From 4d09dab6645d6b97a0e3b5db0d03d35c26ccf4c2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Otto=20Boly=C3=B3s?= <obolyos@mriiot.com>
Date: Mon, 27 Apr 2026 11:05:29 +0200
Subject: [PATCH 1/7] build(sysml-import): bump Scriban 5.9.0 -> 7.1.0

Resolves the 11 advisories open against the 5.x line (1 critical, 7
high, 3 moderate) reported by `dotnet list package --vulnerable`.
Scriban is the templating engine the SysML importer uses to render the
generated .g.cs files under libraries/MTConnect.NET-Common/,
libraries/MTConnect.NET-XML/ and libraries/MTConnect.NET-JSON-cppagent/.
The 7.x line drops support for net6.0/net7.0 targets but the importer
pins net8.0, so the bump is binary-compatible for this consumer.
---
 .../MTConnect.NET-SysML-Import.csproj                           | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build/MTConnect.NET-SysML-Import/MTConnect.NET-SysML-Import.csproj b/build/MTConnect.NET-SysML-Import/MTConnect.NET-SysML-Import.csproj
index 311adf646..65a7fa967 100644
--- a/build/MTConnect.NET-SysML-Import/MTConnect.NET-SysML-Import.csproj
+++ b/build/MTConnect.NET-SysML-Import/MTConnect.NET-SysML-Import.csproj
@@ -9,7 +9,7 @@
 	</PropertyGroup>
 
 	<ItemGroup>
-		<PackageReference Include="Scriban" Version="5.9.0" />
+		<PackageReference Include="Scriban" Version="7.1.0" />
 	</ItemGroup>
 
 	<ItemGroup>

From 5b0a5741f2a081516ea7e699a2f6e2cb5d34468f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Otto=20Boly=C3=B3s?= <obolyos@mriiot.com>
Date: Mon, 27 Apr 2026 11:27:25 +0200
Subject: [PATCH 2/7] build(repo): bump Microsoft.NET.Test.Sdk to 17.14.1 in
 test projects

Aligns every NUnit + xUnit test project on the same Test.Sdk version.
Latest stable on the 17.x line; 18.x intentionally skipped pending a
separate evaluation.

Affected csprojs:
- tests/MTConnect.NET-Common-Tests (16.11.0 -> 17.14.1)
- tests/MTConnect.NET-HTTP-Tests   (16.11.0 -> 17.14.1)
- tests/MTConnect.NET-SHDR-Tests   (17.4.0  -> 17.14.1)
- tests/MTConnect.NET-XML-Tests    (17.4.0  -> 17.14.1)
- tests/IntegrationTests           (17.4.0  -> 17.14.1)

