NuGet does not deal with blocking version conflicts from existing installed packages

[ferventcoder]

1. Conflicting dependencies - When installing a package that has dependencies on a newer version of a package than are allowed by an existing package with that dependency - it just allows the install/upgrade without any warning.

[ferventcoder]

😢 🐼

[ferventcoder]

I believe this is because NuGet doesn't seem to take into account all of the existing packages in the local repository, ONLY the ones it is currently dealing with (installing / upgrading).

[gregsdennis]

I, too, just experienced this. Our application needs this to be handled, can the priority on this be bumped up?

In the meantime, we'll have to write custom logic to facilitate this.

[ferventcoder]

It was a lower priority at one point - once we realized it has other issues, we bumped the priority of this (but not on the ticket). Follow #508 where I will be hopefully taking on a newer dependency of NuGet that does better at this. Otherwise we will start working into the dependency resolver and walker and making it know about every existing package as well because this is just... just not good.

[ferventcoder]

#507 is a hoot as well 👎

[ferventcoder]

This requires .NET 4.5, so will need to be implemented with 0.9.11.

[jberezanski]

Is this still on the radar? I just ran into it while testing new .NET Core packages.

Given this dependency graph:
dotnetcore-3.0-windowshosting 3.0.3 -> <dependency id="dotnet-aspnetcoremodule-v2" version="[13.0.20023,13.0.20024)" />
dotnetcore-3.1-windowshosting 3.1.9 -> <dependency id="dotnet-aspnetcoremodule-v2" version="[13.1.20268,13.1.20269)" />

this sequence:

cinst -y dotnetcore-3.0-windowshosting
cinst -y dotnetcore-3.1-windowshosting

should fail on the second choco invocation, but instead proceeds to upgrade dotnet-aspnetcoremodule-v2 to 13.1.20268, violating the dependency constraint of dotnetcore-3.0-windowshosting.

[jberezanski]

From NuGet/Home#1870 (comment) it seems it could be fixed even with NuGet v2, without spending the major effort of upgrading to NuGet v3+.

[TheCakeIsNaOH]

This appears to have been fixed as a part of #2740, and the below test was enabled to cover it:

choco/src/chocolatey.tests.integration/scenarios/InstallScenarios.cs

Lines 3136 to 3249 in c0e2f84

	public class when_installing_a_package_with_dependencies_on_a_newer_version_of_a_package_than_are_allowed_by_an_existing_package_with_that_dependency : ScenariosBase
	{
	public override void Context()
	{
	base.Context();
	Configuration.PackageNames = Configuration.Input = "conflictingdependency";
	Scenario.add_packages_to_source_location(Configuration, "hasdependency.1.0.0*" + NuGetConstants.PackageExtension);
	Scenario.add_packages_to_source_location(Configuration, "conflictingdependency.2.1.0*" + NuGetConstants.PackageExtension);
	Scenario.add_packages_to_source_location(Configuration, "isdependency.*" + NuGetConstants.PackageExtension);
	Scenario.add_packages_to_source_location(Configuration, "isexactversiondependency*" + NuGetConstants.PackageExtension);
	Scenario.install_package(Configuration, "isdependency", "1.0.0");
	Scenario.install_package(Configuration, "hasdependency", "1.0.0");
	}
	public override void Because()
	{
	Results = Service.install_run(Configuration);
	}
	[Fact]
	public void should_not_install_the_conflicting_package()
	{
	foreach (var packageResult in Results)
	{
	DirectoryAssert.DoesNotExist(packageResult.Value.InstallLocation);
	}
	}
	[Fact]
	public void should_not_install_the_conflicting_package_in_the_lib_directory()
	{
	var packageDir = Path.Combine(Scenario.get_top_level(), "lib", Configuration.PackageNames);
	DirectoryAssert.DoesNotExist(packageDir);
	}
	[Fact]
	public void should_not_upgrade_the_minimum_version_dependency()
	{
	var packageFile = Path.Combine(Scenario.get_top_level(), "lib", "isdependency", "isdependency.nupkg");
	using (var packageReader = new PackageArchiveReader(packageFile))
	{
	packageReader.NuspecReader.GetVersion().to_string().ShouldEqual("1.0.0");
	}
	}
	[Fact]
	public void should_not_upgrade_the_exact_version_dependency()
	{
	var packageFile = Path.Combine(Scenario.get_top_level(), "lib", "isexactversiondependency", "isexactversiondependency.nupkg");
	using (var packageReader = new PackageArchiveReader(packageFile))
	{
	packageReader.NuspecReader.GetVersion().to_string().ShouldEqual("1.0.0");
	}
	}
	[Fact]
	public void should_contain_a_message_that_it_was_unable_to_install_any_packages()
	{
	bool expectedMessage = false;
	foreach (var message in MockLogger.MessagesFor(LogLevel.Warn).or_empty_list_if_null())
	{
	if (message.Contains("installed 0/1")) expectedMessage = true;
	}
	expectedMessage.ShouldBeTrue();
	}
	[Fact]
	public void should_not_have_a_successful_package_result()
	{
	foreach (var packageResult in Results)
	{
	packageResult.Value.Success.ShouldBeFalse();
	}
	}
	[Fact]
	public void should_not_have_inconclusive_package_result()
	{
	foreach (var packageResult in Results)
	{
	packageResult.Value.Inconclusive.ShouldBeFalse();
	}
	}
	[Fact]
	public void should_not_have_warning_package_result()
	{
	foreach (var packageResult in Results)
	{
	packageResult.Value.Warning.ShouldBeFalse();
	}
	}
	[Fact]
	public void should_have_an_error_package_result()
	{
	bool errorFound = false;
	foreach (var packageResult in Results)
	{
	foreach (var message in packageResult.Value.Messages)
	{
	if (message.MessageType == ResultType.Error)
	{
	errorFound = true;
	}
	}
	}
	errorFound.ShouldBeTrue();
	}
	}

[choco-bot]

🎉 This issue has been resolved in version 2.0.0 🎉

The release is available on:

• GitHub Release
• Chocolatey Package

Your GitReleaseManager bot 📦🚀