Dependabot Fails with ERR_UNKNOWN_ENCODING: sha256 After Commenting Experiment Flag

[vishnuprakash9845]

Categorization

• This is not a permissions issue (Seek help at 403 error when Dependabot tries to create a pull request #1245)

• This is an issue specific to Azure DevOps or this repository and does not belong in dependabot-core.
  Specific issues for dependabot are solved faster in the core repository. For example, why a package version is skipped.
  Trying out this behaviour in the GitHub Hosted version can help you pinpoint where it lies.

• I have linked a public reproduction of the specific issue or none is required because the issue is not specific to me.
  Please note that you can create a public organization/project and repository to show the issue. This tends to accelerate resolution.

Repository

No response

Steps to reproduce

1. Use Dependabot Task v2.54.0 in Azure DevOps
2. Comment out the experiments line in the configuration
3. Run the pipeline
4. Observe the error related to unknown encoding and failed dependency update

dependabot.yml config content

version: 2
updates:
- package-ecosystem: "nuget"
  directories:
    - "/BackEnd"
  target-branch: "main"
  labels:
    - "Nuget dependencies"
  commit-message:
      prefix: "Nuget Dependency Update"
      include: "scope"
  groups:
    project-server-dependencies:
      applies-to: version-updates # Applies the group rule to version updates
      patterns:
        - "Aggregates.Config"
        - "Aggregates.Client"
        - "Aggregates.ObjDir"
        - "xxxxx.OpcUaServer"
  ignore:
    - dependency-name: 'LiteDB'
    - dependency-name: 'Microsoft.*' 
    - dependency-name: 'NWebsec.AspNetCore.Middleware'
    - dependency-name: 'Newtonsoft.Json'
    - dependency-name: 'OpenTelemetry.*'   
    - dependency-name: 'Serilog.*'  
    - dependency-name: 'StyleCop.Analyzers'
    - dependency-name: 'Swashbuckle.*' 
    - dependency-name: 'System.IdentityModel.Tokens.Jwt'
    - dependency-name: 'xunit'
    - dependency-name: 'xunit.*'
    - dependency-name: 'SolidToken.SpecFlow.DependencyInjection'
    - dependency-name: 'AutoFixture'
    - dependency-name: 'AutoFixture.*'
    - dependency-name: 'coverlet.*'
    - dependency-name: 'IdentityModel'
  open-pull-requests-limit: 2
  registries:
      - azure_artifacts

registries:
  azure_artifacts:
    type: "nuget-feed"
    url: "https://pkgs.dev.azure.com/{org}/{proj}/_packaging/{feedname}/nuget/v3/index.json"
    token: PAT:${{TOKEN}}

Task Details

  - task: dependabot@2
                displayName: Run Dependabot on ${{repositoryName.name}}
                continueOnError: true
                inputs:
                  targetRepositoryName: ${{repositoryName.name}}
                  setAutoComplete: false
                  mergeStrategy: 'squash'
                  autoApprove: false 
                  autoApproveUserToken: $(DEPENDABOT_PAT)
                  azureDevOpsAccessToken: $(DEPENDABOT_PAT)
                  # experiments: 'nuget-use-legacy-updater-when-updating-pr: false'
                timeoutInMinutes: 30
                env:
                  TOKEN: $(DEPENDABOT_PAT)

It's unclear whether this issue originates from Dependabot Core or the Azure DevOps extension. If this is not the right place to report it, please advise.

Expected behavior

Dependabot should run without errors and update dependencies as configured, regardless of the experiment flag being enabled or disabled.

