Bump the tests group with 5 updates#260
Closed
dependabot[bot] wants to merge 1 commit into
Closed
Conversation
Bumps CancelCop.Analyzer from 1.4.2 to 1.4.8 Bumps DependencyInjection.Lifetime.Analyzers from 2.9.0 to 2.10.4 Bumps Microsoft.Extensions.Http.Polly from 9.0.0 to 9.0.17 Bumps System.IO.Hashing from 10.0.8 to 10.0.9 Bumps System.ServiceModel.Syndication from 9.0.0 to 9.0.17 --- updated-dependencies: - dependency-name: CancelCop.Analyzer dependency-version: 1.4.8 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: tests - dependency-name: DependencyInjection.Lifetime.Analyzers dependency-version: 2.10.4 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: tests - dependency-name: Microsoft.Extensions.Http.Polly dependency-version: 9.0.17 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: tests - dependency-name: System.IO.Hashing dependency-version: 10.0.9 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: tests - dependency-name: System.ServiceModel.Syndication dependency-version: 9.0.17 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: tests ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
Bot
added
.NET
This was referenced Jun 10, 2026
Contributor
Author
|
Looks like these dependencies are updatable in another way, so this is no longer needed. |
dependabot
Bot
deleted the
dependabot/nuget/src/DNTCommon.Web.Core/tests-cfcab8d5c1
branch
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Updated CancelCop.Analyzer from 1.4.2 to 1.4.8.
Release notes
Sourced from CancelCop.Analyzer's releases.
1.4.8
Rule-catalog trust contract
RuleCatalogTestsdrift guards: every shipped descriptor must have a README rule-table row (correct severity + fix mark), be tracked inAnalyzerReleases.Shipped.mdwith matching severity, and every exported code-fix provider must target a shipped rule. A rule can no longer be added, renamed, or re-severitied without the public docs following.Full test suite: 205 passed on CI (5 new drift guards this release). No analyzer behavior changes.
See CHANGELOG.md and docs/ANALYZER_HEALTH.md.
1.4.7
Internal refactor: shared token-propagation pipeline
CancellationTokenHelpers.ReportIfTokenNotPropagated. Each analyzer is rule-specific gating plus one call.See CHANGELOG.md and docs/ANALYZER_HEALTH.md.
1.4.6
Named-argument-safe code fixes (CC002/CC003/CC004)
cancellationToken: ct) using the target overload''s declared parameter name, carried in newTokenArgumentNamediagnostic metadata. Positional calls keep positional fixes.Verified via CI (
build-and-test, 200 tests passing); local test execution is currently blocked by Windows Smart App Control on the dev machine (seedocs/ANALYZER_HEALTH.md).See CHANGELOG.md.
1.4.5
Token scope: constructors and primary constructors
CancellationTokenparameters declared on constructors and C# 12 primary constructors (classes and records), including capture from instance methods, instance field initializers, and partial-type parts whose primary constructor is declared elsewhere.Full test suite: 196 passed, 0 failed (12 new tests this release).
See CHANGELOG.md and docs/ANALYZER_HEALTH.md.
1.4.4
CC005C: method-group Minimal API handlers
app.MapGet("/users", GetUsersAsync),UserHandlers.Get,Handler<T>,(Handler), and local-function method groups — flagging the referenced method when it is async-shaped without aCancellationTokenparameter.CancellationToken cancellationToken = defaultto the referenced method or local function (same-document only;= defaultkeeps other call sites compiling).handler.Invoke, metadata-declared methods, ambiguous method groups, and externally-controlled signatures stay quiet. Virtual/abstract and partial handlers report but get no automatic fix (the rewrite would not compile — CS0115/CS8795).Full test suite: 184 passed, 0 failed (16 new tests this release).
See CHANGELOG.md and docs/ANALYZER_HEALTH.md.
