Conversation
|
Any news on this? |
jeffwidman
left a comment
jeffwidman
left a comment
There was a problem hiding this comment.
👋 Sorry for the delay, I've been wanting to get to this and finally had a little time this evening.
A few thoughts:
- First, a big caveat, I've never worked with Dotnet/Nuget myself, so any comments may simply be due to misunderstanding.
- This looks really solid from a general "dependabot" structure perspective, nice job! 🎉
- We split out the dockerfiles by ecosystem, so you'll need to rebase to install
dotnetinto https://github.com/dependabot/dependabot-core/blob/d0bd472495eda2eabb71040a59dbbfeb4dfb4931/nuget/Dockerfile - I really like that you're leveraging the native tooling... we want to migrate this direction as much as we can.
- Today we do all our dotnet updating via ruby/regex text parsing hackery... now that we'd have the native tooling available, does it also support updating the manifest itself? Such that we could start to leverage that to migrate away from our existing text hackery? Obviously something we'd handle in a different PR, but just want to know if we should be creating a new ticket to track opportunities for migration.
- CI looks unhappy, mind fixing?
If you can rebase and fix that last CI failure, then I'm 👍 on merging.
I'll also ask a teammate who's more familiar with Nuget to take a look just in case I'm overlooking something, but this looks pretty straightforward so I don't expect any issues. Even if we don't cover all use cases, even adding support for some of them would be a great start for others to build out further.
Thanks again! And sorry took so long to review.
There was a problem hiding this comment.
I'm curious: why does this fixture not have a file extension? No other fixture in this folder is extension-less.
I was also surprised that it's plural "lockfiles" when the content appears to be only a single lockfile?
|
Nudge @anthony-c-martin any chance of addressing my questions?☝️ Be great to move this forward! |
|
Note to self: Since this adds lockfile support, we'll need to ensure it supports the |
|
@jeffwidman - sorry, I've been pretty busy! Will try and take a look over the comments this weekend and sync the branch with |
|
I'm not entirely sure you want |
is trying to update? At least for me it is sufficient to run the basic 
anthony-c-martin
force-pushed
the
lockfiles
branch
from
211f595 to
fe1d84c
Compare
These are great points, and something I was wondering about. The A caveat that I can think of that needs investigating - You've already got some pretty sophisticated tooling here (for example, you're looking inside |
I can confirm that |
|
is there any news on this? Would love to see depandabot to support nuget lock files :-) |
anthony-c-martin
changed the title
|
@jeffwidman sorry for the delay, I've merged and fixed up the CI. |
| project_file = files.find { |f| project_file?(f) && File.dirname(f.name) == File.dirname(lock_file.name) } | ||
| next if project_file.nil? |
There was a problem hiding this comment.
Can you explain this check?
It seems like there can be more than one lockfile (packages.lock.json) per project?
There was a problem hiding this comment.
In general there's a lockfile for every project in a solution, and transitive dependencies are represented in each lockfile.
So for example, you could have a structure like the following:
- dirs.sln (solution file, contains refs to projA & projB)
- projA/projA.csproj (proj file, has nuget reference to nugetX)
- projB/projB.csproj (proj file, has project reference to projA)
If dependabot runs for the solution file (dirs.sln), and decides to bump nugetX, you would expect to see:
- projA/packages.lock.json has a direct dependency, and is updated
- projB/packages.lock.json has a transitive dependency, and is also updated
Here's a concrete example of what this looks like in my project:
- Bicep.sln references Bicep.Core & Bicep.Cli
- Bicep.Core has a direct dependency on SharpYaml
- Bicep.Cli has a project dependency on Bicep.Core (and thus a transitive dependency on SharpYaml)
- Both of these lockfiles should be updated if SharpYaml is upgraded:
|
@jeffwidman, @Nishnha - out of interest, is there any way to manually test this against a repo prior to merging? |
You could set up a smoke test https://github.com/dependabot/smoke-tests |
anthony-c-martin
force-pushed
the
lockfiles
branch
13 times, most recently
from
e04ad05 to
8fb77ae
Compare
anthony-c-martin
force-pushed
the
lockfiles
branch
from
8fb77ae to
3e1ac1e
Compare
anthony-c-martin
force-pushed
the
lockfiles
branch
2 times, most recently
from
24a84da to
697aa77
Compare
Thanks! I've done this, and temporarily updated this branch to point to my fork, to demonstrate that it's working: https://github.com/dependabot/dependabot-core/actions/runs/6284091213/job/17065146529?pr=6031 |
anthony-c-martin
force-pushed
the
lockfiles
branch
from
697aa77 to
1eb8102
Compare
|
@jeffwidman @anthony-c-martin @Nishnha are there any updates on this? |
|
Since the last commit, nuget's dependabot logic has been rewritten in C#. I think this PR should (probably) be updated. |
|
Closing this for now, as NuGet support has largely been rewritten in C# and this PR has diverged a lot. Thank you @anthony-c-martin for the implementation, and thank you @na1307 for picking it up. |
13 participants
First draft at addressing #1303
I'm super unfamiliar with this project as well as Ruby, so guidance is very welcome.