Logs and screenshots

Please refer to the following logs for context:

updater | 2025/07/04 09:38:35 INFO Re-added SDK managed package [System.Security.Cryptography.ProtectedData/8.0.0] to project [../../../../tmp/package-dependency-resolution_0NyTLb/Project.csproj]
updater | 2025/07/04 09:38:37 INFO     Saved [BackEnd/src/Server/xxxxxx.App.ALEvent.BE/xxxxxx.App.ALEvent.BE.csproj].
updater | 2025/07/04 09:38:37 INFO Update complete.
updater | 2025/07/04 09:38:37 INFO Update operation performed: Updated xxxxxx.Lib.WebsocketAuth from 2.0.33.537382 to 2.0.35.567169 in /BackEnd/src/Server/xxxxxx.App.ALEvent.BE/xxxxxx.App.ALEvent.BE.csproj, /Directory.Build.props
updater | 2025/07/04 09:38:37 INFO Starting analysis of xxxxxx.OpcUaClient...
updater | 2025/07/04 09:38:37 INFO   Determining multi-dependency property.
updater | 2025/07/04 09:38:37 INFO   Finding updated version.
updater | 2025/07/04 09:38:37 INFO   Finding updated peer dependencies.
updater | 2025/07/04 09:38:37 INFO Analysis complete.
updater | 2025/07/04 09:38:37 INFO No updatable version found for xxxxxx.OpcUaClient in /BackEnd/src/Repository/xxxxxx.App.ALEvent.ServerConfiguration/xxxxxx.App.ALEvent.ServerConfiguration.csproj.
updater | 2025/07/04 09:38:37 INFO Starting analysis of xxxxxx.OpcUaClient...
updater | 2025/07/04 09:38:37 INFO   Determining multi-dependency property.
updater | 2025/07/04 09:38:37 INFO   Finding updated version.
updater | 2025/07/04 09:38:37 INFO   Finding updated peer dependencies.
updater | 2025/07/04 09:38:37 INFO Analysis complete.
updater | 2025/07/04 09:38:37 INFO No updatable version found for xxxxxx.OpcUaClient in /BackEnd/src/Service/Common/xxx.xxx.ALEvent.Policy/xxx.xxx.ALEvent.Policy.csproj.
{"data":{"base-commit-sha":"c9d707c02032e26dc7914703d6eb2df504ac2096","dependencies":[{"name":"Microsoft.AspNetCore.Authentication.JwtBearer","previous-requirements":[{"file":"/BackEnd/src/Server/xxxxxx.App.ALEvent.BE/xxxxxx.App.ALEvent.BE.csproj","groups":["dependencies"],"requirement":"8.0.16","source":null}],"previous-version":"8.0.16","requirements":[{"file":"/BackEnd/src/Server/xxxxxx.App.ALEvent.BE/xxxxxx.App.ALEvent.BE.csproj","groups":["dependencies"],"requirement":"8.0.17","source":{"source_url":"https://github.com/dotnet/aspnetcore","type":"nuget_repo"}}],"version":"8.0.17"},{"name":"xxxxxx.Lib.ConfigurationServiceApi","previous-requirements":[{"file":"/BackEnd/src/Server/xxxxxx.App.ALEvent.BE/xxxxxx.App.ALEvent.BE.csproj","groups":["dependencies"],"requirement":"3.0.48","source":null}],"previous-version":"3.0.48","requirements":[{"file":"/BackEnd/src/Server/xxxxxx.App.ALEvent.BE/xxxxxx.App.ALEvent.BE.csproj","groups":["dependencies"],"requirement":"3.0.49","source":{"source_url":null,"type":"nuget_repo"}}],"version":"3.0.49"},{"name":"xxxxxx.Lib.OpcUaServer","previous-requirements":[{"file":"/BackEnd/src/Server/xxxxxx.App.ALEvent.BE/xxxxxx.App.ALEvent.BE.csproj","groups":["dependencies"],"requirement":"1.0.78","source":null}],"previous-version":"1.0.78","requirements":[{"file":"/BackEnd/src/Server/xxxxxx.App.ALEvent.BE/xxxxxx.App.ALEvent.BE.csproj","groups":["dependencies"],"requirement":"1.0.87","source":{"source_url":"https://dev.azure.com/xxx-BCI-PCP/PCP/_git/xxxxxx.Lib.OpcUaServer","type":"nuget_repo"}}],"version":"1.0.87"},{"name":"System.IdentityModel.Tokens.Jwt","previous-requirements":[{"file":"/BackEnd/src/Server/xxxxxx.App.ALEvent.BE/xxxxxx.App.ALEvent.BE.csproj","groups":["dependencies"],"requirement":"8.11.0","source":null}],"previous-version":"8.11.0","requirements":[{"file":"/BackEnd/src/Server/xxxxxx.App.ALEvent.BE/xxxxxx.App.ALEvent.BE.csproj","groups":["dependencies"],"requirement":"8.12.1","source":{"source_url":"https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet","type":"nuget_repo"}}],"version":"8.12.1"},{"name":"xxxxxx.Lib.OpcUaServer","previous-requirements":[{"file":"/BackEnd/src/Server/xxxxxx.App.ALEvent.BE/xxxxxx.App.ALEvent.BE.csproj","groups":["dependencies"],"requirement":"1.0.78","source":null}],"previous-version":"1.0.78","requirements":[{"file":"/BackEnd/src/Server/xxxxxx.App.ALEvent.BE/xxxxxx.App.ALEvent.BE.csproj","groups":["dependencies"],"requirement":"1.0.88","source":{"source_url":"https://dev.azure.com/xxx-BCI-PCP/PCP/_git/xxxxxx.Lib.OpcUaServer","type":"nuget_repo"}}],"version":"1.0.88"},{"name":"xxxxxx.Lib.OpcUaServer","previous-requirements":[{"file":"/BackEnd/src/Server/xxxxxx.App.ALEvent.BE/xxxxxx.App.ALEvent.BE.csproj","groups":["dependencies"],"requirement":"1.0.78","source":null}],"previous-version":"1.0.78","requirements":[{"file":"/BackEnd/src/Server/xxxxxx.App.ALEvent.BE/xxxxxx.App.ALEvent.BE.csproj","groups":["dependencies"],"requirement":"1.0.88","source":{"source_url":"https://dev.azure.com/xxx-BCI-PCP/PCP/_git/xxxxxx.Lib.OpcUaServer","type":"nuget_repo"}}],"version":"1.0.88"},{"name":"xxxxxx.Lib.WebsocketAuth","previous-requirements":[{"file":"/BackEnd/src/Server/xxxxxx.App.ALEvent.BE/xxxxxx.App.ALEvent.BE.csproj","groups":["dependencies"],"requirement":"2.0.33.537382","source":null}],"previous-version":"2.0.33.537382","requirements":[{"file":"/BackEnd/src/Server/xxxxxx.App.ALEvent.BE/xxxxxx.App.ALEvent.BE.csproj","groups":["dependencies"],"requirement":"2.0.35.567169","source":{"source_url":"https://dev.azure.com/xxx-BCI-PCP/PCP/_git/xxxxxx.Lib.WebsocketAuth","type":"nuget_repo"}}],"version":"2.0.35.567169"}],"updated-dependency-files":[{"content":"2141160ab447e44c97ed9b2fd2182c5a01a6d2af467c98690b95b4b76a02bd52","content_encoding":"sha256","deleted":false,"directory":"/BackEnd/src/Server/xxxxxx.App.ALEvent.BE","name":"xxxxxx.App.ALEvent.BE.csproj","operation":"update","support_file":false,"type":"file","mode":""},{"content":"\u003cProject