Do not warn when NuGet resolves to a higher version of the package unless its change in major version #5764
Comments
|
The screenshot shows NU1603 for Castle.Core 4.0.0, the issue here is a package authoring here which has since been fixed: castleproject/Core#239 NU1603 refers to missing packages, not the resolved version in the final flattened graph. This warning appears when the min version of a dependency cannot be found. Finding a version of a higher patch does not help here, the expected exact match is still missing. From https://docs.microsoft.com/en-us/nuget/reference/errors-and-warnings for more details on this warning. A package dependency specified a version that could not be found. A higher version was used instead, which differs from what the package was authored against.
|
|
You say "differs from what the package was authored against" but what about this one: I have specified Another example: While this one is "interesting": |
Here is an example of how NU1603 can happen:
Here is an example where NU1603 does not occur:
NU1603 is useful for the following reasons:
NU1603 is not intended to cover these scenarios:
NU1603 as an errorI recommend treating NU1603 as an error to ensure that restores are fast and consistent. <WarningsAsErrors>NU1603</WarningsAsErrors> |
|
Echoing what @emgarten said: @xlegalles The minimum version of the package should be what actually built against. You shouldn't be making nuget packages that target an arbitrary minimum that doesn't exist. That leads to inefficiencies where you're forcing consumers to do a feed check to find the best match when that could be skipped. With the new coupling of producing and consuming packages, it makes it really hard to mess this up since there's no separate nuspec being authored. |
@xlegalles this sounds like a new feature, unrelated to NU1603. I suggest opening a new issue to track it and explain what you would like to see in the warnings/log. It sounds useful. |
|
@xlegalles why do you have so many warnings? |
|
@davidfowl Sorry, I did not see your question: well, we are migrating a big project to .NET Core and we have to manage quite a number of 3pp dependencies. Not all of them are already migrated but they are still compatible and everything work well. So this is the first cause of warnings: using .NET FW libraries from .NET Core. |
|
This is broken, IMO. Please see the following warning details: Dapper.SimpleCRUD 2.2.0 depends on Dapper (>= 2.0.0) but Dapper 2.0.0 was not found. An approximate best match of Dapper 2.0.4 was resolved. The message itself appears to indicate that Dapper.SimpleCRUD needs Dapper that is version 2.0.0 - or greater. And in fact, Dapper 2.0.4 (which is greater...) is used as a resolution to this dependency. How can any rational person see this as a valid warning and not the defective behavior that it is? |
|
@Yuck not sure what you mean, why does Dapper.SimpleCRUD depend on Dapper 2.0.0:
It doesn't exist, the package is broken and should depend on a real version of Dapper, the one it compiled and tested against. |
|
I feel like there's a real disconnect here between how the NuGet developers like @davidfowl view the ranged version specification working vs. how some users, such as myself, think this should work. In @Yuck's example above, the warning seems nonsensical to some of us because the package said that it will function correctly with any version greater than or equal to 2.0.0 - whether that be 2.0.0 or 2.0.1. It doesn't matter that 2.0.0 doesn't exist, because 2.0.1 will do just fine. Why would the package manager warn when this constraint is satisfied? It seems to me that @davidfowl is saying there's an implication that the original developer of the package must have built and tested their product against the exact version at the bottom of the range - in this case 2.0.0. Any movement from that exact version is allowed, but it's considered to be worth warning about because it wasn't the exact version tested against. Maybe the warning could be reworded to make it clear for those of us who assume that any version that satisfies the constraint is fine? |
|
I missed the solution in here. The situation I'm in is that multiple old packages need Foo Package version 3.X.X but we have others that need Foo Package version 4.X.X. Our private feed only carries 4.X.X. Binding redirects are generated. Is the issue that if we listed 3.X.X in our private feed then we would get both versions installed? I guess I'm missing how we can take action based on this warning, and what that action would be. (this is an old Web Forms project being moved to PackageReference to deal with issues surrounding "netstandard" and 4.7.2) |
