Where is donet nuget update?

[a-h]

I've got a solution which fails to build, the error is:

Controllers/AccountController.cs(40,34): error CS1705: Assembly 'xxx.Api.ClientLibrary' with identity 'xxx.Api.ClientLibrary, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null' uses 'System.Net.Http, Version=4.1.1.1, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a' which has a higher version than referenced assembly 'System.Net.Http' with identity 'System.Net.Http, Version=4.1.1.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a' [/sln/src/xxx.Web/xxx.Web.csproj]

Ah, OK, there's a dependency problem. Fortunately, I've been developing in .Net for for years and so I've seen these before. The quick solution is probably to upgrade all of the packages in the solution to the same versions.

Since I used the dotnet add command line to add a package, there must be a dotnet update to update packages. I'll take a look at the dotnet nuget command, hmm. Can't see anything to update packages in the documentation, it mustn't have been done yet.

Right, since there's no nuget for OSX and Linux yet, I'll need to install Mono on OSX, then run nuget.exe.

I'll run it against the solution and update everything...

$ nuget update ./westfield-wellness-sso.sln
Scanning for projects...
No projects found with packages.config.

Oh, it mustn't work against solutions for dotnet core, I'll try it against the project.

$ nuget update ./xxx.Web.csproj
MSBuild auto-detection: using msbuild version '14.1' from '/Library/Frameworks/Mono.framework/Versions/Current/lib/mono/msbuild/14.1/bin/'.
Exception has been thrown by the target of an invocation.
  The default XML namespace of the project must be the MSBuild XML namespace. If the project is authored in the MSBuild 2003 format, please add xmlns="http://schemas.microsoft.com/developer/msbuild/2003" to the <Project> element. If the project has been authored in the old 1.0 or 1.2 format, please convert it to MSBuild 2003 format.  /Users/xxx/xxx/src/xxx.Web/xxx.Web.csproj

Oh, well now I'm stuck. Ideally, I'd like a graphviz file showing all the dependencies, highlighting version mismatches.

Do I have to go look at each NuGet package in each csproj, look it up and stick the new version number in the PackageReference element? Doing a trial and error thing?

<PackageReference Include="Microsoft.AspNetCore.Mvc" Version="1.1.3" />

• I'm running nuget 3.5.0.1996
• dotnet CLI 1.0.1
• OSX

The issue is I can't find a way to:

• View the project / package dependency graph
• Update nuget packages which likely resolve mismatched dependencies

Is there a solution for this?

[mishra14]

@a-h : You can use dotnet add as update for now.

You can say dotnet add package <package_id> --version higher_version.
Or you could also use dotnet add package <package_id> to update to the latest stable package.

We also have a backlog item for a dedicated dotnet update package command at: #4103

Please let us know if this unblocks you.

[a-h]

Thanks, I hand cranked the XML which fixed the issue. The workflow was tedious though:

There's a dotnet list reference command, but sadly it only shows the project references, not the nuget packages. I was hoping there would be dotnet list packages command, then I could pipe the output of that into some sort of nuget find command and find packages which need updating.

So I ended up copying and pasting each reference ID into the URL bar of a browser to find the latest version, e.g.:

• For each package:
  • Access https://www.nuget.org/packages/newtonsoft.json/ - shows that the latest version of that is 10.0.2
  • Copy and paste 10.0.2 into the XML and move onto the next item.
• Run dotnet restore

There really needs to be a way to look for outdated packages that are applied to a solution easily. Ideally it would be possible to mark NuGet packages as containing known vulnerabilities, then you could run something like dotnet update packages app.sln --dry-run --insecure-only against old solutions regularly to automatically discover security vulnerabilities in code you've previously deployed.

I've started watching 4103, thanks for that.

[mishra14]

@a-h thanks for closing this. There is a backlog for list as well: #4102.

[johnkors]

View the project / package dependency graph

+1 on this. A huge miss.

@a-h

Re: insecure packages. I'm trying to acheive exactly that. I want to list what packages I have referenced (directly, indirectly or transitively) that match a given list of known insecure ones. I started off manually going thru it on nuget.org, but ended up writing a CLI tool that parses the project.assets.json / project.lock.json files instead.

Source: https://github.com/retirenet/dotnet-retire