Skip to content

Bump the dotnet group with 20 updates#240

Open
dependabot[bot] wants to merge 2 commits into
mainfrom
dependabot/nuget/dot-config/dotnet-2deaa23698
Open

Bump the dotnet group with 20 updates#240
dependabot[bot] wants to merge 2 commits into
mainfrom
dependabot/nuget/dot-config/dotnet-2deaa23698

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 1, 2026

Copy link
Copy Markdown
Contributor

Bumps the dotnet dependency group with 20 updates.

Note

Modified from the original Dependabot update after supply chain review:

  • Removed the AWS major-version bumps (AWSSDK.Core 3.7.201.7 to 4.0.9.5, Amazon.Extensions.Configuration.SystemsManager 5.1.0 to 7.1.0). These are breaking changes and will be handled in a separate PR.
  • Dropped a spurious Microsoft.EntityFrameworkCore.InMemory reference that Dependabot added to web/Viper.csproj (unused in the web project; the test project keeps its existing reference).
  • Added a direct SQLitePCLRaw.bundle_e_sqlite3 3.0.3 pin in the test project to clear GHSA-2m69-gcr7-jv3q / CVE-2025-6965 (high severity; no patched 2.x version exists and EF Sqlite still pulls the vulnerable 2.1.11 transitively).

Updates

Package From To
dotnet-ef 10.0.7 10.0.9
JetBrains.Annotations 2025.2.4 2026.2.0
jetbrains.resharper.globaltools 2026.1.1 2026.1.3
Microsoft.AspNetCore.Diagnostics.EntityFrameworkCore 10.0.8 10.0.9
Microsoft.AspNetCore.JsonPatch 10.0.8 10.0.9
Microsoft.Data.Sqlite.Core 10.0.8 10.0.9
Microsoft.EntityFrameworkCore.Design 10.0.8 10.0.9
Microsoft.EntityFrameworkCore.InMemory 10.0.8 10.0.9
Microsoft.EntityFrameworkCore.Sqlite 10.0.8 10.0.9
Microsoft.EntityFrameworkCore.Sqlite.Core 10.0.8 10.0.9
Microsoft.EntityFrameworkCore.SqlServer 10.0.8 10.0.9
Microsoft.EntityFrameworkCore.Tools 10.0.8 10.0.9
Microsoft.Extensions.Diagnostics.HealthChecks.EntityFrameworkCore 10.0.8 10.0.9
Microsoft.Extensions.Http.Polly 10.0.8 10.0.9
Microsoft.Extensions.Logging 10.0.8 10.0.9
Microsoft.NET.Test.Sdk 18.6.0 18.7.0
microsoft.web.librarymanager.cli 3.0.71 3.0.114
QuestPDF 2026.5.0 2026.6.0
System.DirectoryServices 10.0.8 10.0.9
System.DirectoryServices.AccountManagement 10.0.8 10.0.9
SQLitePCLRaw.bundle_e_sqlite3 (new, test project only) 2.1.11 (transitive) 3.0.3

The .NET 10.0.9 packages are the June 2026 Patch Tuesday servicing release. They fix CVE-2026-45591 (ASP.NET Core DoS, High), CVE-2026-45491 (tar extraction path traversal, Medium), and CVE-2026-45490 (SDK elevation of privilege, Windows).

Deployment instructions

  • This PR bumps the .NET runtime packages from 10.0.8 to 10.0.9, but the matching SDK is not yet installed on our machines. Before building/deploying this branch, install the .NET SDK 10.0.301 (or 10.0.109 for the VS-aligned band). global.json (10.0.300, rollForward latestFeature) will pick it up automatically.
  • Install the .NET 10.0.9 Hosting Bundle on TEST and PROD before deploying. The servers only receive the runtime security fixes once the hosting bundle is updated.

@dependabot dependabot Bot added .NET Pull requests that update .net code dependencies Pull requests that update a dependency file labels Jul 1, 2026
@rlorenzo rlorenzo force-pushed the dependabot/nuget/dot-config/dotnet-2deaa23698 branch from 549278b to 7833b88 Compare July 3, 2026 00:13
@codecov-commenter

Copy link
Copy Markdown

Bundle Report

Bundle size has no change ✅

@codecov-commenter

codecov-commenter commented Jul 3, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 44.67%. Comparing base (713e472) to head (b80f5cf).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main     #240      +/-   ##
==========================================
+ Coverage   44.65%   44.67%   +0.02%     
==========================================
  Files         897      897              
  Lines       51890    51894       +4     
  Branches     4868     4869       +1     
==========================================
+ Hits        23169    23184      +15     
+ Misses      28141    28130      -11     
  Partials      580      580              
Flag Coverage Δ
backend 44.73% <ø> (+0.02%) ⬆️
frontend 43.41% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

