Skip to content

[deps] Tools: Pin dependencies #6204

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
renovate wants to merge 2 commits into
base: main
Choose a base branch
from
Open

[deps] Tools: Pin dependencies #6204

renovate wants to merge 2 commits into from
+108 −104

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Aug 18, 2025
edited
Loading

This PR contains the following updates:

Package Type Update Change
AWSSDK.SQS nuget pin 4.0.2.5 -> [4.0.2.5]
AWSSDK.SimpleEmail nuget pin 4.0.2.5 -> [4.0.2.5]
AngleSharp (source) nuget pin 1.2.0 -> [1.2.0]
AspNetCore.HealthChecks.SqlServer nuget pin 8.0.2 -> [8.0.2]
AspNetCore.HealthChecks.Uris nuget pin 8.0.1 -> [8.0.1]
AspNetCoreRateLimit nuget pin 5.0.0 -> [5.0.0]
AspNetCoreRateLimit.Redis nuget pin 2.0.0 -> [2.0.0]
AutoMapper.Extensions.Microsoft.DependencyInjection (source) nuget pin 12.0.1 -> [12.0.1]
Azure.Data.Tables (source) nuget pin 12.11.0 -> [12.11.0]
Azure.Extensions.AspNetCore.DataProtection.Blobs (source) nuget pin 1.3.4 -> [1.3.4]
Azure.Messaging.EventGrid (source) nuget pin 5.0.0 -> [5.0.0]
Azure.Messaging.ServiceBus (source) nuget pin 7.20.1 -> [7.20.1]
Azure.Storage.Blobs (source) nuget pin 12.26.0 -> [12.26.0]
Azure.Storage.Queues (source) nuget pin 12.24.0 -> [12.24.0]
BenchmarkDotNet nuget pin 0.15.3 -> [0.15.3]
BitPay.Light (source) nuget pin 1.0.1907 -> [1.0.1907]
Braintree nuget pin 5.36.0 -> [5.36.0]
CommandDotNet nuget pin 7.0.5 -> [7.0.5]
CsvHelper (source) nuget pin 33.1.0 -> [33.1.0]
Dapper nuget pin 2.1.66 -> [2.1.66]
DnsClient (source) nuget pin 1.8.0 -> [1.8.0]
Duende.IdentityServer (source) nuget pin 7.2.4 -> [7.2.4]
DuoUniversal nuget pin 1.3.1 -> [1.3.1]
Fido2.AspNet nuget pin 3.0.1 -> [3.0.1]
Handlebars.Net (source) nuget pin 2.1.6 -> [2.1.6]
Kralizek.AutoFixture.Extensions.MockHttp nuget pin 2.1.0 -> [2.1.0]
LaunchDarkly.ServerSdk nuget pin 8.10.4 -> [8.10.4]
MailKit (source) nuget pin 4.14.0 -> [4.14.0]
MarkDig nuget pin 0.44.0 -> [0.44.0]
MartinCostello.Logging.XUnit nuget pin 0.7.0 -> [0.7.0]
MessagePack nuget pin 2.5.192 -> [2.5.192]
Microsoft.AspNetCore.Authentication.JwtBearer (source) nuget pin 8.0.10 -> [8.0.10]
Microsoft.AspNetCore.DataProtection (source) nuget pin 8.0.10 -> [8.0.10]
Microsoft.AspNetCore.Http (source) nuget pin 2.2.2 -> [2.2.2]
Microsoft.AspNetCore.Mvc.Testing (source) nuget pin 8.0.10 -> [8.0.10]
Microsoft.AspNetCore.SignalR.Protocols.MessagePack (source) nuget pin 8.0.8 -> [8.0.8]
Microsoft.AspNetCore.SignalR.StackExchangeRedis (source) nuget pin 8.0.8 -> [8.0.8]
Microsoft.Azure.Cosmos nuget pin 3.52.0 -> [3.52.0]
Microsoft.Azure.NotificationHubs nuget pin 4.2.0 -> [4.2.0]
Microsoft.Bot.Builder nuget pin 4.23.0 -> [4.23.0]
Microsoft.Bot.Builder.Integration.AspNet.Core nuget pin 4.23.0 -> [4.23.0]
Microsoft.Bot.Connector nuget pin 4.23.0 -> [4.23.0]
