
[BUG] Dependency-Review Action Does Not Resolve Versions from Directory.Packages.props in Centralized Package Management #917

Open
@dave-schmitz1

Description

Describe the bug
The dependency-review-action does not properly resolve package versions in C# projects that use centralized package management (Directory.Packages.props). The action inspects only .csproj files and does not account for centrally managed versions, resulting in an empty Version column in the report.

To Reproduce
Steps to reproduce the behavior:

  1. Create a C# project with the following structure:

    /src/
      MyProject/
        MyProject.csproj
    /Directory.Packages.props

  2. In MyProject.csproj, add a PackageReference without a version:

    <Project Sdk="Microsoft.NET.Sdk">
      <ItemGroup>
        <PackageReference Include="Newtonsoft.Json" />
      </ItemGroup>
    </Project>

  3. In Directory.Packages.props, define the package version:

    <Project>
      <ItemGroup>
        <PackageVersion Include="Newtonsoft.Json" Version="13.0.1" />
      </ItemGroup>
    </Project>

  4. Commit the change and run the dependency-review-action.

Expected behavior
The action should detect and resolve the version from Directory.Packages.props and show it in the report. In this case, it should display version 13.0.1 for Newtonsoft.Json.

Screenshots

(Screenshot attached in the original issue; not reproduced here.)

Action version
What version of the action are you using in your workflow? 4.6.0


Additional context
This behavior reduces the usefulness of the review, as dependency versions are a critical part of understanding changes. Let me know if you'd like a minimal reproducible repository or more logs.
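The resolution the reporter is asking for is illustrated below. This is an added example, not code from dependency-review-action or from the reporter: it parses a .csproj, locates the nearest Directory.Packages.props by walking up the directory tree the way MSBuild imports it, and fills in each PackageReference's version from the central PackageVersion list. It goes slightly beyond the issue's case by also honouring a per-project VersionOverride attribute. The XML inputs and the in-memory "repository" mapping are constructed for the example; only xml.etree from the standard library is used.

```python
"""Resolve NuGet package versions for a project that uses Central Package
Management (Directory.Packages.props). Added illustration for the issue
above; not the action's own resolver."""
import posixpath
import xml.etree.ElementTree as ET
from typing import Dict, Optional

# Constructed sample inputs mirroring the reproduction steps in the issue,
# plus one VersionOverride and one package with no central version at all.
CSPROJ_XML = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" />
    <PackageReference Include="Serilog" VersionOverride="2.12.0" />
    <PackageReference Include="Unlisted.Package" />
  </ItemGroup>
</Project>"""

PROPS_XML = """<Project>
  <PropertyGroup>
    <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
  </PropertyGroup>
  <ItemGroup>
    <PackageVersion Include="Newtonsoft.Json" Version="13.0.1" />
    <PackageVersion Include="Serilog" Version="2.10.0" />
  </ItemGroup>
</Project>"""

# Constructed in-memory repository: absolute path -> file contents.
REPO: Dict[str, str] = {
    "/src/MyProject/MyProject.csproj": CSPROJ_XML,
    "/Directory.Packages.props": PROPS_XML,
}


def find_props(csproj_path: str, files: Dict[str, str]) -> Optional[str]:
    """Walk from the project's directory up to the root and return the first
    Directory.Packages.props found, which is the one MSBuild imports."""
    directory = posixpath.dirname(csproj_path)
    while True:
        candidate = posixpath.join(directory, "Directory.Packages.props")
        if candidate in files:
            return candidate
        parent = posixpath.dirname(directory)
        if parent == directory:  # reached the filesystem root
            return None
        directory = parent


def central_versions(props_xml: str) -> Dict[str, str]:
    """Collect PackageVersion items (package id -> version) from the props file."""
    root = ET.fromstring(props_xml)
    return {
        el.get("Include"): el.get("Version")
        for el in root.iter("PackageVersion")
        if el.get("Include") and el.get("Version")
    }


def resolve_versions(csproj_xml: str, props_xml: Optional[str] = None) -> Dict[str, Optional[str]]:
    """Map each PackageReference in the project to its effective version.

    Precedence: VersionOverride on the reference, then a Version attribute or
    child element on the reference (non-CPM projects), then the central
    PackageVersion. None means no version could be determined, which is the
    empty column the issue describes when the props file is ignored."""
    central = central_versions(props_xml) if props_xml else {}
    resolved: Dict[str, Optional[str]] = {}
    for ref in ET.fromstring(csproj_xml).iter("PackageReference"):
        name = ref.get("Include")
        if not name:
            continue
        version = (
            ref.get("VersionOverride")
            or ref.get("Version")
            or ref.findtext("Version")
            or central.get(name)
        )
        resolved[name] = version
    return resolved


def resolve_project(csproj_path: str, files: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Resolve a project inside the in-memory repository, props included."""
    props_path = find_props(csproj_path, files)
    props_xml = files[props_path] if props_path else None
    return resolve_versions(files[csproj_path], props_xml)


if __name__ == "__main__":
    print("csproj only:   ", resolve_versions(CSPROJ_XML))
    print("with CPM props:", resolve_project("/src/MyProject/MyProject.csproj", REPO))
```

Running the block shows the two behaviours side by side: inspecting the .csproj alone leaves Newtonsoft.Json without a version, while resolving through Directory.Packages.props yields 13.0.1, and Serilog's VersionOverride wins over the central 2.10.0. A reference with no central entry and no override still resolves to None, which is worth reporting explicitly rather than silently leaving the column blank.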

Labels: bug