1.4.3
CC003/CC004: token detection inside local functions and lambdas
CancellationTokenwith the same scope walk as CC002/CC009 — the nearest enclosing local function, lambda, or method that declares (or captures) a token. Previously a matching call inside a local function or lambda owning its own token was silently missed.Expression<TDelegate>lambdas are never flagged (the token cannot be propagated there).staticlambdas / static local functions — the outer token is not capturable (CS8820/CS8421), so suggesting it was a false positive with a non-compiling fix (affected CC002/CC009 since v1.4.2; caught in review before shipping for CC003/CC004).async delegate (CancellationToken ct) { … }), previously a silent false negative for all four propagation rules.Full test suite: 168 passed, 0 failed (14 new tests this release).
See CHANGELOG.md and docs/ANALYZER_HEALTH.md.
Commits viewable in compare view.
Updated DependencyInjection.Lifetime.Analyzers from 2.9.0 to 2.10.4.
Release notes
Sourced from DependencyInjection.Lifetime.Analyzers's releases.
2.10.4
DependencyInjection.Lifetime.Analyzers 2.10.4
Compile-time DI diagnostics for
Microsoft.Extensions.DependencyInjectionprojects that want earlier feedback on lifetime bugs, scope leaks, service locator drift, and unresolvable registrations.Why install or upgrade
UseMiddlewareargument (app.UseMiddleware<MyMiddleware>(preBuilt)/app.UseMiddleware(typeof(MyMiddleware), preBuilt)) was still reported, even though ActivatorUtilities binds the supplied argument and never resolves that parameter from the container. Constructor selection now threads its argument-fill map through to reporting; a parameter explicitly supplied at every registration site stays quiet, while one unfilled site still reports.app?.UseMiddleware<MyMiddleware>()on builder-typed instance members is now recognized (the receiver resolves through the enclosing conditional access). Extension-method registrations already worked through the reduced-method parameter type and are now pinned by tests.UseMiddleware(typeof(T))(positive and explicit-argument-suppressed), keyed scoped dependencies ([FromKeyedServices]reporting on key match, silent for a different-key singleton),IEndpointRouteBuilderregistrations, and the extension-method (ReducedFrom) receiver path.Install
What changed
Fixed
UseMiddlewareargument (app.UseMiddleware<MyMiddleware>(preBuilt)/app.UseMiddleware(typeof(MyMiddleware), preBuilt)) was still reported, even though ActivatorUtilities binds the supplied argument and never resolves that parameter from the container. Constructor selection now threads its argument-fill map through to reporting; a parameter explicitly supplied at every registration site stays quiet, while one unfilled site still reports.Added
app?.UseMiddleware<MyMiddleware>()on builder-typed instance members is now recognized (the receiver resolves through the enclosing conditional access). Extension-method registrations already worked through the reduced-method parameter type and are now pinned by tests.UseMiddleware(typeof(T))(positive and explicit-argument-suppressed), keyed scoped dependencies ([FromKeyedServices]reporting on key match, silent for a different-key singleton),IEndpointRouteBuilderregistrations, and the extension-method (ReducedFrom) receiver path.Learn more
2.10.3
DependencyInjection.Lifetime.Analyzers 2.10.3
Compile-time DI diagnostics for
Microsoft.Extensions.DependencyInjectionprojects that want earlier feedback on lifetime bugs, scope leaks, service locator drift, and unresolvable registrations.Why install or upgrade
_cache.Add(service),_cache.Insert(...),Enqueue,Push,TryAdd— both for tracked locals and direct resolutions passed as arguments) and when a handler bound to the scoped service is subscribed to an event whose owner outlives the scope (_publisher.Changed += service.Handle, captured-delegate subscriptions, method-group delegate locals (EventHandler h = service.Handle;), static events, and events on the enclosing instance). Method groups on tracked service locals participate in delegate-capture tracking generally, so they also report through the existing field/property/ref-out/return delegate sinks. Mutation matching requires the resolved method to return void/bool/int (real mutator signatures) and the receiver type to actually be a collection (implementIEnumerable), so value-returning shapes —ImmutableList.Add, fluent builders — and ordinary field-held objects with Insert/Add-style methods (repositories persisting data) stay quiet; conditional-access mutations (_cache?.Add(service)) are recognized through the enclosing conditional access. The new sinks require the resolution to precede the sink in document order (a