NuGet doesn't handle conflicts of versions in an install request when HighestVersion dependency

[ferventcoder]

The NuGet dependency walker doesn't seem to be able to handle the scenario where a package has a dependency constraint on a package version and another dependency has a similar, but looser constraint on a package version.

It fails with Already referencing a newer version of 'x'.

Related to #227 and #506.

From: https://groups.google.com/d/msgid/chocolatey/ad9e0b37-a81d-4c75-98c7-c84c787b8859%40googlegroups.com?utm_medium=email&utm_source=footer

Hasdependency.nuspec:

<?xml version="1.0"?>
<package xmlns="http://schemas.microsoft.com/packaging/2010/07/nuspec.xsd">
  <metadata>
    <id>hasdependency</id>
    <version>1.0.0</version>
    <authors>__REPLACE_AUTHORS_OF_SOFTWARE__</authors>
    <owners>__REPLACE_YOUR_NAME__</owners>
    <description>__REPLACE__</description>
    <dependencies>
      <dependency id="isdependency" version="[1.0.0]" />
      <dependency id="isexactversiondependency" version="[1.0.0]" />
    </dependencies>
  </metadata>
</package>

isdependency.nuspec

<?xml version="1.0"?>
<package xmlns="http://schemas.microsoft.com/packaging/2010/07/nuspec.xsd">
  <metadata>
    <id>isdependency</id>
    <version>1.0.0</version>
    <authors>__REPLACE_AUTHORS_OF_SOFTWARE__</authors>
    <owners>__REPLACE_YOUR_NAME__</owners>
    <description>__REPLACE__</description>
    <dependencies>
      <dependency id="isexactversiondependency" version="[1.0.0, 2)" />
    </dependencies>
  </metadata>
</package>

isexactversiondependency.nuspec (with one file so it will build) - 1.0.0

<?xml version="1.0"?>
<package xmlns="http://schemas.microsoft.com/packaging/2010/07/nuspec.xsd">
  <metadata>
    <id>isexactversiondependency</id>
    <version>1.0.0</version>
     <authors>__REPLACE_AUTHORS_OF_SOFTWARE__</authors>
    <owners>__REPLACE_YOUR_NAME__</owners>
    <description>__REPLACE__</description>
  </metadata>
  <files>
    <file src="tools\**" target="tools" />
  </files>
</package>

isexactversiondependency.nuspec (with one file so it will build) - 1.1.0

<?xml version="1.0"?>
<package xmlns="http://schemas.microsoft.com/packaging/2010/07/nuspec.xsd">
  <metadata>
    <id>isexactversiondependency</id>
    <version>1.1.0</version>
     <authors>__REPLACE_AUTHORS_OF_SOFTWARE__</authors>
    <owners>__REPLACE_YOUR_NAME__</owners>
    <description>__REPLACE__</description>
  </metadata>
  <files>
    <file src="tools\**" target="tools" />
  </files>
</package>

[ferventcoder]

Similar to #116 (although in this case it does).

[ferventcoder]

@timbrown5

[ferventcoder]

@maartenba / @xavierdecoster Did NuGet v3 fix this problem? I am working on reproducing it all the way up.

[ferventcoder]

Of course I need to install VisualStudio 2015 to verify this as it doesn't seem that the command line version of NuGet (up to 3.3.0) respects the DependencyVersion attribute in the NuGet.config file. I've set it to highest and it ignores it.

[ferventcoder]

Here is a reproduction - repro.zip

Unzip this and add it to a local folder, then add that local folder in visual studio nuget manager.

Run this command install-package toplevelhasexactversiondependency -DependencyVersion Highest

It fails in VS2013 which looks like it includes up to 2.8.7 in the latest available extension. I'm curious if it also fails in VS2015 (which includes 3.x).

[ferventcoder]

Here are the failing specs - https://github.com/chocolatey/choco/blob/master/Scenarios.md#when-installing-a-package-with-a-dependent-package-that-also-depends-on-a-less-constrained-but-still-valid-dependency-of-the-same-package

[maartenba]

Best to post an issue at http://github.com/nuget/home

[ferventcoder]

@maartenba I am planning on it, but if you had any updates as to whether this was fixed ahead of time, it would be helpful.

[ferventcoder]

Hate to post an issue for something that may have already been fixed.

