Rocolatey seems to slow down when dealing with 'many' (let's say more than 5) feeds - this is most likely due to the optimization that's been introduced in version 0.9 in order to counteract degradation of performance when dealing with the CCR.

See this -> will most likely need to put an upper end of chunks here just in case...

currently, roco outdated somepkg always "succeeds" if somepkg is not present on the local system.
usability improvement: early failure if somepkg is currently not installed (cannot be outdated)

check all unsafe unwrap / expect calls and replace with proper error handling/messages.

something seems to be wrong with the semver comparison

choco does not ..

choco output

a-test-pkg|6.0.0.20200617|7.0.0.202101113|false
...

roco output

...

see GH-68

roco outdated -l should simply output a whitespace-separated list of packages that could be updated.

i.e.:

• display timestamps/duration for each command.
• roco outdated could/should display ODATA query URLs.
• roco list should print paths of nuspecs found/read
• ...

... only pass credentials to remote server/feed if first request (without creds) returns a 401

most bits should already be in place (configured feeds are already extracted in roco outdated)

Would like this.. so used to typing choco outtab 🙂

i.e.
local installed firefox-0.85-beta2 will be listed as outdated, even if firefox-0.84.1 is the latest available on remote feeds.

minimal failing test case:

assert!(semver_is_newer("1.11-alpha", "1.07"));

it occurs some people still have to use 32 bit Windows OS :-/
-> building a x86 executable and including it in the choco package should be trivial.

I use PSLazyCompletion and would much prefer to symlink it, but everytime this package updates, it adds this line to my $profile that I have to delete.

"Import-Module '$rocoTabCompletion' -ErrorAction SilentlyContinue"

or

"Import-Module '$rocoTabCompletion' -ErrorAction Ignore"

I am using the following versions:

• Chocolatey v2.2.2
• Rocolatey v0.8.2

Recently, rocolatey is unable to detect outdated chocolatey packages & is failing with the following error:

failed to fetch packages: failed to receive packages from NuGet v2 feed 'https://community.chocolatey.org/api/v2/'

This can can be seen from the below screenshot:

To investigate further I did the following:

• I executed the roco outdated -v to get verbose output which gave the following result (partial screenshot below):

Please let me know in case of any further info.

When running roco outdated I received the following error:

[00:00:08] =================================================================================================================     206/206     receive packages from 'chocolatey'
thread 'main' panicked at 'called `Result::unwrap()` on an `Err` value: ParseError("expected more input")', rocolatey-lib\src\roco\remote.rs:187:58

Happy to provide debug info if you let me know what you need.

UPDATE: Debug info is in this gist

❯ Compare-Object $r $c  
InputObject SideIndicator 
----------- ------------- 
Chocolatey v0.10.15 Business => 
Chocolatey has determined 57 package(s) are outdated. => 
7 package(s) had warnings. => 
 Rocolatey has determined 57 package(s) are outdated. <= 
7 packages(s) had warnings. <= 

packages(s)

as discussed via slack, please implement colored text output like choco.exe supports for subcommands (yellow, green, magenta, etc.)

When running roco outdated on a machine that has an authenticated nexus repository as the only source, it does not find any updates and gives warnings for all packages installed. There are a number of outdated packages found when running choco outdated.

Also, this lives up to the hype and is super fast compared to choco with checking the chocolatey.org repo.

Hey, thanks for building this!

Do you plan to add support for upgrading packages? roco upgrade all etc?

Background: many times a user just want's to know if a new version of a specific package is available.
Doing this with Chocolatey like so: choco upgrade <pkgid> --noop takes much longer than necessary, getting worse when dealing with multiple feeds.
As roco does not feature upgrade functionality, extending the outdated command to take in an additional parameter seems to be a good choice.