|
No both versions wouldn’t be installed. The question is what was Foo built and tested with and why is that version not available? |
|
I guess my question is why would they say |
|
While that's 100% reasonable statement, the reality is that 98% of the time, the feed would have both versions. In the other 2% of cases:
|
|
We fall under the second use case - we keep only the latest version of our packages in the feed. NU1603 is something that we have to work around, quite frustrating. |
|
@davidfowl We are encountering this with the Microsoft SQL Server Reporting Services (SSRS Team) Provided Package "Microsoft.ReportingServices.ReportViewerControl.Winforms" (https://www.nuget.org/packages/Microsoft.ReportingServices.ReportViewerControl.Winforms/) According to your statements above this indicates that Microsoft's Reporting Team has a defect in their package creation process, this is because there is no such version as They seem to have the same impression that many of the developers are posting here, that To assist in reporting this defect to Microsoft's SSRS Team (and for the benefit of the rest of us playing along at home): What is the "correct" way to indicate this behavior in NuGet? Based on your comments above what I am seeing is that, in your world, If I understood what you are trying to say, your claim is that in order to fix this defect in Microsoft SSRS Team's NuGet package that they should have declared their dependency is If that really is the case then why hasn't someone written a tool to go scan NuGet.org to find invalid package configurations and start sending out automated emails? Starting at home sounds like a great place to be. In addition can you please kindly point to where in docs.microsoft.com this is explicitly documented to never target a non-existent version? What happens when the package has to be de-listed for security purposes? Otherwise you've broken people who would have worked without issue. Here's a Git Repository that shows a simple reproduction of this defective packaging using only the Microsoft SSRS Team supplied NuGet packages: https://github.com/aolszowka/NU1603InSSRS Realize that if you convert warnings to errors in this project your CI will fail due to this failure; it sure doesn't feel real good to suppress NU1603 but that is probably where we are at. |
|
my nuget NLog.Extensions.RabbitMQ has the following in the nuspec However I am seeing this message: I see that a few people above have reported a similar issue. Why this this a warning if 12.0.1 perfectly matches 12.* ? |
|
Your NuGet package should have floated to get a specific version then that version should have beeen burnt into the nuspec. Don’t put floating versions in the nuspec because it doesn’t mean anything |
|
@davidfowl I don't recall encountering this problem in any of the other package managers that I've used for various languages. So long as there is a package available that fits within the specified version range, other package managers are happy. Is NuGet unique in having this restriction/philosophy? Why? |
|
NuGet doesn’t work like lots of other package managers (though it does like the java ones). You may bee familiar npm which prefers the highest version of a dependency by default and it’s up tothe package author to clamp versions down. Works fine for dynamic languages where everything is a runtime breaking change, not so great in a statically types ecosystem which needs binary compatibility to function. NuGet doesn’t float dependencies by default and prefers the lowest version of your dependency (the one you specified). That comes with a different set of trade offs of course but it’s also what lead to this behavior of “specify in the nuspec what you tested against” because as a package author and let the package manager resolve the correct version based on policy. This also leaves the package graph stable at install time. I don’t disagree that these policies might change in the future as we default to more lock file specific experiences but until that switch happens., I’d recommend package authors specify the version they tested their package against. |
|
I treat warnings as errors on release builds to enforce compliance with Roslyn rules. I don't know why my build should be blocked by this warning.
