chore(deps): align EF Core, WolverineFx, and ASP.NET Core 8.x families#81
Conversation
PR #74 (dotnet-minor-and-patch group) and PR #80 (microsoft-extensions group) both bumped a subset of a version family and left the rest at old versions: - PR #74 + #80 raised `Microsoft.EntityFrameworkCore.Relational` to 9.0.16 but left `Microsoft.EntityFrameworkCore` and `Microsoft.EntityFrameworkCore.InMemory` at 9.0.5 → NU1605 downgrade risk (CodeRabbit caught it). - PR #74 raised `WolverineFx`, `.EntityFrameworkCore`, and `.Postgresql` to 5.39.3 but left `WolverineFx.Http` at 5.38.0 even though 5.39.3 exists upstream (Dependabot missed it; CodeRabbit didn't catch). - PR #74 + #80 raised `Microsoft.AspNetCore.Mvc.Testing` to 8.0.27 but left `Microsoft.AspNetCore.Authentication.JwtBearer` at 8.0.11 → out-of-step ASP.NET Core 8.x patches. This replacement PR aligns the three families and rolls up every other safe minor/patch bump PR #74 carried: EF Core trio → 9.0.16. WolverineFx quad → 5.39.3. ASP.NET Core 8.x pair → 8.0.27. Plus MediatR 12.5.0, FluentValidation 11.12.0, StackExchange.Redis 2.13.1, BCrypt.Net-Next 4.2.0, AWSSDK.S3 4.0.23.4, AWSSDK.Extensions.NETCore.Setup 4.0.4.1, Serilog.Sinks.Console 6.1.1, Scalar.AspNetCore 2.14.14, OpenIddict 5.8.0, Microsoft.NET.Test.Sdk 17.14.1, Bogus 35.6.5, Npgsql 9.0.5. With versions aligned correctly, `dotnet restore` no longer needs the csproj-level `MediatR` reference or `Npgsql` `VersionOverride` that PR #74 added as workarounds. Local `dotnet build` is 0/0 warnings, 642 unit tests pass, `dotnet format --verify-no-changes` is clean. Closes PRs #74 and #80.
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Plus Run ID: 📒 Files selected for processing (1)
📝 WalkthroughWalkthrough
ChangesNuGet Dependency Updates
Estimated code review effort🎯 2 (Simple) | ⏱️ ~10 minutes Possibly related PRs
Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 3
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@Directory.Packages.props`:
- Around line 17-18: The PackageVersion entries for Npgsql and
Npgsql.EntityFrameworkCore.PostgreSQL are misaligned (Npgsql set to 9.0.5 while
the EF Core provider is 9.0.4); update the Npgsql PackageVersion entry to
Version="9.0.4" in Directory.Packages.props so both packages match the provider
release, or if you intentionally need 9.0.5, add a brief justification comment
in the file and ensure the provider version is explicitly pinned/overridden with
a comment describing why they differ.
- Around line 19-32: The review notes that package existence and security
advisory checks were only run for a subset of entries; extend the same NuGet
existence and GitHub security-advisory checks to the remaining PackageVersion
entries (WolverineFx, WolverineFx.Http, WolverineFx.EntityFrameworkCore,
WolverineFx.Postgresql all Version="5.39.3", MailKit Version="4.16.0",
Serilog.AspNetCore Version="9.0.0", Serilog.Sinks.Seq Version="8.0.0"), report
any advisories or missing packages, and if advisories are found either bump to a
safe version or document an accepted risk in the repo; ensure results are
applied consistently for these PackageVersion symbols in
Directory.Packages.props.
