The .NET ecosystem and the GitHub Dependabot have a few rough edges as far as updating dependencies go:
- .NET dependency pinning/locking isn't straight forward
- Dependabot doesn't support lock files
- .NET tools don't update lock files when we'd expect them to
One consequence is that Dependabot PRs can not be directly used to update our dependencies. They can only merely alert us that we must manually run the process below.
- For each affected source/test tree (e.g., directory with a
.csproj), run:
dotnet list package --outdated
At times, you may need to run dotnet restore in the directory before dotnet list package will run correctly.
- For each out-of-date package listed, run:
dotnet add package <PACKAGE_NAME>
If you do not specify the --highest-minor option, major versions will be considered.
- Update the package lockfile:
dotnet restore --force-evaluate
- Merge in updated
.csprojandpackages.lock.jsonfiles. The Dependabot PRs will automatically rebase and close themselves.
To recursively look for packages that can be updated, run:
./tools/update-packages.bash .
By default it will look only for minor updates. To look for major updates, run:
./tools/update-packages.bash . --highest-major
but inspect major updates carefully to avoid .NET 5 incompatibility issues.
- Adding a completely brand new package with
dotnet add packagewill update the project's corresponding lock file without any subsequent commands.