Sdk=\"Microsoft.NET.Sdk\"\u003e\n\n  \u003cPropertyGroup\u003e\n    \u003cTargetFramework\u003enet8.0\u003c/TargetFramework\u003e\n    \u003cImplicitUsings\u003eenable\u003c/ImplicitUsings\u003e\n    \u003cNullable\u003eenable\u003c/Nullable\u003e\n  \u003c/PropertyGroup\u003e\n\n  \u003cPropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|AnyCPU'\"\u003e\n    \u003cDebugType\u003enone\u003c/DebugType\u003e\n  \u003c/PropertyGroup\u003e\n\n  \u003cItemGroup\u003e\n    \u003cAdditionalFiles Include=\"SCA\\stylecop.json\" /\u003e\n  \u003c/ItemGroup\u003e\n\n  \u003cItemGroup\u003e\n    \u003cPackageReference Include=\"Microsoft.Extensions.Configuration\" Version=\"9.0.5\" /\u003e\n    \u003cPackageReference Include=\"Microsoft.Extensions.Configuration.Binder\" Version=\"9.0.5\" /\u003e\n    \u003cPackageReference Include=\"xxxxxx.Lib.ConfigurationServiceApi\" Version=\"3.0.49\" /\u003e\n    \n    \u003cPackageReference Include=\"StyleCop.Analyzers\" Version=\"1.1.118\"\u003e\n      \u003cPrivateAssets\u003eall\u003c/PrivateAssets\u003e\n      \u003cIncludeAssets\u003eruntime; build; native; contentfiles; analyzers; buildtransitive\u003c/IncludeAssets\u003e\n    \u003c/PackageReference\u003e\n  \u003c/ItemGroup\u003e\n\n  \n\n  \u003cItemGroup\u003e\n    \u003cProjectReference Include=\"..\\..\\..\\Repository\\xxxxxx.App.ALEvent.ServerConfiguration\\xxxxxx.App.ALEvent.ServerConfiguration.csproj\" /\u003e\n    \u003cProjectReference Include=\"..\\..\\History\\xxx.xxx.EventHistory\\xxx.xxx.EventHistory.csproj\" /\u003e\n    \u003cProjectReference Include=\"..\\..\\Subscription\\xxx.xxx.ALEvent.Subscription\\xxx.xxx.ALEvent.Subscription.csproj\" /\u003e\n  \u003c/ItemGroup\u003e\n\n\u003c/Project\u003e\n","content_encoding":"utf-8","deleted":false,"directory":"/BackEnd/src/Service/Connection/xxx.xxx.ALEvent.ConnectionManager","name":"xxx.xxx.ALEvent.ConnectionManager.csproj","operation":"update","support_file":false,"type":"file","mode":""}],"pr-title":"Dependabot Nuget Update: Bump the project-server-dependencies group with 5 updates","pr-body":"Performed the following updates:\n- Updated Microsoft.AspNetCore.Authentication.JwtBearer from 8.0.16 to 8.0.17 in /BackEnd/src/Server/xxxxxx.App.ALEvent.BE/xxxxxx.App.ALEvent.BE.csproj\n- Updated xxxxxx.Lib.ConfigurationServiceApi from 3.0.48 to 3.0.49 in /BackEnd/src/Server/xxxxxx.App.ALEvent.BE/xxxxxx.App.ALEvent.BE.csproj, /BackEnd/src/Service/Connection/xxx.xxx.ALEvent.ConnectionManager/xxx.xxx.ALEvent.ConnectionManager.csproj, /Directory.Build.props\n- Updated xxxxxx.Lib.OpcUaServer from 1.0.78 to 1.0.87 in /BackEnd/src/Server/xxxxxx.App.ALEvent.BE/xxxxxx.App.ALEvent.BE.csproj\n- Updated System.IdentityModel.Tokens.Jwt from 8.11.0 to 8.12.1 in /BackEnd/src/Server/xxxxxx.App.ALEvent.BE/xxxxxx.App.ALEvent.BE.csproj\n- Updated xxxxxx.Lib.OpcUaServer from 1.0.78 to 1.0.88 in /BackEnd/src/Server/xxxxxx.App.ALEvent.BE/xxxxxx.App.ALEvent.BE.csproj, /Directory.Build.props\n- Pinned xxxxxx.Lib.OpcUaServer at 1.0.88 in /BackEnd/src/Service/Connection/xxx.xxx.ALEvent.ConnectionManager/xxx.xxx.ALEvent.ConnectionManager.csproj, /Directory.Build.props\n- Updated xxxxxx.Lib.WebsocketAuth from 2.0.33.537382 to 2.0.35.567169 in /BackEnd/src/Server/xxxxxx.App.ALEvent.BE/xxxxxx.App.ALEvent.BE.csproj, /Directory.Build.props","commit-message":"Dependabot Nuget Update: Bump the project-server-dependencies group with 5 updates\n\nBumps Microsoft.AspNetCore.Authentication.JwtBearer from 8.0.16 to 8.0.17\nBumps xxxxxx.Lib.ConfigurationServiceApi from 3.0.48 to 3.0.49\nBumps xxxxxx.Lib.OpcUaServer to 1.0.87, 1.0.88\nBumps xxxxxx.Lib.WebsocketAuth from 2.0.33.537382 to 2.0.35.567169\nBumps System.IdentityModel.Tokens.Jwt from 8.11.0 to 8.12.1","dependency-group":{"name":"project-server-dependencies"}},"type":"create_pull_request"}
{"data":{"base-commit-sha":"c9d707c02032e26dc7914703d6eb2df504ac2096"},"type":"mark_as_processed"}
Processing job outputs from '/tmp/dependabot-jobs/update-0-nuget-all/scenario.yaml'
Processing 'update_dependency_list'
Processing 'create_pull_request'
Creating pull request 'Dependabot Nuget Update: Bump the project-server-dependencies group with 5 updates'...
 - Pushing 2 file change(s) to branch 'dependabot/nuget/main/BackEnd/src/project-server-dependencies-f4d1142d68'...
##[error]Failed to create pull request: TypeError [ERR_UNKNOWN_ENCODING]: Unknown encoding: sha256
TypeError [ERR_UNKNOWN_ENCODING]: Unknown encoding: sha256
    at fromString (node:buffer:482:13)
    at Function.from (node:buffer:295:12)
    at /home/vsts/work/_tasks/dependabot_d98b873d-cf18-41eb-8ff5-234f14697896/2.54.0/dist/task-v2.js:112774:37
    at Array.map (<anonymous>)
    at _AzureDevOpsWebApiClient.createPullRequest (/home/vsts/work/_tasks/dependabot_d98b873d-cf18-41eb-8ff5-234f14697896/2.54.0/dist/task-v2.js:112767:35)
    at async _DependabotOutputProcessor.process (/home/vsts/work/_tasks/dependabot_d98b873d-cf18-41eb-8ff5-234f14697896/2.54.0/dist/task-v2.js:113457:34)
    at async DependabotCli.update (/home/vsts/work/_tasks/dependabot_d98b873d-cf18-41eb-8ff5-234f14697896/2.54.0/dist/task-v2.js:113839:49)
    at async performDependabotUpdatesAsync (/home/vsts/work/_tasks/dependabot_d98b873d-cf18-41eb-8ff5-234f14697896/2.54.0/dist/task-v2.js:114256:25)
    at async run (/home/vsts/work/_tasks/dependabot_d98b873d-cf18-41eb-8ff5-234f14697896/2.54.0/dist/task-v2.js:114121:9) {
  code: 'ERR_UNKNOWN_ENCODING'
}
Processing 'mark_as_processed'
##[warning]Partial success; some update tasks completed with issues. Check the logs for more information

