diff --git a/Directory.Packages.props b/Directory.Packages.props index 6751813eb5..099b474b3e 100644 --- a/Directory.Packages.props +++ b/Directory.Packages.props @@ -138,8 +138,8 @@ Declare below packages that are bundled through MSTest.Sdk (baked into the shipped SDK templates) and are not otherwise consumed by a restored project, so that Dependabot can discover and update them. They are referenced only inside the SDK feature targets - (Sdk/Features/*.targets, which Dependabot doesn't restore); their only graph-visible reference - from a repo project restore is the inert anchor described in condition 2 below. + (Sdk/Features/*.targets, which Dependabot doesn't restore); their only Dependabot-visible + reference from a repo project is the inert anchor described in condition 2 below. Two conditions must BOTH hold for Dependabot to bump one of these, and missing either one silently stops the updates: @@ -149,17 +149,19 @@ PackageVersion whose Version is an MSBuild property interpolation. See dependabot/dependabot-core#5812 and dependabot/dependabot-core#7183. - 2. The package MUST appear in the repo's restore graph via a graph-visible reference: + 2. The package MUST be referenced by a project via a PackageReference that Dependabot reads: Dependabot only updates a CPM PackageVersion that is actually referenced by a project; an "orphan" PackageVersion (declared here but referenced nowhere) is ignored. Because these packages are only baked into the shipped SDK templates (Sdk/Features/*.targets) and never referenced by a built project, we add inert anchor references in test/IntegrationTests/MSTest.Acceptance.IntegrationTests/MSTest.Acceptance.IntegrationTests.csproj. - The anchor MUST be a PackageDownload, NOT a PackageReference with ExcludeAssets="all": - ExcludeAssets="all" removes the reference from the dependency graph Dependabot reads, so - the package stays invisible and never gets bumped. PackageDownload keeps it in the restore - graph (so Dependabot proposes bumps) without flowing any of its assets into the project. - Without a graph-visible anchor Dependabot never proposed bumps (see #9362). + The anchor MUST be a PackageReference (ExcludeAssets="all" is fine - it only stops the + package's assets from flowing into the project; it does NOT hide the reference from + Dependabot, which reads the PackageReference XML node, not the asset-flow rules). It must + NOT be a PackageDownload: Dependabot does not read PackageDownload items at all + (dependabot/dependabot-core#2502), so a PackageDownload anchor is invisible to it. Using a + PackageDownload as the anchor is exactly why Playwright silently stopped updating (see + #9362 / #9452); the PackageReference anchor is what makes the bumps flow. Each literal version is duplicated as the matching *Version property (defined near the top of this file) which is the value actually consumed by the build and baked into the MSTest.Sdk diff --git a/test/IntegrationTests/MSTest.Acceptance.IntegrationTests/MSTest.Acceptance.IntegrationTests.csproj b/test/IntegrationTests/MSTest.Acceptance.IntegrationTests/MSTest.Acceptance.IntegrationTests.csproj index e3348314e3..29f33d2ca4 100644 --- a/test/IntegrationTests/MSTest.Acceptance.IntegrationTests/MSTest.Acceptance.IntegrationTests.csproj +++ b/test/IntegrationTests/MSTest.Acceptance.IntegrationTests/MSTest.Acceptance.IntegrationTests.csproj @@ -44,27 +44,33 @@ + + + + + + -