Cross-cutting commit per CONVENTIONS scope rule for "library-cross-cutting
changes use the most-affected scope" -- scope `repo` because the bump
spans five test scopes.
---
 tests/IntegrationTests/IntegrationTests.csproj                  | 2 +-
 .../MTConnect.NET-Common-Tests.csproj                           | 2 +-
 tests/MTConnect.NET-HTTP-Tests/MTConnect.NET-HTTP-Tests.csproj  | 2 +-
 tests/MTConnect.NET-SHDR-Tests/MTConnect.NET-SHDR-Tests.csproj  | 2 +-
 tests/MTConnect.NET-XML-Tests/MTConnect.NET-XML-Tests.csproj    | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/tests/IntegrationTests/IntegrationTests.csproj b/tests/IntegrationTests/IntegrationTests.csproj
index dc261c014..39551112f 100644
--- a/tests/IntegrationTests/IntegrationTests.csproj
+++ b/tests/IntegrationTests/IntegrationTests.csproj
@@ -18,7 +18,7 @@
   <ItemGroup>
     <PackageReference Include="Divergic.Logging.Xunit" Version="4.2.0" />
     <PackageReference Include="Microsoft.Extensions.Logging.Abstractions" Version="7.0.0" />
-    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.4.0" />
+    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.14.1" />
     <PackageReference Include="xunit" Version="2.4.2" />
     <PackageReference Include="xunit.runner.visualstudio" Version="2.4.5">
       <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
diff --git a/tests/MTConnect.NET-Common-Tests/MTConnect.NET-Common-Tests.csproj b/tests/MTConnect.NET-Common-Tests/MTConnect.NET-Common-Tests.csproj
index e8abcf4f4..ddfc7c947 100644
--- a/tests/MTConnect.NET-Common-Tests/MTConnect.NET-Common-Tests.csproj
+++ b/tests/MTConnect.NET-Common-Tests/MTConnect.NET-Common-Tests.csproj
@@ -9,7 +9,7 @@
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="16.11.0" />
+    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.14.1" />
     <PackageReference Include="NUnit" Version="3.13.2" />
     <PackageReference Include="NUnit3TestAdapter" Version="4.0.0" />
     <PackageReference Include="coverlet.collector" Version="3.1.0" />
diff --git a/tests/MTConnect.NET-HTTP-Tests/MTConnect.NET-HTTP-Tests.csproj b/tests/MTConnect.NET-HTTP-Tests/MTConnect.NET-HTTP-Tests.csproj
index 409138a5e..e6648c4a4 100644
--- a/tests/MTConnect.NET-HTTP-Tests/MTConnect.NET-HTTP-Tests.csproj
+++ b/tests/MTConnect.NET-HTTP-Tests/MTConnect.NET-HTTP-Tests.csproj
@@ -9,7 +9,7 @@
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="16.11.0" />
+    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.14.1" />
     <PackageReference Include="NUnit" Version="3.13.2" />
     <PackageReference Include="NUnit3TestAdapter" Version="4.0.0" />
     <PackageReference Include="coverlet.collector" Version="3.1.0" />
diff --git a/tests/MTConnect.NET-SHDR-Tests/MTConnect.NET-SHDR-Tests.csproj b/tests/MTConnect.NET-SHDR-Tests/MTConnect.NET-SHDR-Tests.csproj
index e4e1eae80..8ed544c8c 100644
--- a/tests/MTConnect.NET-SHDR-Tests/MTConnect.NET-SHDR-Tests.csproj
+++ b/tests/MTConnect.NET-SHDR-Tests/MTConnect.NET-SHDR-Tests.csproj
@@ -7,7 +7,7 @@
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.4.0" />
+    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.14.1" />
     <PackageReference Include="NUnit" Version="3.13.3" />
     <PackageReference Include="NUnit3TestAdapter" Version="4.3.1" />
     <PackageReference Include="coverlet.collector" Version="3.2.0">
diff --git a/tests/MTConnect.NET-XML-Tests/MTConnect.NET-XML-Tests.csproj b/tests/MTConnect.NET-XML-Tests/MTConnect.NET-XML-Tests.csproj
index ce1e88e2f..d54fc6f0a 100644
--- a/tests/MTConnect.NET-XML-Tests/MTConnect.NET-XML-Tests.csproj
+++ b/tests/MTConnect.NET-XML-Tests/MTConnect.NET-XML-Tests.csproj
@@ -8,7 +8,7 @@
 
   <ItemGroup>
     <PackageReference Include="DeepEqual" Version="4.2.1" />
-    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.4.0" />
+    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.14.1" />
     <PackageReference Include="NUnit" Version="3.13.3" />
     <PackageReference Include="NUnit3TestAdapter" Version="4.3.1" />
     <PackageReference Include="coverlet.collector" Version="3.2.0">

From cb0f40885d0a63b88589a82e3e2959e81b648519 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Otto=20Boly=C3=B3s?= <obolyos@mriiot.com>
Date: Mon, 27 Apr 2026 11:28:20 +0200
Subject: [PATCH 3/7] build(repo): bump coverlet.collector to 6.0.4 across test
 projects

Latest stable on the 6.x line. Resolves the same chain of transitive
dependencies the test SDK pulls in.

