Bump Magick.NET-Q8-AnyCPU from 14.12.0 to 14.13.1

[dependabot]

Updated Magick.NET-Q8-AnyCPU from 14.12.0 to 14.13.1.

Release notes

Sourced from Magick.NET-Q8-AnyCPU's releases.

14.13.1

What's Changed

• Fixed loading of animated AVIF image as MagickImageCollection (#​2000)
• Fixed determining the number of frames when reading animated AVIF images (#​2005)
• Fixed loaded of indexed color PSD file (#​2007)
• Another fix when reading JPEG compressed TIFF files. (#​2016)

Related changes in ImageMagick since the last release of Magick.NET:

• Stack overflow in fx operation (GHSA-rcr6-g7jc-f57g)
• Heap Buffer Over-Write of a single byte in the JP2 encoder (GHSA-533m-3wf6-c33v)
• Use-After-Free in MSL decoder (GHSA-5r4x-w6p5-222q)
• Infinite Loop in the MIFF decoder can lead to CPU exhaustion (GHSA-7gg8-qqx7-92g5)
• Heap Buffer Over-Write in IPL decoder when reading multiple images of different dimensions (GHSA-36wm-hprc-mcf5)
• Heap Buffer Over-Write in MIFF encoder when using LZMA compression (GHSA-jcqp-6r6f-3mfx)

Library updates:

• ImageMagick 7.1.2-23 (2026-05-17)
• aom 3.14.0 (2026-05-12)
• openexr 3.4.11 (2026-04-30)
• libhwy 1.4.0 (2026-04-23)
• lcms 2.19.1 (2026-05-06)
• openjph 0.27.3 (2026-05-14)

Full Changelog: dlemstra/Magick.NET@14.13.0...14.13.1

14.13.0

What's Changed

• Added PixelDifferenceCount to ErrorMetric.

Related changes in ImageMagick since the last release of Magick.NET:

• Corrected the patch that was made earlier to fix reading JPEG compressed TIFF images (#​1993)
• Call CloseBlob on the correct image to prevent the blob from remaining open (#​1997)

Library updates:

• ImageMagick 7.1.2-21 (2026-04-21)
• harfbuzz 14.2.0 (2026-04-20)
• libpng 1.6.58 (2026-04-15)
• libraqm 0.10.5 (2026-04-11)
• libraw 0.22.1 (2026-04-06)
• libxml2 2.15.3 (2026-04-15)
• openexr 3.4.9 (2026-04-17)
• openjph 0.27.0 (2026-04-14)

Full Changelog: dlemstra/Magick.NET@14.12.0...14.13.0

Commits viewable in compare view.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[github-actions]

🚀 Dogfood this PR with:

⚠️ WARNING: Do not do this without first carefully reviewing the code of this PR to satisfy yourself it is safe.

curl -fsSL https://raw.githubusercontent.com/dotnet/maui/main/eng/scripts/get-maui-pr.sh | bash -s -- 35505

Or

• Run remotely in PowerShell:

iex "& { $(irm https://raw.githubusercontent.com/dotnet/maui/main/eng/scripts/get-maui-pr.ps1) } 35505"

[kubaflo]

/review -b feature/refactor-copilot-yml

[kubaflo]

/review -b feature/refactor-copilot-yml

[kubaflo]

/review -b feature/enhanced-reviewer -p android

[kubaflo]

/review rerun

[kubaflo]

/review -b feature/enhanced-reviewer -p android

[MauiBot]

AI Review Summary

@dependabot[bot] — new AI review results are available based on this last commit: 7eb0f3f. To request a fresh review after new comments or commits, comment /review rerun.

Review Sessions — click to expand

Gate — Test Before & After Fix

Gate Result: ⚠️ SKIPPED

No tests were detected in this PR.

Recommendation: Add tests to verify the fix using the write-tests-agent.

