Remove NuGet.Core package dependency#15037
Merged
Merged
Conversation
brettfo
force-pushed
the
dev/brettfo/nuget-old-package
branch
from
cd3d51c to
3c6ff8f
Compare
Contributor
There was a problem hiding this comment.
Pull request overview
This PR removes the legacy NuGet.Core (v2) package dependency from the NuGet helper projects by replacing the few required types/usages with local implementations and by vendoring/stubbing upstream NuGet.CommandLine sources that previously depended on extern alias CoreV2. It also documents the NU1701 suppression limitation to clarify why Dependabot treats target framework incompatibilities as fatal.
Changes:
- Removed
NuGet.Corepackage references and theNU1701suppression from NuGetUpdater build configuration. - Introduced local equivalents for NuGet runtime binding-redirect types (
IAssembly,AssemblyBinding) and updated redirect logic to use them. - Added/updated documentation and maintainer guidance for vendored
NuGetProjects/sources andNU1701behavior.
Show a summary per file
| File | Description |
|---|---|
| nuget/README.md | Documents NU1701 suppression as a known limitation for Dependabot NuGet updates. |
| nuget/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Updater/IAssembly.cs | Adds local IAssembly abstraction to replace NuGet.Core runtime interface usage. |
| nuget/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Updater/AssemblyBinding.cs | Adds local AssemblyBinding implementation for binding redirect parsing/serialization. |
| nuget/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Updater/BindingRedirectResolver.cs | Removes NuGet.Core alias usage and returns local AssemblyBinding instances. |
| nuget/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Updater/BindingRedirectManager.cs | Switches redirect management from NuGet.Core runtime types to local AssemblyBinding. |
| nuget/helpers/lib/NuGetUpdater/NuGetUpdater.Core/NuGetUpdater.Core.csproj | Drops the NuGet.Core package dependency. |
| nuget/helpers/lib/NuGetUpdater/NuGetUpdater.Core.Test/StreamExtensions.cs | Adds a small test helper for reading streams to byte arrays. |
| nuget/helpers/lib/NuGetUpdater/NuGetProjects/README.md | Adds maintenance rules for the vendored NuGetProjects code (incl. removing NuGet.Core). |
| nuget/helpers/lib/NuGetUpdater/NuGetProjects/NuGet.CommandLine/NuGet.CommandLine.csproj | Removes NuGet.Core dependency and excludes upstream files that relied on CoreV2. |
| nuget/helpers/lib/NuGetUpdater/NuGetProjects/NuGet.CommandLine/Program.cs | Adds a local replacement for upstream NuGet.CommandLine program entrypoint without CoreV2. |
| nuget/helpers/lib/NuGetUpdater/NuGetProjects/NuGet.CommandLine/SettingsCredentialProvider.cs | Adds a local replacement provider (removing legacy dependencies). |
| nuget/helpers/lib/NuGetUpdater/NuGetProjects/NuGet.CommandLine/Commands/Command.cs | Adds a local replacement for upstream command base without CoreV2 usage. |
| nuget/helpers/lib/NuGetUpdater/NuGetProjects/NuGet.CommandLine/Commands/ProjectFactory.cs | Adds a local replacement for upstream project factory without CoreV2 usage. |
| nuget/helpers/lib/NuGetUpdater/NuGetProjects/NuGet.CommandLine/Commands/UpdateCommand.cs | Adds a local replacement for upstream update command without CoreV2 usage. |
| nuget/helpers/lib/NuGetUpdater/NuGetProjects/Directory.Build.props | Removes NU1701 suppression in the vendored projects build. |
| nuget/helpers/lib/NuGetUpdater/Directory.Packages.props | Removes centralized NuGet.Core package version entry. |
| nuget/helpers/lib/NuGetUpdater/Directory.Build.props | Removes global NU1701 suppression for NuGetUpdater projects. |
| .github/instructions/nuget-projects.instructions.md | Adds GitHub instructions/checklist for maintaining NuGetProjects/ after submodule updates. |
Copilot's findings
- Files reviewed: 18/18 changed files
- Comments generated: 2
sebasgomez238
requested changes
May 18, 2026
Contributor
sebasgomez238
left a comment
sebasgomez238
left a comment
There was a problem hiding this comment.
A couple of the copilot suggestions seem reasonable, feel free to ping for approval once addressed or ignored
brettfo
force-pushed
the
dev/brettfo/nuget-old-package
branch
from
1ea3b00 to
2c933e2
Compare
Replace all usages of the NuGet.Core (v2) package with local implementations: - Remove NuGet.Core from Directory.Packages.props, NuGet.CommandLine.csproj, and NuGetUpdater.Core.csproj - Add local AssemblyBinding and IAssembly types in NuGetUpdater.Core/Updater/ - Exclude 8 CoreV2-dependent files from NuGet.CommandLine and provide replacement stubs (Program.cs, Command.cs, UpdateCommand.cs, ProjectFactory.cs, SettingsCredentialProvider.cs) - Remove NU1701 warning suppression (no longer needed) - Add maintenance instructions for NuGetProjects directory - Add StreamExtensions.cs for pre-existing test gap Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: brettfo <926281+brettfo@users.noreply.github.com>
Co-authored-by: brettfo <926281+brettfo@users.noreply.github.com>
brettfo
force-pushed
the
dev/brettfo/nuget-old-package
branch
from
2c933e2 to
82d1ee2
Compare
sebasgomez238
approved these changes
May 20, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR will allow dependabot to update dependabot again :)
Replace all usages of the NuGet.Core (v2) package with local implementations. That package is a transitive dependency of the
NuGet.Clientsubmodule and the assembly targetsnet40-Clientwhich is technically incompatible with the target framework used by dependabot. Because of that,<NoWarn>NU1701</NoWarn>was present telling NuGet to ignore target framework compatibility checks. This was a very specific case where the few types necessary from that assembly were compatible with .NET Core, but by having that suppression, it made it so that dependabot couldn't update dependabot because when determining package compatibility, we do not take into considerationNU1701because we have no way of knowing what packages that was for or in what circumstances it would be considered OK so we have to consider any target framework incompatibility as fatal.Various documents were updated to help future maintainers and bots understand the limitations.