NuGetAudit in VisualStudio with packages.config projects does not support configuring audit properties for projects sharing the same name #13466
Labels: Functionality:Restore, Priority:1, Product:VS.Client, Style:Packages.Config, TechDebt, Type:Bug
PackageRestoreData should use the project path instead of the project name when restoring
It contains the deduplicated id and the list of project names that are relevant to it.
https://github.com/NuGet/NuGet.Client/blob/dev/src/NuGet.Core/NuGet.PackageManagement/IDE/PackageRestoreData.cs#L11-L13
In AuditChecker, the PackageRestoreData key is compared to the AuditInfo key:
https://github.com/NuGet/NuGet.Client/blob/2d9dbdb4140df7bccbb1df768c64617b661239ff/src/NuGet.Core/NuGet.PackageManagement/Audit/AuditChecker.cs#L224.
The problem is that the project path is unique, while the project name isn't required to be.
What this means is that long term, we need to switch from using the name, to using the project path.
The challenge is that the PackageRestoreData has a lot of usages.
In order to fix #13465, we had to make an assumption in there with a known limitation, basically meaning that projects with the same name will have the same audit configuration.
The chances of anyone configuring MSBuild audit properties differently within the same solution are low, but still a possibility nonetheless.
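A simplified model of the limitation described in this issue, added here as an illustration and not taken from NuGet.Client: the `ProjectAudit` record, the `AuditKeyDemo` class, the sample paths and the first-registration-wins behaviour are all assumptions. It shows two same-named projects with different audit settings collapsing to one configuration under a name key, staying distinct under a path key, and a check that lists the ambiguous names in a solution.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;

// Hypothetical stand-in for per-project audit settings (not a NuGet.Client type).
// Assumption: the project name equals the project file name without extension.
record ProjectAudit(string ProjectPath, bool AuditEnabled, string AuditLevel)
{
    public string Name => Path.GetFileNameWithoutExtension(ProjectPath);
}

static class AuditKeyDemo
{
    // Name-keyed lookup: the first project registered under a name decides
    // the settings for every project sharing that name (assumed behaviour).
    static Dictionary<string, ProjectAudit> ByName(IEnumerable<ProjectAudit> projects)
    {
        var map = new Dictionary<string, ProjectAudit>(StringComparer.OrdinalIgnoreCase);
        foreach (var p in projects)
            map.TryAdd(p.Name, p);
        return map;
    }

    // Path-keyed lookup: the full path is unique, so nothing is overwritten or shared.
    static Dictionary<string, ProjectAudit> ByPath(IEnumerable<ProjectAudit> projects) =>
        projects.ToDictionary(p => Path.GetFullPath(p.ProjectPath), StringComparer.OrdinalIgnoreCase);

    static void Main()
    {
        // Constructed sample: two projects named "Common" in one solution.
        var projects = new[]
        {
            new ProjectAudit("src/Web/Common/Common.csproj", true, "low"),
            new ProjectAudit("src/Tools/Common/Common.csproj", false, "critical"),
        };
        var byName = ByName(projects);
        var byPath = ByPath(projects);
        foreach (var p in projects)
        {
            var n = byName[p.Name];
            var q = byPath[Path.GetFullPath(p.ProjectPath)];
            Console.WriteLine($"{p.ProjectPath}: configured={p.AuditEnabled}/{p.AuditLevel} " +
                $"name-keyed={n.AuditEnabled}/{n.AuditLevel} path-keyed={q.AuditEnabled}/{q.AuditLevel}");
        }
        // Check: report names that more than one project path maps to.
        foreach (var g in projects.GroupBy(p => p.Name, StringComparer.OrdinalIgnoreCase).Where(g => g.Count() > 1))
            Console.WriteLine($"ambiguous name '{g.Key}': {string.Join(", ", g.Select(p => p.ProjectPath))}");
    }
}
```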