local reassigned to a scoped resolution after theAdd/subscription escaped its previous value, not the scoped one), method-group recognition gates on the member actually being a method (delegate-valued properties returning static handlers stay quiet) and on the resolution preceding the conversion site (method groups bind their receiver at conversion time), and event receivers are classified by the root of the access chain, sowrapper.Publisher.Changedwith a scope-local wrapper stays quiet while field/property/parameter/static roots report. Local containers and scope-local publishers stay quiet too — they live and die with the scope. Indexer assignment to a field dictionary (_byTenant[key] = service) was already detected through the indexer property symbol and is now pinned by a regression test. These were the two highest-frequency real-world escape shapes missing from the sink table per the 2026-06-10 health re-audit.Install
What changed
Added
_cache.Add(service),_cache.Insert(...),Enqueue,Push,TryAdd— both for tracked locals and direct resolutions passed as arguments) and when a handler bound to the scoped service is subscribed to an event whose owner outlives the scope (_publisher.Changed += service.Handle, captured-delegate subscriptions, method-group delegate locals (EventHandler h = service.Handle;), static events, and events on the enclosing instance). Method groups on tracked service locals participate in delegate-capture tracking generally, so they also report through the existing field/property/ref-out/return delegate sinks. Mutation matching requires the resolved method to return void/bool/int (real mutator signatures) and the receiver type to actually be a collection (implementIEnumerable), so value-returning shapes —ImmutableList.Add, fluent builders — and ordinary field-held objects with Insert/Add-style methods (repositories persisting data) stay quiet; conditional-access mutations (_cache?.Add(service)) are recognized through the enclosing conditional access. The new sinks require the resolution to precede the sink in document order (a local reassigned to a scoped resolution after theAdd/subscription escaped its previous value, not the scoped one), method-group recognition gates on the member actually being a method (delegate-valued properties returning static handlers stay quiet) and on the resolution preceding the conversion site (method groups bind their receiver at conversion time), and event receivers are classified by the root of the access chain, sowrapper.Publisher.Changedwith a scope-local wrapper stays quiet while field/property/parameter/static roots report. Local containers and scope-local publishers stay quiet too — they live and die with the scope. Indexer assignment to a field dictionary (_byTenant[key] = service) was already detected through the indexer property symbol and is now pinned by a regression test. These were the two highest-frequency real-world escape shapes missing from the sink table per the 2026-06-10 health re-audit.Learn more
2.10.2
DependencyInjection.Lifetime.Analyzers 2.10.2
Compile-time DI diagnostics for
Microsoft.Extensions.DependencyInjectionprojects that want earlier feedback on lifetime bugs, scope leaks, service locator drift, and unresolvable registrations.Why install or upgrade
var options = CreateOptions();orclient.CreateProcessor("q", CreateOptions())where the helper is non-virtual, singly-declared, and in the same file. A helper that provably returns a fresh creation withMaxConcurrentCalls = 8upgrades the config-gated DI022 Info to the DI021 warning; one that pins the knob to 1 silences the sink (the fresh creation is instance-correlated by construction). Supported helper shapes: expression-bodied=> new Options {...}, a singlereturn new Options {...};, and a single returned local initialized with a creation (collecting its in-helper member writes). Stale proofs are invalidated: reassigning the options local from another helper re-derives the proof from the replacement, a fresh-creation replacement discards every value collected for the discarded instance (a staleMaxDegreeOfParallelism = 1can no longer silence a default-unlimitedParallelOptions), opaque reassignments make the knob unprovable, writes inside nested lambdas/local functions poison sequential proofs as unknown candidates (without erasing construction-time concurrent constants, and regardless of where the nested function is declared — declaration position says nothing about execution order), and writes or reassignments after the sink consumed the options (the SDK snapshots values at the creation call) are ignored as later variable reuse. Virtual/overridable helpers, parameter-driven knob values, multiple returns, and shared-instance returns likewise stay unproven (DI022) — reducing the Info-tier noise the health doc watchlists without weakening the instance-correlation principle. Applies to ServiceBus processor options andParallelOptionsalike.Install
