Grouped dependency updates for NuGet packages not working correctly

[martincostello]

Is there an existing issue for this?

• I have searched the existing issues

Package ecosystem

NuGet

Package manager version

.NET 8.0.100 SDK

Language version

C# 12

Manifest location and content before the Dependabot update

Directory.Packages.props

dependabot.yml content

dependabot.yml

Updated dependency

• xunit 2.6.2 => 2.6.3
• xunit.runner.visualstudio 2.5.4 => 2.5.5

What you expected to see, versus what you actually saw

Dependabot reports in the pull request (martincostello/project-euler#315) and the commit message (martincostello/project-euler@741ea1e) that it has updated both of the xunit and xunit.runner.visualstudio NuGet packages.

However, on inspecting the Git diff only xunit.runner.visualstudio has been updated.

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

martincostello/project-euler#315

// snipped
updater | Finding updated dependencies for xunit.
  proxy | 2023/12/09 10:14:12 [260] GET https://api.nuget.org:443/v3-flatcontainer/xunit/2.6.3/xunit.nuspec
  proxy | 2023/12/09 10:14:12 [260] 200 https://api.nuget.org:443/v3-flatcontainer/xunit/2.6.3/xunit.nuspec
updater | 2023/12/09 10:14:12 INFO <job_760251202> Updating xunit from 2.6.2 to 2.6.3
updater | running NuGet updater:
updater | /opt/nuget/NuGetUpdater/NuGetUpdater.Cli update --repo-root /home/dependabot/dependabot-updater/repo --solution-or-project /home/dependabot/dependabot-updater/repo/tests/ProjectEuler.Tests/ProjectEuler.Tests.csproj --dependency xunit --new-version 2.6.3 --previous-version 2.6.2  --verbose
// snipped
updater |   Updating global.json files.
updater |     Dependency [xunit] not found in any global.json files.
updater |   No dotnet-tools.json files found.
updater | Running for project [/home/dependabot/dependabot-updater/repo/tests/ProjectEuler.Tests/ProjectEuler.Tests.csproj]
updater |   Running for SDK-style project
updater |     Found incorrect [PackageVersion] version attribute in [Directory.Packages.props].
updater |     Saved [Directory.Packages.props].
updater | Update complete.
updater | The contents of file [Directory.Packages.props] were updated.
// snipped
updater | 2023/12/09 10:14:39 INFO <job_760251202> Updating xunit.runner.visualstudio from 2.5.4 to 2.5.5
updater | running NuGet updater:
updater | /opt/nuget/NuGetUpdater/NuGetUpdater.Cli update --repo-root /home/dependabot/dependabot-updater/repo --solution-or-project /home/dependabot/dependabot-updater/repo/tests/ProjectEuler.Tests/ProjectEuler.Tests.csproj --dependency xunit.runner.visualstudio --new-version 2.5.5 --previous-version 2.5.4  --verbose
// snipped
updater | 2023/12/09 10:15:39 INFO Results:
updater | +--------------------------------------------------------------------------------------------+
updater | |                            Changes to Dependabot Pull Requests                             |
updater | +---------+----------------------------------------------------------------------------------+
updater | | created | xunit ( from 2.6.2 to 2.6.3 ), xunit.runner.visualstudio ( from 2.5.4 to 2.5.5 ) |
updater | | created | BenchmarkDotNet ( from 0.13.10 to 0.13.11 )                                      |
updater | +---------+----------------------------------------------------------------------------------+
updater | time="2023-12-09T10:15:39Z" level=info msg="task complete" container_id=job-760251202-updater exit_code=0 job_id=760251202 step=updater

Smallest manifest that reproduces the issue

No response

[martincostello]

Manually re-running dependabot after the incorrect pull request is merged generates a PR that does update xunit to 2.6.3: martincostello/project-euler#317.

