
don't attempt to update a package if no versions could be found #8502

Merged: 4 commits merged into main from dev/brettfo/no-package-versions-found on Dec 5, 2023

Conversation

brettfo
Collaborator

@brettfo brettfo commented Dec 1, 2023

This partially fixes the issue:

ERROR undefined method `fetch' for nil:NilClass

           latest_version: preferred_resolvable_version_details.fetch(:version)&.to_s,
                                                               ^^^^^^

This can happen if querying NuGet for the available package versions returns an empty set and can happen if the package source doesn't contain that package.

The fix is to only report dependencies where at least one of the package repositories reported at least one search result.

@brettfo brettfo requested a review from a team as a code owner December 1, 2023 01:02
@github-actions github-actions bot added the L: dotnet:nuget NuGet packages via nuget or dotnet label Dec 1, 2023
@deivid-rodriguez
Contributor

As you explained, this is more of a "could not find any versions for this package in the remote source" situation, rather than a "this package is up to date" situation, which is the effect of early returning true here.

Like in 38d5044, I'd rather raise an explicit, but unexpected, error that explains the situation and makes it easier to figure out the real culprit.

My understanding is that if you had introduced this code from the beginning, it would've been really hard to notice this bug. Maybe in this case it's not a very bad bug (you just have a "phantom dependency" around that dependabot thinks it's valid and up to date), but I'd rather be sure that the update checker is never fed with dependencies that don't really exist, and I believe failing hard is an easy way to achieve that.
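The failure path from the PR description (an empty version set coming back from the feed and then being `fetch`ed) and the two responses debated above, silently dropping the dependency versus raising an explicit error, as an added Ruby example. This is not dependabot-core's code and not any participant's; `NoVersionsExample`, its `SOURCES` feed data, `search_versions`, `build_dependency`, `parse` and the `strict:` flag are all assumptions made for the illustration. It also models a source that has no search URL (the `key not found: :search_url` failure reported further down the thread) as a "could not search" case that is logged rather than conflated with "no results".

```ruby
require "rubygems"
require "logger"

# Added illustration, not dependabot-core's code: a dependency is only reported
# when at least one package source returns a search result for it, with an
# optional strict mode that raises instead of silently skipping. All sources,
# package ids and versions below are constructed in memory; nothing hits the
# network.
module NoVersionsExample
  class PackageNotFoundError < StandardError; end
  class UnsearchableSourceError < StandardError; end

  Dependency = Struct.new(:name, :version, :package_manager, :requirements, keyword_init: true)

  LOGGER = Logger.new($stderr, level: Logger::WARN)

  # Constructed stand-ins for configured NuGet feeds. The last one has no
  # :search_url, modelling a source that cannot be searched at all.
  SOURCES = [
    { name: "nuget.org", search_url: "https://azuresearch-usnc.nuget.org/query",
      index: { "Newtonsoft.Json" => ["12.0.3", "13.0.3"] } },
    { name: "private-feed", search_url: "https://feed.example.test/query",
      index: { "Contoso.Internal" => ["1.0.0"] } },
    { name: "legacy-feed", index: {} }
  ].freeze

  # Stand-in for the search request. Returns the versions the feed knows
  # about (empty when the package is absent) and raises when the source has
  # no search endpoint, so callers can tell "nothing found" from "could not
  # search".
  def self.search_versions(source, package_id)
    raise UnsearchableSourceError, "#{source[:name]} has no :search_url" unless source.key?(:search_url)

    source.fetch(:index).fetch(package_id, [])
  end

  # Shape of the original bug: picking the preferred version out of an empty
  # result set yields nil, and nil.fetch(:version) raises NoMethodError.
  def self.latest_version_unsafe(versions)
    preferred = versions.map { |v| { version: Gem::Version.new(v) } }.max_by { |d| d[:version] }
    preferred.fetch(:version).to_s
  end

  # Sources that returned at least one result. An unsearchable source is
  # logged and counted as "no results" rather than aborting the whole parse.
  def self.sources_with_results(package_id, sources = SOURCES)
    sources.select do |source|
      search_versions(source, package_id).any?
    rescue UnsearchableSourceError => e
      LOGGER.warn("#{package_id}: skipping source #{source[:name]} (#{e.message})")
      false
    end
  end

  # Returns a Dependency when some source knows the package and nil when none
  # does (the PR's behaviour). With strict: true the "none" case raises an
  # explicit error instead, the alternative argued for in the review.
  def self.build_dependency(name, version, strict: false, sources: SOURCES)
    found = sources_with_results(name, sources)
    if found.empty?
      message = "no package source returned search results for #{name}"
      raise PackageNotFoundError, message if strict

      LOGGER.warn("skipping #{name}: #{message}")
      return nil
    end

    Dependency.new(name: name, version: version, package_manager: "nuget",
                   requirements: [{ requirement: version }])
  end

  # Parses a constructed { package_id => version } map the way a project-file
  # parser would, keeping only dependencies that some source can resolve.
  def self.parse(declared, strict: false, sources: SOURCES)
    declared.filter_map { |name, version| build_dependency(name, version, strict: strict, sources: sources) }
  end
end

if $PROGRAM_NAME == __FILE__
  declared = { "Newtonsoft.Json" => "13.0.1", "Contoso.Internal" => "1.0.0", "Typo.Pakage" => "2.0.0" }
  puts NoVersionsExample.parse(declared).map(&:name).inspect # ["Newtonsoft.Json", "Contoso.Internal"]
end
```

Run it directly with `ruby` to see which of the three declared packages survive; the misspelled one is skipped with a warning naming the package, which is the log line the review comment on the diff asked for. Passing `strict: true` turns that skip into an exception, the behaviour @deivid-rodriguez argued makes a phantom dependency impossible to miss.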

@brettfo brettfo force-pushed the dev/brettfo/no-package-versions-found branch from f5b046d to 72c721b Compare December 1, 2023 23:57
@brettfo brettfo force-pushed the dev/brettfo/no-package-versions-found branch 3 times, most recently from defe51a to 8268aa4 Compare December 4, 2023 21:40
@brettfo
Collaborator Author

brettfo commented Dec 4, 2023

@deivid-rodriguez I re-worked this change to only report a Dependency if one of the package sources actually contains that package. Since this moves a bunch of network calls into the file parser tests, the bulk of this PR is simply stubbing the search requests.

Collaborator

@JoeRobich JoeRobich left a comment


Looks good. If RepositoryFinder understood nuget.config's <packageSourceMapping>, it could potentially reduce the number of dependency urls that had to be checked. Future enhancement maybe.

@brettfo
Collaborator Author

brettfo commented Dec 4, 2023

> Looks good. If RepositoryFinder understood nuget.config's <packageSourceMapping>, it could potentially reduce the number of dependency urls that had to be checked. Future enhancement maybe.

Good call, that'll improve the other lookups, too. I'm going to add one or 2 more test scenarios, just to be safe, then I think this is ready for final approval.

This will prevent reporting a dependency that doesn't exist on any of the repos and therefore can't be updated.
@brettfo brettfo force-pushed the dev/brettfo/no-package-versions-found branch from 8268aa4 to f3548ca Compare December 4, 2023 22:57
@brettfo
Collaborator Author

brettfo commented Dec 4, 2023

Updated to stub out more network calls instead of pulling from a file. Reduced changed lines from 36k to 300.

@brettfo brettfo force-pushed the dev/brettfo/no-package-versions-found branch from d29b3aa to 26f1b0a Compare December 5, 2023 02:08
name: name,
version: version,
package_manager: "nuget",
requirements: [requirement]
)

# only include dependency if one of the sources has it
return unless dependency_has_search_results?(dependency)
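Review bot: the `return unless dependency_has_search_results?(dependency)` guard drops the dependency with no trace, so a dependency that stops appearing in a Dependabot run cannot be explained from the log. Because the check is a network search against every configured source (the description notes the change moves those calls into the file parser), a feed that is unreachable or misconfigured, such as the `key not found: :search_url` failure reported below, looks the same as a package that genuinely does not exist. Log the dependency name and the sources queried before returning, and consider treating "the search failed" separately from "the search returned nothing", for example by raising an explicit error as suggested earlier in the review.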
Member


Consider logging the dependency and why it was skipped. It might be hard to track down why a certain dependency is missing without a log message here.

Member

@jakecoffman jakecoffman left a comment


This is a bit different than how most of the other ecosystems do it, but let's give it a shot. I like that the calls are cached so they don't have to be made again during the UpdateChecker step.

@jakecoffman
Member

I deployed this and a new exception popped up:

updater | 2023/12/05 13:01:59 ERROR key not found: :search_url
updater | 2023/12/05 13:01:59 ERROR /home/dependabot/nuget/lib/dependabot/nuget/file_parser/project_file_parser.rb:308:in `fetch'
updater | 2023/12/05 13:01:59 ERROR /home/dependabot/nuget/lib/dependabot/nuget/file_parser/project_file_parser.rb:308:in `execute_search_for_dependency_url'
updater | 2023/12/05 13:01:59 ERROR /home/dependabot/nuget/lib/dependabot/nuget/file_parser/project_file_parser.rb:293:in `block in dependency_has_search_results?'

Reproducible with: dependabot update nuget udap-tools/udap-dotnet

@jakecoffman
Member

Over the last 3 hours the NilClass error has dropped dramatically. Now the KeyError is frequent, but it's an order of magnitude less than the NilClass error was. This is definitely an improvement, I'll go ahead and merge this so we can keep moving forward.

@jakecoffman jakecoffman merged commit 7b3b9b1 into main Dec 5, 2023
115 checks passed
@jakecoffman jakecoffman deleted the dev/brettfo/no-package-versions-found branch December 5, 2023 15:30
@brettfo
Collaborator Author

brettfo commented Dec 5, 2023

@jakecoffman PR for key not found: :search_url here: #8534
