build(repo): bump Scriban + test-infra packages #149
Draft
ottobolyos wants to merge 7 commits into TrakHound:master from
Conversation
Resolves the 11 advisories open against the 5.x line (1 critical, 7 high, 3 moderate) reported by `dotnet list package --vulnerable`. Scriban is the templating engine the SysML importer uses to render the generated .g.cs files under libraries/MTConnect.NET-Common/, libraries/MTConnect.NET-XML/ and libraries/MTConnect.NET-JSON-cppagent/. The 7.x line drops support for net6.0/net7.0 targets but the importer pins net8.0, so the bump is binary-compatible for this consumer.
Aligns every NUnit + xUnit test project on the same Test.Sdk version. Latest stable on the 17.x line; 18.x intentionally skipped pending a separate evaluation.

Affected csprojs:
- tests/MTConnect.NET-Common-Tests (16.11.0 -> 17.14.1)
- tests/MTConnect.NET-HTTP-Tests (16.11.0 -> 17.14.1)
- tests/MTConnect.NET-SHDR-Tests (17.4.0 -> 17.14.1)
- tests/MTConnect.NET-XML-Tests (17.4.0 -> 17.14.1)
- tests/IntegrationTests (17.4.0 -> 17.14.1)

Cross-cutting commit per CONVENTIONS scope rule for "library-cross-cutting changes use the most-affected scope" -- scope `repo` because the bump spans five test scopes.
Latest stable on the 6.x line. Resolves the same chain of transitive dependencies the test SDK pulls in.

Affected csprojs:
- tests/MTConnect.NET-Common-Tests (3.1.0 -> 6.0.4)
- tests/MTConnect.NET-HTTP-Tests (3.1.0 -> 6.0.4)
- tests/MTConnect.NET-SHDR-Tests (3.2.0 -> 6.0.4)
- tests/MTConnect.NET-XML-Tests (3.2.0 -> 6.0.4)
- tests/IntegrationTests (3.2.0 -> 6.0.4)

Cross-cutting commit per CONVENTIONS scope rule for "library-cross-cutting changes use the most-affected scope" -- scope `repo` because the bump spans five test scopes.
Latest stable on the 3.x line. NUnit stays on the 3.x line for now; the 4.x major rewrite (Assert.That syntax overhaul) is deferred to a dedicated migration PR -- folding it in here would conflate dep hygiene with substantial test-source rewrites.

Affected csprojs:
- tests/MTConnect.NET-Common-Tests (3.13.2 -> 3.14.0)
- tests/MTConnect.NET-HTTP-Tests (3.13.2 -> 3.14.0)
- tests/MTConnect.NET-SHDR-Tests (3.13.3 -> 3.14.0)
- tests/MTConnect.NET-XML-Tests (3.13.3 -> 3.14.0)

Cross-cutting commit per CONVENTIONS scope rule for "library-cross-cutting changes use the most-affected scope" -- scope `repo` because the bump spans four test scopes.
Latest stable on the 4.x line. Pairs with the NUnit 3.14.0 bump.

Affected csprojs:
- tests/MTConnect.NET-Common-Tests (4.0.0 -> 4.6.0)
- tests/MTConnect.NET-HTTP-Tests (4.0.0 -> 4.6.0)
- tests/MTConnect.NET-SHDR-Tests (4.3.1 -> 4.6.0)
- tests/MTConnect.NET-XML-Tests (4.3.1 -> 4.6.0)

Cross-cutting commit per CONVENTIONS scope rule for "library-cross-cutting changes use the most-affected scope" -- scope `repo` because the bump spans four test scopes.
MTConnect.NET-MQTT depends directly on Microsoft.Extensions.Hosting 7.0.0, which transitively brings System.Text.Json 7.0.0. That version is flagged by GHSA-hh2w-p6rv-4g7w (High severity, affects >= 7.0.0, < 7.0.4). On net8.0+ the runtime ships System.Text.Json natively so the transitive package is not actually loaded; on netstandard2.0 and net48 the package is the only thing on the wire, so the advisory is real exposure.

Add per-TFM conditional `<PackageReference Include="System.Text.Json" Version="8.0.5" />` for netstandard2.0 and net48 in MTConnect.NET-MQTT (the rooting library that pulls in Hosting). This forces the NuGet resolver to pick 8.0.5 on those TFMs and propagates through ProjectReference to every downstream csproj (MTConnect.NET, MTConnect.NET-Applications-Agents, MTConnect.NET-Applications-Adapter, MTConnect.NET-AgentModule-MqttRelay, MTConnect.NET-AgentModule-MqttAdapter, MTConnect.NET-AgentModule-MqttBroker, MTConnect.NET-AdapterModule-MQTT, MTConnect.NET-Adapter, MTConnect.NET-Agent, MTConnect.NET-Client-MQTT, MTConnect.NET-Agent-Embedded, Agent).

Verified via project.assets.json:

BEFORE
.NETFramework,Version=v4.8 :: System.Text.Json/7.0.0
.NETStandard,Version=v2.0 :: System.Text.Json/7.0.0

AFTER
.NETFramework,Version=v4.8 :: System.Text.Json/8.0.5
.NETStandard,Version=v2.0 :: System.Text.Json/8.0.5

Note: `dotnet list package --vulnerable --include-transitive` on [net8.0] still reports the transitive 7.0.0 because the local SDK (8.0.104) cannot restore for net9.0 (and Debug TargetFrameworks is net8.0 only). That report is a scanner false-positive on net8.0 where the runtime supersedes the package; the per-TFM scope here matches the finding and closes the actual exposure on netstandard2.0/net48. Solution build remains green (0 errors).
tests/IntegrationTests/IntegrationTests.csproj reported three High transitive vulnerabilities:
* System.Net.Http 4.3.0 -- GHSA-7jgj-8wvc-jh57
* System.Text.Json 6.0.5 -- GHSA-8g4q-xg66-9fp4
* System.Text.RegularExpressions 4.3.0 -- GHSA-cmhx-cq75-c4mj

The first and third were transitive dependencies of xunit 2.4.2; the second came from Divergic.Logging.Xunit 4.2.0 (which still resolves to System.Text.Json 6.0.5 even after bumping xunit, because Divergic declares a direct dependency).

Bump:
* Microsoft.Extensions.Logging.Abstractions 7.0.0 -> 8.0.2 (per the finding's guidance to move off the 7.x line entirely).
* xunit 2.4.2 -> 2.9.2 (per the finding; resolves the System.Net.Http and System.Text.RegularExpressions transitives).
* Add a direct PackageReference for System.Text.Json 8.0.5 to override the Divergic.Logging.Xunit transitive 6.0.5.

BEFORE `dotnet list ... --vulnerable --include-transitive` on net8.0:
> System.Net.Http 4.3.0 High GHSA-7jgj-8wvc-jh57
> System.Text.Json 6.0.5 High GHSA-8g4q-xg66-9fp4
> System.Text.RegularExpressions 4.3.0 High GHSA-cmhx-cq75-c4mj

AFTER
"The given project IntegrationTests has no vulnerable packages given the current sources."

Solution-level build (MTConnect.NET.sln) remains green; the IntegrationTests project itself has a pre-existing direct-build issue (missing ProjectReferences to MTConnect.NET-Agent types) that is orthogonal to this dependency bump.
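An added check, not code from this PR or the MTConnect.NET project, that reads per-target package resolutions from project.assets.json the way the verification in the MQTT and integration-tests commits does, flags targets whose System.Text.Json falls inside the GHSA-hh2w-p6rv-4g7w range quoted above, and models the per-TFM pin so the before/after can be compared. The JSON excerpt is constructed, and the `runtime_supersedes` default encodes the commit's net8.0 reasoning as an assumption rather than something the script verifies.

```python
import json

# Advisory range quoted in the commit: GHSA-hh2w-p6rv-4g7w affects >= 7.0.0, < 7.0.4
VULNERABLE_RANGE = ((7, 0, 0), (7, 0, 4))

# Constructed excerpt in the shape of project.assets.json ("targets" -> TFM ->
# "Package/Version" -> metadata); not taken from the repository.
SAMPLE_ASSETS = json.loads("""{
  "version": 3,
  "targets": {
    ".NETFramework,Version=v4.8": {"Microsoft.Extensions.Hosting/7.0.0": {"type": "package"},
                                   "System.Text.Json/7.0.0": {"type": "package"}},
    ".NETStandard,Version=v2.0": {"System.Text.Json/7.0.0": {"type": "package"}},
    "net8.0": {"System.Text.Json/7.0.0": {"type": "package"}}
  }
}""")

def parse_version(text):
    """'8.0.5' -> (8, 0, 5); a prerelease suffix such as '-preview.1' is dropped."""
    return tuple(int(p) for p in text.split("-", 1)[0].split("."))

def resolved_versions(assets, package):
    """Version NuGet resolved for `package` on each restore target."""
    found = {}
    for target, libs in assets["targets"].items():
        for key in libs:
            name, _, version = key.rpartition("/")
            if name.lower() == package.lower():
                found[target] = version
    return found

def exposed_targets(assets, package, lo, hi, runtime_supersedes=("net8.0",)):
    """Targets where the resolved version is inside [lo, hi). Targets listed in
    runtime_supersedes are skipped: the commit's reasoning (assumed here, not
    checked) is that the shared framework ships the assembly so the package is
    never loaded, which is why the scanner hit on net8.0 is a false positive."""
    hits = []
    for target, version in resolved_versions(assets, package).items():
        if target not in runtime_supersedes and lo <= parse_version(version) < hi:
            hits.append((target, version))
    return sorted(hits)

def apply_pin(assets, package, version, targets):
    """Model the per-TFM PackageReference pin: replace the resolved entry for
    `package` on the given targets, as restore would after the csproj change."""
    patched = json.loads(json.dumps(assets))  # deep copy; leaves the input untouched
    for target in targets:
        libs = patched["targets"][target]
        for key in [k for k in libs if k.rpartition("/")[0].lower() == package.lower()]:
            libs[f"{package}/{version}"] = libs.pop(key)
    return patched
```

Point `json.load(open("obj/project.assets.json"))` at a real restore output in place of the constructed sample to reproduce the BEFORE/AFTER lines in the commit message.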
Closes #126.
Summary
Bumps Scriban (the SysML importer's templating engine) from 5.9.0 to 7.1.0 and supersedes Dependabot's mechanical 5.9.0 -> 7.0.0 bump in #126, sweeping the test-infrastructure packages that Dependabot left out at the same time.
- build(sysml-import): bump Scriban 5.9.0 -> 7.1.0. Closes 1 critical + 7 high + 3 moderate advisories on the 5.x line.
- build(repo): bump `Microsoft.NET.Test.Sdk` to 17.14.1 across the five test projects (latest stable 17.x; 18.x intentionally skipped pending a separate evaluation).
- build(repo): bump `coverlet.collector` to 6.0.4 across the five test projects (latest stable 6.x).
- build(repo): bump `NUnit` to 3.14.0 across the four NUnit test projects. NUnit stays on the 3.x line; the 4.x major rewrite (Assert.That syntax overhaul) is deferred to a dedicated migration PR.
- build(repo): bump `NUnit3TestAdapter` to 4.6.0 across the four NUnit test projects (latest stable 4.x).
- build(repo): pin `System.Text.Json` 8.0.5 on `netstandard2.0`/`net48` in the MQTT projects to clear the F-S-H2 transitive High advisory chain.
- build(integration-tests): pin transitive package versions to clear remaining High advisories on the integration-tests project (F-S-H4, F-Si-L14).