Show warnings for referenced packages that are out of date #2261

Open
jnm2 opened this issue Aug 30, 2018 · 4 comments

Comments

@jnm2
Contributor

jnm2 commented Aug 30, 2018

When you pin package versions, there's nothing to remind you when package updates are available. If there was a warning shown at the end of each script execution, it would provide awareness to folks who aren't thinking about loading up their various packages' websites to check manually.

Similar to #2260, so I'll copy this part:

Could a warning be too strong? Information might be a better fit except that it might fail in its purpose of drawing attention during a normal script execution. On the other hand, there's occasionally a CVE associated with a new update.

Since the update check isn't mission-critical, it could be started asynchronously before compiling the script. If there is no network connectivity, the check can time out silently or be canceled silently when the script execution is finished.

There should be a configuration setting for folks to opt out.

@bjorkstromm
Member

Not sure if I agree that this functionality should be present on every execution as it will have a significant impact on execution time. Checking each package will result in a fair amount of HTTP requests. Instead I suggest implementing this feature as a separate command. The command should also support updating the versions.

@jnm2
Contributor Author

jnm2 commented Aug 30, 2018

@mholo65 If the HTTP requests are sent asynchronously and the results are only shown after the script is finished executing, and canceled if the script finishes first, the wall time shouldn't be any shorter for the entire execution.

@jnm2
Contributor Author

jnm2 commented Aug 30, 2018

(Does the NuGet protocol have a single-roundtrip way to check for package updates?)

@bjorkstromm
Member

Async could be nice, however quickly thinking it through it feels like it would require some breaking changes which then could have impact on some modules, etc. Speaking of modules, this functionality should be implemented in a way that it’s opt-in for other modules to implement (e.g. Choco, Paket, Apt-Get etc.)

Back to NuGet (which is the only module maintained by Cake core), glad you asked about NuGet V3 protocol (which is implemented using JSON-LD) 😄 Simple answer, no there isn’t a quick way to check if a package is outdated. From the top of my head, here’s how it goes:

  1. First query service index (https://api.nuget.org/v3/index.json) to get the Registration url.
  2. For each package, query the registration for that specific package and parse that. If you’re lucky, and the registration doesn’t contain many versions it will look something like this https://api.nuget.org/v3/registration3/cake/index.json. If you’re unlucky, it will look like this https://www.myget.org/F/cake/api/v3/registration1/cake/index.json and you will need to go one level deeper like this https://www.myget.org/F/cake/api/v3/registration1/cake/page/0.29.0-alpha0023/0.31.0-alpha0002.json

Just look at that amount of JSON and take a moment to reflect over why NuGet is slow 😄 Fortunately, we don’t need to implement the protocol as we can rely on the NuGet Client libraries.
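
The lookup described in the last comment, sketched as an added example that is not part of the thread or of Cake's code: it walks a service index, a registration index with inlined leaves, and one whose pages need a further request each, and counts the documents fetched. The `feed.example` URLs, package names and versions are constructed, the helper names are hypothetical, and prereleases are ignored as a simplification.

```python
# Constructed documents standing in for a feed's HTTP responses (hypothetical feed).
INDEX = "https://feed.example/v3/index.json"
BASE = "https://feed.example/v3/registration/"

def leaf(version, listed=True):
    return {"catalogEntry": {"version": version, "listed": listed}}

DOCS = {
    INDEX: {"resources": [{"@id": BASE, "@type": "RegistrationsBaseUrl"}]},
    # Few versions: the leaves are inlined in the registration index.
    BASE + "small.pkg/index.json": {"items": [
        {"@id": BASE + "small.pkg/index.json#page", "items": [leaf("1.0.0"), leaf("1.2.0")]}]},
    # Many versions: the index only links to pages, each costing another request.
    BASE + "big.pkg/index.json": {"items": [
        {"@id": BASE + "big.pkg/page/0.1.0/0.9.0.json"},
        {"@id": BASE + "big.pkg/page/0.10.0/0.11.0-alpha1.json"}]},
    BASE + "big.pkg/page/0.1.0/0.9.0.json": {"items": [leaf("0.1.0"), leaf("0.9.0")]},
    BASE + "big.pkg/page/0.10.0/0.11.0-alpha1.json": {"items": [
        leaf("0.10.0"), leaf("0.10.1", listed=False), leaf("0.11.0-alpha1")]},
}

def stable_key(version):
    # Numeric sort key for a stable version; None for prereleases (simplification).
    core = version.split("+")[0]
    return None if "-" in core else tuple(int(p) for p in core.split("."))

def latest_stable(package_id, fetch=DOCS.__getitem__):
    # Returns (latest listed stable version, number of documents fetched).
    resources = fetch(INDEX)["resources"]
    base = next(r["@id"] for r in resources if r["@type"].startswith("RegistrationsBaseUrl"))
    registration, fetched, versions = fetch(base + package_id.lower() + "/index.json"), 2, []
    for page in registration["items"]:
        if "items" not in page:  # page not inlined: go one level deeper
            page, fetched = fetch(page["@id"]), fetched + 1
        for item in page["items"]:
            entry = item["catalogEntry"]
            if entry.get("listed", True) and stable_key(entry["version"]) is not None:
                versions.append(entry["version"])
    return max(versions, key=stable_key), fetched

def is_outdated(package_id, pinned):
    # Assumes the pinned version is a stable release.
    latest, _ = latest_stable(package_id)
    return stable_key(pinned) < stable_key(latest), latest
```

Versions are compared numerically, so `0.10.0` ranks above `0.9.0`, and unlisted versions are skipped so a pulled release is not reported as an available update.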