[maartenba]

No idea personally, maybe @xavierdecoster

[ferventcoder]

@maartenba / @xavierdecoster - I followed up with NuGet/Home#1839

[ferventcoder]

@gep13 verified this works properly in v3.

[ferventcoder]

This will require .NET 4.5 for the upgrade to a v3 version of NuGet so this will need to move to 0.9.11 where we are eclipsing support for .NET 4 (and Windows 2003).

[rockobonaparte]

I just got bit with this again with version 0.10.8. Is it actually still open? The packages I'm using are internal so I can't directly expose them but the dependency chain was basically:

X 1.1
(no specific dependencies)
(there is also an X 1.2 and that screws things up)

this is actually wants being specified to be installed in Chocolatey
package X-wrapper 1.1
needs X, specifically version 1.1
needs X-config 1.0

X-config 1.0
needs X, no specific version
needs X-collateral, no specific version

X-collateral 1.0
needs X, no specific version

If I install X 1.1 beforehand then we're cool. If I install X-wrapper 1.1 then X-config seems to grab X 1.2, then X-wrapper tries to get X 1.1, and the world explodes.

[ferventcoder]

Howdy @rockobonaparte - we are typically quite good at the paperwork aspect of our tickets, so if it is still open, it's likely still an issue. There are sometimes we do have duplicates that are not caught so they get tagged for the release and older issues might be missed in that regard. We are looking to upgrade NuGet coming in the next few months (hopefully completed by mid 2021).

[TheCakeIsNaOH]

This issue appears to be fixed as a part of #2740, by enabling/completing the below tests:

