Configure Renovate to handle nuspec files
source link: https://anthonysimmon.com/configure-renovate-handle-nuspec-files/
Renovate doesn't handle nuspec files by default. Let's configure a custom Renovate regex manager to support them.
I recently mentioned that Renovate’s NuGet manager only supports certain files by default, and `.nuspec` files are not among them. These are XML manifests that describe the metadata of a NuGet package. Although nowadays, SDK-style projects are sufficient for most cases to describe and generate NuGet packages, there are still many very popular projects that rely on `.nuspec` files, as shown by this search on GitHub.

`.nuspec` files can contain references to dependencies, making them important to consider in the Renovate update process, primarily for security reasons. Once again, we will use Renovate’s extensibility with regular expressions to enable it to handle these files.
# Renovate configuration for handling nuspec files
The following Renovate configuration:
- Detects files with the `.nuspec` extension,
- Uses a regex to parse the dependencies and their versions,
- Applies the update management that would be used for NuGet.
```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": [
    "config:best-practices"
  ],
  "enabledManagers": [
    "nuget",
    "custom.regex"
  ],
  "customManagers": [
    {
      "description": "Nuspec files manager",
      "customType": "regex",
      "fileMatch": ["\\.nuspec$"],
      "matchStringsStrategy": "any",
      "matchStrings": [
        "<dependency\\s+id=\"(?<depName>.*?)\"\\s+version=\"(?<currentValue>.*?)\"\\s*\\/>"
      ],
      "datasourceTemplate": "nuget",
      "versioningTemplate": "nuget"
    }
  ]
}
```
# Testing the configuration
We can validate this configuration against a `.nuspec` file containing a reference to an old version of the C# MongoDB driver which contains a security vulnerability:
```xml
<?xml version="1.0" encoding="utf-8"?>
<package xmlns="http://schemas.microsoft.com/packaging/2012/06/nuspec.xsd">
  <metadata>
    <id>MyLibrary</id>
    <version>$version$</version>
    <description>Example nuspec file with an outdated, vulnerable dependency</description>
    <authors>johndoe</authors>
    <dependencies>
      <dependency id="MongoDB.Driver" version="2.18.0" />
    </dependencies>
  </metadata>
</package>
```
When running Renovate locally, we can see that the `MongoDB.Driver` dependency is detected and Renovate recommends updating it to version `2.25.0`:
```
DEBUG: packageFiles with updates (repository=local)
       "config": {
         "regex": [
           {
             "deps": [
               {
                 "depName": "MongoDB.Driver",
                 "currentValue": "2.18.0",
                 "datasource": "nuget",
                 "versioning": "nuget",
                 "replaceString": "<dependency id=\"MongoDB.Driver\" version=\"2.18.0\" />",
                 "updates": [
                   {
                     "bucket": "non-major",
                     "newVersion": "2.25.0",
                     "newValue": "2.25.0",
                     "releaseTimestamp": "2024-04-12T21:27:47.967Z",
                     "newMajor": 2,
                     "newMinor": 25,
                     "updateType": "minor",
                     "branchName": "renovate/mongo-csharp-driver-monorepo"
                   }
                 ],
                 "packageName": "MongoDB.Driver",
                 "warnings": [],
                 "sourceUrl": "https://github.com/mongodb/mongo-csharp-driver",
                 "registryUrl": "https://api.nuget.org/v3/index.json",
                 "homepage": "https://www.mongodb.com/docs/drivers/csharp/",
                 "currentVersion": "2.18.0",
                 "isSingleVersion": true,
                 "fixedVersion": "2.18.0"
               }
             ],
             "matchStrings": [
               "<dependency\\s+id=\"(?<depName>.*?)\"\\s+version=\"(?<currentValue>.*?)\"\\s*\\/>"
             ],
             "matchStringsStrategy": "any",
             "datasourceTemplate": "nuget",
             "versioningTemplate": "nuget",
             "packageFile": "MyLibrary.nuspec"
           }
         ]
       }
```
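The regex in this configuration expects `id` before `version` and uses lazy `.*?` captures, so it is worth checking what it extracts from other `<dependency>` shapes before relying on it for security updates. The following is an added example, not code from the original article: it runs the article's `matchStrings` pattern and a hypothetical stricter pair over a constructed sample. `HARDENED`, `extract`, `audit` and the `Example.*` package names are assumptions, and Node's `RegExp` stands in for Renovate's regex engine.

```javascript
// Added example (not from the article). ARTICLE is the article's matchStrings entry
// after JSON unescaping; HARDENED is a hypothetical stricter pair for comparison.
const ARTICLE = ['<dependency\\s+id="(?<depName>.*?)"\\s+version="(?<currentValue>.*?)"\\s*\\/>'];
const HARDENED = [
  '<dependency\\s+id="(?<depName>[^"]+)"\\s+version="(?<currentValue>[^"]+)"[^>]*?\\/>',
  '<dependency\\s+version="(?<currentValue>[^"]+)"\\s+id="(?<depName>[^"]+)"[^>]*?\\/>',
];

// Constructed sample: the article's dependency plus two made-up variants
// (an extra attribute after version, and version placed before id).
const SAMPLE = [
  '<dependencies>',
  '  <dependency id="MongoDB.Driver" version="2.18.0" />',
  '  <dependency id="Example.Logging" version="1.2.3" exclude="Build,Analyzers" />',
  '  <dependency version="4.5.6" id="Example.Reordered" />',
  '</dependencies>',
].join('\n');

// Apply every pattern globally, as matchStringsStrategy "any" does
// (assumption: JS RegExp behaves like Renovate's engine for these patterns).
function extract(content, patterns) {
  return patterns.flatMap((p) =>
    [...content.matchAll(new RegExp(p, 'g'))].map((m) => ({ ...m.groups }))
  );
}

// Report captures that cannot be valid attribute values (they contain a quote)
// and <dependency> elements whose id no pattern captured.
function audit(content, patterns) {
  const deps = extract(content, patterns);
  const suspicious = deps.filter((d) => /"/.test(d.depName + d.currentValue));
  const names = new Set(deps.map((d) => d.depName));
  const missed = [...content.matchAll(/<dependency\b[^>]*\bid="([^"]+)"/g)]
    .map((m) => m[1])
    .filter((id) => !names.has(id));
  return { deps, suspicious, missed };
}

for (const [label, patterns] of [['article', ARTICLE], ['hardened', HARDENED]]) {
  const { deps, suspicious, missed } = audit(SAMPLE, patterns);
  console.log(label, { found: deps.length, suspicious, missed });
}
```

With the article's pattern, the `exclude` attribute is swallowed into `currentValue` for `Example.Logging`, and `Example.Reordered` is not detected at all; the stricter pair extracts all three cleanly.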