Merge pull request dependabot#8901 from dependabot/dev/brettfo/no-nug…

…et-versions

search all candidate packages for compatibility in descending version order

nuget/lib/dependabot/nuget/update_checker/version_finder.rb

@@ -81,9 +81,10 @@ def find_compatible_version(sorted_versions)
           # If the current package version is incompatible, then we don't enforce compatibility.
           # It could appear incompatible because they are ignoring NU1701 or the package is poorly authored.
           return first_version unless version_compatible?(dependency.version)
-          return first_version if version_compatible?(first_version.fetch(:version))
 
-          sorted_versions.bsearch { |v| version_compatible?(v.fetch(:version)) }
+          # once sorted by version, the best we can do is search every package, because it's entirely possible for there
+          # to be incompatible packages both with a higher and lower version number, so no smart searching can be done.
+          sorted_versions.find { |v| version_compatible?(v.fetch(:version)) }
         end
 
         def version_compatible?(version)

nuget/spec/dependabot/nuget/update_checker/version_finder_spec.rb

@@ -432,6 +432,59 @@
       #   expect(subject[:version]).to eq(version_class.new("6.5.0"))
       # end
     end
+
+    context "when the package can't be meaninfully sorted by just version" do
+      before do
+        allow(finder).to receive(:str_version_compatible?).and_call_original
+        reported_versions = [
+          "2.6.1",
+          "2.7.1",
+          "3.4.0",
+          "3.14.0",
+          "4.0.1"
+        ]
+        stub_request(:get, "https://api.nuget.org/v3/registration5-gz-semver2/nunit/index.json")
+          .to_return(
+            status: 200,
+            body: {
+              items: [
+                items: reported_versions.map { |v| { catalogEntry: { listed: true, version: v } } }
+              ]
+            }.to_json
+          )
+        stub_request(:get, "https://api.nuget.org/v3-flatcontainer/nunit/3.14.0/nunit.nuspec")
+          .to_return(status: 200, body: fixture("nuspecs", "nunit.3.14.0_faked.nuspec"))
+        stub_request(:get, "https://api.nuget.org/v3-flatcontainer/nunit/4.0.1/nunit.nuspec")
+          .to_return(status: 200, body: fixture("nuspecs", "nunit.4.0.1_faked.nuspec"))
+      end
+
+      let(:csproj_body) do
+        <<~XML
+          <Project Sdk="Microsoft.NET.Sdk">
+            <PropertyGroup>
+              <TargetFramework>netcoreapp3.1</TargetFramework>
+            </PropertyGroup>
+            <ItemGroup>
+              <PackageReference Include="nunit" Version="3.14.0" />
+            </ItemGroup>
+          </Project>
+        XML
+      end
+      let(:expected_version) { version_class.new("3.14.0") }
+      let(:dependency_version) { "3.14.0" }
+      let(:dependency) do
+        Dependabot::Dependency.new(
+          name: "nunit",
+          version: dependency_version,
+          requirements: [{ file: "my.csproj", requirement: "3.14.0", groups: ["dependencies"], source: nil }],
+          package_manager: "nuget"
+        )
+      end
+
+      it "returns the expected version" do
+        expect(subject[:version]).to eq(version_class.new("3.14.0"))
+      end
+    end
   end
 