Affected csprojs:
- tests/MTConnect.NET-Common-Tests (3.1.0 -> 6.0.4)
- tests/MTConnect.NET-HTTP-Tests   (3.1.0 -> 6.0.4)
- tests/MTConnect.NET-SHDR-Tests   (3.2.0 -> 6.0.4)
- tests/MTConnect.NET-XML-Tests    (3.2.0 -> 6.0.4)
- tests/IntegrationTests           (3.2.0 -> 6.0.4)

Cross-cutting commit per CONVENTIONS scope rule for "library-cross-cutting
changes use the most-affected scope" -- scope `repo` because the bump
spans five test scopes.
---
 tests/IntegrationTests/IntegrationTests.csproj                  | 2 +-
 .../MTConnect.NET-Common-Tests.csproj                           | 2 +-
 tests/MTConnect.NET-HTTP-Tests/MTConnect.NET-HTTP-Tests.csproj  | 2 +-
 tests/MTConnect.NET-SHDR-Tests/MTConnect.NET-SHDR-Tests.csproj  | 2 +-
 tests/MTConnect.NET-XML-Tests/MTConnect.NET-XML-Tests.csproj    | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/tests/IntegrationTests/IntegrationTests.csproj b/tests/IntegrationTests/IntegrationTests.csproj
index 39551112f..cf88c7936 100644
--- a/tests/IntegrationTests/IntegrationTests.csproj
+++ b/tests/IntegrationTests/IntegrationTests.csproj
@@ -24,7 +24,7 @@
       <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
       <PrivateAssets>all</PrivateAssets>
     </PackageReference>
-    <PackageReference Include="coverlet.collector" Version="3.2.0">
+    <PackageReference Include="coverlet.collector" Version="6.0.4">
       <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
       <PrivateAssets>all</PrivateAssets>
     </PackageReference>
diff --git a/tests/MTConnect.NET-Common-Tests/MTConnect.NET-Common-Tests.csproj b/tests/MTConnect.NET-Common-Tests/MTConnect.NET-Common-Tests.csproj
index ddfc7c947..d28034394 100644
--- a/tests/MTConnect.NET-Common-Tests/MTConnect.NET-Common-Tests.csproj
+++ b/tests/MTConnect.NET-Common-Tests/MTConnect.NET-Common-Tests.csproj
@@ -12,7 +12,7 @@
     <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.14.1" />
     <PackageReference Include="NUnit" Version="3.13.2" />
     <PackageReference Include="NUnit3TestAdapter" Version="4.0.0" />
-    <PackageReference Include="coverlet.collector" Version="3.1.0" />
+    <PackageReference Include="coverlet.collector" Version="6.0.4" />
   </ItemGroup>
 
   <ItemGroup>
diff --git a/tests/MTConnect.NET-HTTP-Tests/MTConnect.NET-HTTP-Tests.csproj b/tests/MTConnect.NET-HTTP-Tests/MTConnect.NET-HTTP-Tests.csproj
index e6648c4a4..7361e7f7c 100644
--- a/tests/MTConnect.NET-HTTP-Tests/MTConnect.NET-HTTP-Tests.csproj
+++ b/tests/MTConnect.NET-HTTP-Tests/MTConnect.NET-HTTP-Tests.csproj
@@ -12,7 +12,7 @@
     <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.14.1" />
     <PackageReference Include="NUnit" Version="3.13.2" />
     <PackageReference Include="NUnit3TestAdapter" Version="4.0.0" />
-    <PackageReference Include="coverlet.collector" Version="3.1.0" />
+    <PackageReference Include="coverlet.collector" Version="6.0.4" />
   </ItemGroup>
 
