Contribute changes to NuGet updater from Azure team#8179
Merged
deivid-rodriguez merged 86 commits intodependabot:mainfrom Nov 27, 2023
Merged
Contribute changes to NuGet updater from Azure team#8179deivid-rodriguez merged 86 commits intodependabot:mainfrom
deivid-rodriguez merged 86 commits intodependabot:mainfrom
Conversation
github-actions
bot
added
L: docker
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
Check failure
Code scanning / CodeQL
Server-side request forgery
brettfo
force-pushed
the
dev/brettfo/nuget-clean
branch
from
4d543e5 to
3487492
Compare
yeikel
reviewed
Oct 12, 2023
yeikel
reviewed
Oct 12, 2023
yeikel
reviewed
Oct 12, 2023
yeikel
reviewed
Oct 12, 2023
yeikel
reviewed
Oct 12, 2023
nuget/helpers/lib/NuGetUpdater/NuGetProjects/NuGet.CommandLine/AssemblyMetadataExtractor.cs
Outdated
Show resolved
Hide resolved
brettfo
force-pushed
the
dev/brettfo/nuget-clean
branch
from
3487492 to
0a2ca5e
Compare
brettfo
force-pushed
the
dev/brettfo/nuget-clean
branch
5 times, most recently
from
0b320c8 to
3a74f2b
Compare
Contributor
deivid-rodriguez
left a comment
deivid-rodriguez
left a comment
There was a problem hiding this comment.
I made a quick pass commenting on some stuff that seems general and not necessarily related to NuGet.
It'd be nice to discuss & merge those changes independently through separate PRs.
common/lib/dependabot/pull_request_creator/message_builder/metadata_presenter.rb
Outdated
Show resolved
Hide resolved
updater/lib/dependabot/updater/operations/update_all_versions.rb
Outdated
Show resolved
Hide resolved
brettfo
force-pushed
the
dev/brettfo/nuget-clean
branch
from
0b0acd9 to
8807cad
Compare
This was referenced Oct 13, 2023
brettfo
force-pushed
the
dev/brettfo/nuget-clean
branch
from
ba2f12f to
9cc924b
Compare
brettfo
force-pushed
the
dev/brettfo/nuget-clean
branch
3 times, most recently
from
3b6fd01 to
1a3b5fd
Compare
Native helpers path is for native helpers.
This is more consistent with other ecosystems.
And not only build them. This is consistent with other ecosystems and simplifies dev loop when working with native helpers inside the dev image, since you only have to run `nuget/helpers/build` after changing them.
It's generally a bad practice and Ruby warns it:
```
=> bump aspnetcore.healthchecks.rabbitmq and microsoft.extensions.diagnostics.healthchecks in /dependabotrepro
system temporary path is world-writable: /tmp
/tmp is world-writable: /tmp
system temporary path is world-writable: /tmp
/tmp is world-writable: /tmp
± DependabotRepro/Directory.Packages.props
~~~
--- /home/dependabot/original20231117-11-ghq2ml 2023-11-17 13:19:01.669901000 +0000
+++ /home/dependabot/updated20231117-11-bwqzij 2023-11-17 13:19:01.669901000 +0000
@@ -4,7 +4,7 @@
<ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
</PropertyGroup>
<ItemGroup>
- <PackageVersion Include="AspNetCore.HealthChecks.Rabbitmq" Version="5.0.2" />
- <PackageVersion Include="Microsoft.Extensions.Diagnostics.HealthChecks" Version="5.0.17" />
+ <PackageVersion Include="AspNetCore.HealthChecks.Rabbitmq" Version="7.0.0" />
+ <PackageVersion Include="Microsoft.Extensions.Diagnostics.HealthChecks" Version="7.0.9" />
</ItemGroup>
</Project>
\ No newline at end of file
~~~
3 insertions (+), 3 deletions (-)
```
I fixed it by telling nuget to use a different path where we have
permissions.
Also fix a typo in the MSBuild targets.
Only allow empty `Condition` attributes _or_ `Condition` attributes that are comparing to an emtpy string.
deivid-rodriguez
force-pushed
the
dev/brettfo/nuget-clean
branch
from
d214ce3 to
b3e84fd
Compare
deivid-rodriguez
force-pushed
the
dev/brettfo/nuget-clean
branch
from
b3e84fd to
38d5044
Compare
1 task
This was referenced Nov 29, 2023
1 task
This was referenced Jan 5, 2024
1 task
Closed
1 task
5 tasks
1 task
|
So this needs to be reverted or fixed, preferrably also with a unit test that makes sure wildcard version strings isn't broken again |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
14 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Contribute NuGet changes back to the community
Internally at Microsoft we've been making some updates to the NuGet dependabot updater and are now in a position to contribute those changes back to the community. We're excited to be able to do this and hope that it will help improve the experience for everyone.
This work was announced by Bryan Sullivan at Microsoft Build 2023 in May of this year.
Summary of improvements
packages.configscenarios. This ensures that we're using as close to the same logic as possible as the NuGet CLI to update the references..propsand.targetsfiles that are imported, regardless of any complicated path computations. This ensures that for each project file being analyzed, we can better determine the exact file that declares the package version. This can be particularly helpful in large monorepos.app.config/web.configfiles. Without these changes the user's app will likely fail to load the assemblies at runtime, making these errors hard to detect.Notes
Part of the NuGet updater work (i.e., supporting
packages.config) required code from the NuGet/NuGet.Client repo. The specific code required only exists as a Windows console app targeting net472 (see nuget.org/downloads) and the NuGet team does not want contributions back to allow this to build on Linux/net7.0 (I asked) so to avoid copying the entire repo, a submodule was added tied to the latest public release. To help make local development easier, the NuGet build script checks for a sentinel file in that submodule and if it's not present, will report the command the developer can use to fix the issue.Related PRs
There were a number of other internal improvements that we made that have been split into separate PRs:
Caveats
There will be a few more changes from our side that I'll add to this PR as appropriate, but wanted to get the ball rolling on review and feedback.
I'll separately be working on cleaning up the git history to remove duplicate commits. When that work is done I'll force-push to this branch to help ensure a clean merge when it's all complete.
As of internal commit
15e3b8d09374468e40d8d77bafc1c01178db444cClosed issues