
[Bug]: Package version downgrade is not detected due to invalid transitive pinning #11760

Closed
marcin-krystianc opened this issue Apr 20, 2022 · 3 comments · Fixed by NuGet/NuGet.Client#4611
Assignees
Labels
Area:ErrorHandling warnings and errors/log messages & related error codes. Area:RestoreCPM Central package management Functionality:Restore Priority:2 Issues for the current backlog. Product:dotnet.exe Type:Bug
Milestone

Comments

@marcin-krystianc

NuGet Product Used

dotnet.exe

Product Version

7.0.100-preview.3.22179.4

Worked before?

no

Impact

It bothers me. A fix would be nice

Repro Steps & Context

There are some correctness issues when restoring packages for a solution in which projects specify different versions using CPVM and transitive pinning.
As in the attached example, the App project specifies a lower version of a dependency than the Lib1 and Lib2 projects. However, the restore operation still succeeds and no version downgrades are reported.

Solution.sln:

App -> Lib1 {{Newtonsoft.Json 12.0.2}} -> Lib2 -> Newtonsoft.Json 12.0.2
    -> Newtonsoft.Json 12.0.1

Output of dotnet restore:

  Determining projects to restore...
  The project _\Lib1\Lib1.csproj is using CentralPackageVersionManagement, a NuGet preview feature.
  The project _\App\App.csproj is using CentralPackageVersionManagement, a NuGet preview feature.
  Restored _\Lib2\Lib2.csproj (in 158 ms).
  Restored _\App\App.csproj (in 158 ms).
  Restored _\Lib1\Lib1.csproj (in 158 ms).

Output of dotnet list package:

dotnet list package
Project 'App' has the following package references
   [net5.0]:
   Top-level Package      Requested   Resolved
   > Newtonsoft.Json                  12.0.1

Project 'Lib1' has the following package references
   [net5.0]: No packages were found for this framework.
Project 'Lib2' has the following package references
   [net5.0]:
   Top-level Package      Requested   Resolved
   > Newtonsoft.Json      12.0.2      12.0.2

App:

<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>net5.0</TargetFramework>
    <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
    <CentralPackageTransitivePinningEnabled>true</CentralPackageTransitivePinningEnabled>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" />
    <ProjectReference Include="..\Lib1\Lib1.csproj" />
  </ItemGroup>
</Project>

Directory.Packages.props (App):

<Project>
  <ItemGroup>
    <PackageVersion Include="Newtonsoft.Json" Version="12.0.1"  />
  </ItemGroup>
</Project>

Lib1:

<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>net5.0</TargetFramework>
    <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
    <CentralPackageTransitivePinningEnabled>true</CentralPackageTransitivePinningEnabled>
  </PropertyGroup>
  <ItemGroup>
    <ProjectReference Include="..\Lib2\Lib2.csproj" />
  </ItemGroup>
</Project>

Directory.Packages.props (Lib1):

<Project>
  <ItemGroup>
    <PackageVersion Include="Newtonsoft.Json" Version="12.0.2"  />
  </ItemGroup>
</Project>

Lib2:

<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>net5.0</TargetFramework>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" Version="12.0.2" />
  </ItemGroup>
</Project>

Attachments:

Verbose Logs

No response

@kartheekp-ms kartheekp-ms added Functionality:Restore Area:RestoreCPM Central package management Area:ErrorHandling warnings and errors/log messages & related error codes. Product:dotnet.exe and removed Triage:Untriaged labels Apr 21, 2022
@nkolev92 nkolev92 added the Priority:2 Issues for the current backlog. label Apr 21, 2022
@nkolev92 (Member)

Team Triage: Assigning to @jeffkl for the initial investigation.

@marcin-krystianc (Author)

My understanding is that the code that adds central package versions to the list of dependencies should run only for top-level projects. Currently, it runs for all projects, which makes it difficult to understand what should actually happen when a top-level project has a different set of central versions than other projects in the solution.
Also, that code in RemoteDependencyWalker makes sense only when dependencies for transitive pinning are defined for the root node (top-level project), otherwise that logic is completely wrong.
If you agree with my assessment I can try to prepare a fix.
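The following script is an added example, not code from this issue or from NuGet.Client. It re-implements, outside of `dotnet restore`, the downgrade check that the repro above expects and that the comment above locates in RemoteDependencyWalker: starting from each root project, walk its ProjectReferences, collect the version every downstream project requests for each package, and compare that against the version the root resolves (its explicit PackageReference version, its own central version under CPM, or, when CentralPackageTransitivePinningEnabled is set, its central pin even for packages it never references directly). A root that resolves a lower version than something below it requests is the silent downgrade. Assumptions: the three project files and two Directory.Packages.props from the repro are embedded inline as constructed strings keyed by project name (real NuGet locates the props file by walking up the directory tree); version comparison is numeric-only and ignores prerelease labels; the helper names (`load_project`, `requested_version`, `downstream_requests`, `find_downgrades`) are this example's own, not NuGet's.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed inline copies of the three project files from the repro, keyed by project name.
PROJECT_FILES: Dict[str, str] = {
    "App": r"""<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>net5.0</TargetFramework>
    <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
    <CentralPackageTransitivePinningEnabled>true</CentralPackageTransitivePinningEnabled>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" />
    <ProjectReference Include="..\Lib1\Lib1.csproj" />
  </ItemGroup>
</Project>""",
    "Lib1": r"""<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>net5.0</TargetFramework>
    <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
    <CentralPackageTransitivePinningEnabled>true</CentralPackageTransitivePinningEnabled>
  </PropertyGroup>
  <ItemGroup>
    <ProjectReference Include="..\Lib2\Lib2.csproj" />
  </ItemGroup>
</Project>""",
    "Lib2": r"""<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>net5.0</TargetFramework>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" Version="12.0.2" />
  </ItemGroup>
</Project>""",
}

# Directory.Packages.props beside each CPM project (constructed; Lib2 has none).
# Assumption: the props file is looked up per project name instead of by directory walk.
PACKAGES_PROPS: Dict[str, str] = {
    "App": r"""<Project><ItemGroup><PackageVersion Include="Newtonsoft.Json" Version="12.0.1" /></ItemGroup></Project>""",
    "Lib1": r"""<Project><ItemGroup><PackageVersion Include="Newtonsoft.Json" Version="12.0.2" /></ItemGroup></Project>""",
}


@dataclass
class Project:
    name: str
    project_refs: List[str]
    package_refs: Dict[str, Optional[str]]  # PackageReference Include -> explicit Version (None under CPM)
    cpm: bool
    transitive_pinning: bool
    central: Dict[str, str]                 # PackageVersion Include -> Version


def parse_version(v: str) -> Tuple[int, ...]:
    # Numeric part only; a prerelease label such as "-beta1" is dropped (simplification).
    return tuple(int(p) for p in v.split("-", 1)[0].split("."))


def _flag(root: ET.Element, name: str) -> bool:
    el = root.find(f"./PropertyGroup/{name}")
    return el is not None and (el.text or "").strip().lower() == "true"


def load_project(name: str) -> Project:
    root = ET.fromstring(PROJECT_FILES[name])
    refs = []
    for pr in root.iter("ProjectReference"):
        path = pr.get("Include", "").replace("\\", "/")
        refs.append(path.rsplit("/", 1)[-1].rsplit(".csproj", 1)[0])  # ..\Lib1\Lib1.csproj -> Lib1
    pkgs = {p.get("Include"): p.get("Version") for p in root.iter("PackageReference")}
    central: Dict[str, str] = {}
    if name in PACKAGES_PROPS:
        props = ET.fromstring(PACKAGES_PROPS[name])
        central = {pv.get("Include"): pv.get("Version") for pv in props.iter("PackageVersion")}
    return Project(name, refs, pkgs, _flag(root, "ManagePackageVersionsCentrally"),
                   _flag(root, "CentralPackageTransitivePinningEnabled"), central)


def requested_version(proj: Project, package: str) -> Optional[str]:
    """Version a project asks for itself: explicit Version, else its own central version under CPM."""
    if package not in proj.package_refs:
        return None
    explicit = proj.package_refs[package]
    if explicit:
        return explicit
    return proj.central.get(package) if proj.cpm else None


def downstream_requests(root_name: str) -> Dict[str, List[Tuple[str, str]]]:
    """Walk ProjectReferences below the root; collect (project, version) per package."""
    seen: set = set()
    stack = list(load_project(root_name).project_refs)
    out: Dict[str, List[Tuple[str, str]]] = {}
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        proj = load_project(name)
        stack.extend(proj.project_refs)
        for pkg in proj.package_refs:
            v = requested_version(proj, pkg)
            if v:
                out.setdefault(pkg, []).append((name, v))
    return out


def find_downgrades(root_name: str) -> List[Tuple[str, str, str, str]]:
    """Returns (package, version the root resolves, higher version below it, project requesting it)."""
    root = load_project(root_name)
    findings = []
    for pkg, requests in downstream_requests(root_name).items():
        effective = requested_version(root, pkg)
        if effective is None and root.cpm and root.transitive_pinning:
            effective = root.central.get(pkg)  # pin applies even without a direct reference
        if effective is None:
            continue  # nothing at the root overrides the transitive version
        proj, highest = max(requests, key=lambda pv: parse_version(pv[1]))
        if parse_version(effective) < parse_version(highest):
            findings.append((pkg, effective, highest, proj))
    return findings


if __name__ == "__main__":
    for name in PROJECT_FILES:
        for pkg, low, high, src in find_downgrades(name):
            print(f"{name}: {pkg} {high} requested by {src} is downgraded to {low}")
```

Run against the repro, this reports the one downgrade NuGet stayed silent about (App resolves Newtonsoft.Json 12.0.1 while Lib2 requests 12.0.2) and nothing for Lib1 or Lib2, which matches the graph in the issue. The root-only handling of central pins in `find_downgrades` is the point of the comment above: pins are applied for the project being restored, not re-applied at every node of the walk.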

@jeffkl (Contributor) commented May 2, 2022

@marcin-krystianc Yes feel free to take a crack at a fix, I'll be more than happy to accept a contribution.