- Line 36: You updated Scalar.AspNetCore from 2.6.0 to 2.14.14; check and update
any code that relied on the removed ScalarOptions.EndpointPathPrefix by
migrating deployment/path-prefix logic to the new endpointPrefix usage exposed
by MapScalarApiReference, and search for usages of
ScalarOptions.EndpointPathPrefix to remove/replace them; also audit all places
that serialize/deserialize enums (API controllers, clients, tests, and
integration fixtures) to ensure they work with the new JsonConverter-based enum
serialization (adjust client expectations, test fixtures, or add custom
JsonConverters/JsonSerializerOptions where necessary) so enum JSON
representation matches the new behavior.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro Plus
Run ID: 7cd9d3a1-4bb9-4abe-ba93-fd94a51fb875
📒 Files selected for processing (1)
Directory.Packages.props
| <PackageVersion Include="StackExchange.Redis" Version="2.13.1" /> | ||
| <!-- WolverineFx quad aligned; .Http 5.39.3 exists, Dependabot just missed it --> | ||
| <PackageVersion Include="WolverineFx" Version="5.39.3" /> | ||
| <PackageVersion Include="WolverineFx.Http" Version="5.39.3" /> | ||
| <PackageVersion Include="WolverineFx.EntityFrameworkCore" Version="5.39.3" /> | ||
| <PackageVersion Include="WolverineFx.Postgresql" Version="5.39.3" /> | ||
| <PackageVersion Include="BCrypt.Net-Next" Version="4.2.0" /> | ||
| <PackageVersion Include="MailKit" Version="4.16.0" /> | ||
| <PackageVersion Include="AWSSDK.S3" Version="4.0.23" /> | ||
| <PackageVersion Include="AWSSDK.Extensions.NETCore.Setup" Version="4.0.3.37" /> | ||
| <PackageVersion Include="AWSSDK.S3" Version="4.0.23.4" /> | ||
| <PackageVersion Include="AWSSDK.Extensions.NETCore.Setup" Version="4.0.4.1" /> | ||
| <PackageVersion Include="Serilog.AspNetCore" Version="9.0.0" /> | ||
| <PackageVersion Include="Serilog.Sinks.Console" Version="6.0.0" /> | ||
| <PackageVersion Include="Serilog.Sinks.Console" Version="6.1.1" /> | ||
| <PackageVersion Include="Serilog.Sinks.Seq" Version="8.0.0" /> | ||
| </ItemGroup> |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Verify package versions exist and check for security advisories
echo "=== Checking package version existence ==="
for pkg in "StackExchange.Redis/2.13.1" "BCrypt.Net-Next/4.2.0" "AWSSDK.S3/4.0.23.4" "AWSSDK.Extensions.NETCore.Setup/4.0.4.1" "Serilog.Sinks.Console/6.1.1"; do
IFS='/' read -r name version <<< "$pkg"
status=$(curl -s -o /dev/null -w "%{http_code}" "https://api.nuget.org/v3-flatcontainer/${name,,}/${version}/${name,,}.${version}.nupkg")
if [ "$status" = "200" ]; then
echo "✓ $name $version exists"
else
echo "✗ $name $version NOT FOUND (HTTP $status)"
fi
done
echo -e "\n=== Checking for GitHub security advisories ==="
gh api graphql -f query='
{
securityVulnerabilities(first: 10, ecosystem: NUGET, package: "StackExchange.Redis") {
nodes {
advisory { summary severity publishedAt }
vulnerableVersionRange
firstPatchedVersion { identifier }
}
}
}'Repository: phuong-labs/axis
Length of output: 382
Package version/security checks are only partially covered (extend to the rest of the block).
- NuGet package existence confirmed for: StackExchange.Redis
2.13.1, BCrypt.Net-Next4.2.0, AWSSDK.S34.0.23.4, AWSSDK.Extensions.NETCore.Setup4.0.4.1, Serilog.Sinks.Console6.1.1. - GitHub security advisories (NuGet ecosystem) for StackExchange.Redis
2.13.1returned no entries. - Still missing: security advisory checks (and NuGet existence checks, if desired) for WolverineFx/* (
5.39.3family), MailKit4.16.0, Serilog.AspNetCore9.0.0, and Serilog.Sinks.Seq8.0.0.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@Directory.Packages.props` around lines 19 - 32, The review notes that package
existence and security advisory checks were only run for a subset of entries;
extend the same NuGet existence and GitHub security-advisory checks to the
remaining PackageVersion entries (WolverineFx, WolverineFx.Http,
WolverineFx.EntityFrameworkCore, WolverineFx.Postgresql all Version="5.39.3",
MailKit Version="4.16.0", Serilog.AspNetCore Version="9.0.0", Serilog.Sinks.Seq
Version="8.0.0"), report any advisories or missing packages, and if advisories
are found either bump to a safe version or document an accepted risk in the
repo; ensure results are applied consistently for these PackageVersion symbols
in Directory.Packages.props.
| <ItemGroup Label="API"> | ||
| <PackageVersion Include="Swashbuckle.AspNetCore" Version="6.9.0" /> | ||
| <PackageVersion Include="Scalar.AspNetCore" Version="2.6.0" /> | ||
| <PackageVersion Include="Scalar.AspNetCore" Version="2.14.14" /> |
There was a problem hiding this comment.
🧩 Analysis chain
🌐 Web query:
Scalar.AspNetCore changelog breaking changes between version 2.6.0 and 2.14.14
💡 Result:
Scalar.AspNetCore breaking changes between 2.6.0 and 2.14.14 (inclusive) From the Scalar repo’s ASP.NET Core integration docs/migration notes and PRs that explicitly describe breaking/obsolete removals, the notable breaking changes in that range are: 1) EndpointPathPrefix removed (was previously obsolete) - The property EndpointPathPrefix was previously marked obsolete and later removed, along with related workarounds and tests. This is a breaking API removal for code that still referenced ScalarOptions.EndpointPathPrefix (and any sub-path/deployment workarounds tied to it). [1] - Migration guidance (from earlier in the 2.x line) states that EndpointPathPrefix should be replaced by the endpointPrefix parameter in MapScalarApiReference, and that endpointPrefix excludes the {documentName} placeholder. [2] - A PR in the Scalar repo states “remove obsolete EndpointPathPrefix” and indicates it was included in the next version bump. [1] 2) Scalar.AspNetCore switched to using JsonConverters for enums (potential behavior change) - A merged PR states that Scalar.AspNetCore “switch[es] to json converters” for enums instead of mapping enum values to strings in the mapper. It also notes a future simplification for.NET 9+ using JsonStringEnumMemberName. [3] - While the PR is labeled feat/implementation rather than “breaking changes” explicitly, changing enum serialization can be breaking if any consumer relied on the prior serialized representation. [3] What I could NOT reliably extract from sources within this run - A complete, version-by-version list of every breaking change specifically for every release between 2.6.0 and 2.14.14. The integration CHANGELOG exists in the repo, but the search results returned only partial/fragmented content rather than the full entries needed to confidently enumerate every breaking change across all versions in that window. [4] If you want, I can do a follow-up pass that directly parses the aspnetcore/CHANGELOG.md entries for each version from 2.6.0 through 2.14.14 and produce a strict, exhaustive breaking-change list (with citations for each bullet).
