Description
Is there an existing issue for this?
- I have searched the existing issues
Package ecosystem
NuGet
Package manager version
Unclear
Language version
C# 13
Manifest location and content before the Dependabot update
Not sure if this is the right repo to report this but based on these PRs from the latest release https://github.com/dependabot/dependabot-core/releases/tag/v0.326.0 it could be
#12768
#12791
It seems to be using just the version from my global.json file
{
  "sdk": {
    "version": "8.0.100",
    "rollForward": "latestMajor",
    "allowPrerelease": true
  }
}
Which means it uses a .NET SDK version with known vulnerabilities and also therefore fails to target my .NET 9 projects.
Here's the log from the validate-project step which fails with error NETSDK1045: The current .NET SDK does not support targeting .NET 9.0
Run # Find all project files
  # Find all project files
  project_files=$(find . -type f \( -name "*.csproj" -o -name "*.sln" -o -name "*.vbproj" -o -name "*.vcxproj" -o -name "*.fsproj" \) | grep -v '/obj/' | grep -v '/bin/' | head -20)
  if [ -z "$project_files" ]; then
    echo "valid-project=false" >> "$GITHUB_OUTPUT"
    echo "### :warning: No .NET project files found" >> $GITHUB_STEP_SUMMARY
    echo "" >> $GITHUB_STEP_SUMMARY
    echo "**This repository does not appear to contain any .NET project files.**" >> $GITHUB_STEP_SUMMARY
    echo "" >> $GITHUB_STEP_SUMMARY
    echo "Searched for: *.csproj, *.sln, packages.config, *.vbproj, *.vcxproj, *.fsproj" >> $GITHUB_STEP_SUMMARY
    echo "" >> $GITHUB_STEP_SUMMARY
    echo "If this is a .NET project, ensure your project files are committed to the repository." >> $GITHUB_STEP_SUMMARY
    echo "::error::No .NET project files found in repository"
    exit 1
  fi
  echo "Found project files:"
  echo "$project_files"
  # Restore all projects
  while IFS= read -r project; do
    echo "Restoring project: $project"
    if ! dotnet restore "$project"; then
      echo "::error::Failed to restore project: $project"
      echo "valid-project=false" >> "$GITHUB_OUTPUT"
      exit 1
    fi
  done <<< "$project_files"
  echo "::debug::All projects restored successfully"
  echo "valid-project=true" >> "$GITHUB_OUTPUT"
  shell: /usr/bin/bash -e {0}
  env:
    SKIP_CACHE:
    DOTNET_ROOT: /usr/share/dotnet
Found project files:
<Redacted>
Restoring project: ./<Redacted>.sln
Determining projects to restore...
Error: /usr/share/dotnet/sdk/8.0.100/Sdks/Microsoft.NET.Sdk/targets/Microsoft.NET.TargetFrameworkInference.targets(166,5): error NETSDK1045: The current .NET SDK does not support targeting .NET 9.0. Either target .NET 8.0 or lower, or use a version of the .NET SDK that supports .NET 9.0. Download the .NET SDK from https://aka.ms/dotnet/download [/home/runner/work/<Redacted>.csproj]
Error: /usr/share/dotnet/sdk/8.0.100/Sdks/Microsoft.NET.Sdk/targets/Microsoft.NET.TargetFrameworkInference.targets(166,5): error NETSDK1045: The current .NET SDK does not support targeting .NET 9.0. Either target .NET 8.0 or lower, or use a version of the .NET SDK that supports .NET 9.0. Download the .NET SDK from https://aka.ms/dotnet/download [/home/runner/work/<Redacted>.csproj]
Error: /usr/share/dotnet/sdk/8.0.100/Sdks/Microsoft.NET.Sdk/targets/Microsoft.NET.TargetFrameworkInference.targets(166,5): error NETSDK1045: The current .NET SDK does not support targeting .NET 9.0. Either target .NET 8.0 or lower, or use a version of the .NET SDK that supports .NET 9.0. Download the .NET SDK from https://aka.ms/dotnet/download [/home/runner/work/<Redacted>.csproj]
Error: /usr/share/dotnet/sdk/8.0.100/Sdks/Microsoft.NET.Sdk/targets/Microsoft.NET.TargetFrameworkInference.targets(166,5): error NETSDK1045: The current .NET SDK does not support targeting .NET 9.0. Either target .NET 8.0 or lower, or use a version of the .NET SDK that supports .NET 9.0. Download the .NET SDK from https://aka.ms/dotnet/download [/home/runner/work/<Redacted>.csproj]
Error: Failed to restore project: ./<Redacted>.sln
Error: Process completed with exit code 1.
dependabot.yml content
# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
version: 2 # Required. The file must start with version: 2
updates: # Required
  # GitHub Actions
  - package-ecosystem: "github-actions" # Required
    directory: "/" # Required (or directories). Location of package manifests. You must define the location of the package manifests for each package manager. For GitHub Actions, you do not need to set the directory to /.github/workflows. Configuring the key to / automatically instructs Dependabot to search the /.github/workflows directory, as well as the action.yml / action.yaml file from the root directory
    schedule:
      interval: "weekly" # Required. By default, Dependabot randomly assigns a time to apply all the updates in the configuration file. To set a specific time, you can use schedule.time and schedule.timezone
      day: "tuesday" # When you set a weekly update schedule, by default, Dependabot checks for new versions on Monday at a random set time for the repository. Use schedule.day to specify an alternative day to check for updates.
      time: "10:15" # Note: The schedule.time option is a best effort, and it may take some time before Dependabot opens pull requests to update to newer dependency versions. Patch Tuesday begins at 10:00 a.m. Pacific Time.
      timezone: "US/Pacific" # The time zone identifier must be from the Time Zone database maintained by IANA.
    commit-message:
      prefix: "build"
      include: "scope"
    labels:
      - "github-actions"
      - "dependencies"
    # Associate pull requests with milestone "1" which is the "Dependencies" milestone
    milestone: 1
    open-pull-requests-limit: 10 # By default, Dependabot opens a maximum of five pull requests for version updates. Once there are five open pull requests from Dependabot, Dependabot will not open any new requests until some of those open requests are merged or closed.
  # NuGet packages
  - package-ecosystem: "nuget" # Required
    directories: # Required (or directories). Location of package manifests. You must define the location of the package manifests for each package manager
      - "**/*" # Specify all directories from the current layer and below recursively, using globstar, for locations of manifest files.
    groups:
      xunit:
        patterns:
          - xunit*
        update-types:
          - "minor"
          - "patch"
      System.*:
        patterns:
          - System.*
        update-types:
          - "minor"
          - "patch"
      Microsoft.AspNetCore.*:
        patterns:
          - Microsoft.AspNetCore.*
        update-types:
          - "minor"
          - "patch"
      Microsoft.Azure.*:
        patterns:
          - Microsoft.Azure.*
        update-types:
          - "minor"
          - "patch"
      Microsoft.Extensions.*:
        patterns:
          - Microsoft.Extensions.*
        update-types:
          - "minor"
          - "patch"
      Microsoft.*:
        patterns:
          - Microsoft.*
        update-types:
          - "minor"
          - "patch"
      Azure.*:
        patterns:
          - Azure.*
        update-types:
          - "minor"
          - "patch"
      Roslynator.*:
        patterns:
          - Roslynator.*
        update-types:
          - "minor"
          - "patch"
    schedule:
      interval: "weekly" # Required. By default, Dependabot randomly assigns a time to apply all the updates in the configuration file. To set a specific time, you can use schedule.time and schedule.timezone
      day: "tuesday" # When you set a weekly update schedule, by default, Dependabot checks for new versions on Monday at a random set time for the repository. Use schedule.day to specify an alternative day to check for updates.
      time: "10:15" # Note: The schedule.time option is a best effort, and it may take some time before Dependabot opens pull requests to update to newer dependency versions. Patch Tuesday begins at 10:00 a.m. Pacific Time.
      timezone: "US/Pacific" # The time zone identifier must be from the Time Zone database maintained by IANA.
    commit-message:
      prefix: "chore"
      include: "scope"
    labels:
      - "nuget"
      - "dependencies"
    # Associate pull requests with milestone "1" which is the "Dependencies" milestone
    milestone: 1
    open-pull-requests-limit: 10 # By default, Dependabot opens a maximum of five pull requests for version updates. Once there are five open pull requests from Dependabot, Dependabot will not open any new requests until some of those open requests are merged or closed.
Updated dependency
N/A
What you expected to see, versus what you actually saw
The correct SDK installed (since I allow pre-release versions in my global.json it should install the latest .NET 10 preview currently 10.0.100-preview.7.25380.108)
Native package manager behavior
N/A
Images of the diff or a link to the PR, issue, or logs
Not public but here's the log
Run # Find all project files
  # Find all project files
  project_files=$(find . -type f \( -name "*.csproj" -o -name "*.sln" -o -name "*.vbproj" -o -name "*.vcxproj" -o -name "*.fsproj" \) | grep -v '/obj/' | grep -v '/bin/' | head -20)
  if [ -z "$project_files" ]; then
    echo "valid-project=false" >> "$GITHUB_OUTPUT"
    echo "### :warning: No .NET project files found" >> $GITHUB_STEP_SUMMARY
    echo "" >> $GITHUB_STEP_SUMMARY
    echo "**This repository does not appear to contain any .NET project files.**" >> $GITHUB_STEP_SUMMARY
    echo "" >> $GITHUB_STEP_SUMMARY
    echo "Searched for: *.csproj, *.sln, packages.config, *.vbproj, *.vcxproj, *.fsproj" >> $GITHUB_STEP_SUMMARY
    echo "" >> $GITHUB_STEP_SUMMARY
    echo "If this is a .NET project, ensure your project files are committed to the repository." >> $GITHUB_STEP_SUMMARY
    echo "::error::No .NET project files found in repository"
    exit 1
  fi
  echo "Found project files:"
  echo "$project_files"
  # Restore all projects
  while IFS= read -r project; do
    echo "Restoring project: $project"
    if ! dotnet restore "$project"; then
      echo "::error::Failed to restore project: $project"
      echo "valid-project=false" >> "$GITHUB_OUTPUT"
      exit 1
    fi
  done <<< "$project_files"
  echo "::debug::All projects restored successfully"
  echo "valid-project=true" >> "$GITHUB_OUTPUT"
  shell: /usr/bin/bash -e {0}
  env:
    SKIP_CACHE:
    DOTNET_ROOT: /usr/share/dotnet
Found project files:
<Redacted>
Restoring project: ./<Redacted>.sln
Determining projects to restore...
Error: /usr/share/dotnet/sdk/8.0.100/Sdks/Microsoft.NET.Sdk/targets/Microsoft.NET.TargetFrameworkInference.targets(166,5): error NETSDK1045: The current .NET SDK does not support targeting .NET 9.0. Either target .NET 8.0 or lower, or use a version of the .NET SDK that supports .NET 9.0. Download the .NET SDK from https://aka.ms/dotnet/download [/home/runner/work/<Redacted>.csproj]
Error: /usr/share/dotnet/sdk/8.0.100/Sdks/Microsoft.NET.Sdk/targets/Microsoft.NET.TargetFrameworkInference.targets(166,5): error NETSDK1045: The current .NET SDK does not support targeting .NET 9.0. Either target .NET 8.0 or lower, or use a version of the .NET SDK that supports .NET 9.0. Download the .NET SDK from https://aka.ms/dotnet/download [/home/runner/work/<Redacted>.csproj]
Error: /usr/share/dotnet/sdk/8.0.100/Sdks/Microsoft.NET.Sdk/targets/Microsoft.NET.TargetFrameworkInference.targets(166,5): error NETSDK1045: The current .NET SDK does not support targeting .NET 9.0. Either target .NET 8.0 or lower, or use a version of the .NET SDK that supports .NET 9.0. Download the .NET SDK from https://aka.ms/dotnet/download [/home/runner/work/<Redacted>.csproj]
Error: /usr/share/dotnet/sdk/8.0.100/Sdks/Microsoft.NET.Sdk/targets/Microsoft.NET.TargetFrameworkInference.targets(166,5): error NETSDK1045: The current .NET SDK does not support targeting .NET 9.0. Either target .NET 8.0 or lower, or use a version of the .NET SDK that supports .NET 9.0. Download the .NET SDK from https://aka.ms/dotnet/download [/home/runner/work/<Redacted>.csproj]
Error: Failed to restore project: ./<Redacted>.sln
Error: Process completed with exit code 1.
Smallest manifest that reproduces the issue
I don't think it's manifest related.
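Added example, not part of the original issue and not Dependabot's code: a simplified model of the .NET host's `rollForward` matching (`latest*` policies and `disable` only), contrasting a runner that has just the pinned `8.0.100` installed with one that also has newer SDKs. The function names, the installed-SDK lists (including the `9.0.100` entry) and the defaults used for omitted keys are assumptions made for the example.

```python
import json
import re

# The global.json from the issue, embedded so the example runs offline.
GLOBAL_JSON = """
{"sdk": {"version": "8.0.100", "rollForward": "latestMajor", "allowPrerelease": true}}
"""
# Constructed sample: SDKs a runner could have installed (hypothetical list).
INSTALLED = ["8.0.100", "9.0.100", "10.0.100-preview.7.25380.108"]

# How many leading version parts must equal the requested ones, per policy.
SAME_PREFIX = {"latestPatch": 3, "latestFeature": 2, "latestMinor": 1, "latestMajor": 0}


def parse_sdk(version):
    """'8.0.100' -> (major, minor, feature_band, patch, is_release)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(-.+)?", version)
    if not m:
        raise ValueError(f"not an SDK version: {version!r}")
    band, patch = divmod(int(m.group(3)), 100)
    # A prerelease sorts below the release with the same numbers.
    return (int(m.group(1)), int(m.group(2)), band, patch, m.group(4) is None)


def resolve_sdk(global_json_text, installed):
    """Return the installed SDK the policy selects, or None if nothing matches."""
    sdk = json.loads(global_json_text)["sdk"]
    want = parse_sdk(sdk["version"])
    policy = sdk.get("rollForward", "latestPatch")  # assumed default
    allow_pre = sdk.get("allowPrerelease", True)    # assumed default outside Visual Studio
    if policy == "disable":
        return sdk["version"] if sdk["version"] in installed else None
    if policy not in SAME_PREFIX:
        raise ValueError(f"policy {policy!r} is not covered by this sketch")
    n = SAME_PREFIX[policy]
    matches = []
    for v in installed:
        p = parse_sdk(v)
        if p[:n] == want[:n] and p >= want and (allow_pre or p[4]):
            matches.append(v)
    return max(matches, key=parse_sdk, default=None)


def can_target(sdk_version, tfm):
    """NETSDK1045 condition: an SDK targets its own major version and lower."""
    tfm_major = int(re.fullmatch(r"net(\d+)\.\d+", tfm).group(1))
    return tfm_major <= parse_sdk(sdk_version)[0]


if __name__ == "__main__":
    for label, sdks in (("pinned only", ["8.0.100"]), ("all installed", INSTALLED)):
        chosen = resolve_sdk(GLOBAL_JSON, sdks)
        print(f"{label}: {chosen} targets net9.0 -> {can_target(chosen, 'net9.0')}")
```

When only `8.0.100` is present, `latestMajor` has nothing newer to roll forward to, which corresponds to the `/usr/share/dotnet/sdk/8.0.100/` path and the NETSDK1045 errors in the log.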