choco/src/chocolatey.tests.integration/scenarios/InstallScenarios.cs

Lines 3251 to 3459 in c0e2f84

	public class when_installing_a_package_with_dependencies_on_an_older_version_of_a_package_than_is_already_installed : ScenariosBase
	{
	public override void Context()
	{
	base.Context();
	Configuration.PackageNames = Configuration.Input = "hasdependency";
	Scenario.add_packages_to_source_location(Configuration, "hasdependency.1.0.0*" + NuGetConstants.PackageExtension);
	Scenario.add_packages_to_source_location(Configuration, "conflictingdependency.2.1.0*" + NuGetConstants.PackageExtension);
	Scenario.add_packages_to_source_location(Configuration, "isdependency.*" + NuGetConstants.PackageExtension);
	Scenario.add_packages_to_source_location(Configuration, "isexactversiondependency*" + NuGetConstants.PackageExtension);
	Scenario.install_package(Configuration, "conflictingdependency", "2.1.0");
	}
	/*
	Setup should have the following installed:
	* conflictingdependency 2.1.0
	* isexactversiondependency 2.0.0
	* isdependency at least 2.0.0
	*/
	public override void Because()
	{
	Results = Service.install_run(Configuration);
	}
	[Fact]
	public void should_not_install_the_conflicting_package_in_the_lib_directory()
	{
	var packageDir = Path.Combine(Scenario.get_top_level(), "lib", Configuration.PackageNames);
	DirectoryAssert.DoesNotExist(packageDir);
	}
	[Fact]
	public void should_not_downgrade_the_exact_version_dependency()
	{
	var packageFile = Path.Combine(Scenario.get_top_level(), "lib", "isexactversiondependency", "isexactversiondependency.nupkg");
	using (var packageReader = new PackageArchiveReader(packageFile))
	{
	packageReader.NuspecReader.GetVersion().to_string().ShouldEqual("2.0.0");
	}
	}
	[Fact]
	public void should_contain_a_message_that_it_was_unable_to_install_any_packages()
	{
	bool expectedMessage = false;
	foreach (var message in MockLogger.MessagesFor(LogLevel.Warn).or_empty_list_if_null())
	{
	if (message.Contains("installed 0/1")) expectedMessage = true;
	}
	expectedMessage.ShouldBeTrue();
	}
	[Fact]
	public void should_not_have_a_successful_package_result()
	{
	foreach (var packageResult in Results)
	{
	packageResult.Value.Success.ShouldBeFalse();
	}
	}
	[Fact]
	public void should_not_have_inconclusive_package_result()
	{
	foreach (var packageResult in Results)
	{
	packageResult.Value.Inconclusive.ShouldBeFalse();
	}
	}
	[Fact]
	public void should_not_have_warning_package_result()
	{
	foreach (var packageResult in Results)
	{
	packageResult.Value.Warning.ShouldBeFalse();
	}
	}
	[Fact]
	public void should_have_an_error_package_result()
	{
	bool errorFound = false;
	foreach (var packageResult in Results)
	{
	foreach (var message in packageResult.Value.Messages)
	{
	if (message.MessageType == ResultType.Error)
	{
	errorFound = true;
	}
	}
	}
	errorFound.ShouldBeTrue();
	}
	}
	public class when_installing_a_package_with_a_dependent_package_that_also_depends_on_a_less_constrained_but_still_valid_dependency_of_the_same_package : ScenariosBase
	{
	public override void Context()
	{
	base.Context();
	Configuration.PackageNames = Configuration.Input = "toplevelhasexactversiondependency";
	Scenario.add_packages_to_source_location(Configuration, "toplevelhasexactversiondependency*" + NuGetConstants.PackageExtension);
	Scenario.add_packages_to_source_location(Configuration, "childdependencywithlooserversiondependency*" + NuGetConstants.PackageExtension);
	Scenario.add_packages_to_source_location(Configuration, "isexactversiondependency*" + NuGetConstants.PackageExtension);
	}
	public override void Because()
	{
	Results = Service.install_run(Configuration);
	}
	/*
	Because should result in the following installed:
	* toplevelhasexactversiondependency 1.0.0
	* childdependencywithlooserversiondependency 1.0.0
	* isexactversiondependency 1.0.0
	*/
	[Fact]
	public void should_install_where_install_location_reports()
	{
	foreach (var packageResult in Results)
	{
	DirectoryAssert.Exists(packageResult.Value.InstallLocation);
	}
	}
	[Fact]
	public void should_install_a_package_in_the_lib_directory()
	{
	var packageDir = Path.Combine(Scenario.get_top_level(), "lib", Configuration.PackageNames);
	DirectoryAssert.Exists(packageDir);
	}
	[Fact]
	public void should_install_the_dependency_in_the_lib_directory()
	{
	var packageDir = Path.Combine(Scenario.get_top_level(), "lib", "childdependencywithlooserversiondependency");
	DirectoryAssert.Exists(packageDir);
	}
	[Fact]
	public void should_install_the_expected_version_of_the_dependency()
	{
	var packageFile = Path.Combine(Scenario.get_top_level(), "lib", "childdependencywithlooserversiondependency", "childdependencywithlooserversiondependency.nupkg");
	using (var packageReader = new PackageArchiveReader(packageFile))
	{
	packageReader.NuspecReader.GetVersion().to_string().ShouldEqual("1.0.0");
	}
	}
	[Fact]
	public void should_install_the_expected_version_of_the_constrained_dependency()
	{
	var packageFile = Path.Combine(Scenario.get_top_level(), "lib", "isexactversiondependency", "isexactversiondependency.nupkg");
	using (var packageReader = new PackageArchiveReader(packageFile))
	{
	packageReader.NuspecReader.GetVersion().to_string().ShouldEqual("1.0.0");
	}
	}
	[Fact]
	public void should_contain_a_message_that_everything_installed_successfully()
	{
	bool expectedMessage = false;
	foreach (var message in MockLogger.MessagesFor(LogLevel.Warn).or_empty_list_if_null())
	{
	if (message.Contains("3/3")) expectedMessage = true;
	}
	expectedMessage.ShouldBeTrue();
	}
	[Fact]
	public void should_have_a_successful_package_result()
	{
	foreach (var packageResult in Results)
	{
	packageResult.Value.Success.ShouldBeTrue();
	}
	}
	[Fact]
	public void should_not_have_inconclusive_package_result()
	{
	foreach (var packageResult in Results)
	{
	packageResult.Value.Inconclusive.ShouldBeFalse();
	}
	}
	[Fact]
	public void should_not_have_warning_package_result()
	{
	foreach (var packageResult in Results)
	{
	packageResult.Value.Warning.ShouldBeFalse();
	}
	}
	}

[rockobonaparte]

Do you know how I can mess around with the sum of that and see what's going on? Version resolution came up recently among colleagues so we are actually still motivated over stuff like this.

[TheCakeIsNaOH]

@rockobonaparte there is an alpha release available: https://blog.chocolatey.org/2023/01/chocolatey-cli-v2-alpha-release/

[choco-bot]

🎉 This issue has been resolved in version 2.0.0 🎉

The release is available on:

• GitHub Release
• Chocolatey Package

Your GitReleaseManager bot 📦🚀