---

Pre-Flight — Context & Validation

Issue: N/A - Dependabot dependency update
PR: #35505 - Bump Magick.NET-Q8-AnyCPU from 14.12.0 to 14.13.1
Platforms Affected: android test infrastructure; visual test utility dependency shared by platform UI test projects
Files Changed: 1 implementation/test-infrastructure, 0 test

Key Findings

• PR #35505 changes only src/TestUtils/src/VisualTestUtils.MagickNet/VisualTestUtils.MagickNet.csproj, updating Magick.NET-Q8-AnyCPU from 14.12.0 to 14.13.1.
• The PR has no linked product issue and no test changes; the prior gate result was skipped because no tests were detected.
• PR comments are review/CI trigger commands plus dogfood instructions; no inline review comments or prior ❌ Error findings were found.
• The dependency is used by VisualTestUtils.MagickNet, which is referenced by platform UI test projects including Android.

Code Review Summary

Verdict: NEEDS_DISCUSSION
Confidence: low
Errors: 0 | Warnings: 0 | Suggestions: 0

Key code review findings:

• No actionable code findings. The only limitation is unavailable required-check status (gh unauthenticated) and skipped gate coverage.

Fix Candidates

#	Source	Approach	Test Result	Files Changed	Notes
PR	PR #35505	Directly bump Magick.NET-Q8-AnyCPU from 14.12.0 to 14.13.1 in VisualTestUtils.MagickNet.csproj	⚠️ Gate skipped (no tests detected)	src/TestUtils/src/VisualTestUtils.MagickNet/VisualTestUtils.MagickNet.csproj	Original PR; simplest and Dependabot-friendly

---

Code Review — Deep Analysis

Code Review — PR #35505

Independent Assessment

What this changes: Updates Magick.NET-Q8-AnyCPU in src/TestUtils/src/VisualTestUtils.MagickNet/VisualTestUtils.MagickNet.csproj:9 from 14.12.0 to 14.13.1.
Inferred motivation: Routine dependency update for visual test image comparison tooling, picking up upstream Magick.NET/ImageMagick bug fixes and security fixes.

Reconciliation with PR Narrative

Author claims: Dependabot dependency bump from 14.12.0 to 14.13.1, with upstream bug/security/library updates.
Agreement/disagreement: Matches the code exactly. No additional source changes.

Prior Review Reconciliation

No prior ❌ Error findings found.

Blast Radius Assessment

• Runs for all instances: no — no MAUI runtime/handler code changes; affects projects that reference VisualTestUtils.MagickNet during test builds/runs.
• Startup impact: no app startup impact.
• Static/shared state: no.

CI Status

• Required-check result: undetermined
• Classification: tool-unavailable / undetermined
• Action taken: gh pr checks 35505 --repo dotnet/maui --required could not be used because GitHub CLI is unauthenticated; confidence capped low. Local restore/build validation was used for try-fix candidates only.

Findings

No actionable findings.

Failure-Mode Probing

• Package missing/incompatible with netstandard2.0: candidate restore/build validations succeeded for accepted version forms.
• API break in used ImageMagick APIs: project compile succeeded for direct usages in VisualTestUtils.MagickNet.
• Android platform behavior: no Android handler/runtime code changes; impact is limited to visual test utility dependency resolution used by UI test projects.

Verdict: NEEDS_DISCUSSION

Confidence: low (CI/gate coverage was undetermined/skipped; dependency-only code review found no issues.)
Summary: The direct Dependabot bump is simple and appropriate. No code-review issues were found, but this review cannot claim LGTM because the required CI state was unavailable and the gate was skipped due no detected tests.

---

Fix — Analysis & Comparison

Fix Candidates

#	Source	Approach	Test Result	Files Changed	Notes
1	maui-expert-reviewer	Centralize Magick.NET-Q8-AnyCPU version in eng/Versions.props and reference an MSBuild property	✅ PASS (restore/build)	2 files	Valid but likely worse: single-use dependency, extra indirection, less Dependabot-friendly
2	maui-expert-reviewer	Use bounded NuGet version range [14.13.1,15.0.0)	✅ PASS (restore/build)	1 file	Valid but worse: reduces deterministic restore and may silently resolve later 14.x behavior
3	maui-expert-reviewer	Use exact NuGet bracket syntax [14.13.1]	✅ PASS (restore/build)	1 file	Valid but not clearly better: noisier/less idiomatic than normal Dependabot bump
PR	PR #35505	Direct PackageReference bump from 14.12.0 to 14.13.1	⚠️ Gate skipped (no tests detected)	1 file	Original PR; simplest deterministic, idiomatic, Dependabot-friendly option

