diff --git a/Directory.Packages.props b/Directory.Packages.props
index 6751813eb5..099b474b3e 100644
--- a/Directory.Packages.props
+++ b/Directory.Packages.props
@@ -138,8 +138,8 @@
Declare below packages that are bundled through MSTest.Sdk (baked into the shipped SDK
templates) and are not otherwise consumed by a restored project, so that Dependabot can
discover and update them. They are referenced only inside the SDK feature targets
- (Sdk/Features/*.targets, which Dependabot doesn't restore); their only graph-visible reference
- from a repo project restore is the inert anchor described in condition 2 below.
+ (Sdk/Features/*.targets, which Dependabot doesn't restore); their only Dependabot-visible
+ reference from a repo project is the inert anchor described in condition 2 below.
Two conditions must BOTH hold for Dependabot to bump one of these, and missing either one
silently stops the updates:
@@ -149,17 +149,19 @@
PackageVersion whose Version is an MSBuild property interpolation.
See dependabot/dependabot-core#5812 and dependabot/dependabot-core#7183.
- 2. The package MUST appear in the repo's restore graph via a graph-visible reference:
+ 2. The package MUST be referenced by a project via a PackageReference that Dependabot reads:
Dependabot only updates a CPM PackageVersion that is actually referenced by a project;
an "orphan" PackageVersion (declared here but referenced nowhere) is ignored. Because
these packages are only baked into the shipped SDK templates (Sdk/Features/*.targets)
and never referenced by a built project, we add inert anchor references in
test/IntegrationTests/MSTest.Acceptance.IntegrationTests/MSTest.Acceptance.IntegrationTests.csproj.
- The anchor MUST be a PackageDownload, NOT a PackageReference with ExcludeAssets="all":
- ExcludeAssets="all" removes the reference from the dependency graph Dependabot reads, so
- the package stays invisible and never gets bumped. PackageDownload keeps it in the restore
- graph (so Dependabot proposes bumps) without flowing any of its assets into the project.
- Without a graph-visible anchor Dependabot never proposed bumps (see #9362).
+ The anchor MUST be a PackageReference (ExcludeAssets="all" is fine - it only stops the
+ package's assets from flowing into the project; it does NOT hide the reference from
+ Dependabot, which reads the PackageReference XML node, not the asset-flow rules). It must
+ NOT be a PackageDownload: Dependabot does not read PackageDownload items at all
+ (dependabot/dependabot-core#2502), so a PackageDownload anchor is invisible to it. Using a
+ PackageDownload as the anchor is exactly why Playwright silently stopped updating (see
+ #9362 / #9452); the PackageReference anchor is what makes the bumps flow.
Each literal version is duplicated as the matching *Version property (defined near the top of
this file) which is the value actually consumed by the build and baked into the MSTest.Sdk
diff --git a/test/IntegrationTests/MSTest.Acceptance.IntegrationTests/MSTest.Acceptance.IntegrationTests.csproj b/test/IntegrationTests/MSTest.Acceptance.IntegrationTests/MSTest.Acceptance.IntegrationTests.csproj
index e3348314e3..29f33d2ca4 100644
--- a/test/IntegrationTests/MSTest.Acceptance.IntegrationTests/MSTest.Acceptance.IntegrationTests.csproj
+++ b/test/IntegrationTests/MSTest.Acceptance.IntegrationTests/MSTest.Acceptance.IntegrationTests.csproj
@@ -44,27 +44,33 @@
+
+
+
+
+
+
-