[martincostello]

Similar issue here, except the package that was updated and the package that wasn't are the other way around: martincostello/website#1717

[martincostello]

Another example, but in this case the commit in the pull request is completely empty: App-vNext/Polly#1848

[erri120]

Same issue: Nexus-Mods/NexusMods.App#811

[david-brink-talogy]

same as #8475?

[martincostello]

Not sure. 23 days ago the previous xunit grouped update worked as expected. The NuGet implementation had a big overhaul in the last few weeks.

[jevvo-trimble]

Hello, any updates on this?
Have the same issue:


Looks like grouping is picking only last time.
I have it on multiple projects with different dependency

[samtrion]

Same issue here ...
dailydevops/healthchecks#154

[alex289]

I can also confirm this
alex289/CleanArchitecture#47

[watercable76]

Can confirm this has been happening since at least December 4th. On November 27th, one of my projects had a dependabot PR that referenced Microsoft.EntityFrameworkCore.Sqlite and Microsoft.EntityFrameworkCore.SqlServer, and both packages were updated.

After December 4th, grouped updates stopped working properly for just Nuget packages

[xt0rted]

Can confirm this has been happening since at least December 4th.

This has been happening since November 27th in some of my repos xt0rted/dotnet-rimraf#267.

The issue is most likely a bug in the new .net based nuget updater. This and other issues all started when that was announced. At that time my .net 8 projects started randomly failing to update which ended up being due to #8530, and I'm also seeing duplicate package details in the PR/commit body sometimes as seen here #8631 (comment).

[RalphDriessen]

For me the issue with upgrading groups is that it doesn't upgrade the dependencies in all the projects. It seems like it only upgrades the projects that have all the dependencies in the group (see https://github.com/RalphDriessen/example-dependabot-groups-issues/pull/1/files). In this example, all three projects have the dependency Masstransit, but only project Main has the dependency MassTransit.Azure.ServiceBus.Core resulting in only project Main being updated, instead of all three projects.

[IsaacMarovitz]

Any update to this? This is a pretty frustrating bug

[dorssel]

Same problem for centralized package versions (Directory.Packages.props): dorssel/dotnet-debounce#168

[david-brink-talogy]

I hate to do this, but @deivid-rodriguez, is your team tracking this? Grouped nuget updates have been broken for almost two months.

[trejjam]

I prepared a PR #8908 that should solve the issue with NuGet grouped updates, a review of changes is welcomed

---

I am not a project maintainer

[sebasgomez238]

@martincostello Hello, a fix for this went out yesterday #9228 and some people have confirmed it is working as expected. Let us know if it is working for you as well. Thanks.

[watercable76]

@sebasgomez238 just double checked the grouping. It seems to be working for packages, but the update message was displaying all packages, not just the ones matching the filter parameters. I have some rules in place to only get the updates for Microsoft packages, but I'm getting all packages in the update message.

For the actual file updates, I'm only seeing the packages matched by the grouping filers. Here is what my grouping looks like:

groups:
      microsoft:
        patterns:
          - 'Microsoft*'
      default:
        patterns:
          - '*'
        exclude-patterns:
          - 'Microsoft*'

[watercable76]

@watercable76 ; glad to hear this is now working.

Regarding the update message issue; that seems to be a new and separate issue; could you please file a new issue with these details so it can be investigated?

Submitted the issue ticket, and it's #9248

[martincostello]

@martincostello Hello, a fix for this went out yesterday #9228 and some people have confirmed it is working as expected. Let us know if it is working for you as well. Thanks.

I'm afraid I can't verify these issues at the moment as now I'm experiencing #9245.

[abdulapopoola]

@martincostello ; can you please try again? :)

[martincostello]

I've re-run dependabot on all my .NET repos and now there's only 3 that have some sort of error. I'll need to investigate a bit further as to if they're other specific existing issues or not.

I'll need to do a manual revert in a repo with a group defined later on today to see if this specific issue is resolved.

[martincostello]

Looks like it's behaving now 🥳

martincostello/alexa-london-travel#1107