   <ItemGroup>
diff --git a/tests/MTConnect.NET-SHDR-Tests/MTConnect.NET-SHDR-Tests.csproj b/tests/MTConnect.NET-SHDR-Tests/MTConnect.NET-SHDR-Tests.csproj
index 8ed544c8c..2c9cffcde 100644
--- a/tests/MTConnect.NET-SHDR-Tests/MTConnect.NET-SHDR-Tests.csproj
+++ b/tests/MTConnect.NET-SHDR-Tests/MTConnect.NET-SHDR-Tests.csproj
@@ -10,7 +10,7 @@
     <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.14.1" />
     <PackageReference Include="NUnit" Version="3.13.3" />
     <PackageReference Include="NUnit3TestAdapter" Version="4.3.1" />
-    <PackageReference Include="coverlet.collector" Version="3.2.0">
+    <PackageReference Include="coverlet.collector" Version="6.0.4">
       <PrivateAssets>all</PrivateAssets>
       <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
     </PackageReference>
diff --git a/tests/MTConnect.NET-XML-Tests/MTConnect.NET-XML-Tests.csproj b/tests/MTConnect.NET-XML-Tests/MTConnect.NET-XML-Tests.csproj
index d54fc6f0a..18f7dfb3f 100644
--- a/tests/MTConnect.NET-XML-Tests/MTConnect.NET-XML-Tests.csproj
+++ b/tests/MTConnect.NET-XML-Tests/MTConnect.NET-XML-Tests.csproj
@@ -11,7 +11,7 @@
     <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.14.1" />
     <PackageReference Include="NUnit" Version="3.13.3" />
     <PackageReference Include="NUnit3TestAdapter" Version="4.3.1" />
-    <PackageReference Include="coverlet.collector" Version="3.2.0">
+    <PackageReference Include="coverlet.collector" Version="6.0.4">
       <PrivateAssets>all</PrivateAssets>
       <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
     </PackageReference>

From a591554235573ad347d8c30c9bf9669e14c23b1c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Otto=20Boly=C3=B3s?= <obolyos@mriiot.com>
Date: Mon, 27 Apr 2026 11:28:44 +0200
Subject: [PATCH 4/7] build(repo): bump NUnit to 3.14.0 across NUnit test
 projects

Latest stable on the 3.x line. NUnit stays on the 3.x line for now;
the 4.x major rewrite (Assert.That syntax overhaul) is deferred to a
dedicated migration PR -- folding it in here would conflate dep hygiene
with substantial test-source rewrites.

Affected csprojs:
- tests/MTConnect.NET-Common-Tests (3.13.2 -> 3.14.0)
- tests/MTConnect.NET-HTTP-Tests   (3.13.2 -> 3.14.0)
- tests/MTConnect.NET-SHDR-Tests   (3.13.3 -> 3.14.0)
- tests/MTConnect.NET-XML-Tests    (3.13.3 -> 3.14.0)

Cross-cutting commit per CONVENTIONS scope rule for "library-cross-cutting
changes use the most-affected scope" -- scope `repo` because the bump
spans four test scopes.
---
 .../MTConnect.NET-Common-Tests.csproj                           | 2 +-
 tests/MTConnect.NET-HTTP-Tests/MTConnect.NET-HTTP-Tests.csproj  | 2 +-
 tests/MTConnect.NET-SHDR-Tests/MTConnect.NET-SHDR-Tests.csproj  | 2 +-
 tests/MTConnect.NET-XML-Tests/MTConnect.NET-XML-Tests.csproj    | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/tests/MTConnect.NET-Common-Tests/MTConnect.NET-Common-Tests.csproj b/tests/MTConnect.NET-Common-Tests/MTConnect.NET-Common-Tests.csproj
index d28034394..ab2b784e3 100644
--- a/tests/MTConnect.NET-Common-Tests/MTConnect.NET-Common-Tests.csproj
+++ b/tests/MTConnect.NET-Common-Tests/MTConnect.NET-Common-Tests.csproj
@@ -10,7 +10,7 @@
 
