Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Version update PRs overstate what's being updated in title and description #11365

Open
1 task done
AArnott opened this issue Jan 21, 2025 · 0 comments
Open
1 task done

Version update PRs overstate what's being updated in title and description #11365

AArnott opened this issue Jan 21, 2025 · 0 comments
Labels
L: dotnet:nuget NuGet packages via nuget or dotnet T: bug 🐞 Something isn't working

Comments

@AArnott
Copy link

AArnott commented Jan 21, 2025

Is there an existing issue for this?

  • I have searched the existing issues

Package ecosystem

nuget

Package manager version

No response

Language version

MSBuild

Manifest location and content before the Dependabot update

/Directory.Packages.props

<?xml version="1.0" encoding="utf-8"?>
<Project>
  <!-- https://learn.microsoft.com/nuget/consume-packages/central-package-management -->
  <PropertyGroup>
    <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
    <CentralPackageTransitivePinningEnabled>true</CentralPackageTransitivePinningEnabled>
    <MessagePackVersion>2.5.187</MessagePackVersion>
    <MicroBuildVersion>2.0.171</MicroBuildVersion>
    <VisualStudioThreadingVersion>17.10.48</VisualStudioThreadingVersion>
    <CodeAnalysisAnalyzerVersion>3.11.0-beta1.24527.2</CodeAnalysisAnalyzerVersion>
  </PropertyGroup>
  <ItemGroup>
    <PackageVersion Include="BenchmarkDotNet.Diagnostics.Windows" Version="0.13.10" />
    <PackageVersion Include="MessagePack" Version="$(MessagePackVersion)" />
    <PackageVersion Include="MessagePackAnalyzer" Version="$(MessagePackVersion)" />
    <PackageVersion Include="Microsoft.AspNetCore.TestHost" Version="2.2.0" />
    <PackageVersion Include="Microsoft.AspNetCore" Version="2.2.0" />
    <PackageVersion Include="Microsoft.Bcl.AsyncInterfaces" Version="8.0.0" />
    <PackageVersion Include="Microsoft.CodeAnalysis.PublicApiAnalyzers" Version="$(CodeAnalysisAnalyzerVersion)" />
    <PackageVersion Include="Microsoft.VisualStudio.Threading.Analyzers" Version="$(VisualStudioThreadingVersion)" />
    <PackageVersion Include="Microsoft.VisualStudio.Threading" Version="$(VisualStudioThreadingVersion)" />
    <PackageVersion Include="Microsoft.VisualStudio.Validation" Version="17.8.8" />
    <PackageVersion Include="Nerdbank.Streams" Version="2.11.74" />
    <PackageVersion Include="Newtonsoft.Json" Version="13.0.1" />
    <PackageVersion Include="System.Collections.Immutable" Version="6.0.0" />
    <PackageVersion Include="System.Diagnostics.DiagnosticSource" Version="6.0.1" />
    <PackageVersion Include="System.IO.Pipelines" Version="8.0.0" />
    <PackageVersion Include="System.IO.Pipes" Version="4.3.0" />
    <PackageVersion Include="System.Net.Http" Version="4.3.4" />
    <PackageVersion Include="System.Text.Json" Version="8.0.5" />
    <PackageVersion Include="System.Threading.Tasks.Dataflow" Version="6.0.0" />
    <PackageVersion Include="System.ValueTuple" Version="4.5.0" />
    <PackageVersion Include="xunit.combinatorial" Version="1.6.24" />
    <PackageVersion Include="xunit.runner.console" Version="2.5.3" />
    <PackageVersion Include="xunit.skippablefact" Version="1.4.13" />
    <PackageVersion Include="xunit.stafact" Version="1.1.11" />
  </ItemGroup>
  <ItemGroup Label="Library.Template">
    <PackageVersion Include="Microsoft.NET.Test.Sdk" Version="17.12.0" />
    <PackageVersion Include="Microsoft.VisualStudio.Internal.MicroBuild.NonShipping" Version="$(MicroBuildVersion)" />
    <PackageVersion Include="xunit.runner.visualstudio" Version="2.8.2" />
    <PackageVersion Include="xunit" Version="2.9.3" />
  </ItemGroup>
  <ItemGroup>
    <GlobalPackageReference Include="Microsoft.CodeAnalysis.BannedApiAnalyzers" Version="$(CodeAnalysisAnalyzerVersion)" />
    <GlobalPackageReference Include="Microsoft.CodeAnalysis.ResxSourceGenerator" Version="$(CodeAnalysisAnalyzerVersion)" />
  </ItemGroup>
  <ItemGroup Label="Library.Template">
    <GlobalPackageReference Include="CSharpIsNullAnalyzer" Version="0.1.593" />
    <GlobalPackageReference Include="DotNetAnalyzers.DocumentationAnalyzers" Version="1.0.0-beta.59" />
    <GlobalPackageReference Include="Microsoft.VisualStudio.Internal.MicroBuild.VisualStudio" Version="$(MicroBuildVersion)" />
    <!-- The condition works around https://github.com/dotnet/sdk/issues/44951 -->
    <GlobalPackageReference Include="Nerdbank.GitVersioning" Version="3.7.115" Condition="!('$(TF_BUILD)'=='true' and '$(dotnetformat)'=='true')" />
    <GlobalPackageReference Include="PolySharp" Version="1.15.0" Condition="'$(DisablePolyfills)'!='true'" />
    <GlobalPackageReference Include="StyleCop.Analyzers.Unstable" Version="1.2.0.556" />
  </ItemGroup>
</Project>