   describe "#lowest_security_fix_version_details" do

nuget/spec/fixtures/nuspecs/nunit.3.14.0_faked.nuspec

@@ -0,0 +1,37 @@
+<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">
+  <metadata minClientVersion="2.12">
+    <id>NUnit</id>
+    <version>3.14.0</version>
+    <title>NUnit</title>
+    <authors>Charlie Poole, Rob Prouse</authors>
+    <owners>Charlie Poole, Rob Prouse</owners>
+    <requireLicenseAcceptance>false</requireLicenseAcceptance>
+    <license type="file">LICENSE.txt</license>
+    <licenseUrl>https://aka.ms/deprecateLicenseUrl</licenseUrl>
+    <icon>icon.png</icon>
+    <readme>README.md</readme>
+    <projectUrl>https://nunit.org/</projectUrl>
+    <iconUrl>https://cdn.rawgit.com/nunit/resources/master/images/icon/nunit_256.png</iconUrl>
+    <description>NUnit features a fluent assert syntax, parameterized, generic and theory tests
+      and is user-extensible. This package includes the NUnit 3 framework assembly, which is
+      referenced by your tests. You will need to install version 3 of the nunit3-console
+      program or a third-party runner that supports NUnit 3 in order to execute tests. Runners
+      intended for use with NUnit 2.x will not run NUnit 3 tests correctly. Supported
+      platforms: - .NET Framework 3.5+ - .NET Standard 2.0+</description>
+    <summary>NUnit is a unit-testing framework for all .NET languages with a strong TDD focus.</summary>
+    <releaseNotes>This package includes the NUnit 3 framework assembly, which is referenced by
+      your tests. You will need to install version 3 of the nunit3-console program or a
+      third-party runner that supports NUnit 3 in order to execute tests. Runners intended for
+      use with NUnit 2.x will not run NUnit 3 tests correctly.</releaseNotes>
+    <copyright>Copyright (c) 2023 Charlie Poole, Rob Prouse</copyright>
+    <language>en-US</language>
+    <tags>nunit test testing tdd framework fluent assert theory plugin addin</tags>
+    <repository type="git" url="https://github.com/nunit/nunit" />
+    <dependencies>
+      <group targetFramework=".NETFramework3.5" />
+      <group targetFramework=".NETFramework4.0" />
+      <group targetFramework=".NETFramework4.5" />
+      <group targetFramework=".NETStandard2.0" />
+    </dependencies>
+  </metadata>
+</package>

nuget/spec/fixtures/nuspecs/nunit.4.0.1_faked.nuspec

@@ -0,0 +1,40 @@
+<package xmlns="http://schemas.microsoft.com/packaging/2013/01/nuspec.xsd">
+  <metadata minClientVersion="2.12">
+    <id>NUnit</id>
+    <version>4.0.1</version>
+    <title>NUnit</title>
+    <authors>Charlie Poole, Rob Prouse</authors>
+    <owners>Charlie Poole, Rob Prouse</owners>
+    <requireLicenseAcceptance>false</requireLicenseAcceptance>
+    <license type="file">LICENSE.txt</license>
+    <licenseUrl>https://aka.ms/deprecateLicenseUrl</licenseUrl>
+    <icon>icon.png</icon>
+    <readme>README.md</readme>
+    <projectUrl>https://nunit.org/</projectUrl>
+    <description>NUnit is a unit-testing framework for all .NET languages. It can run on macOS,
+      Linux and Windows operating systems. NUnit can be used for a wide range of testing, from unit
+      testing with TDD to full fledged system and integration testing. It is a non-opinionated,
+      broad and deep framework with multiple different ways to assert that your code behaves as
+      expected. Many aspects of NUnit can be extended to suit your specific purposes. The latest
+      version, version 4, is an upgrade from the groundbreaking NUnit 3 framework. It is a
+      modernized version, aimed at taking advantage of the latest .NET features and C# language
+      constructs. If you are upgrading from NUnit 3, be aware of the breaking changes
+      (https://docs.nunit.org/articles/nunit/release-notes/breaking-changes.html#nunit-40). Please
+      see the NUnit 4 Migration Guide
+      (https://docs.nunit.org/articles/nunit/release-notes/Nunit4.0-MigrationGuide.html) and take
+      care to prepare your NUnit 3 code before you do the upgrade. Supported platforms: - .NET
+      Framework 4.6.2+ - .NET 6.0+</description>
+    <summary>NUnit is a unit-testing framework for all .NET languages with a strong TDD focus.</summary>
+    <releaseNotes>
+      See release notes at
+      https://docs.nunit.org/articles/nunit/release-notes/framework.html#nunit-400---november-26-2023</releaseNotes>
+    <copyright>Copyright (c) Charlie Poole, Rob Prouse and Contributors. MIT License.</copyright>
+    <language>en-US</language>
+    <tags>nunit test testing tdd framework fluent assert theory plugin addin</tags>
+    <repository type="git" url="https://github.com/nunit/nunit" />
+    <dependencies>
+      <group targetFramework=".NETFramework4.6.2" />
+      <group targetFramework="net6.0" />
+    </dependencies>
+  </metadata>
+</package>