   <ItemGroup>
     <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.14.1" />
-    <PackageReference Include="NUnit" Version="3.13.2" />
+    <PackageReference Include="NUnit" Version="3.14.0" />
     <PackageReference Include="NUnit3TestAdapter" Version="4.0.0" />
     <PackageReference Include="coverlet.collector" Version="6.0.4" />
   </ItemGroup>
diff --git a/tests/MTConnect.NET-HTTP-Tests/MTConnect.NET-HTTP-Tests.csproj b/tests/MTConnect.NET-HTTP-Tests/MTConnect.NET-HTTP-Tests.csproj
index 7361e7f7c..b11da0298 100644
--- a/tests/MTConnect.NET-HTTP-Tests/MTConnect.NET-HTTP-Tests.csproj
+++ b/tests/MTConnect.NET-HTTP-Tests/MTConnect.NET-HTTP-Tests.csproj
@@ -10,7 +10,7 @@
 
   <ItemGroup>
     <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.14.1" />
-    <PackageReference Include="NUnit" Version="3.13.2" />
+    <PackageReference Include="NUnit" Version="3.14.0" />
     <PackageReference Include="NUnit3TestAdapter" Version="4.0.0" />
     <PackageReference Include="coverlet.collector" Version="6.0.4" />
   </ItemGroup>
diff --git a/tests/MTConnect.NET-SHDR-Tests/MTConnect.NET-SHDR-Tests.csproj b/tests/MTConnect.NET-SHDR-Tests/MTConnect.NET-SHDR-Tests.csproj
index 2c9cffcde..615ca03d4 100644
--- a/tests/MTConnect.NET-SHDR-Tests/MTConnect.NET-SHDR-Tests.csproj
+++ b/tests/MTConnect.NET-SHDR-Tests/MTConnect.NET-SHDR-Tests.csproj
@@ -8,7 +8,7 @@
 
   <ItemGroup>
     <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.14.1" />
-    <PackageReference Include="NUnit" Version="3.13.3" />
+    <PackageReference Include="NUnit" Version="3.14.0" />
     <PackageReference Include="NUnit3TestAdapter" Version="4.3.1" />
     <PackageReference Include="coverlet.collector" Version="6.0.4">
       <PrivateAssets>all</PrivateAssets>
diff --git a/tests/MTConnect.NET-XML-Tests/MTConnect.NET-XML-Tests.csproj b/tests/MTConnect.NET-XML-Tests/MTConnect.NET-XML-Tests.csproj
index 18f7dfb3f..f7669f8d9 100644
--- a/tests/MTConnect.NET-XML-Tests/MTConnect.NET-XML-Tests.csproj
+++ b/tests/MTConnect.NET-XML-Tests/MTConnect.NET-XML-Tests.csproj
@@ -9,7 +9,7 @@
   <ItemGroup>
     <PackageReference Include="DeepEqual" Version="4.2.1" />
     <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.14.1" />
-    <PackageReference Include="NUnit" Version="3.13.3" />
+    <PackageReference Include="NUnit" Version="3.14.0" />
     <PackageReference Include="NUnit3TestAdapter" Version="4.3.1" />
     <PackageReference Include="coverlet.collector" Version="6.0.4">
       <PrivateAssets>all</PrivateAssets>

From 7c241fed3d5c520e14ecc5fa5cc6c026e36e40e2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Otto=20Boly=C3=B3s?= <obolyos@mriiot.com>
Date: Mon, 27 Apr 2026 11:29:05 +0200
Subject: [PATCH 5/7] build(repo): bump NUnit3TestAdapter to 4.6.0 across NUnit
 test projects

Latest stable on the 4.x line. Pairs with the NUnit 3.14.0 bump.

