Dependabot-core: .NET - supporting .nuspec and Directory.Build.props?

Created on 3 Jun 2019 · 11 Comments · Source: dependabot/dependabot-core

Related to #541, there are two more files related to NuGet updates: .nuspec and Directory.Build.props. Would you consider updating those as well in the future?

Disclosure: I'm one of the devs at https://github.com/NuKeeperDotNet/NuKeeper , and I think it's awesome dependabot got acquired by GitHub and it would be amazing to have feature parity 😄 Unfortunately, my Ruby skills are nonexistent, but I'd be more than happy to answer any obscure NuGet/.NET/MSBuild questions.

So, .nuspec: this is the file describing how a NuGet package is published from a project. The "modern" .NET projects using the <PackageReference/> format will generally have the .nuspec generated automatically, and there will be nothing to update. The older projects might have a version range specified there (not that common, AFAIK) or a fixed version, in line with what is in packages.config. In that last case, this file would need to be updated to stay in sync with packages.config.
MSDN .nuspec file reference
NuKeeper .nuspec update code

Directory.Build.props, on the other hand, is relevant only to the "modern" project format: it's a file automatically merged with every project in its folder and subfolders. Quite useful for specifying things like compilation settings, copyrights, versions - and shared references, like analyzers. This file has the same syntax as a .csproj and can be updated the same way.
MSDN introduction (rather barebones)
Sample use with shared build analyzer settings
NuKeeper Directory.Build.props update code

Labels: language-support, L: nuget, feature-request
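As an added worked example (not code from the issue, from dependabot-core or from NuKeeper), the following Python script shows the two updates described in the issue body: syncing fixed .nuspec dependency versions with packages.config while leaving version ranges untouched, and bumping a PackageReference in a Directory.Build.props, which has the same syntax as a .csproj. The three XML documents, the package names and the version numbers are constructed samples, not taken from any real repository.

```python
"""Keep NuGet version pins in sync across packages.config, .nuspec and
Directory.Build.props. Added example; not dependabot-core or NuKeeper code."""
import re
import xml.etree.ElementTree as ET

NUSPEC_NS = "http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd"
ET.register_namespace("", NUSPEC_NS)  # keep the default namespace when re-serialising

# Constructed sample inputs (assumed package ids and versions).
PACKAGES_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<packages>
  <package id="Newtonsoft.Json" version="13.0.3" targetFramework="net472" />
  <package id="Serilog" version="3.1.1" targetFramework="net472" />
</packages>"""

NUSPEC = f"""<?xml version="1.0"?>
<package xmlns="{NUSPEC_NS}">
  <metadata>
    <id>Example.Library</id>
    <version>1.2.0</version>
    <dependencies>
      <group targetFramework=".NETFramework4.7.2">
        <dependency id="Newtonsoft.Json" version="12.0.3" />
        <dependency id="Serilog" version="[2.0.0, 4.0.0)" />
      </group>
    </dependencies>
  </metadata>
</package>"""

DIRECTORY_BUILD_PROPS = """<Project>
  <ItemGroup>
    <PackageReference Include="StyleCop.Analyzers" Version="1.1.118" PrivateAssets="all" />
    <PackageReference Include="Newtonsoft.Json" Version="12.0.3" />
  </ItemGroup>
</Project>"""

_RANGE = re.compile(r"^[\[(]")  # NuGet version-range syntax starts with '[' or '('


def local_name(tag):
    """Strip an ElementTree '{namespace}' prefix from a tag."""
    return tag.rsplit("}", 1)[-1]


def packages_config_versions(xml_text):
    """Return {package id: pinned version} from a packages.config."""
    root = ET.fromstring(xml_text)
    return {p.get("id"): p.get("version") for p in root.iter("package")}


def sync_nuspec(nuspec_text, pinned):
    """Rewrite fixed <dependency version=""> attributes to match packages.config.

    Version ranges are left alone: they express the author's intent, not a pin,
    so blindly overwriting them would change the package's published contract.
    Returns (new xml text, {id: (old, new)}).
    """
    root = ET.fromstring(nuspec_text)
    changes = {}
    for dep in root.iter():  # walks into <group> elements too
        if local_name(dep.tag) != "dependency":
            continue
        pkg, current = dep.get("id"), dep.get("version")
        wanted = pinned.get(pkg)
        if wanted is None or current is None or _RANGE.match(current):
            continue
        if current != wanted:
            dep.set("version", wanted)
            changes[pkg] = (current, wanted)
    return ET.tostring(root, encoding="unicode"), changes


def update_props(props_text, package_id, new_version):
    """Bump one PackageReference in a Directory.Build.props (or .csproj).

    Handles Include= and Update= items, and both the Version attribute and
    a <Version> child element. Returns (new xml text, {id: (old, new)}).
    """
    root = ET.fromstring(props_text)
    changes = {}
    for ref in root.iter("PackageReference"):
        name = ref.get("Include") or ref.get("Update")
        if name != package_id:
            continue
        if ref.get("Version") is not None:
            old = ref.get("Version")
            ref.set("Version", new_version)
        else:
            child = ref.find("Version")
            if child is None:
                continue  # version comes from elsewhere (e.g. central package management)
            old = child.text
            child.text = new_version
        if old != new_version:
            changes[name] = (old, new_version)
    return ET.tostring(root, encoding="unicode"), changes


if __name__ == "__main__":
    pins = packages_config_versions(PACKAGES_CONFIG)
    new_nuspec, nuspec_changes = sync_nuspec(NUSPEC, pins)
    print("nuspec changes:", nuspec_changes)
    new_props, props_changes = update_props(DIRECTORY_BUILD_PROPS, "Newtonsoft.Json", "13.0.3")
    print("props changes:", props_changes)
```

Running it reports that Newtonsoft.Json moves from 12.0.3 to 13.0.3 in both files, while the Serilog range in the .nuspec is reported as no change even though packages.config pins 3.1.1. That is the check a bumping tool wants: a fixed version is a pin that must track packages.config, but a range is a declared compatibility contract and needs a human decision.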


All 11 comments

Any progress on this? 😄

We already fetch Directory.Build.props files and update them, but not .nuspec ones (yet).

And more generally, thanks for opening this @skolima, and for all your work on NuKeeper. I'm super keen to get to feature parity, but we're still a tiny team on Dependabot (we don't have much additional resource from GitHub yet and have a lot of additional work integrating directly into GitHub and dealing with a 1000x scale increase). We'll definitely get to this and PRs are very appreciated (although I understand not easy since Dependabot Core is in Ruby).

Update regarding the Directory.Build.props: there's a (minor) bug where currently Dependabot does not detect if that dependency has been updated externally and the PR is no longer needed, like it does for other updates - the PR is not auto-flagged and closed. Mentioning it with @dependabot rebase will correctly detect and close.

Repro repository: https://github.com/skolima/dependabot-props-problem/pull/3

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs within seven days. Thank you for your contributions.

@greysteil, is this issue still open as there's more to be done or can it be closed?

I _think_ there's more to be done - the fix commit I mentioned above was for a small issue @skolima pointed out, not the full details of the issue body.

I don't work on Dependabot anymore (these days I'm a product manager for code security at GitHub, which is pretty much all our security stuff _except_ dependency related things), but you're in safe hands with @feelepxyz and the rest of the team.

Thank you, @greysteil.

@feelepxyz, could you please confirm that Dependabot respects Directory.Build.props? And if not, clarify what's missing? Thank you.

@SeanFeldman dependabot should fetch and update Directory.Build.props files, the issue is also asking to update .nuspec which isn't currently supported.

Right. Perhaps considering an update to the issue description to have a list with Directory.Build.props checked off and .nuspec not would make it easier to see at a glance what's the status? Or, closing this issue with a link to a specific one for .nuspec only?
Regardless, thank you @feelepxyz for the clarification.
