generate and submit dependency graphs #14956
Pull request overview
This PR adds dependency graph generation and submission support to the NuGet updater by introducing a new graph execution path that converts existing discovery output into a dependency submission payload and posts it to the Dependabot service (create_dependency_submission). It also enhances discovery to extract direct dependency edges from project.assets.json, enabling richer graph output without additional project analysis work.
Changes:
- Add a graph command end-to-end (PowerShell entrypoint → CLI command → Core GraphWorker → API submission).
- Extend discovery results to include a per-project dependency graph extracted from project.assets.json, and merge it across discovery sources.
- Add API model + serialization/reporting tests for dependency submission payloads, plus new CLI/core tests for graph execution.
Summary per file
| File | Description |
|---|---|
| nuget/updater/main.ps1 | Adds update_graph command support and routes to native helper graph subcommand. |
| nuget/script/run | Exports DEPENDABOT_VERSION for detector version reporting. |
| nuget/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Run/IApiHandler.cs | Adds API call helper for create_dependency_submission. |
| nuget/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Run/ApiModel/CreateDependencySubmission.cs | Introduces the dependency submission API model + report formatting. |
| nuget/helpers/lib/NuGetUpdater/NuGetUpdater.Core/NuGetUpdater.Core.csproj | Adds packageurl-dotnet dependency for PURL generation. |
| nuget/helpers/lib/NuGetUpdater/NuGetUpdater.Core/IGraphWorker.cs | Adds graph worker interface for dependency submission runs. |
| nuget/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Graph/GraphWorker.cs | Implements graph generation/submission from discovery output. |
| nuget/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Discover/SdkProjectDiscovery.cs | Extracts dependency edges from project.assets.json into a graph structure. |
| nuget/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Discover/ProjectDiscoveryResult.cs | Adds DependencyGraph (and pinning flag) to discovery results. |
| nuget/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Discover/DiscoveryWorker.cs | Populates/merges DependencyGraph, including packages.config scenarios. |
| nuget/helpers/lib/NuGetUpdater/NuGetUpdater.Core.Test/Run/SerializationTests.cs | Adds serialization coverage for dependency submission payloads. |
| nuget/helpers/lib/NuGetUpdater/NuGetUpdater.Core.Test/Run/MessageReportTests.cs | Adds report formatting coverage for dependency submission messages. |
| nuget/helpers/lib/NuGetUpdater/NuGetUpdater.Core.Test/Graph/GraphWorkerTests.cs | Adds unit tests for converting discovery results to submission payloads. |
| nuget/helpers/lib/NuGetUpdater/NuGetUpdater.Core.Test/Discover/ExpectedDiscoveryResults.cs | Extends expected discovery result shape to include dependency graph expectations. |
| nuget/helpers/lib/NuGetUpdater/NuGetUpdater.Core.Test/Discover/DiscoveryWorkerTests.cs | Adds discovery tests validating dependency graph population. |
| nuget/helpers/lib/NuGetUpdater/NuGetUpdater.Core.Test/Discover/DiscoveryWorkerTestBase.cs | Validates dependency graph contents during discovery test assertions. |
| nuget/helpers/lib/NuGetUpdater/NuGetUpdater.Cli/Program.cs | Registers the new graph CLI command. |
| nuget/helpers/lib/NuGetUpdater/NuGetUpdater.Cli/Commands/SharedOptions.cs | Deduplicates common CLI options across commands. |
| nuget/helpers/lib/NuGetUpdater/NuGetUpdater.Cli/Commands/RunCommand.cs | Switches to shared CLI options. |
| nuget/helpers/lib/NuGetUpdater/NuGetUpdater.Cli/Commands/GraphCommand.cs | Adds CLI entrypoint for dependency graph generation/submission. |
| nuget/helpers/lib/NuGetUpdater/NuGetUpdater.Cli/Commands/CloneCommand.cs | Switches to shared CLI options. |
| nuget/helpers/lib/NuGetUpdater/NuGetUpdater.Cli.Test/EntryPointTests.Run.cs | Refactors run entrypoint tests to use shared helper. |
| nuget/helpers/lib/NuGetUpdater/NuGetUpdater.Cli.Test/EntryPointTests.Graph.cs | Adds CLI entrypoint test coverage for graph. |
| nuget/helpers/lib/NuGetUpdater/NuGetUpdater.Cli.Test/EntryPointTestHelper.cs | Adds shared harness for CLI entrypoint tests. |
| nuget/helpers/lib/NuGetUpdater/Directory.Packages.props | Pins packageurl-dotnet version. |
| nuget/Dockerfile | Writes .dependabot-version at build time for runtime detector version reporting. |
Copilot's findings
Comments suppressed due to low confidence (2)
nuget/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Graph/GraphWorker.cs:37
error is declared and assigned (including error = discoveryResult.Error and in the catch), but never read. With TreatWarningsAsErrors enabled this will break the build; consider removing the outer error variable and using a scoped variable inside the catch/if blocks where needed.
int result = 0;
JobErrorBase? error = null;
nuget/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Graph/GraphWorker.cs:90
repoRoot parameter is never used in BuildDependencySubmission. Because warnings are treated as errors, this unused parameter will fail the build. Either remove the parameter (and update call sites/tests) or use it (e.g., to compute manifest/source paths).
internal CreateDependencySubmission BuildDependencySubmission(
WorkspaceDiscoveryResult discoveryResult,
Job job,
string baseCommitSha,
string repoRoot,
string directory)
{
- Files reviewed: 26/26 changed files
- Comments generated: 5
| { | ||
| // build a lookup of package name -> resolved version for this TFM | ||
| var resolvedVersions = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase); | ||
| foreach (var packageObject in tfmObject.Value.EnumerateObject()) |
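Review bot: the "build a lookup of package name -> resolved version" comment says what the first pass builds but not why it has to be a separate pass; since the second pass looks dependencies up by name in resolvedVersions (as the reply below explains), state that ordering dependency in the comment so the two loops are not merged later. The StringComparer.OrdinalIgnoreCase key is the right choice for NuGet package IDs, so make sure the second pass queries this same dictionary rather than a case-sensitive lookup, or dependencies listed with different casing will silently get no edge.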
tfmObject.Value is getting enumerated twice here. It seems like we could delete this foreach and just copy L652 onto L663 instead; is there a reason that wouldn't work?
The second loop checks the dependencies just by name (resolvedVersions.ContainsKey(...)) so we need to have already processed the versions in the first loop. Added comments to that effect.
- Remove unused experimentsManager variable (TreatWarningsAsErrors)
- Normalize branch ref to avoid double-prefixing refs/heads/
- Hash long directory names in correlator (matching Ruby's 32-byte threshold)
- Use string.IsNullOrWhiteSpace for DEPENDABOT_VERSION fallback
- Guard nuget/script/run against missing/empty version file
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…dkProjectDiscovery
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Allow the NuGet updater to respond to the update_graph command. Most of this is just converting the existing project discovery results to a different format, with the exception that we now track dependency requirements in a new dictionary. This new object doesn't slow down discovery because the information was already there; we're just pulling it out of the generated project.assets.json file.
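The two-pass extraction discussed in the review thread above (resolved versions first, then edges looked up by name), as an added stand-alone Python illustration that is not the updater's own C# code. The project.assets.json sample is constructed, and only "package" entries become nodes (an assumption of this example; project references are skipped).

```python
import json

# Constructed, trimmed project.assets.json (sample data, not from the PR);
# only the fields the graph extraction reads are present.
SAMPLE_ASSETS = json.dumps({
    "version": 3,
    "targets": {
        "net8.0": {
            "Newtonsoft.Json/13.0.3": {"type": "package", "dependencies": {}},
            "Some.Package/1.2.0": {
                "type": "package",
                # values under "dependencies" are requirements (ranges), not resolved versions
                "dependencies": {"newtonsoft.json": "[13.0.1, )", "System.Runtime": "4.3.0"},
            },
            "My.Lib/1.0.0": {"type": "project", "dependencies": {"Some.Package": "1.2.0"}},
        }
    },
})


def extract_graph(assets_json: str) -> dict:
    """Map each TFM to {package: {"version": resolved, "dependencies": {dep: {...}}}}.

    Assumption of this illustration: only "package" entries become graph nodes.
    """
    assets = json.loads(assets_json)
    graph = {}
    for tfm, entries in assets.get("targets", {}).items():
        # Pass 1: package name -> (canonical name, resolved version).
        # NuGet IDs are case-insensitive, so key by lower-cased name.
        resolved = {}
        for key, entry in entries.items():
            if entry.get("type") == "package":
                name, _, version = key.partition("/")
                resolved[name.lower()] = (name, version)
        # Pass 2: edges. The requirement string is kept as written; the resolved
        # version comes from pass 1, which is why the loops cannot be collapsed.
        nodes = {}
        for key, entry in entries.items():
            if entry.get("type") != "package":
                continue
            name, _, version = key.partition("/")
            deps = {}
            for dep_name, requirement in entry.get("dependencies", {}).items():
                hit = resolved.get(dep_name.lower())
                if hit is None:
                    continue  # not a package node in this TFM (e.g. framework pack): no edge
                deps[hit[0]] = {"requirement": requirement, "resolved": hit[1]}
            nodes[name] = {"version": version, "dependencies": deps}
        graph[tfm] = nodes
    return graph
```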