Cross-Pollination

Model	Round	New Ideas?	Details
maui-expert-reviewer	2	No	NO NEW IDEAS — Current direct PackageReference bump is the simplest deterministic, Dependabot-friendly fix; tested alternatives add indirection/noise or reduce restore predictability.

Exhausted: Yes
Selected Fix: PR's fix — It is the simplest and most maintainable candidate for a single-use Dependabot dependency bump. No tested alternative was demonstrably better.

---

try-fix-1 Narrative

Approach: Centralized Magick.NET version property

Move the Magick.NET-Q8-AnyCPU version into eng/Versions.props and reference it from the VisualTestUtils.MagickNet project.

Different from existing fix: PR #35505 directly updates the PackageReference Version attribute inline; this candidate turns it into centrally managed repo version metadata.

Diff

diff --git a/eng/Versions.props b/eng/Versions.props
index f1df08d7d7..a6d6e87af3 100644
--- a/eng/Versions.props
+++ b/eng/Versions.props
@@ -142,6 +142,7 @@
     <MicrosoftDotNetXHarnessCLIVersion>11.0.0-prerelease.26230.4</MicrosoftDotNetXHarnessCLIVersion>
     <TizenUIExtensionsVersion>0.9.2</TizenUIExtensionsVersion>
     <SvgSkiaPackageVersion>2.0.0.4</SvgSkiaPackageVersion>
+    <MagickNetQ8AnyCPUPackageVersion>14.13.1</MagickNetQ8AnyCPUPackageVersion>
     <FizzlerPackageVersion>1.3.0</FizzlerPackageVersion>
     <TizenUIExtensionsVersion>0.9.0</TizenUIExtensionsVersion>
     <ExCSSPackageVersion>4.2.3</ExCSSPackageVersion>
diff --git a/src/TestUtils/src/VisualTestUtils.MagickNet/VisualTestUtils.MagickNet.csproj b/src/TestUtils/src/VisualTestUtils.MagickNet/VisualTestUtils.MagickNet.csproj
index 13c824627a..7778ed608f 100644
--- a/src/TestUtils/src/VisualTestUtils.MagickNet/VisualTestUtils.MagickNet.csproj
+++ b/src/TestUtils/src/VisualTestUtils.MagickNet/VisualTestUtils.MagickNet.csproj
@@ -6,7 +6,7 @@
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="Magick.NET-Q8-AnyCPU" Version="14.13.1" />
+    <PackageReference Include="Magick.NET-Q8-AnyCPU" Version="$(MagickNetQ8AnyCPUPackageVersion)" />
   </ItemGroup>
 
   <ItemGroup>

Test Results

Running: dotnet restore src/TestUtils/src/VisualTestUtils.MagickNet/VisualTestUtils.MagickNet.csproj --no-cache --force --verbosity minimal
  Determining projects to restore...
  Restored /home/vsts/work/1/s/src/TestUtils/src/VisualTestUtils/VisualTestUtils.csproj (in 637 ms).
  Restored /home/vsts/work/1/s/src/TestUtils/src/VisualTestUtils.MagickNet/VisualTestUtils.MagickNet.csproj (in 636 ms).
Running: dotnet build src/TestUtils/src/VisualTestUtils.MagickNet/VisualTestUtils.MagickNet.csproj --no-restore --configuration Debug --verbosity minimal
  VisualTestUtils -> /home/vsts/work/1/s/artifacts/bin/VisualTestUtils/Debug/netstandard2.0/VisualTestUtils.dll
  VisualTestUtils.MagickNet -> /home/vsts/work/1/s/artifacts/bin/VisualTestUtils.MagickNet/Debug/netstandard2.0/VisualTestUtils.MagickNet.dll

Build succeeded.
    0 Warning(s)
    0 Error(s)

Time Elapsed 00:00:01.68

Analysis

Result: Pass

What happened: Restore and build for VisualTestUtils.MagickNet completed successfully.

