nuget: bring NuGet lock file support to parity with npm (parse lockedVersion from packages.lock.json + update-lockfile behavior) #44360
florianwakam
started this conversation in
Suggest an Idea
Replies: 0 comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
-
Hi 👋 — this is a feature idea, not a bug. I've verified the behavior in the current source (renovate
43.212.4) and via a self-hosted dry run. Framing it as a parity request with the npm manager.What I'd like Renovate to do
For .NET projects that enable NuGet lock files (
<RestorePackagesWithLockFile>true</RestorePackagesWithLockFile>, producingpackages.lock.jsonnext to each.csproj), I'd like Renovate to be able to propose lock-file-only updates for transitive / minor-patch dependencies — i.e. regeneratepackages.lock.jsonwhen a transitive dependency can move within the declared version range, without requiringlockFileMaintenanceto be enabled.The npm manager already does exactly this: it parses
lockedVersionfrompackage-lock.jsonand returns theupdate-lockfilerange strategy, so Renovate proposes lock-file updates and runsnpm installto regenerate the lock file as a side effect — even whenpackage.jsondoesn't change.Current NuGet behavior
NuGet bare versions (e.g.
8.6.1inDirectory.Packages.props/.csproj) are ranges ([8.6.1, 9.0.0)per NuGet semantics). Renovate resolvescurrentVersionto the highest version satisfying the range (e.g.8.7.0), concludes the package is already up to date, and proposes no update. As a result the artifacts regen path is never reached via the normal update path:lib/modules/manager/nuget/artifacts.ts:So
dotnet restore --force-evaluateonly runs when a version bump is proposed, or whenlockFileMaintenanceis enabled.Why NuGet differs from npm today
nuget/index.ts:supportsLockFileMaintenance = true,lockFileNames = ['packages.lock.json']✅ (maintenance works)nuget/extract.ts(~L240): the lock file is only recorded (res.lockFiles = [lockFileName]) — it is never parsed for alockedVersion. There is no NuGet equivalent of npm'sgetLockedVersions()(npm/extract/post/locked-versions.ts).update-lockfilerange strategy (npm returns'update-lockfile'fromnpm/range.ts:28).Workaround (works today)
Enable
lockFileMaintenanceglobally — it triggersdotnet restore --force-evaluateunconditionally on a dedicatedrenovate/<parentDir>-lock-file-maintenancebranch. I verified this works end-to-end in a self-hosted dry run (including withadditionalBranchPrefix: "{{parentDir}}-"folder splitting — the maintenance branch was correctly prefixed, anddotnet restore --force-evaluateran on all projects). SolockFileMaintenanceis a valid supported workaround today; this request is about closing the parity gap with npm.Suggested enhancement
Bring NuGet to parity with npm:
lockedVersion(and the resolved transitive graph) frompackages.lock.jsonduring extraction — a NuGet equivalent ofgetLockedVersions.update-lockfile-style behavior: when the declared version range is already satisfied but a newer compatible transitive version exists, propose a lock-file-only update soupdateArtifactsrunsdotnet restore --force-evaluateand regeneratespackages.lock.json.Happy to provide a minimal public reproduction repo if that helps. Thanks!
Beta Was this translation helpful? Give feedback.
All reactions