Microsoft.Data.SqlClient (source) nuget pin 5.2.2 -> [5.2.2]
Microsoft.Extensions.Caching.Cosmos nuget pin 1.7.0 -> [1.7.0]
Microsoft.Extensions.Caching.Memory (source) nuget pin 8.0.1 -> [8.0.1]
Microsoft.Extensions.Caching.SqlServer (source) nuget pin 8.0.10 -> [8.0.10]
Microsoft.Extensions.Caching.StackExchangeRedis (source) nuget pin 8.0.10 -> [8.0.10]
Microsoft.Extensions.Configuration (source) nuget pin 8.0.0 -> [8.0.0]
Microsoft.Extensions.Configuration.EnvironmentVariables (source) nuget pin 8.0.0 -> [8.0.0]
Microsoft.Extensions.Configuration.UserSecrets (source) nuget pin 8.0.0 -> [8.0.0]
Microsoft.Extensions.DependencyInjection (source) nuget pin 8.0.1 -> [8.0.1]
Microsoft.Extensions.DependencyInjection.Abstractions (source) nuget pin 8.0.2 -> [8.0.2]
Microsoft.Extensions.Diagnostics.Testing (source) nuget pin 9.3.0 -> [9.3.0]
Microsoft.Extensions.Identity.Stores (source) nuget pin 8.0.10 -> [8.0.10]
Microsoft.Extensions.Logging (source) nuget pin 8.0.1 -> [8.0.1]
Microsoft.Extensions.Logging.Console (source) nuget pin 8.0.1 -> [8.0.1]
Microsoft.Extensions.TimeProvider.Testing (source) nuget pin 8.10.0 -> [8.10.0]
Neovolve.Logging.Xunit nuget pin 6.3.0 -> [6.3.0]
Newtonsoft.Json (source) nuget pin 13.0.3 -> [13.0.3]
OneOf nuget pin 3.0.271 -> [3.0.271]
Otp.NET nuget pin 1.4.0 -> [1.4.0]
Quartz (source) nuget pin 3.15.1 -> [3.15.1]
Quartz.Extensions.DependencyInjection (source) nuget pin 3.15.1 -> [3.15.1]
Quartz.Extensions.Hosting (source) nuget pin 3.15.1 -> [3.15.1]
RabbitMQ.Client (source) nuget pin 7.1.2 -> [7.1.2]
RichardSzalay.MockHttp nuget pin 7.0.0 -> [7.0.0]
Rnwood.SmtpServer (source) nuget pin 3.1.0-ci0868 -> [3.1.0-ci0868]
SendGrid (source) nuget pin 9.29.3 -> [9.29.3]
Serilog.Extensions.Logging.File nuget pin 3.0.0 -> [3.0.0]
Stripe.net nuget pin 48.5.0 -> [48.5.0]
Sustainsys.Saml2.AspNetCore2 nuget pin 2.11.0 -> [2.11.0]
Swashbuckle.AspNetCore nuget pin 9.0.4 -> [9.0.4]
Swashbuckle.AspNetCore.SwaggerGen nuget pin 9.0.4 -> [9.0.4]
System.Text.Json (source) nuget pin 8.0.5 -> [8.0.5]
YamlDotNet (source) nuget pin 11.2.1 -> [11.2.1]
YubicoDotNetClient nuget pin 1.2.0 -> [1.2.0]
ZiggyCreatures.FusionCache nuget pin 2.0.2 -> [2.0.2]
ZiggyCreatures.FusionCache.Backplane.StackExchangeRedis nuget pin 2.0.2 -> [2.0.2]
ZiggyCreatures.FusionCache.Serialization.SystemTextJson nuget pin 2.0.2 -> [2.0.2]
base64 dependencies pin 0.22.1 -> =0.22.1
coverlet.collector nuget pin 6.0.4 -> [6.0.4]
dbup-sqlserver (source) nuget pin 6.0.0 -> [6.0.0]
linq2db (source) nuget pin 5.4.1 -> [5.4.1]
xunit nuget pin 2.9.3 -> [2.9.3]
xunit.runner.visualstudio nuget pin 3.1.4 -> [3.1.4]
xunit.runner.visualstudio nuget pin 3.1.2 -> [3.1.2]
xunit.runner.visualstudio nuget pin 3.1.5 -> [3.1.5]
xunit.v3 nuget pin 3.0.1 -> [3.0.1]

Add the preset :preserveSemverRanges to your config if you don't want to pin your dependencies.

