Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
18 changes: 10 additions & 8 deletions Directory.Packages.props
Original file line number Diff line number Diff line change
Expand Up @@ -138,8 +138,8 @@
Declare below packages that are bundled through MSTest.Sdk (baked into the shipped SDK
templates) and are not otherwise consumed by a restored project, so that Dependabot can
discover and update them. They are referenced only inside the SDK feature targets
(Sdk/Features/*.targets, which Dependabot doesn't restore); their only graph-visible reference
from a repo project restore is the inert anchor described in condition 2 below.
(Sdk/Features/*.targets, which Dependabot doesn't restore); their only Dependabot-visible
reference from a repo project is the inert anchor described in condition 2 below.

Two conditions must BOTH hold for Dependabot to bump one of these, and missing either one
silently stops the updates:
Expand All @@ -149,17 +149,19 @@
PackageVersion whose Version is an MSBuild property interpolation.
See dependabot/dependabot-core#5812 and dependabot/dependabot-core#7183.

2. The package MUST appear in the repo's restore graph via a graph-visible reference:
2. The package MUST be referenced by a project via a PackageReference that Dependabot reads:
Dependabot only updates a CPM PackageVersion that is actually referenced by a project;
an "orphan" PackageVersion (declared here but referenced nowhere) is ignored. Because
these packages are only baked into the shipped SDK templates (Sdk/Features/*.targets)
and never referenced by a built project, we add inert anchor references in
test/IntegrationTests/MSTest.Acceptance.IntegrationTests/MSTest.Acceptance.IntegrationTests.csproj.
The anchor MUST be a PackageDownload, NOT a PackageReference with ExcludeAssets="all":
ExcludeAssets="all" removes the reference from the dependency graph Dependabot reads, so
the package stays invisible and never gets bumped. PackageDownload keeps it in the restore
graph (so Dependabot proposes bumps) without flowing any of its assets into the project.
Without a graph-visible anchor Dependabot never proposed bumps (see #9362).
The anchor MUST be a PackageReference (ExcludeAssets="all" is fine - it only stops the
package's assets from flowing into the project; it does NOT hide the reference from
Dependabot, which reads the PackageReference XML node, not the asset-flow rules). It must
NOT be a PackageDownload: Dependabot does not read PackageDownload items at all
(dependabot/dependabot-core#2502), so a PackageDownload anchor is invisible to it. Using a
PackageDownload as the anchor is exactly why Playwright silently stopped updating (see
#9362 / #9452); the PackageReference anchor is what makes the bumps flow.

Each literal version is duplicated as the matching *Version property (defined near the top of
this file) which is the value actually consumed by the build and baked into the MSTest.Sdk
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -44,27 +44,33 @@

<!--
Dependabot anchors for the packages bundled by MSTest.Sdk (Microsoft.Playwright.MSTest.v4,
Aspire.Hosting.Testing). The Aspire entry doubles as the download that stages its nupkg for
test assets (see CopyNuGetPackagesForTestAssets below); the Playwright entry is the Dependabot
anchor only. These packages are baked into the shipped SDK templates (Sdk/Features/*.targets)
and are otherwise referenced only there (which Dependabot doesn't restore), so without a
graph-visible reference from a repo project their Central Package Management PackageVersion
entries in Directory.Packages.props are "orphans" that Dependabot ignores (it only updates
package versions that are actually referenced by a restored project).
Aspire.Hosting.Testing). These are baked into the shipped SDK templates (Sdk/Features/*.targets)
and are otherwise referenced only there (which Dependabot doesn't restore), so their Central
Package Management PackageVersion entries in Directory.Packages.props are "orphans" that
Dependabot ignores unless a project references them.

We use PackageDownload (NOT a PackageReference with ExcludeAssets="all") deliberately:
ExcludeAssets="all" removes the reference from the dependency graph Dependabot reads, so the
package stays invisible to it and never gets bumped (Aspire only kept updating because it ALSO
had this PackageDownload; the equivalent Playwright anchor with ExcludeAssets="all" silently did
nothing, see #9362). PackageDownload puts the package into the restore (so Dependabot proposes
bumps) without flowing any of its assets (compile/runtime/build, e.g. Playwright's browser
install) into this test project. The _ValidateBundledSdkFeatureVersions target in
Directory.Packages.props then guards the matching version properties (MicrosoftPlaywrightVersion,
AspireHostingTestingVersion) against drift after a bump.
The PackageReference (with ExcludeAssets="all") is the Dependabot ANCHOR: Dependabot reads the
PackageReference XML node to discover the dependency and bump its CPM PackageVersion.
ExcludeAssets="all" only stops the package's assets (compile/runtime/build, e.g. Playwright's
browser install) from flowing into this test project - it does NOT hide the reference from
Dependabot. A PackageDownload does NOT work as the anchor: Dependabot does not read
PackageDownload items at all (dependabot/dependabot-core#2502). Using PackageDownload as the
anchor is exactly why Playwright silently stopped updating - see #9362 / #9452.

Dependabot only bumps the literal PackageVersion in Directory.Packages.props, not the matching
*Version property the build consumes; the _ValidateBundledSdkFeatureVersions target in
Directory.Build.targets fails the build if the two drift apart, so a maintainer reconciles the
property in the Dependabot PR.
-->
<ItemGroup>
<PackageReference Include="Aspire.Hosting.Testing" ExcludeAssets="all" />
<PackageReference Include="Microsoft.Playwright.MSTest.v4" ExcludeAssets="all" />
</ItemGroup>

<!-- Packages needed to stage nupkgs for the generated test assets (see
CopyNuGetPackagesForTestAssets below) but that we don't want to reference. -->
<ItemGroup>
<PackageDownload Include="Aspire.Hosting.Testing" Version="[$(AspireHostingTestingVersion)]" />
<PackageDownload Include="Microsoft.Playwright.MSTest.v4" Version="[$(MicrosoftPlaywrightVersion)]" />
</ItemGroup>

<Target Name="CopyNuGetPackagesForTestAssets" BeforeTargets="BeforeBuild">
Expand Down