deps: Bump System.IO.Hashing from 10.0.6 to 10.0.7#457
Merged
Conversation
--- updated-dependencies: - dependency-name: System.IO.Hashing dependency-version: 10.0.7 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
Contributor
Author
LabelsThe following labels could not be found: Please fix the above issues or remove invalid values from |
|
Codex usage limits have been reached for code reviews. Please check with the admins of this repo to increase the limits by adding credits. |
3 tasks
AceHack
added a commit
that referenced
this pull request
Apr 25, 2026
* ci(dependabot): group nuget + github-actions updates per Otto-280 Per Aaron 2026-04-25 directive: ungrouped per-package PRs add noise to the drain queue when several packages bump in the same week (observed today with #454 / #455 / #457 / #458 — four separate PRs for one .NET servicing roll). Add groups stanza to both nuget and github-actions updates: - dotnet-runtime: System.* / Microsoft.* (servicing rolls cluster here, e.g. 10.0.6 → 10.0.7). - fsharp-and-tooling: FSharp.* / FsCheck / xunit / Meziantou.* / Mono.*. - nuget-minor-patch: catch-all for everything else, minor/patch only. - github-actions-minor-patch: catch-all for action SHA-pins. Major bumps still open as individual PRs so they get scrutiny. Single CI run covers each cluster instead of N runs for N PRs. * ci(dependabot): exclude non-runtime Microsoft.* + role-ref attribution Two thread fixes on PR #473: 1. **`dotnet-runtime` group narrowed.** Add `exclude-patterns` for `Microsoft.NET.Test.Sdk` (test harness) and `Microsoft.Z3` (SMT solver) so they fall through to `nuget-minor-patch` rather than being mis-bundled into the .NET servicing-roll rollup. Caught by copilot-pull-request-reviewer. 2. **Attribution as role-ref.** Per Otto-279 (current-state surface = role-ref preferred over name), `.github/dependabot.yml` is a config file = current-state surface. Replace "Per Aaron Otto-280" with "Per maintainer Otto-280" in two comment locations. The tag (Otto-280) still carries traceability without using a contributor name in code/config. * ci(dependabot): keep Microsoft.NET.Test.Sdk in dotnet-runtime group Maintainer pushback 2026-04-25: `Microsoft.NET.Test.Sdk` actually ships on .NET's monthly servicing cadence (18.x track follows .NET 10), so it does belong with the runtime rollup. Excluding it would push it into the catch-all `nuget-minor-patch` group, which muddies the cluster more than the original concern. `Microsoft.Z3` (the MSR SMT solver) genuinely runs on independent solver-team timelines, so the exclusion stays. Net change vs prior commit on this branch: drop one entry from `exclude-patterns`, expand the rationale comment so a future reader sees why one is in and the other out (Otto-282 — the why-comment as mental-load optimization). * ci(dependabot): inline rationale, drop Otto-NNN reference Resolves PR #473 thread `PRRT_kwDOSF9kNM59liop`. Copilot flagged that `Otto-280` is a maintainer-memory tag with no in-repo discoverable artifact, leaving the comment durable only as long as the agent has its memory tree available. The reviewer is right: future readers (humans, contractors, third-party AI) cannot resolve `Otto-NNN` references. Per Otto-282 (write the WHY in-place), the right fix is to inline the rationale rather than cite a tag. Two comments updated: 1. Top NuGet rationale comment now self-explains: "ungrouped per-package PRs add noise to the drain queue when several packages bump in the same week — every System.* / Microsoft.* bump on a .NET monthly servicing roll would otherwise open as its own PR within hours of the others, multiplying CI runs and human review for what is effectively a single coordinated change." 2. GitHub Actions comment now points back to the NuGet group's rationale rather than re-citing the Otto-NNN tag. Net: same intent, no out-of-repo references required to parse the file.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Updated System.IO.Hashing from 10.0.6 to 10.0.7.
Release notes
Sourced from System.IO.Hashing's releases.
No release notes found for this version range.
Commits viewable in compare view.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)