
Bump the aspnetcore group with 3 updates #35353

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/nuget/eng/aspnetcore-deb168309f


Conversation

dependabot Bot commented on behalf of github May 8, 2026

Updated Microsoft.AspNetCore.Authentication.Facebook from 10.0.0 to 10.0.7.

Release notes

Sourced from Microsoft.AspNetCore.Authentication.Facebook's releases.

No release notes found for this version range.

Commits viewable in compare view.

Updated Microsoft.AspNetCore.Authentication.Google from 10.0.0 to 10.0.7.

Release notes

Sourced from Microsoft.AspNetCore.Authentication.Google's releases.

No release notes found for this version range.

Commits viewable in compare view.

Updated Microsoft.AspNetCore.Authentication.MicrosoftAccount from 10.0.0 to 10.0.7.

Release notes

Sourced from Microsoft.AspNetCore.Authentication.MicrosoftAccount's releases.

No release notes found for this version range.

Commits viewable in compare view.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps Microsoft.AspNetCore.Authentication.Facebook from 10.0.0 to 10.0.7
Bumps Microsoft.AspNetCore.Authentication.Google from 10.0.0 to 10.0.7
Bumps Microsoft.AspNetCore.Authentication.MicrosoftAccount from 10.0.0 to 10.0.7

---
updated-dependencies:
- dependency-name: Microsoft.AspNetCore.Authentication.Facebook
  dependency-version: 10.0.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: aspnetcore
- dependency-name: Microsoft.AspNetCore.Authentication.Google
  dependency-version: 10.0.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: aspnetcore
- dependency-name: Microsoft.AspNetCore.Authentication.MicrosoftAccount
  dependency-version: 10.0.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: aspnetcore
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot added the area-infrastructure, dependencies and nuget labels May 8, 2026

github-actions Bot commented May 8, 2026

🚀 Dogfood this PR with:

⚠️ WARNING: Do not do this without first carefully reviewing the code of this PR to satisfy yourself it is safe.

curl -fsSL https://raw.githubusercontent.com/dotnet/maui/main/eng/scripts/get-maui-pr.sh | bash -s -- 35353

Or

  • Run remotely in PowerShell:
iex "& { $(irm https://raw.githubusercontent.com/dotnet/maui/main/eng/scripts/get-maui-pr.ps1) } 35353"

MauiBot commented May 8, 2026

🤖 AI Summary

👋 @dependabot[bot] — new AI review results are available. Please review the latest session below.

📊 Review Session f4751c0 · Bump the aspnetcore group with 3 updates · 2026-05-08 21:09 UTC
🚦 Gate — Test Before & After Fix

Gate Result: ⚠️ SKIPPED

No tests were detected in this PR.

Recommendation: Add tests to verify the fix using the write-tests-agent.


🧪 UI Tests — Category Detection

No UI test categories needed for this PR (no UI-relevant changes).


🔍 Regression Cross-Reference

🟢 No implementation files modified — skipping regression cross-reference.


🔍 Pre-Flight — Context & Validation

Pre-Flight — PR #35353

Summary

  • Title: Bump the aspnetcore group with 3 updates
  • Author: dependabot[bot]
  • Base: main @ b71adea6e63829f4fc264302f1cad08aa542c794
  • Head: dependabot/nuget/eng/aspnetcore-deb168309f
  • Files changed: 1 (eng/Versions.props, +4/-4)
  • Linked issue: none
  • Labels: area-infrastructure, dependencies, nuget
  • Mergeable state: blocked
  • Gate: ⚠️ SKIPPED — no tests in this PR (config-only change). Test additions are not applicable for a Dependabot dependency bump.

Classification

This is an infrastructure-only PR. No production C#/XAML code is touched, no tests are added/changed, no public API surface is affected. All changes are MSBuild property values in eng/Versions.props.

Diff (full)

@@ -85,9 +85,9 @@
     <MicrosoftWindowsWebView2PackageVersion>1.0.3179.45</MicrosoftWindowsWebView2PackageVersion>
     <!-- Everything else -->
     <MicrosoftAspNetCoreAuthorizationPackageVersion>10.0.0</MicrosoftAspNetCoreAuthorizationPackageVersion>
-    <MicrosoftAspNetCoreAuthenticationFacebookPackageVersion>10.0.0</MicrosoftAspNetCoreAuthenticationFacebookPackageVersion>
-    <MicrosoftAspNetCoreAuthenticationGooglePackageVersion>10.0.0</MicrosoftAspNetCoreAuthenticationGooglePackageVersion>
-    <MicrosoftAspNetCoreAuthenticationMicrosoftAccountPackageVersion>10.0.0</MicrosoftAspNetCoreAuthenticationMicrosoftAccountPackageVersion>
+    <MicrosoftAspNetCoreAuthenticationFacebookPackageVersion>10.0.7</MicrosoftAspNetCoreAuthenticationFacebookPackageVersion>
+    <MicrosoftAspNetCoreAuthenticationGooglePackageVersion>10.0.7</MicrosoftAspNetCoreAuthenticationGooglePackageVersion>
+    <MicrosoftAspNetCoreAuthenticationMicrosoftAccountPackageVersion>10.0.7</MicrosoftAspNetCoreAuthenticationMicrosoftAccountPackageVersion>
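Review bot: MicrosoftAspNetCoreAuthorizationPackageVersion in the context line directly above the changed lines stays at 10.0.0 while the three Authentication properties move to 10.0.7, so the "Everything else" block ends up on mixed patch levels. Confirm the skew is intended or track the sibling Microsoft.AspNetCore properties in a follow-up change, and because the PR body carries no release notes for these three packages, read the compare view before accepting the new versions.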
@@ -98,7 +98,7 @@
     <MicrosoftAspNetCoreMetadataPackageVersion>10.0.0</MicrosoftAspNetCoreMetadataPackageVersion>
     <MicrosoftJSInteropPackageVersion>10.0.0</MicrosoftJSInteropPackageVersion>
     <!-- Everything else (previous edition) -->
-    <MicrosoftAspNetCorePackageVersion>8.0.16</MicrosoftAspNetCorePackageVersion>
+    <MicrosoftAspNetCorePackageVersion>10.0.7</MicrosoftAspNetCorePackageVersion>
     <MicrosoftAspNetCoreAuthorizationPreviousPackageVersion>$(MicrosoftAspNetCorePackageVersion)</MicrosoftAspNetCoreAuthorizationPreviousPackageVersion>
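Review bot: The change to MicrosoftAspNetCorePackageVersion under the "Everything else (previous edition)" comment moves the value from 8.0.16 to 10.0.7, which is a two-major jump and not one of the three Authentication properties this update is about. The trailing context line shows MicrosoftAspNetCoreAuthorizationPreviousPackageVersion taking its value from $(MicrosoftAspNetCorePackageVersion), so the jump propagates to every property that references it. Drop this line from the bump or set it to a version that belongs to the previous edition, and add an XML comment above it stating which framework version the value must track.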

Code review summary

✅ What's correct

  • The 3 *Authentication*PackageVersion bumps from 10.0.0 → 10.0.7 are aligned with the PR title and Dependabot's stated intent. These variables drive <PackageReference> items in eng/NuGetVersions.targets:177-188 for current-TFM (net10.0) builds. Patch-version bumps within 10.0.x are TFM-compatible.

❌ Errors

  • eng/Versions.props:101 — Wrong value for "previous edition" anchor.
    MicrosoftAspNetCorePackageVersion is the anchor that all *PreviousPackageVersion entries (lines 102–114) inherit via $(MicrosoftAspNetCorePackageVersion). Those Previous* entries are gated by Condition="$(TargetFramework.StartsWith('$(_MauiPreviousDotNetTfm)'))" in eng/NuGetVersions.targets:209-252.
    • _MauiPreviousDotNetTfm = net9.0 (resolved via Directory.Build.props:67-71, where _MauiPreviousDotNetVersionMajor=9, _MauiPreviousDotNetVersionMinor=0).
    • Therefore MicrosoftAspNetCorePackageVersion must be a 9.0.x value. Latest patch on NuGet is 9.0.15.
    • The PR sets it to 10.0.7, which means net9.0 consumers will be told to restore AspNetCore 10.0.7 — a TFM mismatch. AspNetCore 10.0.x targets net10.0/net10.0-* and is not compatible with net9.0. This will break BlazorWebView/HybridWebView previous-TFM packaging.
    • The previous value 8.0.16 was also stale (it was a net8.0 value left over from when net8 was the previous TFM), but bumping it to 10.0.7 is strictly worse than leaving 8.0.16 because 10 > 9 (no graceful fallback) whereas 8.0.x packages can install into a 9.0 project. Correct value: 9.0.15.

⚠️ Warnings

  • PR title says "3 updates" but the diff modifies 4 lines. The 4th change (the "previous edition" anchor) is outside the scope advertised in the title and Dependabot release notes. This is a sign Dependabot's grouped update inadvertently swept in an unrelated alias.
  • No CHANGELOG / release notes available ("No release notes found for this version range" — confirms 10.0.7 is a routine servicing release with no functional changes for this consumer).

💡 Suggestions

  • Add a comment near MicrosoftAspNetCorePackageVersion documenting it must track _MauiPreviousDotNetTfm so future Dependabot/manual bumps don't drift.

Failure modes

  • Restore failure on net9 BlazorWebView builds: dotnet restore for projects multi-targeting net9.0-* will attempt Microsoft.AspNetCore.Components.WebView 10.0.7, which requires net10.0. Result: NU1202 "package is not compatible".
  • NuGet audit / pruning false-positives: With RestoreEnablePackagePruning=false (Directory.Build.props:58) and NuGetAuditMode=direct, this slip is unlikely to mask vulnerabilities, but the wrong anchor will surface as restore errors before audit runs.

Blast radius

  • All *PreviousPackageVersion entries (10 properties on lines 103–114) inherit from MicrosoftAspNetCorePackageVersion. Every <PackageReference> in eng/NuGetVersions.targets:209-252 (10 packages × net9.0 builds) is affected.
  • BlazorWebView previous-TFM tests/templates and any HybridWebView previous-TFM consumers are at risk.

Verdict

NEEDS_CHANGES (confidence: high). The 3 Authentication bumps are fine; the 4th line (MicrosoftAspNetCorePackageVersion) must be 9.0.15 (or some 9.0.x), not 10.0.7.

Platform selection

  • Requested: android
  • Test command: N/A — config-only PR, no automated test asserts version pinning. Validation is deferred to CI restore/build.

🔬 Code Review — Deep Analysis

Code review — PR #35353 (deep dive)

Independence-first review: reviewed the diff before reading PR description/title.

Files reviewed

  • eng/Versions.props (only file in PR)

Cross-referenced files

  • eng/NuGetVersions.targets (consumer of every property changed)
  • Directory.Build.props (defines _MauiPreviousDotNetTfm)
  • Directory.Build.targets (uses _MauiPreviousDotNetTfm)

Findings

❌ Error 1 — eng/Versions.props:101: MicrosoftAspNetCorePackageVersion set to wrong major version

Severity: High
Why: This property is the anchor for the previous TFM (net9.0) build edition of every AspNetCore PackageReference. See Directory.Build.props:67-71 (_MauiPreviousDotNetVersionMajor=9) and eng/NuGetVersions.targets:209-252 (every *Previous*PackageVersion consumer is conditioned on TargetFramework.StartsWith('$(_MauiPreviousDotNetTfm)')).

Setting it to 10.0.7 means net9.0 builds will request AspNetCore packages whose only target framework is net10.0, producing NU1202 restore errors.

Recommended fix: <MicrosoftAspNetCorePackageVersion>9.0.15</MicrosoftAspNetCorePackageVersion> (latest 9.0 patch on NuGet as of review).

⚠️ Warning 1 — Title/diff mismatch

PR title is "Bump the aspnetcore group with 3 updates", but the diff bumps 4 properties. The 4th (MicrosoftAspNetCorePackageVersion) is grouped with the 3 stated packages by Dependabot's group config but is semantically a different concern (it gates the previous-TFM build, not the current-TFM build).

💡 Suggestion 1 — Add a guarding comment

Add an XML comment near line 101 reminding maintainers/Dependabot that the value must match the major.minor of _MauiPreviousDotNetTfm. This protects against future grouped Dependabot updates re-introducing the same drift.

Failure-mode probes

  1. net9.0-android BlazorWebView restore → expected to fail with NU1202 for all 10 *Previous* PackageReference entries.
  2. net10.0-android HybridWebView build → unaffected (the 3 Authentication bumps are valid 10.0.x patches).
  3. Live audit (NuGetAuditMode=direct) → no new advisories expected (10.0.7 is a normal servicing release, no release notes; 9.0.15 likewise).

Blast radius

  • Direct consumers via eng/NuGetVersions.targets: 10 <PackageReference> items conditioned on previous TFM (lines 209–252).
  • Affected projects: every project in the workload that multi-targets net9.0-* and references Microsoft.AspNetCore.* or Microsoft.JSInterop — primarily BlazorWebView and HybridWebView samples/host apps and template tests.

Verdict

NEEDS_CHANGES (confidence: high)

  • Required: revert/correct the MicrosoftAspNetCorePackageVersion line to a 9.0.x value (recommended 9.0.15).
  • Optional: add a comment documenting the relationship to _MauiPreviousDotNetTfm.

The 3 Authentication-package bumps are safe and should be retained.


🔧 Fix — Analysis & Comparison

Fix Candidates

| # | Source | Approach | Test Result | Files Changed | Notes |
|---|---|---|---|---|---|
| 1 | try-fix-1 (claude-opus-4.6 / regression patterns) | Bump only the 3 Auth packages 10.0.0→10.0.7; leave previous-TFM anchor alone | ⚠️ SKIPPED (no test) — mechanically safe, no NU1202 introduced | 1 file, 3 lines | Strictly safer than pr but leaves stale 8.0.16 |
| 2 | try-fix-2 (claude-sonnet-4.6 / build-infra) | Bump 3 Auth → 10.0.7 AND fix anchor to 9.0.15 (correct net9 patch) | ⚠️ SKIPPED — mechanically correct; 9.0.15 exists on nuget.org | 1 file, 4 lines | Best functional outcome; same as pr-plus-reviewer minus comment |
| 3 | try-fix-3 (gpt-5.3-codex / api-design cohesion) | Bump ALL 13 AspNetCore-current to 10.0.7 + anchor to 9.0.15 | ⚠️ SKIPPED — all versions exist | 1 file, 14 lines | Out of scope for this PR; should be separate PR |
| 4 | try-fix-4 (gemini-3-pro-preview / supply-chain) | No-op: defer/decline the PR | ⚠️ SKIPPED — empty diff | 0 files | Safest but provides no value |
| pr | PR #35353 (dependabot) | Bump 3 Auth → 10.0.7 AND anchor 8.0.16→10.0.7 | ⚠️ SKIPPED (Gate) — analytically introduces NU1202 for net9 builds | 1 file, 4 lines | Anchor change has wrong major version |
| pr-plus-reviewer | Branch A | PR diff + reviewer fix: anchor to 9.0.15 with explanatory comment | ⚠️ SKIPPED — mechanically correct | 1 file, 5 lines | Best overall; documents the coupling |

Cross-Pollination

| Model | Round | New Ideas? | Details |
|---|---|---|---|
| claude-opus-4.6 | 2 | No | try-fix-2 already covers the corrected anchor; try-fix-1 is the conservative fallback. NO NEW IDEAS. |
| claude-sonnet-4.6 | 2 | No | Considered also auto-deriving the anchor as $(_MauiPreviousDotNetVersion).x but that requires a Choose/When and is out of scope for a Dependabot PR. NO NEW IDEAS. |
| gpt-5.3-codex | 2 | No | try-fix-3 already represents the broadest reasonable bump. NO NEW IDEAS. |
| gemini-3-pro-preview | 2 | No | No-op already represents the most conservative path. NO NEW IDEAS. |

Exhausted: Yes (all four models report "NO NEW IDEAS").

Selected Fix: pr-plus-reviewer — preserves the 3 valid 10.0.7 bumps, corrects the previous-TFM anchor to 9.0.15, and adds a guarding comment documenting the coupling with _MauiPreviousDotNetTfm. Functionally identical to try-fix-2 with the added documentation guard.


📋 Report — Final Recommendation

PR #35353 — Comparative Report

Summary

Dependabot PR bumping 3 AspNetCore Authentication packages from 10.0.0 → 10.0.7. The diff also bumps a 4th line — MicrosoftAspNetCorePackageVersion from 8.0.16 → 10.0.7 — which is the previous-TFM anchor for net9.0-conditioned <PackageReference> items in eng/NuGetVersions.targets:209-252. That 4th change is incorrect: it points net9 builds at packages that only target net10, producing NU1202 restore errors. Correct value is a 9.0.x patch (latest is 9.0.15).

Candidate comparison

| Candidate | Auth bumps correct? | Previous-TFM anchor | Test/Gate | Risk-of-Regression | Verdict |
|---|---|---|---|---|---|
| pr | ✅ 10.0.7 | 10.0.7 (wrong major) | ⚠️ SKIPPED | High — NU1202 for net9.0-* BlazorWebView/HybridWebView consumers | ❌ Reject as-is |
| pr-plus-reviewer | ✅ 10.0.7 | 9.0.15 + doc comment | ⚠️ SKIPPED | Low | Winner |
| try-fix-1 | ✅ 10.0.7 | ⚠️ unchanged at 8.0.16 (stale) | ⚠️ SKIPPED | Low | Acceptable fallback |
| try-fix-2 | ✅ 10.0.7 | 9.0.15 | ⚠️ SKIPPED | Low | Tied with winner; no comment |
| try-fix-3 | ✅ 10.0.7 (also bumps 10 siblings) | 9.0.15 | ⚠️ SKIPPED | Medium — out of scope for this PR | Reject (open separate PR) |
| try-fix-4 | ❌ no bump | ⚠️ unchanged | ⚠️ SKIPPED | None — but no value delivered | Reject (no benefit) |

Per the ranking rule, "Candidates that failed regression tests MUST be ranked lower than candidates that passed them." No candidate has automated regression test coverage in this PR (Gate ⚠️ SKIPPED for all). Ranking therefore relies on mechanical correctness and risk analysis:

  • pr does not "fail" tests but does mechanically introduce a known restore failure for net9 multi-targeted projects (NU1202). It is therefore ranked below pr-plus-reviewer, try-fix-1, and try-fix-2, which do not introduce that failure mode.

Final ranking

  1. pr-plus-reviewer — correct + documented
  2. try-fix-2 — correct, no doc comment
  3. try-fix-1 — safe subset (3 packages only); leaves stale 8.0.16
  4. try-fix-3 — correct but out-of-scope
  5. pr — introduces net9 restore failure
  6. try-fix-4 — no-op

Winner: pr-plus-reviewer

Rationale: Preserves the legitimate Dependabot-driven patch bumps for the 3 Authentication packages, simultaneously corrects the latent bug in the previous-TFM anchor (which the PR worsened), and adds a guarding XML comment so the next Dependabot/manual bump cannot re-introduce the same drift. This is the only candidate that addresses both the surface change and the latent infrastructure bug while staying within the spirit of a Dependabot bump PR.

Recommended PR-author actions

  • Replace <MicrosoftAspNetCorePackageVersion>10.0.7</MicrosoftAspNetCorePackageVersion> with <MicrosoftAspNetCorePackageVersion>9.0.15</MicrosoftAspNetCorePackageVersion>.
  • (Optional but recommended) Add an XML comment near that line documenting that the value must track the major.minor of _MauiPreviousDotNetTfm (Directory.Build.props:67-71).
  • Update PR title to reflect that this also corrects the previous-TFM anchor (e.g., "Bump aspnetcore group with 3 updates and correct previous-TFM anchor to 9.0.15").
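
The title/diff mismatch raised in the review above can be checked mechanically before a bot-authored bump is merged. The following is an added example, not code from this PR or from the dotnet/maui tooling: it compares the updated-dependencies metadata in the commit message with the properties the diff actually changes. It assumes a version property is named after the package id with the dots removed plus PackageVersion, as the properties in this diff are; all function names are hypothetical.

```python
import re

# Constructed input: excerpt of the updated-dependencies block in the commit message.
COMMIT_METADATA = """\
- dependency-name: Microsoft.AspNetCore.Authentication.Facebook
  dependency-version: 10.0.7
  update-type: version-update:semver-patch
- dependency-name: Microsoft.AspNetCore.Authentication.Google
  dependency-version: 10.0.7
  update-type: version-update:semver-patch
- dependency-name: Microsoft.AspNetCore.Authentication.MicrosoftAccount
  dependency-version: 10.0.7
  update-type: version-update:semver-patch
"""

# Constructed input: the removed/added lines of the eng/Versions.props diff.
def _line(sign, stem, ver):
    return f"{sign}    <{stem}PackageVersion>{ver}</{stem}PackageVersion>"

AUTH, PROVIDERS = "MicrosoftAspNetCoreAuthentication", ("Facebook", "Google", "MicrosoftAccount")
DIFF = "\n".join(
    [_line(s, AUTH + p, v) for s, v in (("-", "10.0.0"), ("+", "10.0.7")) for p in PROVIDERS]
    + [_line("-", "MicrosoftAspNetCore", "8.0.16"), _line("+", "MicrosoftAspNetCore", "10.0.7")])

# Assumption: a version property is named <package id without dots>PackageVersion.
PROP = re.compile(r"^([+-])\s*<(\w+)PackageVersion>([^<]+)</\2PackageVersion>\s*$")

def declared_updates(metadata):
    """Property stem -> (declared version, update type) from the bot's metadata."""
    out = {}
    for entry in metadata.split("- dependency-name:")[1:]:
        f = dict(re.findall(r"^\s*([\w-]+):\s*(\S+)\s*$", "dependency-name:" + entry, re.M))
        out[f["dependency-name"].replace(".", "")] = (f["dependency-version"], f["update-type"].split(":")[-1])
    return out

def changed_properties(diff):
    """Property stem -> [old, new] from the removed/added lines of a unified diff."""
    changes = {}
    for line in diff.splitlines():
        if m := PROP.match(line):
            sign, stem, ver = m.groups()
            changes.setdefault(stem, [None, None])[sign == "+"] = ver.strip()
    return changes

def bump_kind(old, new):
    """Classify a version change by its first differing component."""
    o, n = (list(map(int, re.findall(r"\d+", v)[:3])) for v in (old, new))
    for label, a, b in zip(("semver-major", "semver-minor", "semver-patch"), o, n):
        if a != b:
            return label
    return "none"

def audit(metadata, diff):
    """List changed properties that the declared metadata does not account for."""
    declared, findings = declared_updates(metadata), []
    for stem, (old, new) in changed_properties(diff).items():
        if old is None or new is None:
            findings.append((stem, "property added or removed", old, new))
        elif stem not in declared:
            findings.append((stem, "undeclared " + bump_kind(old, new), old, new))
        elif (new, bump_kind(old, new)) != declared[stem]:
            findings.append((stem, "differs from declared update", old, new))
    return findings

print(audit(COMMIT_METADATA, DIFF))
```

Run as a required check on bot-authored pull requests, a non-empty result means the diff changes something the bot's own metadata does not describe and needs a human look.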

MauiBot left a comment

Expert Review — 2 findings

See inline comments for details.

Comment thread eng/Versions.props
<MicrosoftJSInteropPackageVersion>10.0.0</MicrosoftJSInteropPackageVersion>
<!-- Everything else (previous edition) -->
<MicrosoftAspNetCorePackageVersion>8.0.16</MicrosoftAspNetCorePackageVersion>
<MicrosoftAspNetCorePackageVersion>10.0.7</MicrosoftAspNetCorePackageVersion>


MicrosoftAspNetCorePackageVersion is the anchor inherited by every *PreviousPackageVersion property (lines 102–114) and is consumed by eng/NuGetVersions.targets:209-252 only when TargetFramework.StartsWith('$(_MauiPreviousDotNetTfm)'). _MauiPreviousDotNetTfm resolves to net9.0 (Directory.Build.props:67-71, _MauiPreviousDotNetVersionMajor=9).

Setting it to 10.0.7 will cause dotnet restore for net9.0-* BlazorWebView/HybridWebView projects to request packages that only target net10.0, producing NU1202. The previous value 8.0.16 was already stale (it was a net8.0 value), but bumping further to 10.0.7 is strictly worse — 10 > 9 has no graceful fallback, whereas 8.0.x packages still install into a 9.0 project.

Suggested fix: use the latest 9.0 patch — <MicrosoftAspNetCorePackageVersion>9.0.15</MicrosoftAspNetCorePackageVersion>.

Comment thread eng/Versions.props
<MicrosoftJSInteropPackageVersion>10.0.0</MicrosoftJSInteropPackageVersion>
<!-- Everything else (previous edition) -->
<MicrosoftAspNetCorePackageVersion>8.0.16</MicrosoftAspNetCorePackageVersion>
<MicrosoftAspNetCorePackageVersion>10.0.7</MicrosoftAspNetCorePackageVersion>


Consider adding an XML comment above this line to remind future maintainers (and Dependabot's grouped-update logic) that this value must track the major.minor of _MauiPreviousDotNetTfm (currently net9.0). This will help avoid the same drift on the next grouped bump.

MauiBot added the s/agent-review-incomplete and s/agent-reviewed labels May 8, 2026

dependabot Bot commented on behalf of github May 9, 2026

Looks like these dependencies are no longer updatable, so this is no longer needed.

dependabot Bot closed this May 9, 2026
dependabot Bot deleted the dependabot/nuget/eng/aspnetcore-deb168309f branch May 9, 2026 05:03