[Bug]: Metadata like PrivateAssets does not flow from parent to transitively pinned dependency in CPM

[AArnott]

Tested and verified to repro on .NET Core SDK versions: 3.1.401, 5.0.100
This is an adoption blocker for our teams.

When CPVM is active, package dependencies are retained to transitive references with pinned versions even if their direct reference had PrivateAssets="all" set on them.

Given this simple csproj:

<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <TargetFramework>netstandard2.0</TargetFramework>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="MicroBuild.VisualStudio" PrivateAssets="all" />
  </ItemGroup>
</Project>

and a Directory.Packages.props file with this content:

<Project>
    <ItemGroup>
        <PackageVersion Include="MicroBuild" Version="2.0.61" />
        <PackageVersion Include="MicroBuild.VisualStudio" Version="2.0.61" />
    </ItemGroup>
</Project>

and a Directory.Build.props file with this content:

<Project>
    <PropertyGroup>
        <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
        <CentralPackageTransitivePinningEnabled>true</CentralPackageTransitivePinningEnabled>
    </PropertyGroup>
</Project>

EXPECTED

The packed project contains no dependency because its only PackageReference has PrivateAssets="all" metadata.

ACTUAL

The resulting package has a nuspec that expresses a dependency on a transitively referenced package:

    <dependencies>
      <group targetFramework=".NETStandard2.0">
        <dependency id="MicroBuild" version="2.0.61" exclude="Build,Analyzers" />
      </group>
    </dependencies>

Sample Project

Minimal repro: issue10311.zip

[AArnott]

Just a note on this: this issue is blocking our adoption of CPVM.

[AArnott]

This repro'd with .NET SDK 5.0.100, but it no longer repros in 6.0.103. I'm not sure what the first version that fixed this was.
Even with <CentralPackageTransitivePinningEnabled>true</CentralPackageTransitivePinningEnabled> set, the problem doesn't repro. Yay!

[marcin-krystianc]

@AArnott I think that this issue was closed prematurely. The change that re-adds the "transitive dependency pinning" functionality (NuGet/NuGet.Client#4025) was merged at the beginning of March and I believe it wasn't released yet. So what you actually observe is just a consequence of missing the "transitive dependency pinning" feature.

[AArnott]

Quite right, @marcin-krystianc : it does still repro.
Updated repro: issue10311.zip

[jeffkl]

@AArnott unfortunately this bug fix won't be available in 17.3 since its taking longer than expected to get it right. My PR is going to be merged for 17.4 which means the functionality will only be available in .NET 7. Is that going to be a problem for your build environment? You'll need to use .NET 7 to restore/build but of course can target any framework still.

[AArnott]

Thanks for trying. I suppose we'll get by till our build environment can target .NET 7 (sometime after GA, presumably). We just won't be able to set CentralPackageTransitivePinningEnabled=true till then.