Affected csprojs:
- tests/MTConnect.NET-Common-Tests (4.0.0 -> 4.6.0)
- tests/MTConnect.NET-HTTP-Tests   (4.0.0 -> 4.6.0)
- tests/MTConnect.NET-SHDR-Tests   (4.3.1 -> 4.6.0)
- tests/MTConnect.NET-XML-Tests    (4.3.1 -> 4.6.0)

Cross-cutting commit per CONVENTIONS scope rule for "library-cross-cutting
changes use the most-affected scope" -- scope `repo` because the bump
spans four test scopes.
---
 .../MTConnect.NET-Common-Tests.csproj                           | 2 +-
 tests/MTConnect.NET-HTTP-Tests/MTConnect.NET-HTTP-Tests.csproj  | 2 +-
 tests/MTConnect.NET-SHDR-Tests/MTConnect.NET-SHDR-Tests.csproj  | 2 +-
 tests/MTConnect.NET-XML-Tests/MTConnect.NET-XML-Tests.csproj    | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/tests/MTConnect.NET-Common-Tests/MTConnect.NET-Common-Tests.csproj b/tests/MTConnect.NET-Common-Tests/MTConnect.NET-Common-Tests.csproj
index ab2b784e3..e06ed7bd0 100644
--- a/tests/MTConnect.NET-Common-Tests/MTConnect.NET-Common-Tests.csproj
+++ b/tests/MTConnect.NET-Common-Tests/MTConnect.NET-Common-Tests.csproj
@@ -11,7 +11,7 @@
   <ItemGroup>
     <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.14.1" />
     <PackageReference Include="NUnit" Version="3.14.0" />
-    <PackageReference Include="NUnit3TestAdapter" Version="4.0.0" />
+    <PackageReference Include="NUnit3TestAdapter" Version="4.6.0" />
     <PackageReference Include="coverlet.collector" Version="6.0.4" />
   </ItemGroup>
 
diff --git a/tests/MTConnect.NET-HTTP-Tests/MTConnect.NET-HTTP-Tests.csproj b/tests/MTConnect.NET-HTTP-Tests/MTConnect.NET-HTTP-Tests.csproj
index b11da0298..12ced97e0 100644
--- a/tests/MTConnect.NET-HTTP-Tests/MTConnect.NET-HTTP-Tests.csproj
+++ b/tests/MTConnect.NET-HTTP-Tests/MTConnect.NET-HTTP-Tests.csproj
@@ -11,7 +11,7 @@
   <ItemGroup>
     <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.14.1" />
     <PackageReference Include="NUnit" Version="3.14.0" />
-    <PackageReference Include="NUnit3TestAdapter" Version="4.0.0" />
+    <PackageReference Include="NUnit3TestAdapter" Version="4.6.0" />
     <PackageReference Include="coverlet.collector" Version="6.0.4" />
   </ItemGroup>
 
diff --git a/tests/MTConnect.NET-SHDR-Tests/MTConnect.NET-SHDR-Tests.csproj b/tests/MTConnect.NET-SHDR-Tests/MTConnect.NET-SHDR-Tests.csproj
index 615ca03d4..05c68a35e 100644
--- a/tests/MTConnect.NET-SHDR-Tests/MTConnect.NET-SHDR-Tests.csproj
+++ b/tests/MTConnect.NET-SHDR-Tests/MTConnect.NET-SHDR-Tests.csproj
@@ -9,7 +9,7 @@
   <ItemGroup>
     <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.14.1" />
     <PackageReference Include="NUnit" Version="3.14.0" />
-    <PackageReference Include="NUnit3TestAdapter" Version="4.3.1" />
+    <PackageReference Include="NUnit3TestAdapter" Version="4.6.0" />
     <PackageReference Include="coverlet.collector" Version="6.0.4">
       <PrivateAssets>all</PrivateAssets>
       <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
diff --git a/tests/MTConnect.NET-XML-Tests/MTConnect.NET-XML-Tests.csproj b/tests/MTConnect.NET-XML-Tests/MTConnect.NET-XML-Tests.csproj
index f7669f8d9..2e1af056a 100644
--- a/tests/MTConnect.NET-XML-Tests/MTConnect.NET-XML-Tests.csproj
+++ b/tests/MTConnect.NET-XML-Tests/MTConnect.NET-XML-Tests.csproj
@@ -10,7 +10,7 @@
     <PackageReference Include="DeepEqual" Version="4.2.1" />
     <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.14.1" />
     <PackageReference Include="NUnit" Version="3.14.0" />
-    <PackageReference Include="NUnit3TestAdapter" Version="4.3.1" />
+    <PackageReference Include="NUnit3TestAdapter" Version="4.6.0" />
     <PackageReference Include="coverlet.collector" Version="6.0.4">
       <PrivateAssets>all</PrivateAssets>
       <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>

