Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Sources in 'dotnet list package' need to include package source mapping details #11557

Open
erdembayar opened this issue Feb 3, 2022 · 6 comments
Open

Sources in 'dotnet list package' need to include package source mapping details #11557

erdembayar opened this issue Feb 3, 2022 · 6 comments
Labels
Area:PackageSourceMapping Issues related to the package source mapping feature Functionality:ListPackage dotnet.exe list package Priority:3 Issues under consideration. With enough upvotes, will be reconsidered to be added to the backlog. Product:dotnet.exe Type:Feature

Comments

@erdembayar
Copy link
Contributor

erdembayar commented Feb 3, 2022
edited
Loading

Currently it only displays sources but if package source mapping is enabled then we need to inform about it for precision.
For example: if someone is checking for dependency confusion attack then it helps to narrow down there it came from.

https://github.com/NuGet/Home/pull/11446/files#r798101062
Given GH is not good at keep track of comment/discussion I'll include screenshot too.

image
@erdembayar erdembayar added Area:PackageSourceMapping Issues related to the package source mapping feature Functionality:ListPackage dotnet.exe list package Product:dotnet.exe labels Feb 3, 2022
@erdembayar erdembayar mentioned this issue Feb 3, 2022
Merged
@nkolev92
Copy link
Member

nkolev92 commented Feb 3, 2022

The command in quesiton here is list package.
We have an equivalent list sources command.

We'll likely have an equivalent list source-mappings.

Curious what @JonDouglas thinks, but my proposal would be that we don't add it right now and close this for nwo.

@erdembayar
Copy link
Contributor Author

The command in quesiton here is list package. We have an equivalent list sources command.

We'll likely have an equivalent list source-mappings.

Curious what @JonDouglas thinks, but my proposal would be that we don't add it right now and close this for nwo.

If we dig down there're so many edge cases.

@nkolev92
Copy link
Member

nkolev92 commented Feb 3, 2022

Can you clarify what you mean by edge cases?

@erdembayar
Copy link
Contributor Author

Can you clarify what you mean by edge cases?

I just mean something like this. Package source mapping + some scenario.

@JonDouglas
Copy link
Contributor

Yes I think it's a good issue to track. As Nikolche mentions, there will likely be other commands that give different outputs closer to what you might see in a nuget.config.

This is a good start to track the addition of seeing sources clearly defined in CLI. It may turn out similar to transitive dependencies and where they came from. i.e.

image

But with source used to resolve or in order if mapped multiple.

@nkolev92
Copy link
Member

nkolev92 commented Feb 3, 2022

My suggestion actually was to close it, because this is the last thing we'd do, but don't feel too strongly :D

@nkolev92 nkolev92 added Type:Feature Priority:3 Issues under consideration. With enough upvotes, will be reconsidered to be added to the backlog. labels Feb 14, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Area:PackageSourceMapping Issues related to the package source mapping feature Functionality:ListPackage dotnet.exe list package Priority:3 Issues under consideration. With enough upvotes, will be reconsidered to be added to the backlog. Product:dotnet.exe Type:Feature
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@JonDouglas @nkolev92 @erdembayar @jeffkl @heng-liu