Skip to content

chore(deps): rely on central Pkcs pin, drop redundant VersionOverride (#1328)#1334

Merged
joshsmithxrm merged 1 commit into
mainfrom
chore/pkcs-central-pin
Jul 12, 2026
Merged

chore(deps): rely on central Pkcs pin, drop redundant VersionOverride (#1328)#1334
joshsmithxrm merged 1 commit into
mainfrom
chore/pkcs-central-pin

Conversation

@joshsmithxrm

@joshsmithxrm joshsmithxrm commented Jul 12, 2026

Copy link
Copy Markdown
Owner

Closes #1328

What

Removes two VersionOverride attributes that duplicated the exact central pin in Directory.Packages.props (this repo uses Central Package Management). The PackageReference items are kept; only the local version override is dropped, so both projects now follow the central pin.

  • src/PPDS.Auth/PPDS.Auth.csproj: System.Security.Cryptography.Pkcs — override 10.0.9 == central 10.0.9
  • src/PPDS.Migration/PPDS.Migration.csproj: Microsoft.Data.SqlClient — override 6.1.4 == central 6.1.4

Why (drift trap)

Both overrides were mechanical dependabot edits (Pkcs: #1288 / 1c42ea1c6; SqlClient: c638e1630) that bumped the central PackageVersion and injected a same-version VersionOverride reference in the same commit. Redundant today, but they silently defeat central management: a future security bump that edits only Directory.Packages.props — exactly how dependabot and humans bump CPM repos — would strand the overriding project on the old version with no warning. For Pkcs that means PPDS.Auth, the crypto consumer, silently staying on a superseded patch.

Not hypothetical: the third override in the repo has already sprung this trap — PPDS.Auth.csproj pins Microsoft.Extensions.Logging at 10.0.5 while central moved to 10.0.9. That one differs from central (removing it changes resolved versions), so it is deliberately left untouched here and tracked in #1330.

Deliberateness check: no comments, commit rationale, or PR discussion mark either removed override as intentional; sibling projects (PPDS.Dataverse, PPDS.Cli) already consume the same packages via the central pin with no override, and CodeRabbit's review on #1288 flagged the Pkcs line with this exact suggestion before merge.

Provenance

Post-merge weekend review of dependabot #1288.

Evidence: resolved versions unchanged

dotnet list <proj> package (requested/resolved), identical before and after on all TFMs (net8.0 / net9.0 / net10.0):

Project Package Before After
PPDS.Auth System.Security.Cryptography.Pkcs 10.0.9 / 10.0.9 10.0.9 / 10.0.9
PPDS.Migration Microsoft.Data.SqlClient 6.1.4 / 6.1.4 6.1.4 / 6.1.4
PPDS.Auth Microsoft.Extensions.Logging (untouched, see #1330) 10.0.5 / 10.0.5 10.0.5 / 10.0.5

Gates

  • dotnet build PPDS.sln -v q: 0 errors (warnings are pre-existing xUnit analyzer nits in test projects; no RS/NU diagnostics)
  • dotnet test tests/PPDS.Auth.Tests --filter "Category!=Integration" -v q --no-build: 592 passed, 0 failed, 1 skipped on each of net8.0/net9.0/net10.0
  • dotnet test tests/PPDS.Migration.Tests --filter "Category!=Integration" -v q --no-build: 565 passed, 0 failed on each TFM
  • Pre-commit hook re-ran the full solution build plus the entire unit-test suite: all green
  • No PublicAPI.Shipped.txt / PublicAPI.Unshipped.txt changes (version alignment does not alter API surface)

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Updated package version management for authentication and migration components.
    • Improved consistency with the project’s centralized versioning configuration.
    • No user-facing feature or behavior changes are included.

…#1328)

Remove VersionOverride attributes that duplicate the exact central pin in
Directory.Packages.props (dependabot mechanical edits from #1288 and
c638e16). Resolved versions are unchanged; the references now follow
the central pin so future security bumps to Directory.Packages.props
cannot silently strand these projects on old versions.

- PPDS.Auth: System.Security.Cryptography.Pkcs (central 10.0.9)
- PPDS.Migration: Microsoft.Data.SqlClient (central 6.1.4)

The differing Microsoft.Extensions.Logging VersionOverride=10.0.5 in
PPDS.Auth is left in place; tracked separately in #1330.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@joshsmithxrm joshsmithxrm added the dependencies Pull requests that update a dependency file label Jul 12, 2026
@coderabbitai

coderabbitai Bot commented Jul 12, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

Two project files remove explicit package version overrides so System.Security.Cryptography.Pkcs and Microsoft.Data.SqlClient use the repository’s central package version management.

Changes

Central package version cleanup

Layer / File(s) Summary
Remove redundant package overrides
src/PPDS.Auth/PPDS.Auth.csproj, src/PPDS.Migration/PPDS.Migration.csproj
The Pkcs and SqlClient package references no longer specify VersionOverride values.

Estimated code review effort: 1 (Trivial) | ~2 minutes

Possibly related issues

  • #1330 — Removes stale VersionOverride attributes from a package reference in PPDS.Auth.csproj to use centrally managed versions.
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Linked Issues check ✅ Passed The PR matches #1328 by removing both duplicate overrides, preserving resolved versions, and reporting successful build and tests with no API changes.
Out of Scope Changes check ✅ Passed The diff is limited to the two requested csproj dependency edits and does not introduce unrelated code changes.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Title check ✅ Passed The title clearly reflects the main change: removing redundant VersionOverride values to rely on central package pins.
Description check ✅ Passed The description covers summary, rationale, testing, and impact, though it doesn't use the template's exact section headings.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch chore/pkcs-central-pin

Comment @coderabbitai help to get the list of available commands.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request removes the VersionOverride attribute from the System.Security.Cryptography.Pkcs package reference in PPDS.Auth.csproj and the Microsoft.Data.SqlClient package reference in PPDS.Migration.csproj. There are no review comments, and I have no feedback to provide.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

@joshsmithxrm

Copy link
Copy Markdown
Owner Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jul 12, 2026

Copy link
Copy Markdown
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@joshsmithxrm joshsmithxrm marked this pull request as ready for review July 12, 2026 21:46
@joshsmithxrm joshsmithxrm merged commit 2094ca3 into main Jul 12, 2026
30 checks passed
@joshsmithxrm joshsmithxrm deleted the chore/pkcs-central-pin branch July 12, 2026 21:46
@github-project-automation github-project-automation Bot moved this from Todo to Done in PPDS Roadmap Jul 12, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file

Projects

Status: Done

Development

Successfully merging this pull request may close these issues.

CPM hygiene: dependabot-injected VersionOverride duplicates central pin (Pkcs, SqlClient) - silent drift trap

1 participant