From d3035042c359ceb409c63efd3f7a7b58f2cd2bd3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Otto=20Boly=C3=B3s?= <obolyos@mriiot.com>
Date: Mon, 27 Apr 2026 22:32:17 +0200
Subject: [PATCH 6/7] build(repo): pin System.Text.Json 8.0.5 on
 netstandard2.0/net48 MQTT

MTConnect.NET-MQTT depends directly on Microsoft.Extensions.Hosting
7.0.0, which transitively brings System.Text.Json 7.0.0. That version
is flagged by GHSA-hh2w-p6rv-4g7w (High severity, affects
>= 7.0.0, < 7.0.4). On net8.0+ the runtime ships System.Text.Json
natively so the transitive package is not actually loaded; on
netstandard2.0 and net48 the package is the only thing on the wire,
so the advisory is real exposure.

Add per-TFM conditional <PackageReference Include="System.Text.Json"
Version="8.0.5" /> for netstandard2.0 and net48 in MTConnect.NET-MQTT
(the rooting library that pulls in Hosting). This forces the
NuGet resolver to pick 8.0.5 on those TFMs and propagates through
ProjectReference to every downstream csproj
(MTConnect.NET, MTConnect.NET-Applications-Agents,
MTConnect.NET-Applications-Adapter,
MTConnect.NET-AgentModule-MqttRelay,
MTConnect.NET-AgentModule-MqttAdapter,
MTConnect.NET-AgentModule-MqttBroker,
MTConnect.NET-AdapterModule-MQTT, MTConnect.NET-Adapter,
MTConnect.NET-Agent, MTConnect.NET-Client-MQTT,
MTConnect.NET-Agent-Embedded, Agent).

Verified via project.assets.json: BEFORE
  .NETFramework,Version=v4.8 :: System.Text.Json/7.0.0
  .NETStandard,Version=v2.0  :: System.Text.Json/7.0.0
AFTER
  .NETFramework,Version=v4.8 :: System.Text.Json/8.0.5
  .NETStandard,Version=v2.0  :: System.Text.Json/8.0.5

Note: dotnet list package --vulnerable --include-transitive on
[net8.0] still reports the transitive 7.0.0 because the local SDK
(8.0.104) cannot restore for net9.0 (and Debug TargetFrameworks is
net8.0 only). That report is a scanner false-positive on net8.0 where
the runtime supersedes the package; the per-TFM scope here matches
the finding and closes the actual exposure on netstandard2.0/net48.

Solution build remains green (0 errors).
---
 .../MTConnect.NET-MQTT/MTConnect.NET-MQTT.csproj    | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/libraries/MTConnect.NET-MQTT/MTConnect.NET-MQTT.csproj b/libraries/MTConnect.NET-MQTT/MTConnect.NET-MQTT.csproj
index aa6ebcebd..925554599 100644
--- a/libraries/MTConnect.NET-MQTT/MTConnect.NET-MQTT.csproj
+++ b/libraries/MTConnect.NET-MQTT/MTConnect.NET-MQTT.csproj
@@ -52,6 +52,19 @@
 		<PackageReference Include="MQTTnet" Version="4.3.7.1207" />
 	</ItemGroup>
 
