1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
|
---
title: NuGet (.NET)
description: NuGet (.NET) dependencies support in Renovate
---
# NuGet
Renovate can upgrade dependencies in these files:
- `.csproj`
- `.fsproj`
- `.vbproj`
## Version Support
Renovate only works with SDK-style `.csproj`, `.fsproj` or `.vbproj` files.
By default, this includes:
- .NET Core 1.0 and above
- .NET Standard class libraries
- `.csproj`, `.fsproj` or `.vbproj` files that use the SDK-style syntax
To convert your .NET Framework `.csproj`, `.fsproj` or `.vbproj` files into an SDK-style project, follow the steps in this [guide](https://natemcmaster.com/blog/2017/03/09/vs2015-to-vs2017-upgrade/).
## How it works
1. Renovate searches in each repository for any files with a `.csproj`, `.fsproj`, or `.vbproj` extension
1. Existing dependencies are extracted from `<PackageReference>` and `<PackageVersion>` tags
1. Renovate looks up the latest version on [nuget.org](https://nuget.org) (or an alternative feed if configured) to see if any upgrades are available
1. If the source package includes a GitHub URL as its source, and has either:
- a "changelog" file, or
- uses GitHub releases
then release notes for each version are embedded in the generated PR
If your project file references a `packages.config` file, no dependencies will be extracted.
Find out here how to [migrate from `packages.config` to `PackageReference`](https://docs.microsoft.com/en-us/nuget/consume-packages/migrate-packages-config-to-package-reference).
## Alternate feeds
By default Renovate performs all lookups on `https://api.nuget.org/v3/index.json`, but you can set alternative NuGet feeds.
You can set alternative feeds:
- in a [`NuGet.config` file](https://docs.microsoft.com/en-us/nuget/reference/nuget-config-file#package-source-sections) within your repository (Renovate will not search outside the repository), or
- in a Renovate configuration options file like `renovate.json`
```json
{
"nuget": {
"registryUrls": [
"https://api.nuget.org/v3/index.json",
"https://example1.com/nuget/",
"https://example2.com/nuget/v3/index.json"
]
}
}
```
In the example above we've set three NuGet feeds.
The package resolving process uses the `merge` strategy to handle the three feeds.
All feeds are checked for dependency updates, and duplicate updates are merged into a single dependency update.
<!-- prettier-ignore -->
!!! warning
If your project has lockfile(s), for example a `package.lock.json` file, then you must set alternate feed settings in the `NuGet.config` file only.
`registryUrls` set in other files are **not** passed to the NuGet commands.
### Protocol versions
NuGet supports two protocol versions, `v2` and `v3`.
The NuGet client and server must use the same version.
When Renovate acts as the client, it can use the `v2` and `v3` protocols.
By default, Renovate uses the `v2` protocol.
If the configured feed URL ends with `index.json`, Renovate uses the `v3` protocol.
So Renovate behaves like the official NuGet client.
#### v3 feed URL not ending with index.json
If a `v3` feed URL does not end with `index.json`, you must specify the version explicitly.
- If the feed is defined in a `NuGet.config` file set the `protocolVersion` attribute to `3`:
```xml
<packageSources>
<clear />
<add key="myV3feed" value="http://myV3feed" protocolVersion="3" />
</packageSources>
```
- If the feed is defined via Renovate configuration append `#protocolVersion=3` to the registry URL:
```json
{
"nuget": {
"registryUrls": ["http://myV3feed#protocolVersion=3"]
}
}
```
You may need this workaround when you use the JFrog Artifactory.
## Authenticated feeds
Credentials for authenticated/private feeds can be given via host rules in the configuration options (file or command line parameter).
```json
{
"hostRules": [
{
"hostType": "nuget",
"matchHost": "http://example1.com/nuget",
"username": "root",
"password": "p4$$w0rd"
}
]
}
```
If you use Azure DevOps:
- set `matchHost` to `pkgs.dev.azure.com`
- set the username, so Renovate can build the project when it creates the PR
<!-- prettier-ignore -->
!!! note
Only Basic HTTP authentication (via username and password) is supported.
For Azure DevOps: use a PAT with `read` permissions on `Packaging`.
The username of the PAT must match the username of the _user of the PAT_.
The generated `nuget.config` forces the basic authentication, which cannot be overridden externally!
## Ignoring package files when using presets
Because `nuget` manager has a dedicated `ignorePaths` entry in the `:ignoreModulesAndTests` preset, if you're using any presets that extend it (like `config:recommended`), you need to put your `ignorePaths` inside the `nuget` section for it to be merged.
For example:
```json
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": ["config:recommended"],
"nuget": {
"ignorePaths": ["IgnoreThisPackage/**"]
}
}
```
Otherwise, all `nuget.ignorePaths` values in `:ignoreModulesAndTests` will override values you put inside `ignorePaths` at the top-level config.
## Future work
We welcome contributions or feature requests to support more patterns or use cases.
|
