" />
    <PackageVersion Update="System.Runtime.CompilerServices.Unsafe" Version="5.0.0" />
  </ItemGroup>
  <ItemGroup>
    <!-- Put repo-specific GlobalPackageReference items in this group. -->
  </ItemGroup>
  <ItemGroup Label="Library.Template">
    <GlobalPackageReference Include="CSharpIsNullAnalyzer" Version="0.1.593" />
    <GlobalPackageReference Include="DotNetAnalyzers.DocumentationAnalyzers" Version="1.0.0-beta.59" />
    <GlobalPackageReference Include="Microsoft.VisualStudio.Internal.MicroBuild.VisualStudio" Version="$(MicroBuildVersion)" />
    <!-- The condition works around https://github.com/dotnet/sdk/issues/44951 -->
    <GlobalPackageReference Include="Nerdbank.GitVersioning" Version="3.7.115" Condition="!('$(TF_BUILD)'=='true' and '$(dotnetformat)'=='true')" />
    <GlobalPackageReference Include="PolySharp" Version="1.15.0" Condition="'$(DisablePolyfill)'!='true'" />
    <GlobalPackageReference Include="StyleCop.Analyzers.Unstable" Version="1.2.0.556" />
  </ItemGroup>
</Project>

dependabot.yml content

# Please see the documentation for all configuration options:
# https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file

version: 2
updates:
- package-ecosystem: nuget
  directory: /
  schedule:
    interval: weekly
  groups:
    nerdbank-gitversioning:
      patterns:
      - nbgv
      - nerdbank.gitversioning
    xunit:
      patterns:
      - 'xunit*'
- package-ecosystem: dotnet-sdk
  directory: /
  schedule:
    interval: monthly
  ignore:
  - dependency-name: MessagePack # We have to use the MessagePack version used by win32metadata (https://github.com/microsoft/CsWin32/issues/371)

Updated dependency

-    <CodeAnalysisVersion Condition="'$(IsTestProject)'!='true'">3.11.0</CodeAnalysisVersion>
+    <CodeAnalysisVersion Condition="'$(IsTestProject)'!='true'">4.12.0</CodeAnalysisVersion>
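
Review bot: the `'$(IsTestProject)'!='true'` override on `CodeAnalysisVersion` becomes a no-op with this change, because 4.12.0 is already the unconditional value in the manifest, and non-test projects move from 3.11.0 to 4.12.0 without the PR title or description saying so. Keep this line at 3.11.0 in a PR titled as a MessagePackAnalyzer bump, or move it to its own change with the reason stated.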

-    <PackageVersion Include="MessagePackAnalyzer" Version="2.5.108" />
+    <PackageVersion Include="MessagePackAnalyzer" Version="2.5.192" />

-    <PackageVersion Update="System.Memory" Version="4.5.4" />
-    <PackageVersion Update="System.Reflection.Metadata" Version="5.0.0" />
-    <PackageVersion Update="System.Runtime.CompilerServices.Unsafe" Version="5.0.0" />
+    <PackageVersion Update="System.Memory" Version="4.5.5" />
+    <PackageVersion Update="System.Reflection.Metadata" Version="8.0.0" />
+    <PackageVersion Update="System.Runtime.CompilerServices.Unsafe" Version="6.1.0" />
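
Review bot: these three `Update` entries belong to the ItemGroup whose manifest comment says the versions were chosen to support VS 2019 Update 11, and raising them to the unconditional values (4.5.5, 8.0.0, 6.1.0) drops that pin for non-test projects while `System.Collections.Immutable` in the same group stays at 5.0.0. Nothing in the stated MessagePackAnalyzer bump accounts for these lines; revert them here, or change the group as a whole in a separate PR that also revisits the comment.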

What you expected to see, versus what you actually saw

The PR title was: "Bump MessagePackAnalyzer from 2.5.108 to 2.5.192" but it updated much more than that.

The PR description carried on this understatement, claiming to only "Bumps MessagePackAnalyzer from 2.5.108 to 2.5.192."

Yet I've seen other Dependabot PRs with descriptions that call out that more had to be updated because of interactions between dependencies. But this one didn't.

Most importantly, the alleged package update has no dependencies of its own and therefore totally should not have required updating any other packages.

Native package manager behavior

I would have expected any other tool to just update MessagePackAnalyzer itself if I asked it to update that one.

Images of the diff or a link to the PR, issue, or logs

microsoft/CsWin32#1327

Smallest manifest that reproduces the issue

No response

@AArnott AArnott added the T: bug 🐞 Something isn't working label Jan 21, 2025
@github-actions github-actions bot added L: dotnet:nuget NuGet packages via nuget or dotnet L: github:actions GitHub Actions labels Jan 21, 2025
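
A check for the mismatch reported above, added here as an example (it is not part of the issue or of Dependabot's code): it lists every version change between two revisions of `Directory.Packages.props` that a "Bump X from A to B" title does not name. The function names and the trimmed sample manifests are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a few entries trimmed from the manifest quoted in the issue.
BEFORE = """<Project>
  <PropertyGroup>
    <CodeAnalysisVersion>4.12.0</CodeAnalysisVersion>
    <CodeAnalysisVersion Condition="'$(IsTestProject)'!='true'">3.11.0</CodeAnalysisVersion>
  </PropertyGroup>
  <ItemGroup>
    <PackageVersion Include="MessagePackAnalyzer" Version="2.5.108" />
    <PackageVersion Include="System.Memory" Version="4.5.5" />
  </ItemGroup>
  <ItemGroup Condition="'$(IsTestProject)'!='true'">
    <PackageVersion Update="System.Memory" Version="4.5.4" />
  </ItemGroup>
</Project>"""
# Constructed "after" state carrying three of the changes shown in the issue's diff.
AFTER = (BEFORE.replace(">3.11.0<", ">4.12.0<")
         .replace("2.5.108", "2.5.192").replace('Version="4.5.4"', 'Version="4.5.5"'))

def version_entries(props_xml):
    """Map (element, name, condition) -> version for each version-bearing element."""
    entries = {}
    for group in ET.fromstring(props_xml):
        for el in group:
            # Simplification: an item with no Condition is keyed by its group's Condition.
            cond = el.get("Condition") or group.get("Condition", "")
            if group.tag == "PropertyGroup" and el.tag.endswith("Version"):
                entries[(el.tag, el.tag, cond)] = (el.text or "").strip()
            elif el.tag in ("PackageVersion", "GlobalPackageReference"):
                name = el.get("Include") or el.get("Update") or ""
                entries[(el.tag, name, cond)] = el.get("Version")
    return entries

def changed_versions(before_xml, after_xml):
    """Every (name, condition, old, new) whose version differs between the two files."""
    old, new = version_entries(before_xml), version_entries(after_xml)
    rows = [(k[1], k[2], old.get(k), new.get(k))
            for k in old.keys() | new.keys() if old.get(k) != new.get(k)]
    return sorted(rows, key=lambda r: (r[0], r[1]))

def undeclared_changes(title, before_xml, after_xml):
    """Version changes in the diff that a 'Bump X from A to B' title does not name."""
    m = re.search(r"Bump (\S+) from (\S+) to (\S+)", title)
    claimed = m.groups() if m else None
    return [r for r in changed_versions(before_xml, after_xml)
            if (r[0], r[2], r[3]) != claimed]
```

Run in CI against the base and head revisions of the manifest, a non-empty result from `undeclared_changes` is a reason to hold an automated update PR for manual review.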