chore(deps): rely on central Pkcs pin, drop redundant VersionOverride (#1328)#1334
Conversation
…#1328) Remove VersionOverride attributes that duplicate the exact central pin in Directory.Packages.props (dependabot mechanical edits from #1288 and c638e16). Resolved versions are unchanged; the references now follow the central pin so future security bumps to Directory.Packages.props cannot silently strand these projects on old versions. - PPDS.Auth: System.Security.Cryptography.Pkcs (central 10.0.9) - PPDS.Migration: Microsoft.Data.SqlClient (central 6.1.4) The differing Microsoft.Extensions.Logging VersionOverride=10.0.5 in PPDS.Auth is left in place; tracked separately in #1330. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
📝 WalkthroughWalkthroughTwo project files remove explicit package version overrides so ChangesCentral package version cleanup
Estimated code review effort: 1 (Trivial) | ~2 minutes Possibly related issues
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Comment |
There was a problem hiding this comment.
Code Review
This pull request removes the VersionOverride attribute from the System.Security.Cryptography.Pkcs package reference in PPDS.Auth.csproj and the Microsoft.Data.SqlClient package reference in PPDS.Migration.csproj. There are no review comments, and I have no feedback to provide.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
|
@coderabbitai review |
✅ Action performedReview finished.
|
Closes #1328
What
Removes two
VersionOverrideattributes that duplicated the exact central pin inDirectory.Packages.props(this repo uses Central Package Management). ThePackageReferenceitems are kept; only the local version override is dropped, so both projects now follow the central pin.src/PPDS.Auth/PPDS.Auth.csproj:System.Security.Cryptography.Pkcs— override10.0.9== central10.0.9src/PPDS.Migration/PPDS.Migration.csproj:Microsoft.Data.SqlClient— override6.1.4== central6.1.4Why (drift trap)
Both overrides were mechanical dependabot edits (Pkcs: #1288 /
1c42ea1c6; SqlClient:c638e1630) that bumped the centralPackageVersionand injected a same-versionVersionOverridereference in the same commit. Redundant today, but they silently defeat central management: a future security bump that edits onlyDirectory.Packages.props— exactly how dependabot and humans bump CPM repos — would strand the overriding project on the old version with no warning. For Pkcs that means PPDS.Auth, the crypto consumer, silently staying on a superseded patch.Not hypothetical: the third override in the repo has already sprung this trap —
PPDS.Auth.csprojpinsMicrosoft.Extensions.Loggingat10.0.5while central moved to10.0.9. That one differs from central (removing it changes resolved versions), so it is deliberately left untouched here and tracked in #1330.Deliberateness check: no comments, commit rationale, or PR discussion mark either removed override as intentional; sibling projects (
PPDS.Dataverse,PPDS.Cli) already consume the same packages via the central pin with no override, and CodeRabbit's review on #1288 flagged the Pkcs line with this exact suggestion before merge.Provenance
Post-merge weekend review of dependabot #1288.
Evidence: resolved versions unchanged
dotnet list <proj> package(requested/resolved), identical before and after on all TFMs (net8.0 / net9.0 / net10.0):Gates
dotnet build PPDS.sln -v q: 0 errors (warnings are pre-existing xUnit analyzer nits in test projects; no RS/NU diagnostics)dotnet test tests/PPDS.Auth.Tests --filter "Category!=Integration" -v q --no-build: 592 passed, 0 failed, 1 skipped on each of net8.0/net9.0/net10.0dotnet test tests/PPDS.Migration.Tests --filter "Category!=Integration" -v q --no-build: 565 passed, 0 failed on each TFMPublicAPI.Shipped.txt/PublicAPI.Unshipped.txtchanges (version alignment does not alter API surface)🤖 Generated with Claude Code
Summary by CodeRabbit