Feature/license cleanup version bump#169
Merged
Merged
Conversation
Two dependencies recently transitioned away from permissive licensing; this pins both to the last release that ships under Apache-2.0 so RCommon (Apache-2.0) can continue to redistribute them without forcing downstream consumers onto RPL-1.5 / commercial terms. - MediatR: 14.0.0 -> [12.5.0,13.0.0). v13.0 (Jul 2025) moved to dual-license RPL-1.5 / Lucky Penny Commercial. v12.5.0 is the last Apache-2.0 release. The MediatR API surface we use (IRequest, INotification, IPipelineBehavior, IMediator, AddMediatR, MediatRServiceConfiguration, RegisterServicesFromAssemblies) is stable from v11 onwards, so no source changes are required. - MassTransit / MassTransit.EntityFrameworkCore: 8.5.8 -> 8.5.9. v9.x (Massient) is commercial; 8.x stays Apache-2.0 with support through end-of-2026. The comment on the package references documents the ceiling. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Refreshes the .NET 10 target dependency set to current stable patch releases. Source code requires no changes — the API surface used by RCommon is unchanged across all bumps. Library deps (.NET 10 conditional groups + non-conditional refs): - Microsoft.Extensions.* 10.0.2 -> 10.0.8 - Microsoft.Extensions.Caching.Memory 10.0.0/10.0.2 -> 10.0.8 - Microsoft.EntityFrameworkCore.* 10.0.2 -> 10.0.8 - Microsoft.Data.Sqlite 10.0.0 -> 10.0.8 - Swashbuckle.AspNetCore.SwaggerGen 10.1.1 -> 10.1.7 - Finbuckle.MultiTenant 10.0.3 -> 10.0.8 - Azure.Storage.Blobs 12.24.0 -> 12.28.0 - Dapper / Dommel 2.1.66 / 3.5.1 -> 2.1.79 / 3.5.2 - WolverineFx / WolverineFx.EFCore 5.13.0 -> 5.39.1 - linq2db.Extensions / linq2db.SQLite 6.1.0 -> 6.3.0 Test infrastructure (Tests/Directory.Build.props + per-project test refs): - xunit.runner.visualstudio 3.0.2 -> 3.1.5 - Microsoft.NET.Test.Sdk 18.0.1 -> 18.5.1 - coverlet.collector / coverlet.msbuild 6.0.4 -> 10.0.0 - MinVer 5.0.0/6.0.0 -> 7.0.0 Assertion library migration: - FluentAssertions 8.2.0 -> AwesomeAssertions 9.4.0. FluentAssertions 8.x switched to the Xceed commercial license. AwesomeAssertions is the Apache-2.0 community fork of FluentAssertions 7.x and preserves the FluentAssertions namespace, so no `using` changes are needed. Out of scope (deferred): - AWSSDK.S3 3.7 -> 4.0 (major break, IAsyncDisposable changes) - xunit v2 -> v3 (separate package id, requires test refactor) - .NET 8 / .NET 9 conditional itemgroups (will patch-bump in a follow-up) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…amespace compat Patches LTS-stream conditional ItemGroups left untouched in the previous .NET 10 pass, and fixes two regressions that the previous test run masked by reusing stale binaries (it used --no-build --no-restore against pre-rebuild dlls). .NET 8.0.x bumps (EF Core line was 11 patches behind): - Microsoft.EntityFrameworkCore 8.0.16 -> 8.0.27 - Microsoft.EntityFrameworkCore.Relational 8.0.16 -> 8.0.27 - Microsoft.Extensions.Caching.StackExchangeRedis 8.0.16 -> 8.0.27 .NET 9.0.x bumps (uniform 6-patch jump across the runtime stack): - Microsoft.Extensions.DependencyInjection / Hosting / Options / Configuration.Binder / Caching.Memory / Caching.StackExchangeRedis / Hosting.Abstractions 9.0.10 -> 9.0.16 - Microsoft.EntityFrameworkCore[.Relational] 9.0.10 -> 9.0.16 Cross-line: - Finbuckle.MultiTenant (net8/net9 groups) 9.1.0 -> 9.1.4 Regression fixes: - AwesomeAssertions 9.4.0 -> 7.2.1. The 8.x/9.x lines rename the namespace to `AwesomeAssertions` (ships AwesomeAssertions.dll). The 7.x line is the true drop-in: ships FluentAssertions.dll, preserves the FluentAssertions namespace, matches the migration version their own README recommends. No `using` changes needed across the test suite. - AzureBlobStorageService.ListBlobsAsync: Azure.Storage.Blobs 12.28.0 made the `states` parameter on BlobContainerClient.GetBlobsAsync required. Passing BlobStates.None preserves the previous behavior (no state filtering). Verified with a clean rebuild + full test run (not --no-build): 34 projects, ~3,100 tests passing, 10 skipped (Integration), 0 failures. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…ions 8.x The .NET 10 / .NET 8/9 patch bumps in the Src library caused NU1605 package downgrade errors in Examples projects that still pinned explicit references at 10.0.2 (or 18.0.1 for the test SDK). Bumps applied to align with the library: Microsoft.Extensions.* and EF Core SqlServer: 10.0.2 -> 10.0.8 across: - Examples.Messaging.MassTransit / Wolverine / SubscriptionIsolation - HR.LeaveManagement.API / Identity / MVC / Persistence - HR.LeaveManagement.Application.UnitTests Microsoft.AspNetCore.* (Identity, Authentication, Mvc.NewtonsoftJson): 10.0.2 -> 10.0.8 in HR.LeaveManagement.Identity / MVC. Swashbuckle.AspNetCore: 10.1.1 -> 10.1.7 in HR.LeaveManagement.API. Test infra (HR.LeaveManagement.Application.UnitTests): - Microsoft.NET.Test.Sdk 18.0.1 -> 18.5.1 - coverlet.collector 6.0.4 -> 10.0.0 - FluentAssertions 8.8.0 -> AwesomeAssertions 7.2.1 (license: 8.x is Xceed commercial; 7.x line preserves the FluentAssertions namespace so no `using` changes required) Not bumped (no 10.0.x existed at the target patch): - Microsoft.VisualStudio.Web.CodeGeneration.Design stays at 10.0.2 (latest stable on the 10.x line). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Adds explicit PackageReferences to force non-deprecated/non-vulnerable versions
into the transitive graph. NuGet's package-resolution rules ("nearest wins")
let us override stale transitives without touching the upstream packages.
Library (Src):
- System.IO.Pipelines 8.0.0 (net8.0 only) in RCommon.RedisCache. Forced
because StackExchange.Redis 8.x transitively pins 5.0.1 which NuGet marks
Legacy/Other. Also clears the same flag in RCommon.Persistence.Caching.RedisCache
via project-reference closure.
Tests:
- Azure.Identity 1.21.0 + Microsoft.Identity.Client 4.84.0 in
RCommon.TestBase.Data. SqlServer transitively pulls 1.14.2 / 4.73.1 which
NuGet marks deprecated (CriticalBugs on Microsoft.Identity.Client). Closes
the flag in any project that consumes RCommon.TestBase.Data.
Examples:
- HR.LeaveManagement.Persistence + Identity: Azure.Identity 1.21.0 +
Microsoft.Identity.Client 4.84.0 (same SqlServer transitive). API project
picks them up via ProjectReference closure.
- HR.LeaveManagement.MVC: NuGet.Packaging + NuGet.Protocol 6.14.3. Fixes
GHSA-g4vj-cjjj-v7hg (Low severity) in 6.12.1 pulled transitively by
Microsoft.VisualStudio.Web.CodeGeneration.Design.
Post-scan state:
- `dotnet list package --vulnerable --include-transitive`: 0 hits on both
Src/RCommon.sln and Examples/Examples.sln.
- `dotnet list package --deprecated --include-transitive`: remaining
entries are all xunit 2.x (Legacy -> xunit.v3), tracked as a separate
future migration.
Note: RCommon.Security.Tests.ClaimTypesConstTests has a pre-existing flake
where shared static state in ClaimTypesConst leaks between tests depending
on xunit run order. Documented in the bootstrapper PR's deferred-items
list; will be addressed on a follow-up branch.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Revised dependencies that are not under permissive licensing. Bumped other dependencies. Updated/removed vulnerable packages.