+	<!-- Pin System.Text.Json 8.0.5 on TFMs without an in-the-runtime
+		 System.Text.Json. Microsoft.Extensions.Hosting 7.0.0
+		 transitively brings System.Text.Json 7.0.0 which is flagged
+		 by GHSA-hh2w-p6rv-4g7w. On netstandard2.0 and net48 the
+		 package is the only thing on the wire, so the override here
+		 closes the actual exposure surface. -->
+	<ItemGroup Condition=" '$(TargetFramework)' == 'netstandard2.0' ">
+		<PackageReference Include="System.Text.Json" Version="8.0.5" />
+	</ItemGroup>
+	<ItemGroup Condition=" '$(TargetFramework)' == 'net48' ">
+		<PackageReference Include="System.Text.Json" Version="8.0.5" />
+	</ItemGroup>
+
 	<ItemGroup>
 		<None Include="Configurations\IMTConnectMqttExpanderConfiguration.cs" />
 		<None Include="Configurations\MTConnectMqttExpanderConfiguration.cs" />

From e3ae31b5a5ed3840eec6ccdb0e58433535187d81 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Otto=20Boly=C3=B3s?= <obolyos@mriiot.com>
Date: Mon, 27 Apr 2026 22:37:28 +0200
Subject: [PATCH 7/7] build(integration-tests): clear High transitive
 vulnerabilities

tests/IntegrationTests/IntegrationTests.csproj reported three High
transitive vulnerabilities:

* System.Net.Http 4.3.0 -- GHSA-7jgj-8wvc-jh57
* System.Text.Json 6.0.5 -- GHSA-8g4q-xg66-9fp4
* System.Text.RegularExpressions 4.3.0 -- GHSA-cmhx-cq75-c4mj

The first and third were transitive dependencies of xunit 2.4.2; the
second came from Divergic.Logging.Xunit 4.2.0 (which still resolves to
System.Text.Json 6.0.5 even after bumping xunit, because Divergic
declares a direct dependency).

Bump:

* Microsoft.Extensions.Logging.Abstractions 7.0.0 -> 8.0.2 (per the
  finding's guidance to move off the 7.x line entirely).
* xunit 2.4.2 -> 2.9.2 (per the finding; resolves the System.Net.Http
  and System.Text.RegularExpressions transitives).
* Add a direct PackageReference for System.Text.Json 8.0.5 to override
  the Divergic.Logging.Xunit transitive 6.0.5.

BEFORE
  dotnet list ... --vulnerable --include-transitive on net8.0:
    > System.Net.Http                4.3.0  High  GHSA-7jgj-8wvc-jh57
    > System.Text.Json               6.0.5  High  GHSA-8g4q-xg66-9fp4
    > System.Text.RegularExpressions 4.3.0  High  GHSA-cmhx-cq75-c4mj

AFTER
  "The given project IntegrationTests has no vulnerable packages
   given the current sources."

Solution-level build (MTConnect.NET.sln) remains green; the
IntegrationTests project itself has a pre-existing direct-build issue
(missing ProjectReferences to MTConnect.NET-Agent types) that is
orthogonal to this dependency bump.
---
 tests/IntegrationTests/IntegrationTests.csproj | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/tests/IntegrationTests/IntegrationTests.csproj b/tests/IntegrationTests/IntegrationTests.csproj
index cf88c7936..89bf57b9e 100644
--- a/tests/IntegrationTests/IntegrationTests.csproj
+++ b/tests/IntegrationTests/IntegrationTests.csproj
@@ -17,9 +17,10 @@
 
   <ItemGroup>
     <PackageReference Include="Divergic.Logging.Xunit" Version="4.2.0" />
-    <PackageReference Include="Microsoft.Extensions.Logging.Abstractions" Version="7.0.0" />
+    <PackageReference Include="Microsoft.Extensions.Logging.Abstractions" Version="8.0.2" />
     <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.14.1" />
-    <PackageReference Include="xunit" Version="2.4.2" />
+    <PackageReference Include="System.Text.Json" Version="8.0.5" />
+    <PackageReference Include="xunit" Version="2.9.2" />
     <PackageReference Include="xunit.runner.visualstudio" Version="2.4.5">
       <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
       <PrivateAssets>all</PrivateAssets>