Bumps dotnet-ef from 10.0.7 to 10.0.9
Bumps JetBrains.Annotations from 2025.2.4 to 2026.2.0
Bumps jetbrains.resharper.globaltools from 2026.1.1 to 2026.1.3
Bumps Microsoft.AspNetCore.Diagnostics.EntityFrameworkCore from 10.0.8 to 10.0.9
Bumps Microsoft.AspNetCore.JsonPatch from 10.0.8 to 10.0.9
Bumps Microsoft.Data.Sqlite.Core from 10.0.8 to 10.0.9
Bumps Microsoft.EntityFrameworkCore.Design from 10.0.8 to 10.0.9
Bumps Microsoft.EntityFrameworkCore.InMemory from 10.0.8 to 10.0.9
Bumps Microsoft.EntityFrameworkCore.Sqlite from 10.0.8 to 10.0.9
Bumps Microsoft.EntityFrameworkCore.Sqlite.Core from 10.0.8 to 10.0.9
Bumps Microsoft.EntityFrameworkCore.SqlServer from 10.0.8 to 10.0.9
Bumps Microsoft.EntityFrameworkCore.Tools from 10.0.8 to 10.0.9
Bumps Microsoft.Extensions.Diagnostics.HealthChecks.EntityFrameworkCore from 10.0.8 to 10.0.9
Bumps Microsoft.Extensions.Http.Polly from 10.0.8 to 10.0.9
Bumps Microsoft.Extensions.Logging from 10.0.8 to 10.0.9
Bumps Microsoft.NET.Test.Sdk from 18.6.0 to 18.7.0
Bumps microsoft.web.librarymanager.cli from 3.0.71 to 3.0.114
Bumps QuestPDF from 2026.5.0 to 2026.6.0
Bumps System.DirectoryServices from 10.0.8 to 10.0.9
Bumps System.DirectoryServices.AccountManagement from 10.0.8 to 10.0.9

AWS package bumps (AWSSDK.Core, Amazon.Extensions.Configuration.
SystemsManager) removed from this update; they are semver-major and
will be handled in a separate PR. Spurious
Microsoft.EntityFrameworkCore.InMemory reference added by Dependabot
to web/Viper.csproj dropped (unused in the web project; the test
project keeps it).

---
updated-dependencies:
- dependency-name: dotnet-ef
  dependency-version: 10.0.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dotnet
- dependency-name: JetBrains.Annotations
  dependency-version: 2026.2.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: dotnet
- dependency-name: jetbrains.resharper.globaltools
  dependency-version: 2026.1.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dotnet
- dependency-name: Microsoft.AspNetCore.Diagnostics.EntityFrameworkCore
  dependency-version: 10.0.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dotnet
- dependency-name: Microsoft.AspNetCore.JsonPatch
  dependency-version: 10.0.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dotnet
- dependency-name: Microsoft.Data.Sqlite.Core
  dependency-version: 10.0.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dotnet
- dependency-name: Microsoft.EntityFrameworkCore.Design
  dependency-version: 10.0.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dotnet
- dependency-name: Microsoft.EntityFrameworkCore.InMemory
  dependency-version: 10.0.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dotnet
- dependency-name: Microsoft.Extensions.Logging
  dependency-version: 10.0.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dotnet
- dependency-name: Microsoft.EntityFrameworkCore.Sqlite
  dependency-version: 10.0.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dotnet
- dependency-name: Microsoft.EntityFrameworkCore.Sqlite.Core
  dependency-version: 10.0.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dotnet
- dependency-name: Microsoft.EntityFrameworkCore.SqlServer
  dependency-version: 10.0.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dotnet
- dependency-name: Microsoft.EntityFrameworkCore.Tools
  dependency-version: 10.0.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dotnet
- dependency-name: Microsoft.Extensions.Diagnostics.HealthChecks.EntityFrameworkCore
  dependency-version: 10.0.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dotnet
- dependency-name: Microsoft.Extensions.Http.Polly
  dependency-version: 10.0.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dotnet
- dependency-name: Microsoft.NET.Test.Sdk
  dependency-version: 18.7.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dotnet
- dependency-name: microsoft.web.librarymanager.cli
  dependency-version: 3.0.114
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dotnet
- dependency-name: QuestPDF
  dependency-version: 2026.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dotnet
- dependency-name: System.DirectoryServices
  dependency-version: 10.0.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dotnet
- dependency-name: System.DirectoryServices.AccountManagement
  dependency-version: 10.0.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dotnet
...

Signed-off-by: dependabot[bot] <support@github.com>
@rlorenzo rlorenzo changed the title Bump the dotnet group with 22 updates Bump the dotnet group with 20 updates Jul 3, 2026
GHSA-2m69-gcr7-jv3q flags SQLitePCLRaw.lib.e_sqlite3 2.1.11, pulled in
transitively by EF Sqlite in the test project with no patched version
in the 2.x line. Bundle 3.0.3 replaces it with SourceGear.sqlite3
3.50.4.5. Remove the pin when EF references a patched bundle.
@rlorenzo rlorenzo force-pushed the dependabot/nuget/dot-config/dotnet-2deaa23698 branch from 7833b88 to b80f5cf Compare July 3, 2026 02:31
@rlorenzo

rlorenzo commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

@bsedwards Before this can get onto TEST/PROD, the .NET 10.0.9 SDK needs to be installed on those machines.

@rlorenzo rlorenzo requested a review from bsedwards July 3, 2026 02:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file .NET Pull requests that update .net code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Microsoft Security Advisory CVE-2026-45591 | ASP.NET Core Denial of Service Vulnerability

2 participants