Citations:
- 1: feat(Scalar.AspNetCore): remove obsolete
EndpointPathPrefixproperty scalar/scalar#7648 - 2: Migration Guide for Scalar.AspNetCore 2.0.0 scalar/scalar#4362
- 3: feat(Scalar.AspNetCore): switch to json converters scalar/scalar#6625
- 4: https://github.com/scalar/scalar/blob/main/integrations/dotnet/aspnetcore/CHANGELOG.md
Verify Scalar.AspNetCore 2.6.0 → 2.14.14 breaking/behavioral changes (Directory.Packages.props line 36)
This jump includes notable breaking/behavioral items to check in the API project:
- Removal of obsolete
ScalarOptions.EndpointPathPrefix(update any deployment/path-prefix logic to the newer endpointPrefix guidance used withMapScalarApiReference). - Change in enum JSON handling (Scalar moved to
JsonConverter-based enum serialization; confirm clients/tests don’t rely on the prior enum JSON representation).
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@Directory.Packages.props` at line 36, You updated Scalar.AspNetCore from
2.6.0 to 2.14.14; check and update any code that relied on the removed
ScalarOptions.EndpointPathPrefix by migrating deployment/path-prefix logic to
the new endpointPrefix usage exposed by MapScalarApiReference, and search for
usages of ScalarOptions.EndpointPathPrefix to remove/replace them; also audit
all places that serialize/deserialize enums (API controllers, clients, tests,
and integration fixtures) to ensure they work with the new JsonConverter-based
enum serialization (adjust client expectations, test fixtures, or add custom
JsonConverters/JsonSerializerOptions where necessary) so enum JSON
representation matches the new behavior.
CodeRabbit flagged: PR #74 had bumped Npgsql to 9.0.5 but Npgsql.EntityFrameworkCore.PostgreSQL has not published 9.0.5 yet (latest is 9.0.4). NuGet auto-resolves to the newer Npgsql, so build still works, but the family-alignment principle in memory/feedback_version_family_alignment.md says: keep family members in lockstep, drop the floater when the leader hasn't moved. Other CodeRabbit notes acknowledged: - WolverineFx.Http / MailKit / Serilog.AspNetCore / Serilog.Sinks.Seq all verified present on NuGet (HTTP 200) at the declared versions; no action needed. - Scalar.AspNetCore 2.6.0 → 2.14.14 removes `EndpointPathPrefix` and changes enum JSON serialization. We never used `EndpointPathPrefix` (`MapScalarApiReference` in Program.cs uses `WithOpenApiRoutePattern` + `Title` + `Theme` only). Enum serialization change only affects the Scalar API-reference UI rendering of examples, not the runtime REST surface. Scalar is dev + staging only. Build + unit tests stay clean; no action needed.
1 participant
Summary
Replaces Dependabot PRs #74 (dotnet-minor-and-patch group) and #80 (microsoft-extensions group) which both partially bumped a version family. CodeRabbit flagged the EF Core split on both; I also caught a WolverineFx.Http drift Dependabot missed and an ASP.NET Core 8.x patch drift.
Plus rolls up every other safe minor/patch bump that was in PR #74: MediatR 12.5.0, FluentValidation 11.12.0, StackExchange.Redis 2.13.1, BCrypt.Net-Next 4.2.0, AWSSDK.S3 4.0.23.4, AWSSDK.Extensions 4.0.4.1, Serilog.Sinks.Console 6.1.1, Scalar.AspNetCore 2.14.14, OpenIddict 5.8.0, Microsoft.NET.Test.Sdk 17.14.1, Bogus 35.6.5, Npgsql 9.0.5.
Why this replaces, not amends
PR #74 also patched
Axis.Shared.Infrastructure.csprojto add aMediatRreference andNpgsql VersionOverride="9.0.5"— Dependabot's workarounds for the family split. With versions aligned correctly here, those workarounds are unnecessary anddotnet restoreresolves cleanly without them. Keeping them would hide future drift.Verification
dotnet build— 0 warnings, 0 errorsdotnet format --verify-no-changes— cleanRequirements & rules followed
./scripts/check-doc-drift.shN/A (nosrc/,tests/,docs/epics/change)TODO/FIXME/ placeholder / stubSummary by CodeRabbit