Why it worked/failed: The repository-level MSBuild property flowed into the PackageReference and preserved the 14.13.1 dependency update.

Self-review: clean - no findings. This is dependency metadata, not handler/platform runtime code.

Insights: The approach is valid but likely not better than the PR for a single-use Dependabot-managed dependency because it adds indirection and may reduce Dependabot friendliness.

---

try-fix-2 Narrative

Approach: Bounded 14.x NuGet version range

Use a NuGet version range [14.13.1,15.0.0) instead of an exact package version.

Different from existing fix: PR #35505 pins exactly to 14.13.1; this candidate sets 14.13.1 as the minimum acceptable 14.x version while excluding future major versions.

Diff

diff --git a/src/TestUtils/src/VisualTestUtils.MagickNet/VisualTestUtils.MagickNet.csproj b/src/TestUtils/src/VisualTestUtils.MagickNet/VisualTestUtils.MagickNet.csproj
index 13c824627a..9411a1ccd6 100644
--- a/src/TestUtils/src/VisualTestUtils.MagickNet/VisualTestUtils.MagickNet.csproj
+++ b/src/TestUtils/src/VisualTestUtils.MagickNet/VisualTestUtils.MagickNet.csproj
@@ -6,7 +6,7 @@
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="Magick.NET-Q8-AnyCPU" Version="14.13.1" />
+    <PackageReference Include="Magick.NET-Q8-AnyCPU" Version="[14.13.1,15.0.0)" />
   </ItemGroup>
 
   <ItemGroup>

Test Results

Running: dotnet restore src/TestUtils/src/VisualTestUtils.MagickNet/VisualTestUtils.MagickNet.csproj --no-cache --force --verbosity minimal
  Determining projects to restore...
  Restored /home/vsts/work/1/s/src/TestUtils/src/VisualTestUtils/VisualTestUtils.csproj (in 593 ms).
  Restored /home/vsts/work/1/s/src/TestUtils/src/VisualTestUtils.MagickNet/VisualTestUtils.MagickNet.csproj (in 590 ms).
Running: dotnet build src/TestUtils/src/VisualTestUtils.MagickNet/VisualTestUtils.MagickNet.csproj --no-restore --configuration Debug --verbosity minimal
  VisualTestUtils -> /home/vsts/work/1/s/artifacts/bin/VisualTestUtils/Debug/netstandard2.0/VisualTestUtils.dll
  VisualTestUtils.MagickNet -> /home/vsts/work/1/s/artifacts/bin/VisualTestUtils.MagickNet/Debug/netstandard2.0/VisualTestUtils.MagickNet.dll

Build succeeded.
    0 Warning(s)
    0 Error(s)

Time Elapsed 00:00:01.66

Analysis

Result: Pass

What happened: Restore and build completed with the bounded package version range.

Why it worked/failed: NuGet accepted the version range and resolved a compatible Magick.NET 14.x package satisfying the floor.

Self-review: clean - no MAUI handler/platform findings; risk is dependency determinism rather than runtime code correctness.

Insights: Even when valid, this is not better than the PR because it reduces deterministic restore behavior for a test utility package.

---

try-fix-3 Narrative

Approach: Exact-version pin with NuGet bracket syntax

Use NuGet exact version range syntax [14.13.1] instead of the plain exact-looking version string.

Different from existing fix: PR #35505 uses Version="14.13.1", which NuGet treats as a minimum version. This candidate requires exactly 14.13.1.

