
Nuget indirect dependencies causes errors in dependabot and a false positive PR #11106

Open
1 task done
mikeKuester opened this issue Dec 12, 2024 · 0 comments
Labels
L: dotnet:nuget NuGet packages via nuget or dotnet L: go:modules Golang modules L: python T: bug 🐞 Something isn't working

Comments


mikeKuester commented Dec 12, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Package ecosystem

NuGet

Package manager version

No response

Language version

No response

Manifest location and content before the Dependabot update

No response

dependabot.yml content

# Dependabot configuration

version: 2
updates:
  - package-ecosystem: "nuget"         # scan a .NET Solution, which uses the Nuget package manager
    directory: "/source/qPCR-Imager"   # the path within the git repo to the solution file    
    open-pull-requests-limit: 0        # create PRs only for security updates

Updated dependency

Bump Microsoft.AspNetCore.Components from 6.0.0 to 6.0.25 in /source/...

What you expected to see, versus what you actually saw

I want to scan our code (in this case .NET6) in Azure DevOps, using the Extension from Tingle Software, see also in #10834. The pipeline works in principle with a .NET8 project. With this .NET6 project, the Dependabot task failed:

2024-12-11T10:58:05.6427993Z updater | 2024/12/11 10:58:05 INFO <job_update_0_nuget_security_only> Finished job processing
2024-12-11T10:58:05.6519190Z updater | 2024/12/11 10:58:05 INFO Results:
2024-12-11T10:58:05.6519821Z updater | +--------------------------------------------------------------------+
2024-12-11T10:58:05.6520281Z updater | |                Changes to Dependabot Pull Requests                 |
2024-12-11T10:58:05.6520808Z updater | +---------+----------------------------------------------------------+
2024-12-11T10:58:05.6521655Z updater | | created | System.Text.Json ( from 6.0.2 to 6.0.10 )                |
2024-12-11T10:58:05.6521997Z updater | | created | Microsoft.AspNetCore.Components ( from 6.0.0 to 6.0.25 ) |
2024-12-11T10:58:05.6522418Z updater | +---------+----------------------------------------------------------+
2024-12-11T10:58:05.6522861Z updater | Dependabot encountered '4' error(s) during execution, please check the logs for more details.
2024-12-11T10:58:05.6523283Z updater | +---------------------------------------+
2024-12-11T10:58:05.6523634Z updater | |     Dependencies failed to update     |
2024-12-11T10:58:05.6523928Z updater | +-----------------+---------------------+
2024-12-11T10:58:05.6524432Z updater | | MessagePack     | update_not_possible |
2024-12-11T10:58:05.6524773Z updater | | NuGet.Common    | update_not_possible |
2024-12-11T10:58:05.6525311Z updater | | NuGet.Packaging | update_not_possible |
2024-12-11T10:58:05.6525660Z updater | | NuGet.Protocol  | update_not_possible |
2024-12-11T10:58:05.6525946Z updater | +-----------------+---------------------+
2024-12-11T10:58:08.1278071Z cli | 2024/12/11 10:58:08 updater failure: updater exited with code 1
2024-12-11T10:58:08.1292391Z ##[error]Dependabot failed with exit code 1
2024-12-11T10:58:08.1522468Z ##[section]Processing job outputs from '/tmp/dependabot-jobs/update-0-nuget-security-only/scenario.yaml'
2024-12-11T10:58:08.1523817Z ##[section]Processing 'update_dependency_list'
2024-12-11T10:58:08.1525176Z ##[section]Processing 'create_pull_request'
2024-12-11T10:58:08.2556071Z Creating pull request 'Bump System.Text.Json from 6.0.2 to 6.0.10 in /source/***'...
2024-12-11T10:58:08.2557062Z  - Pushing 1 file change(s) to branch 'dependabot/nuget/master/source/***/System.Text.Json-6.0.10'...
2024-12-11T10:58:08.6286704Z  - Pushed commit: f63cd52cc25acde024425193091dc7fc99cd931a.
2024-12-11T10:58:08.6289096Z  - Creating pull request to merge 'dependabot/nuget/master/source/***/System.Text.Json-6.0.10' into 'master'...
2024-12-11T10:58:09.0329384Z  - Created pull request: #839.
2024-12-11T10:58:09.0331680Z  - Adding dependency metadata to pull request properties...
2024-12-11T10:58:09.1485273Z  - Pull request was created successfully.
2024-12-11T10:58:09.1485819Z ##[section]Processing 'record_update_job_error'
2024-12-11T10:58:09.1506929Z ##[error]Update job error: update_not_possible {"dependencies":["MessagePack"]}
2024-12-11T10:58:09.1508194Z ##[section]Processing 'record_update_job_error'
2024-12-11T10:58:09.1509170Z ##[error]Update job error: update_not_possible {"dependencies":["NuGet.Common"]}
2024-12-11T10:58:09.1509811Z ##[section]Processing 'record_update_job_error'
2024-12-11T10:58:09.1510638Z ##[error]Update job error: update_not_possible {"dependencies":["NuGet.Packaging"]}
2024-12-11T10:58:09.1517169Z ##[section]Processing 'record_update_job_error'
2024-12-11T10:58:09.1518111Z ##[error]Update job error: update_not_possible {"dependencies":["NuGet.Protocol"]}
2024-12-11T10:58:09.1519245Z ##[section]Processing 'create_pull_request'
2024-12-11T10:58:09.2903343Z Creating pull request 'Bump Microsoft.AspNetCore.Components from 6.0.0 to 6.0.25 in /source/***'...
2024-12-11T10:58:09.2903823Z  - Pushing 1 file change(s) to branch 'dependabot/nuget/master/source/***/Microsoft.AspNetCore.Components-6.0.25'...
2024-12-11T10:58:09.6975493Z  - Pushed commit: be334b6e54528168e70bc873281c78b75986cc2b.
2024-12-11T10:58:09.6976482Z  - Creating pull request to merge 'dependabot/nuget/master/source/***/Microsoft.AspNetCore.Components-6.0.25' into 'master'...
2024-12-11T10:58:09.9717113Z  - Created pull request: #840.
2024-12-11T10:58:09.9717607Z  - Adding dependency metadata to pull request properties...
2024-12-11T10:58:10.1377886Z  - Pull request was created successfully.
2024-12-11T10:58:10.1378373Z ##[section]Processing 'mark_as_processed'
2024-12-11T10:58:10.1380567Z ##[endgroup]
2024-12-11T10:58:10.1384652Z ##[error]4 update tasks(s) failed, check logs for more information
2024-12-11T10:58:10.1545028Z ##[section]Finishing: dependabot

But even with this error, it creates two PRs:

  • Bumps System.Text.Json from 6.0.2 to 6.0.10.
  • Bumps Microsoft.AspNetCore.Components from 6.0.0 to 6.0.25.

If I copy the same code into a GitHub repository, I get only one alert:

  • Bump System.Text.Json from 6.0.2 to 6.0.10 in /source/.../Controlboard in the nuget group across 1 directory

If I look deeper into the PR for the Microsoft.AspNetCore.Components, it wants to update the Blazored.Toast package. This is the package I use, but this package has a dependency on Microsoft.AspNetCore.Components => indirect dependency! But why does dependabot think that the vulnerable Microsoft.AspNetCore.Components 6.0.0 should be used? The actual is 6.0.34.


In the log are warnings:

error NETSDK1100: To build a project targeting Windows on this operating system, set the EnableWindowsTargeting property to true.

2024-12-11T10:53:52.2379702Z updater | 2024/12/11 10:53:46 WARN     Transitive dependency [MessagePack/2.5.187] was not added.
2024-12-11T10:53:52.2380011Z updater | STDOUT:
2024-12-11T10:53:52.2380252Z updater |   Determining projects to restore...
2024-12-11T10:53:52.2381966Z updater | /usr/local/dotnet/current/sdk/9.0.100/Sdks/Microsoft.NET.Sdk/targets/Microsoft.NET.Sdk.FrameworkReferenceResolution.targets(90,5): error NETSDK1100: To build a project targeting Windows on this operating system, set the EnableWindowsTargeting property to true. [/home/dependabot/dependabot-updater/repo/source/***/Hardware.Adapters.Br/Hardware.Adapters.Br.csproj]
2024-12-11T10:53:52.2382711Z updater |
2024-12-11T10:53:52.2382907Z updater |
2024-12-11T10:53:52.2383111Z updater | STDERR:
2024-12-11T10:53:52.2383551Z updater | Unable to create dependency graph file for project '/home/dependabot/dependabot-updater/repo/source/***/WebApi/WebApi.csproj'. Cannot add package reference.

Some projects in the solution need to target Windows:

<TargetFramework>net6.0-windows</TargetFramework>

But the pipeline task runs in an Ubuntu image:

pool:
  vmImage: ubuntu-latest

The help for NETSDK1100 mentioned to add

<EnableWindowsTargeting>true</EnableWindowsTargeting>

to the project. But I don't want to modify my code just for a dependabot scan. 😯

dependabot-log.txt

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

No response

Smallest manifest that reproduces the issue

No response

@mikeKuester mikeKuester added the T: bug 🐞 Something isn't working label Dec 12, 2024
@github-actions github-actions bot added L: dotnet:nuget NuGet packages via nuget or dotnet L: go:modules Golang modules L: python labels Dec 12, 2024
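The false positive described above comes down to reading the minimum version a dependent declares (Blazored.Toast asks for Microsoft.AspNetCore.Components >= 6.0.0) instead of the version NuGet actually restores (6.0.34). The following is an added Python example, not code from the issue or from Dependabot, that reads a constructed excerpt of the project.assets.json that `dotnet restore` writes under obj/ and reports both values; the 6.0.25 "fixed" version it checks against is assumed from the PR title quoted in the issue.

```python
import json
import re

# Constructed excerpt of a project.assets.json (the file `dotnet restore` writes
# under obj/), trimmed to the "targets" entries that matter for this case.
SAMPLE_ASSETS = json.loads("""
{
  "version": 3,
  "targets": {
    "net6.0": {
      "Blazored.Toast/4.1.0": {
        "type": "package",
        "dependencies": { "Microsoft.AspNetCore.Components": "6.0.0" }
      },
      "Microsoft.AspNetCore.Components/6.0.34": { "type": "package" }
    }
  }
}
""")

def parse_version(text):
    # NuGet range syntax: "6.0.0" means >= 6.0.0; "[6.0.0, 7.0.0)" is a range.
    # Only the lower bound matters here; prerelease tags are dropped.
    lower = re.split(r"[,\]\)]", text.strip("[( "))[0]
    return tuple(int(p) for p in lower.split("-")[0].split("."))

def resolved_versions(assets, tfm):
    """Package id -> version tuple actually restored for one target framework."""
    out = {}
    for key in assets["targets"][tfm]:
        pkg_id, version = key.split("/", 1)
        out[pkg_id] = parse_version(version)
    return out

def declared_lower_bounds(assets, tfm, pkg_id):
    """Which packages depend on pkg_id and the minimum version each declares.
    A scanner that reads these instead of the resolved key reports 6.0.0 here."""
    bounds = {}
    for key, entry in assets["targets"][tfm].items():
        deps = entry.get("dependencies", {})
        if pkg_id in deps:
            bounds[key.split("/", 1)[0]] = parse_version(deps[pkg_id])
    return bounds

def is_fixed(assets, tfm, pkg_id, fixed_version):
    """True when the restored version is at or above the patched version."""
    resolved = resolved_versions(assets, tfm).get(pkg_id, ())
    return resolved >= parse_version(fixed_version)
```

Against a real repository, point `json.load` at obj/project.assets.json after a restore; `dotnet list package --include-transitive --vulnerable` gives the same resolved-version view from the SDK itself.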