Configuration

📅 Schedule: Branch creation - "every 2nd week starting on the 2 week of the year before 4am on Monday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot requested a review from a team August 18, 2025 02:54
@renovate renovate bot requested review from a team as code owners August 18, 2025 02:54
@bitwarden-bot bitwarden-bot changed the title [deps] Tools: Pin dependencies [PM-24840] [deps] Tools: Pin dependencies Aug 18, 2025
@bitwarden-bot
Copy link

bitwarden-bot commented Aug 18, 2025

Internal tracking:

@renovate renovate bot changed the title [PM-24840] [deps] Tools: Pin dependencies [deps] Tools: Pin dependencies Aug 18, 2025
aj-bw
aj-bw previously approved these changes Aug 18, 2025
View reviewed changes
@renovate renovate bot force-pushed the renovate/pin-dependencies branch 2 times, most recently from dbd9938 to 9ebccff Compare August 18, 2025 15:14
@renovate renovate bot force-pushed the renovate/pin-dependencies branch 11 times, most recently from b83cff3 to a79a884 Compare August 20, 2025 19:13
Patrick-Pimentel-Bitwarden
Patrick-Pimentel-Bitwarden previously approved these changes Aug 21, 2025
View reviewed changes
Copy link
Contributor

@Patrick-Pimentel-Bitwarden Patrick-Pimentel-Bitwarden left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍 Auth changes look good.

@renovate renovate bot force-pushed the renovate/pin-dependencies branch from a79a884 to 59434ce Compare August 21, 2025 14:46
@codecov
Copy link

codecov bot commented Aug 21, 2025
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 58.57%. Comparing base (3486d29) to head (f3e2a91).

Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #6204      +/-   ##
==========================================
+ Coverage   54.73%   58.57%   +3.84%     
==========================================
  Files        1920     1920              
  Lines       85264    85264              
  Branches     7632     7632              
==========================================
+ Hits        46671    49946    +3275     
+ Misses      36820    33473    -3347     
- Partials     1773     1845      +72

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@renovate renovate bot force-pushed the renovate/pin-dependencies branch 17 times, most recently from 0ab29be to 919e1e0 Compare December 23, 2025 16:55
@renovate renovate bot force-pushed the renovate/pin-dependencies branch from 919e1e0 to 5761d2d Compare December 23, 2025 17:16
@renovate
Copy link
Contributor Author

renovate bot commented Dec 23, 2025

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

@github-actions
Copy link
Contributor

github-actions bot commented Dec 23, 2025

Logo
Checkmarx One – Scan Summary & Details028fb9b6-b2a4-4b4b-8250-022251e03704

Great job! No new security vulnerabilities introduced in this pull request

@justindbaur
Copy link
Member

justindbaur commented Dec 23, 2025

I decided to delete some packages that we already get through the ASP.NET Core reference and decided to explicitly reference it. This fixed the Microsoft.Extensions.Configuration.UserSecrets downgrade. The System.Text.Json downgrade is fixed by just removing our manual reference of it. I wanted to make sure that all projects were getting a non-vulnerable version of STJ though. The below command will show that all projects except Billing.Test reference 8.0.5 and Billing.Test references 9.0.0 because one of their dependencies brings it in. Neither version are vulnerable.

dotnet list package --include-transitive --format json \
  | jq '.projects | .[] | { path: .path, version: .frameworks.[0].transitivePackages | .[]? | select(.id=="System.Text.Json") | .resolvedVersion }'

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@aj-bw aj-bw aj-bw approved these changes

@harr1424 harr1424 harr1424 approved these changes

@Patrick-Pimentel-Bitwarden Patrick-Pimentel-Bitwarden Patrick-Pimentel-Bitwarden approved these changes

@amorask-bitwarden amorask-bitwarden Awaiting requested review from amorask-bitwarden

+1 more reviewer

@PJHOMEZ PJHOMEZ PJHOMEZ approved these changes

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

8 participants

@bitwarden-bot @justindbaur @aj-bw @harr1424 @PJHOMEZ @amorask-bitwarden @Patrick-Pimentel-Bitwarden