Diff

diff --git a/src/TestUtils/src/VisualTestUtils.MagickNet/VisualTestUtils.MagickNet.csproj b/src/TestUtils/src/VisualTestUtils.MagickNet/VisualTestUtils.MagickNet.csproj
index 13c824627a..26c019ee4d 100644
--- a/src/TestUtils/src/VisualTestUtils.MagickNet/VisualTestUtils.MagickNet.csproj
+++ b/src/TestUtils/src/VisualTestUtils.MagickNet/VisualTestUtils.MagickNet.csproj
@@ -6,7 +6,7 @@
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="Magick.NET-Q8-AnyCPU" Version="14.13.1" />
+    <PackageReference Include="Magick.NET-Q8-AnyCPU" Version="[14.13.1]" />
   </ItemGroup>
 
   <ItemGroup>

Test Results

Running: dotnet restore src/TestUtils/src/VisualTestUtils.MagickNet/VisualTestUtils.MagickNet.csproj --no-cache --force --verbosity minimal
  Determining projects to restore...
  Restored /home/vsts/work/1/s/src/TestUtils/src/VisualTestUtils/VisualTestUtils.csproj (in 616 ms).
  Restored /home/vsts/work/1/s/src/TestUtils/src/VisualTestUtils.MagickNet/VisualTestUtils.MagickNet.csproj (in 617 ms).
Running: dotnet build src/TestUtils/src/VisualTestUtils.MagickNet/VisualTestUtils.MagickNet.csproj --no-restore --configuration Debug --verbosity minimal
  VisualTestUtils -> /home/vsts/work/1/s/artifacts/bin/VisualTestUtils/Debug/netstandard2.0/VisualTestUtils.dll
  VisualTestUtils.MagickNet -> /home/vsts/work/1/s/artifacts/bin/VisualTestUtils.MagickNet/Debug/netstandard2.0/VisualTestUtils.MagickNet.dll

Build succeeded.
    0 Warning(s)
    0 Error(s)

Time Elapsed 00:00:01.58

Analysis

Result: Pass

What happened: Restore and build completed with exact NuGet bracket syntax.

Why it worked/failed: NuGet accepted the exact-version range and resolved 14.13.1 deterministically.

Self-review: clean - no MAUI handler/platform findings; this remains dependency metadata only.

Insights: This improves explicit determinism, but it is noisier and less idiomatic than the PR for a Dependabot bump.

---

Report — Final Recommendation

Comparative Fix Report — PR #35505

Candidates

Rank	Candidate	Regression/Test Result	Assessment
1	pr	Gate skipped; no tests detected	Best candidate. Directly updates the single Magick.NET-Q8-AnyCPU package reference from 14.12.0 to 14.13.1, preserving the standard Dependabot pattern and deterministic-looking dependency metadata without extra indirection.
1	pr-plus-reviewer	Same as pr	Equivalent to pr. The expert reviewer produced no actionable inline findings, so there was no sandbox change to apply.
3	try-fix-3	PASS — restore/build	Valid candidate using exact NuGet bracket syntax [14.13.1]. It is slightly more explicit about exact resolution, but it is noisier and less idiomatic for this repository's direct package-reference update style.
4	try-fix-1	PASS — restore/build	Valid candidate centralizing the version in eng/Versions.props, but worse for a single-use Dependabot-managed dependency because it adds unnecessary indirection and may reduce Dependabot friendliness.
5	try-fix-2	PASS — restore/build	Valid candidate using [14.13.1,15.0.0), but worse because it permits future 14.x resolution changes and reduces restore predictability.

Regression-Test Ordering

No candidate was reported as failing regression tests. The try-fix candidates all passed their restore/build checks, while the PR gate was skipped because no tests were detected. Because there are no failed candidates, ranking is based on correctness, determinism, repository convention, and maintainability.

Winner

pr is the winning candidate. It is the simplest and most maintainable fix for this Dependabot dependency update, and the expert reviewer found no actionable improvements to apply. pr-plus-reviewer is technically tied because it is identical, but selecting pr more accurately records that the raw submitted fix already contains the preferred implementation.

Test Coverage Note

The gate result was skipped because no tests were detected. For this dependency-only update, a targeted restore/build of VisualTestUtils.MagickNet and its relevant UI-test consumers would be useful CI evidence, but the absence of PR-added tests is not itself a code defect for this package bump.

---

Future Action — review latest findings

No alternative fix was selected for this run. Review the session findings and CI results before merging.