dependabot.yml content

# Please see the documentation for all configuration options:
# https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file

version: 2
updates:
- package-ecosystem: nuget
  directory: /
  schedule:
    interval: weekly
  ignore:
  - dependency-name: Newtonsoft.Json # This has to match VS and VS rarely updates it
  - dependency-name: Microsoft.AspNetCore.TestHost # Later versions require .NET Core 3.1, which prevents our testing on net472
  # We want to match the minimum target .NET runtime
  - dependency-name: System.Threading.Tasks.Dataflow
  - dependency-name: System.Collections.Immutable
  - dependency-name: System.Diagnostics.DiagnosticSource
  - dependency-name: System.Text.Json

Updated dependency

-    <PackageVersion Include="xunit.combinatorial" Version="1.6.24" />
+    <PackageVersion Include="xunit.combinatorial" Version="2.0.24" />

What you expected to see, versus what you actually saw

The PR title was: "Bump Microsoft.Bcl.AsyncInterfaces and xunit.combinatorial" yet only xunit.combinatorial was updated.

The PR description was:

Bumps Microsoft.Bcl.AsyncInterfaces and xunit.combinatorial. These dependencies needed to be updated together.
Updates Microsoft.Bcl.AsyncInterfaces from 8.0.0 to 6.0.0

Updates xunit.combinatorial from 1.6.24 to 2.0.24

Notice how it again calls out Microsoft.Bcl.AsyncInterfaces as updated when in fact it is untouched. Notice further how it claims to "update" from 8.0.0 down to 6.0.0. Why in the world would it believe that?

Native package manager behavior

It would have just updated xunit.combinatorial 2.0.24.

This would by the way cause build breaks, because this major update of this package brings in a whole new tree of dependencies including xunit.v3 which will provide colliding types to the compiler. But this isn't something I expect Dependabot to be able to predict and manage.

Images of the diff or a link to the PR, issue, or logs

microsoft/vs-streamjsonrpc#1116

Smallest manifest that reproduces the issue

No response
@AArnott AArnott added the T: bug 🐞 Something isn't working label Jan 21, 2025
@github-actions github-actions bot added the L: dotnet:nuget NuGet packages via nuget or dotnet label Jan 21, 2025
@AArnott AArnott changed the title Version update PRs created with incorrect claims in title and description about what's being updated Version update PRs overstate what's being updated in title and description Jan 21, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
L: dotnet:nuget NuGet packages via nuget or dotnet T: bug 🐞 Something isn't working
Projects
Dependabot
Status: No status
Milestone
No milestone
Development

No branches or pull requests
1 participant
@AArnott