I recently mentioned that Renovate’s NuGet manager only supports certain files by default, and .nuspec
files are not among them. These are XML manifests that describe the metadata of a NuGet package. Although nowadays, SDK-style projects are sufficient for most cases to describe and generate NuGet packages, there are still many very popular projects that rely on .nuspec
files, as shown by this search on GitHub.
.nuspec
files can contain references to dependencies, making them important to consider in the Renovate update process, primarily for security reasons. Once again, we will use Renovate’s extensibility with regular expressions to enable it to handle these files.
Renovate configuration for handling nuspec files
The following Renovate configuration:
- Detects files with the
.nuspec
extension, - Uses a regex to parse the dependencies and their versions,
- Applies the update management that would be used for NuGet.
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": [
"config:best-practices"
],
"enabledManagers": [
"nuget",
"custom.regex"
],
"customManagers": [
{
"description": "Nuspec files manager",
"customType": "regex",
"fileMatch": ["\\.nuspec$"],
"matchStringsStrategy": "any",
"matchStrings": [
"<dependency\\s+id=\"(?<depName>.*?)\"\\s+version=\"(?<currentValue>.*?)\"\\s*\\/>"
],
"datasourceTemplate": "nuget",
"versioningTemplate": "nuget"
}
]
}
Testing the configuration
We can validate this configuration against a .nuspec
file containing a reference to an old version of the C# MongoDB driver which contains a security vulnerability:
<?xml version="1.0" encoding="utf-8"?>
<package xmlns="http://schemas.microsoft.com/packaging/2012/06/nuspec.xsd">
<metadata>
<id>MyLibrary</id>
<version>$version$</version>
<description>Example nuspec file with an outdated, vulnerable dependency</description>
<authors>johndoe</authors>
<dependencies>
<dependency id="MongoDB.Driver" version="2.18.0" />
</dependencies>
</metadata>
</package>
When running Renovate locally, we can see that the MongoDB.Driver
dependency is detected and Renovate recommends updating it to version 2.25.0
:
DEBUG: packageFiles with updates (repository=local)
"config": {
"regex": [
{
"deps": [
{
"depName": "MongoDB.Driver",
"currentValue": "2.18.0",
"datasource": "nuget",
"versioning": "nuget",
"replaceString": "<dependency id=\"MongoDB.Driver\" version=\"2.18.0\" />",
"updates": [
{
"bucket": "non-major",
"newVersion": "2.25.0",
"newValue": "2.25.0",
"releaseTimestamp": "2024-04-12T21:27:47.967Z",
"newMajor": 2,
"newMinor": 25,
"updateType": "minor",
"branchName": "renovate/mongo-csharp-driver-monorepo"
}
],
"packageName": "MongoDB.Driver",
"warnings": [],
"sourceUrl": "https://github.com/mongodb/mongo-csharp-driver",
"registryUrl": "https://api.nuget.org/v3/index.json",
"homepage": "https://www.mongodb.com/docs/drivers/csharp/",
"currentVersion": "2.18.0",
"isSingleVersion": true,
"fixedVersion": "2.18.0"
}
],
"matchStrings": [
"<dependency\\s+id=\"(?<depName>.*?)\"\\s+version=\"(?<currentValue>.*?)\"\\s*\\/>"
],
"matchStringsStrategy": "any",
"datasourceTemplate": "nuget",
"versioningTemplate": "nuget",
"packageFile": "MyLibrary.nuspec"
}
]
}