Chocolatey 2.0 is going to support NuGet v3.
In order to stay compatible/support all feeds from chocolatey.config, rocolatey should also be able to work with v3 feeds.

roco outdated pkgid should only do one http request per configured feed, each taking a couple of milliseconds.

known so far:

• there are done two calls per feed, the first one used to determine the "possible bulk query" size for the feed, the second one with the actual odata query.
• starting a PowerShell executable for decrypting secured feed credentials adds the overhead of 1x PowerShell-startup time for each encrypted feed in chocolatey.config

As of the latest choco update, roco panics on roco outdated, seems like the dirs were changed

thread 'main' panicked at 'failed to get choco dir: NotPresent', rocolatey-lib\src\roco\mod.rs:222:42
stack backtrace:
   0:     0x7ff6180e8402 - <unknown>
   1:     0x7ff61810a48b - <unknown>
   2:     0x7ff6180e086a - <unknown>
   3:     0x7ff6180e814b - <unknown>
   4:     0x7ff6180ead59 - <unknown>
   5:     0x7ff6180ea9db - <unknown>
   6:     0x7ff6180eb5f1 - <unknown>
   7:     0x7ff6180eb37e - <unknown>
   8:     0x7ff6180e90ff - <unknown>
   9:     0x7ff6180eb030 - <unknown>
  10:     0x7ff61811f915 - <unknown>
  11:     0x7ff61811fe16 - <unknown>
  12:     0x7ff617ddf705 - <unknown>
  13:     0x7ff617db95d0 - <unknown>
  14:     0x7ff617dc3b96 - <unknown>
  15:     0x7ff617dd6f54 - <unknown>
  16:     0x7ff617ddbaa9 - <unknown>
  17:     0x7ff617dce546 - <unknown>
  18:     0x7ff617daafcc - <unknown>
  19:     0x7ff6180db1fe - <unknown>
  20:     0x7ff617ddbd4c - <unknown>
  21:     0x7ff618112f60 - <unknown>
  22:     0x7ffe3f23117e - BaseThreadInitThunk
  23:     0x7ffe40ba42db - RtlUserThreadStart

It may be useful to add pin + find/search functionality

• https://docs.chocolatey.org/en-us/choco/commands/pin
• https://docs.chocolatey.org/en-us/choco/commands/find

as discussed on slack, please implement -ip, --ignore-pinned and -iu, --ignore-unfound flags to roco outdated to allow unfound packages to be ignored.

currently supported:

choco outdated --ignore-pinned --ignore-unfound

feature request:

roco outdated --ignore-unfound --ignore-pinned

roco outdated -ip -iu #shorthand

roco outdated -ipu|-iup #combined shorthand

when two packages with the same id have the same version, but one is built with more digits (i.e. 1.0.0 vs 1.0), rocolatey will happily tell you the version with more digits is greater.

Or make a way to configure it as the default.

Personally I always run roco outdated --ignore-pinned so would be nice to not have to type the extra bits 😄

currently feeds are processed sequentially, it should be possible to get a notable performance improvement when doing odata/nugetv3 queries in parallel,- if there are multiple feeds configured.

local repository layout was changed in choco2+; - need to adapt to new layout.

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

• Update Rust crate clap to v4.4.14

Detected dependencies

• Check this box to trigger a request for Renovate to run again on this repository

https://blog.malwarebytes.com/detections/backdoor-bladabindi/

I'm sure this is explainable, hopefully false positive?... but I am doing my due diligence by bringing this up.... ?

Malwarebytes Detection upon file system scan.

To be clear, this was on
C:\ProgramData\chocolatey\bin\roco.exe which I believe is the shim?
https://www.virustotal.com/gui/file/8f7460994cb21788c1892b2a2951192dd18a247c7a1bb9fd413cdc9f5d2cbd45

Although on the main executable there was also a detection with a score of 100...
C:\ProgramData\chocolatey\lib\rocolatey\tools\roco.exe
https://www.virustotal.com/gui/file/70d23e81d84c3a6c8a20df51707af4618cd42187d49c6db2d0f539b204ccf0f4

Skimming the source, I don't see anything in the source that looks bad. My guess is that it's due to references here to system cryptography.

https://github.com/mwallner/rocolatey/blob/49b22e4536c9a5fe908513b62c04946fdc2ab760/rocolatey-lib/src/roco/mod.rs#L306-L309

There is an error with this repository's Renovate configuration that needs to be fixed. As a precaution, Renovate will stop PRs until it is resolved.

Location: renovate.json
Error type: Invalid JSON (parsing failed)
Message: Syntax error near ", ],

roco outdated currently does not validate if a source configured in chocolatey.config is disabled or not - it will always be used.

when a local packages already is installed in a prerelease version (i.e. 1.0.2-beta), roco doesn't recognize the upstream version (i.e. 1.0.2) is newer, if only the prerlease-tag is differnt/missing.

the password that's used for proxy authentication needs to be decrypted prior usage.

see GH-17, will be fixed with GH-17