The package it chose is totally reasonable... |
|
What I found interesting, is that half of examples here reference packages from Microsoft itself. Edit Microsoft guys should first adhere their own guides I think before pushing them to everyone... |
|
Still running into this with .NET RC2: error NU1603: Microsoft.VisualStudio.Web.CodeGeneration.Templating 5.0.0-rc.2.20473.1 depends on Microsoft.AspNetCore.Razor.Language (>= 5.0.0-rc.2.20466.1) but Microsoft.AspNetCore.Razor.Language 5.0.0-rc.2.20466.1 was not found. An approximate best match of Microsoft.AspNetCore.Razor.Language 5.0.0-rc.2.20475.17 was resolved. error NU1603: Microsoft.VisualStudio.Web.CodeGeneration.Templating 5.0.0-rc.2.20473.1 depends on Microsoft.CodeAnalysis.Razor (>= 5.0.0-rc.2.20466.1) but Microsoft.CodeAnalysis.Razor 5.0.0-rc.2.20466.1 was not found. An approximate best match of Microsoft.CodeAnalysis.Razor 5.0.0-rc.2.20475.17 was resolved. error NU1603: DevBetterWeb.Web depends on Microsoft.EntityFrameworkCore.Sqlite (>= 5.0.0-rc.2.20451.13) but Microsoft.EntityFrameworkCore.Sqlite 5.0.0-rc.2.20451.13 was not found. An approximate best match of Microsoft.EntityFrameworkCore.Sqlite 5.0.0-rc.2.20475.6 was resolved. |
|
/cc: @JonDouglas |
|
@aolszowka - this is precisely our problem. Microsoft.ReportingServices.ReportViewerControl.WebForms depends on Microsoft.SqlServer.Types like this: The closest version of Microsoft.SqlServer.Types on Nuget is 14.0.314.76. Trying to install results in: So, for some reason this warning seems to actually fail the install. |
## Why make this change? - Updates dependencies `SqlClient` and `Microsoft.AspNetCore.Authentication.JwtBearer` - Explicitly set version of and include transitive dependencies: `System.IdentityModel.Tokens.Jwt` and `Microsoft.IdentityModel.JsonWebTokens` - Suppress NU1603 when resolving dependencies from NuGet feed to prevent pipeline failures. - Allows pipeline to pull compatible dependency version from private feed even when dependency is not the exact lower bounded version. DAB project treats warnings as errors and in this case, NU1603 is emitted and should be ignored. - Background on issue: NuGet/Home#5764 Even though our feed may have version `6.10.1` of the relevant package which meets the expectations of `>=6.10.0`, NuGet is expects and considers the "ideal" match to be `6.10.0` because that is what the package was built and tested against. Newer versions may or may not work and allows build systems to be consistent (per linked NuGet issue thread). > ##[error]Core.csproj(0,0): Error NU1603: Microsoft.IdentityModel.Protocols 6.10.0 depends on Microsoft.IdentityModel.Tokens (>= 6.10.0) > but Microsoft.IdentityModel.Tokens 6.10.0 was not found. > An approximate best match of Microsoft.IdentityModel.Tokens 6.10.1 was resolved. ## What is this change? - Suppress `NU1603` warning in all csproj files. - Updates SqlClient dependency to version `5.1.4`. - Updates Microsoft.AspNetCore.Authentication.JwtBearer to version `6.0.26` - Updates System.IdentityModel.Tokens.Jwt and Microsoft.IdentityModel.JsonWebTokens to `6.35.0` explicitly even though transitive dependencies because latest SqlClient 5.1.4 references vulnerable 6.24.0 versions. Known issue in sqlclient dotnet/SqlClient#2294 and workaround is to explicitly define the dependencies/needed version. ## How was this tested? - [x] integration test: privately running the pipeline resolves expected dependencies without error. --------- Co-authored-by: neeraj-sharma2592 <neeraj.sharma2592@gmail.com>
## Why make this change? - Updates dependencies `SqlClient` and `Microsoft.AspNetCore.Authentication.JwtBearer` - Explicitly set version of and include transitive dependencies: `System.IdentityModel.Tokens.Jwt` and `Microsoft.IdentityModel.JsonWebTokens` - Suppress NU1603 when resolving dependencies from NuGet feed to prevent pipeline failures. - Allows pipeline to pull compatible dependency version from private feed even when dependency is not the exact lower bounded version. DAB project treats warnings as errors and in this case, NU1603 is emitted and should be ignored. - Background on issue: NuGet/Home#5764 Even though our feed may have version `6.10.1` of the relevant package which meets the expectations of `>=6.10.0`, NuGet is expects and considers the "ideal" match to be `6.10.0` because that is what the package was built and tested against. Newer versions may or may not work and allows build systems to be consistent (per linked NuGet issue thread). > ##[error]Core.csproj(0,0): Error NU1603: Microsoft.IdentityModel.Protocols 6.10.0 depends on Microsoft.IdentityModel.Tokens (>= 6.10.0) > but Microsoft.IdentityModel.Tokens 6.10.0 was not found. > An approximate best match of Microsoft.IdentityModel.Tokens 6.10.1 was resolved. ## What is this change? - Suppress `NU1603` warning in all csproj files. - Updates SqlClient dependency to version `5.1.4`. - Updates Microsoft.AspNetCore.Authentication.JwtBearer to version `6.0.26` - Updates System.IdentityModel.Tokens.Jwt and Microsoft.IdentityModel.JsonWebTokens to `6.35.0` explicitly even though transitive dependencies because latest SqlClient 5.1.4 references vulnerable 6.24.0 versions. Known issue in sqlclient dotnet/SqlClient#2294 and workaround is to explicitly define the dependencies/needed version. ## How was this tested? - [x] integration test: privately running the pipeline resolves expected dependencies without error. --------- Co-authored-by: neeraj-sharma2592 <neeraj.sharma2592@gmail.com>
## Why make this change? - Updates dependencies `SqlClient` and `Microsoft.AspNetCore.Authentication.JwtBearer` - Explicitly set version of and include transitive dependencies: `System.IdentityModel.Tokens.Jwt` and `Microsoft.IdentityModel.JsonWebTokens` - Suppress NU1603 when resolving dependencies from NuGet feed to prevent pipeline failures. - Allows pipeline to pull compatible dependency version from private feed even when dependency is not the exact lower bounded version. DAB project treats warnings as errors and in this case, NU1603 is emitted and should be ignored. - Background on issue: NuGet/Home#5764 Even though our feed may have version `6.10.1` of the relevant package which meets the expectations of `>=6.10.0`, NuGet is expects and considers the "ideal" match to be `6.10.0` because that is what the package was built and tested against. Newer versions may or may not work and allows build systems to be consistent (per linked NuGet issue thread). > ##[error]Core.csproj(0,0): Error NU1603: Microsoft.IdentityModel.Protocols 6.10.0 depends on Microsoft.IdentityModel.Tokens (>= 6.10.0) > but Microsoft.IdentityModel.Tokens 6.10.0 was not found. > An approximate best match of Microsoft.IdentityModel.Tokens 6.10.1 was resolved. ## What is this change? - Suppress `NU1603` warning in all csproj files. - Updates SqlClient dependency to version `5.1.4`. - Updates Microsoft.AspNetCore.Authentication.JwtBearer to version `6.0.26` - Updates System.IdentityModel.Tokens.Jwt and Microsoft.IdentityModel.JsonWebTokens to `6.35.0` explicitly even though transitive dependencies because latest SqlClient 5.1.4 references vulnerable 6.24.0 versions. Known issue in sqlclient dotnet/SqlClient#2294 and workaround is to explicitly define the dependencies/needed version. ## How was this tested? - [x] integration test: privately running the pipeline resolves expected dependencies without error. --------- Co-authored-by: neeraj-sharma2592 <neeraj.sharma2592@gmail.com>
|
Any ideas why this error is displayed only on one machine but on others there is no message at all?
All machines have SDK 8.0.200 - is there any global switch, environment variable or something to control this behavior? |
|
The two machines are probably using different package sources. We highly recommend that all repos/solutions have a nuget.config file set up to make the package sources deterministic (have a nuget.config file where the first element under This way your solution is not subject to different user configurations on different machines. |
|
I have nuget.config but I have some trash in user configuration - I never touch this files but clear them was solution for me. Thanks. |
Today NuGet warns with NU1603 if the package resolved is not the min version specified. E.g.
This looks like information to many users. Following 2 options may be desired:
Warn only if resolved Major version is different than the specified min Major version. i.e. Do not warn for 4.0.1 -> 4.10 but warn for 4.0.1->5.x
Have an option to convert this warning to information message from settings
The text was updated successfully, but these errors were encountered: