Nuget automatic update failure

[prajwalkumar9]

Describe the bug
When we run the dependabot on a project which downloads the packages from nuget, its getting failed. Although its working fine with NPM package.

To Reproduce
Steps to reproduce the behavior:

1. Try to run dependabot on any project which is downloading packages from nuget.

Screenshots

Extension (please complete the following information):

• Host: Azure DevOps
• Version : 1.29.5.760

[rhyskoedijk]

I had this issue too, it is caused by a bug in dependabot-core, see: dependabot/dependabot-core#10156 and dependabot/dependabot-core#10159

It was happening for me because I had a vulnerable package that could only become nonvulernable if it upgrade to the next major version. However, I had "ignore" restrictions in dependabot.yml that prevented it from upgrading to major versions, so it ended up not being able to resolve "lowest_security_fix_version". I worked around it by manually updating the problematic package.

It looks like they [dependabot-core] have patched the bug in the base updater, but I am not sure if it is fully fixed in the NuGet updater or not.

[tyler-hagen]

I have this same issue even without any ignore restrictions in my dependabot.yml

[prajwalkumar9]

@tyler-hagen : Same here, still facing the issue.

[rhyskoedijk]

@prajwalkumar9 @tyler-hagen does it work on tag 1.29.6?
I just ran it and am no longer having the error; seems dependabot-core 0.265.0 fixed it for me.

[prajwalkumar9]

@rhyskoedijk : No it did not fix for me

[rhyskoedijk]

@prajwalkumar9 are you able to share your dependabot.yml config and the name of the package it is failing on, it should mention it above the error/stack trace.

[tyler-hagen]

@prajwalkumar9 @rhyskoedijk

I solved my problem, it was actually solved by the workaround you (@rhyskoedijk) commented here: #921 (comment)
Huge props

@prajwalkumar9 Are you getting nuget errors when dependabot tries to build your projects? If so, try this out.

[prajwalkumar9]

@tyler-hagen @rhyskoedijk With the latest build of dependabot and core i see this following issue. It says Authentication Failure. Attaching the log from the pipeline for reference,

[rhyskoedijk]

@prajwalkumar9 are you using private Azure DevOps NuGet feeds in that project? If yes, have you tried the workaround in #921 (comment)?

[prajwalkumar9]

@rhyskoedijk : Yes using the private azure devops nuget feeds. is it about passing the extra environment variable to the dependabot tag?

[rhyskoedijk]

@prajwalkumar9 yes, until dependabot/dependabot-core#8927 is resolved, you have to use the WORKAROUND_CMD hack from #921 (comment) if your project uses Azure DevOps NuGet feeds.

[prajwalkumar9]

Thank you @rhyskoedijk that fixed my issue. Now i am able to run the dependabot on nuget packages. Thank you so much for the help.