Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Custom nuget-feed no longer used, breaking package updates #11525

Open
1 task done
chris-smith-zocdoc opened this issue Feb 7, 2025 · 15 comments · May be fixed by #11659
Open
1 task done

Custom nuget-feed no longer used, breaking package updates #11525

chris-smith-zocdoc opened this issue Feb 7, 2025 · 15 comments · May be fixed by #11659
Labels
L: dotnet:nuget NuGet packages via nuget or dotnet T: bug 🐞 Something isn't working

Comments

@chris-smith-zocdoc
Copy link

Is there an existing issue for this?

  • I have searched the existing issues

Package ecosystem

nuget

Package manager version

No response

Language version

No response

Manifest location and content before the Dependabot update

Our repos have multiple csproj files (under various subfolders like src/ and test/) and Directory.Build.props at the root

dependabot.yml content

version: 2
registries:
  my-artifactory-nuget:
    type: nuget-feed
    url: https://my-artifactory-url
    username: username
    password: password

updates:
- package-ecosystem: nuget
  directory: /
  schedule:
    interval: daily
    time: "21:00"
    timezone: America/New_York
  allow:
  - dependency-name: MyPackage.Name
  registries:
  - my-artifactory-nuget

Updated dependency

No response

What you expected to see, versus what you actually saw

On Feb 4th we starting seeing dependabot failures reporting "Dependabot couldn't find any dependency files in the directory"

Reading the logs however, you can see that dependabot is no longer accessing our custom nuget feed, and instead using nuget.org. This obviously doesn't work for us as our internal packages are only on our internal feed.

Eventually in the logs you see errors like

error NU1101: Unable to find package <MyPackage>. No packages exist with this id in source(s): nuget.org

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

Image

Smallest manifest that reproduces the issue

No response
@chris-smith-zocdoc chris-smith-zocdoc added the T: bug 🐞 Something isn't working label Feb 7, 2025
@github-actions github-actions bot added the L: dotnet:nuget NuGet packages via nuget or dotnet label Feb 7, 2025
@edh519 edh519 mentioned this issue Feb 10, 2025
Open
3 tasks
@mjfpalmer
Copy link

Same here, for all projects with packages referenced in a private repository, since sometime last week.

@ChansiJames
Copy link

I have seen the "NU1101" error you mention months ago. The "dependency_file_not_found" error however started occurring for me as well a few days ago. #11520

@alexey62soft
Copy link

I have seen the "NU1101" error you mention months ago. The "dependency_file_not_found" error however started occurring for me as well a few days ago. #11520

I also receiving the same error on my Dependabot weekly job now.

@alexey62soft
Copy link

alexey62soft commented Feb 11, 2025
edited
Loading

@sachin-sandhu or @SeanFeldman or @brettfo can you take a look on that, please? It starts failing from v0.296.0.

@cig-jaystevenson
Copy link

Chiming in to say we're also experiencing it. Our packages are hosted at nuget.pkg.github.com so I'm presuming this affects any projects with a custom feed.

Excerpt of our logs, if it helps

2025/02/13 11:06:45 INFO Temporarily removing `global.json` from `/home/dependabot/dependabot-updater/repo`.
2025/02/13 11:06:45 INFO Restoring `global.json` to `/home/dependabot/dependabot-updater/repo`.
2025/02/13 11:06:45 INFO Discovering build files in workspace [/home/dependabot/dependabot-updater/repo].
2025/02/13 11:06:45 INFO   No dotnet-tools.json file found.
2025/02/13 11:06:45 INFO   Discovered [global.json] file.
2025/02/13 11:06:45 INFO   Discovering projects beneath [.].
2025/02/13 11:06:46 INFO   No packages.config file found.
2025/02/13 11:06:46 INFO InstallDotnetSdks == true; retaining `global.json` contents.
2025/02/13 11:06:47 INFO InstallDotnetSdks == true; retaining `global.json` contents.
2025/02/13 11:07:03 WARN   Error determining dependencies from `/home/dependabot/dependabot-updater/repo/MyProject.Tests/MyProject.Tests.csproj`:
STDOUT:
  Determining projects to restore...
/home/dependabot/dependabot-updater/repo/MyProject.Tests/MyProject.Tests.csproj : error NU1101: Unable to find package MyPackage.Shared.Common. No packages exist with this id in source(s): nuget.org
/home/dependabot/dependabot-updater/repo/MyProject/MyProject.csproj : error NU1101: Unable to find package MyPackage.Shared.Common. No packages exist with this id in source(s): nuget.org [/home/dependabot/dependabot-updater/repo/MyProject.Tests/MyProject.Tests.csproj]
  Failed to restore /home/dependabot/dependabot-updater/repo/MyProject/MyProject.csproj (in 14.02 sec).
  Failed to restore /home/dependabot/dependabot-updater/repo/MyProject.Tests/MyProject.Tests.csproj (in 14.02 sec).


STDERR:


2025/02/13 11:07:04 INFO   No packages.config file found.
2025/02/13 11:07:04 INFO InstallDotnetSdks == true; retaining `global.json` contents.
2025/02/13 11:07:05 INFO InstallDotnetSdks == true; retaining `global.json` contents.
2025/02/13 11:07:07 WARN   Error determining dependencies from `/home/dependabot/dependabot-updater/repo/MyProject/MyProject.csproj`:
STDOUT:
  Determining projects to restore...
/home/dependabot/dependabot-updater/repo/MyProject/MyProject.csproj : error NU1101: Unable to find package MyPackage.Shared.Common. No packages exist with this id in source(s): nuget.org
  Failed to restore /home/dependabot/dependabot-updater/repo/MyProject/MyProject.csproj (in 1.04 sec).

@dannystaple dannystaple mentioned this issue Feb 13, 2025
Open
1 task
@dannystaple
Copy link

Seems to occur at the same time as #11520

@KieranIrelandPD
Copy link

I'm also experiencing the same issue, no changes were made, but the jobs started failing

@alexey62soft
Copy link

@sachin-sandhu or @SeanFeldman or @brettfo any update on that?

@andyamacdonald
Copy link

We're having exactly the same issue with an almost identical setup to @chris-smith-zocdoc. The issue appears to have started on the 4th of February.

Nothing has changed in our Dependabot config recently.

@cig-jaystevenson
Copy link

cig-jaystevenson commented Feb 18, 2025
edited
Loading

Can confirm this is only occurring on repositories of ours with private registries (using both private and public registries together), other repositories are fine if they use only public registries. All our repositories are Private.

@brettfo
Copy link
Contributor

brettfo commented Feb 19, 2025

This is something I've seen in some internal Microsoft logs recently, but I haven't been able to repro it locally.

Does anybody have a log file of this happening in a public repo? It appears that the NuGet tooling sometimes doesn't find or doesn't honor NuGet.Config so it falls back to the default value of nuget.org which obviously doesn't have any custom or internal packages.

The next step of the failure is that if a restore operation fails, we have no idea what packages were used by a .csproj so we don't report that file and the final step is that if no .csproj files were reproted, the job fails because nothing can be done.

@adriancentrocol
Copy link

adriancentrocol commented Feb 19, 2025
edited
Loading

This is something I've seen in some internal Microsoft logs recently, but I haven't been able to repro it locally.

Does anybody have a log file of this happening in a public repo? It appears that the NuGet tooling sometimes doesn't find or doesn't honor NuGet.Config so it falls back to the default value of nuget.org which obviously doesn't have any custom or internal packages.

The next step of the failure is that if a restore operation fails, we have no idea what packages were used by a .csproj so we don't report that file and the final step is that if no .csproj files were reproted, the job fails because nothing can be done.

Here's a very minimal reproduction using a GitHub NuGet store:

Dependabot log
Repository

Dependabot CLI works just fine, here's the log:
Dependabot CLI log

@LukasMerz LukasMerz mentioned this issue Feb 20, 2025
Open
1 task
@Jackbenfu
Copy link

Encountering the same issue with my projects. Receiving a dependency_not_found error.

@cig-jaystevenson
Copy link

cig-jaystevenson commented Feb 20, 2025
edited
Loading

Please can you react ("👍 ") to the issue as they use that to gauge the impact

@brettfo
Copy link
Contributor

brettfo commented Feb 21, 2025

I think I found it!

I thought the casing of the file NuGet.Config was irrelevant, but it's not. The only allowed names are nuget.config, NuGet.config, and NuGet.Config, but if a repo has that file named Nuget.config or some other unapproved variant the NuGet code won't find the file and will fall back to the default value of api.nuget.org.

The reason dependabot might fail is because it runs in a Linux container with a case-sensitive filesystem and if a customer's repo is only ever built on Windows, then the file casing doesn't matter.

The fix will be to normalize all NuGet.Config file names before any update operation runs, so I'll get started on that.

@brettfo brettfo linked a pull request Feb 21, 2025 that will close this issue
Open
@rhyskoedijk rhyskoedijk mentioned this issue Feb 22, 2025
Closed
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
L: dotnet:nuget NuGet packages via nuget or dotnet T: bug 🐞 Something isn't working
Projects
Dependabot
Status: No status
Milestone
No milestone