Support for NuGet package lock files #1303
Comments
Super keen to do this, but it's going to require some work - at the moment Dependabot does all of its .NET updating in Ruby, and we'll need to change that. We might want to continue this over at #541?
Breaks Dependabot PRs until lock files supported (dependabot/dependabot-core#1303).
@jerriep, given your great work with dotnet-outdated, do you have any advice on how Dependabot can also update any associated dependency lock files in its PR? Is the best way to run
@gitfool No, I was not even aware of this new feature until you just pointed it out. You may have to resort to using some of the NuGet Client libraries to achieve this. Maybe look at this PR and the linked specifications to see whether there are some hints to guide you.
Is there any news regarding this topic?
Would also be interested in support for this feature. Any updates?
Would also be interested in support for this.
I've written up a workaround for this at https://david.gardiner.net.au/2021/05/dependabot-nuget-lockfiles.html, but would much prefer it was handled natively given that dependabot stops maintaining the PR once a 'foreign' commit has been added.
Much needed feature!
As a workaround, I define a GitHub action in my repository that kicks restore:
```yaml
# Workflow as posted in the comment, re-indented. The "on:" and "jobs:" wrapper
# lines are added here so the fragment is a complete workflow file; the job
# name and the pull_request trigger are assumptions.
name: Update NuGet Lock Files
on: pull_request
jobs:
  update-lock-files:
    if: contains(github.head_ref, 'dependabot') && github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2.4.0
        with:
          ref: ${{ github.head_ref }}
          # A personal access token rather than GITHUB_TOKEN is used so the
          # commit pushed below still triggers the repository's other workflows.
          token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
      - uses: actions/setup-dotnet@v1.9.0
        with:
          dotnet-version: 6.0.x
      - run: dotnet restore --force-evaluate
      - id: diff
        continue-on-error: true
        run: |
          # "git add -N" registers untracked files (e.g. a newly created
          # packages.lock.json) so that "git diff" sees them; --exit-code makes
          # this step fail whenever restore changed anything.
          git add -N .
          git diff --name-only --exit-code
      - if: steps.diff.outcome == 'failure'
        run: |
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git config user.name "github-actions[bot]"
          git add .
          git commit -m "chore(deps): update NuGet lock file"
          git push
```
Dependabot does not yet support automatically updating the lock file, see dependabot/dependabot-core#1303
@greysteil - do you have any technical pointers to share on what a solution would look like? I'd be happy to contribute a fix if there's a clear path forward.
You could look at what Renovate does since it already handles package lock files:
I'm not the right person to ask anymore (I'm a PM working across all of GitHub's security products these days, and no longer an expert on Dependabot). @jeffwidman @deivid-rodriguez do either of you have pointers here?
Thanks! I've hacked my way through an implementation (PR #6031). @jeffwidman / @deivid-rodriguez - would appreciate some guidance if you've got the time!
👍🏻 for having this. We've recently added the packages.lock file to .NET nanoFramework libraries and tools, and now each update from dependabot fails to build because the packages.lock file is not updated along with it. Here's the most recent PR failing on the pipeline build: nanoframework/nanoFirmwareFlasher#174
Add workaround for dependabot auto update. From: dependabot/dependabot-core#1303 (comment)
Any updates @jeffwidman @deivid-rodriguez?
Hei, nice! We love lockfiles around here :) Both @jeffwidman and I are going through the backlog of PRs, so we should eventually get to this. I personally know nothing about nuget, so I will need to read up on a few things to properly review that PR. On top of that, I first want to get a bunch of other PRs merged that I haven't yet got to. But I'll get to this one soonish unless Jeff beats me to it!
I'm glad to read this!
The lack of support for NuGet lockfiles also extends to the dependency graph functionality and vulnerability analysis. Transitive dependencies are not detected even when they have critical vulnerabilities listed against them...
👋 Sorry for the delay. I reviewed #6031, which would add support for NuGet package lock files to and the PR itself looked very straightforward / solid, but I had a couple of questions about general NuGet things. Since I haven't yet gotten a reply from the PR author, can anyone here pop by that PR and provide answers? It'd be great to move this forward!
[dependabot does not support packages.lock.json](dependabot/dependabot-core#1303)
Hello, what is the status of this issue?
It's too annoying to enable builds using the lock file and have dependabot working, at least until dependabot can update this file by itself dependabot/dependabot-core#1303
#6031 is too old. I tried to fix it, but I don't know where or how to fix it.
It should be relatively easy. You need to enable lock file generation in https://github.com/dependabot/dependabot-core/tree/main/nuget/helpers/lib/NuGetUpdater, which can actually cause issues with group updates. Or, since there is a dotnet executable, you can run `dotnet restore` after the update, before the commit is finalized.
In NuGet 4.9, I think it is, they added support for package lock files using the setting `RestorePackagesWithLockFile`, which is part of your `.csproj` or `.props` file chain. This creates a file called `packages.lock.json` alongside your project file. The spec for this can be found at https://github.com/NuGet/Home/wiki/Enable-repeatable-package-restore-using-lock-file