Extension Host

Azure Devops

Extension Version

2.54.0.0

Server Region

West Europe

Server Version

No response

Additional context

This issue appears to recur every few weeks, particularly with NuGet support in Dependabot. While this is not a complaint, it's an observation that frequent breaking changes can impact the automated updates.

If there's a recommended way to lock or revert to a previously stable version when issues arise with the latest release, I would greatly appreciate any guidance from the community or maintainers.

Thank you in advance for your support!

[poyyaren]

Any news on when this issue will be resolved and deployed? Would be greatly appreciated.

[maarten-kieft]

We are having the exact same error. We have version 2.55.0.0. We have not commented out the experiments section (we haven't even defined it, so we use the default experiments). The problem is for us: Some repos are having this issue; others don't. Although more and more repos are facing this issue now.

Edit:
We just found the cause: Turned out that the encoding of some of our csproj files (we are using .net) was incorrect. Some used utf-8-bom instead of utf-8

[james-asebp]

@maarten-kieft what was your solution?
My understanding is that tools like Visual Studio on Windows will default files to UTF-8-BOM encoding.

[maarten-kieft]

@james-asebp we opened the csproj files in a text editor like vs code or notepadd++, changed the encoding back to utf8 and saved the file. Not sure if Visual studio tries to reset it back, for now we haven't noticed it yet, but also not sure why it happened in the first place.

[james-asebp]

@mburumaxwell @rhyskoedijk
Is this something that can be fixed in this repo? Or should I go bug @brettfo over in the dependabot-core repo?

I have 35+ repositories that we have been using dependabot with and it appears to be default behaviour for Visual Studio on Windows to create new csproj files with UTF-8-BOM encoding so I feel that I would have to go touch all of the repos just to strip the BOM off the .csproj files just to make the dependency updates work again. I don't really feel that we should have to make this change where previously this wasn't an issue, and according to this issue #12077 there should have been a fix in place already.

[brettfo]

This behavior is coming from the cli, oddly enough from line 256. The comment indicates that this should be test-only behavior so I'll see how to best mirror that behavior.

[brettfo]

I've created dependabot/cli#486 to fix this. I'll work on getting it merged and released.

[rhyskoedijk]

@mburumaxwell based on this dependabot/cli#486 (comment), looks like we'd need to switch to reading CLI output from directly from stdout instead of the scenario file, like was suggested by @BobSilent in #1839. Alternatively, we need to implement an API server to receive the data directly, which I think is what you suggested by basically replacing the CLI behavior with internal tooling.

TL;DR; for the people watching this, unfortunately, I don't think this is going to be fixed quickly.

[mburumaxwell]

Thanks @brettfo and @rhyskoedijk . It seems this is a fairly recent change.
Since the change was added in v1.67.0, the workaround would be to pin the cli version to 1.66.0 until, either I or a community contribution adds support for an API server.

[BobSilent]

@mburumaxwell @rhyskoedijk

the workaround would be to pin the cli version to 1.66.0 until, either I or a community contribution adds support for an API server.

That's not the whole/only truth. 😉
A workaround would also be to merge PR #1839. Accept that this PR is an intermediate solution, which is better than current implementation🫣, but maybe not as good as a future final contribution which will add support for an API server.
I mean hey, it is just for the time being and it will stop at least new issues with the topic ERR_UNKNOWN_ENCODING: sha256

[vishnuprakash9845]

@mburumaxwell @rhyskoedijk

the workaround would be to pin the cli version to 1.66.0 until, either I or a community contribution adds support for an API server.

That's not the whole/only truth. 😉 A workaround would also be to merge PR #1839. Accept that this PR is an intermediate solution, which is better than current implementation🫣, but maybe not as good as a future final contribution which will add support for an API server. I mean hey, it is just for the time being and it will stop at least new issues with the topic ERR_UNKNOWN_ENCODING: sha256

@mburumaxwell @brettfo @rhyskoedijk

Hi, I understand it's been a while and you're likely busy. The current work has been on hold due to this issue. I tried a workaround by setting the project encoding to UTF-8, but unfortunately, it didn’t resolve the problem. From what I can see, PR #1839 seems to contain a potential fix. I kindly request that this PR be completed, as it would help restore proper functionality to the Dependabot tool and prevent further issues related to ERR_UNKNOWN_ENCODING: sha256. Thank you for your efforts and support!

[johannbrink]

I agree with Vishu. Our pipelines have been broken for a couple of months now.

[CSharpFiasco]

Would also appreciate a fix to this