What changed
Changed
var options = CreateOptions();orclient.CreateProcessor("q", CreateOptions())where the helper is non-virtual, singly-declared, and in the same file. A helper that provably returns a fresh creation withMaxConcurrentCalls = 8upgrades the config-gated DI022 Info to the DI021 warning; one that pins the knob to 1 silences the sink (the fresh creation is instance-correlated by construction). Supported helper shapes: expression-bodied=> new Options {...}, a singlereturn new Options {...};, and a single returned local initialized with a creation (collecting its in-helper member writes). Stale proofs are invalidated: reassigning the options local from another helper re-derives the proof from the replacement, a fresh-creation replacement discards every value collected for the discarded instance (a staleMaxDegreeOfParallelism = 1can no longer silence a default-unlimitedParallelOptions), opaque reassignments make the knob unprovable, writes inside nested lambdas/local functions poison sequential proofs as unknown candidates (without erasing construction-time concurrent constants, and regardless of where the nested function is declared — declaration position says nothing about execution order), and writes or reassignments after the sink consumed the options (the SDK snapshots values at the creation call) are ignored as later variable reuse. Virtual/overridable helpers, parameter-driven knob values, multiple returns, and shared-instance returns likewise stay unproven (DI022) — reducing the Info-tier noise the health doc watchlists without weakening the instance-correlation principle. Applies to ServiceBus processor options andParallelOptionsalike.Learn more
2.10.1
DependencyInjection.Lifetime.Analyzers 2.10.1
Compile-time DI diagnostics for
Microsoft.Extensions.DependencyInjectionprojects that want earlier feedback on lifetime bugs, scope leaks, service locator drift, and unresolvable registrations.Why install or upgrade
EventingBasicConsumer.Received(v6 sync),AsyncEventingBasicConsumer.Received(v6 async), andAsyncEventingBasicConsumer.ReceivedAsync(v7) handlers now participate in concurrent-handler shared-state analysis — RabbitMQ consumers are among the most common .NET message-handler surfaces sharing a singleDbContextacross deliveries. The dispatch pump'sConsumerDispatchConcurrencyknob lives on theConnectionFactory(v7: also per-channel options), typically in another method or bound from configuration, so reports default to the config-gated DI022 Info tier; a constant knob above 1 in the containing type upgrades to the DI021 warning. Knob constants are recognized across integral types (RabbitMQ.Client v7 declares the property asushort), consumer types match by fully-qualified name, and all existing guardrails apply (in-handler scopes,IDbContextFactory<T>, inline creation, serialization guards, whitelisted captures). Instance-correlated factory→connection→channel→consumer tracing for sequential proofs remains a v2 target.Install
What changed
Added
EventingBasicConsumer.Received(v6 sync),AsyncEventingBasicConsumer.Received(v6 async), andAsyncEventingBasicConsumer.ReceivedAsync(v7) handlers now participate in concurrent-handler shared-state analysis — RabbitMQ consumers are among the most common .NET message-handler surfaces sharing a singleDbContextacross deliveries. The dispatch pump'sConsumerDispatchConcurrencyknob lives on theConnectionFactory(v7: also per-channel options), typically in another method or bound from configuration, so reports default to the config-gated DI022 Info tier; a constant knob above 1 in the containing type upgrades to the DI021 warning. Knob constants are recognized across integral types (RabbitMQ.Client v7 declares the property asushort), consumer types match by fully-qualified name, and all existing guardrails apply (in-handler scopes,IDbContextFactory<T>, inline creation, serialization guards, whitelisted captures). Instance-correlated factory→connection→channel→consumer tracing for sequential proofs remains a v2 target.Learn more
2.10.0
DependencyInjection.Lifetime.Analyzers 2.10.0
Compile-time DI diagnostics for
Microsoft.Extensions.DependencyInjectionprojects that want earlier feedback on lifetime bugs, scope leaks, service locator drift, and unresolvable registrations.Why install or upgrade
DbContextand derived contexts,DbConnection/DbCommand/DbTransaction/DbDataReaderand their interfaces,IDbContextTransaction,HttpContext) created or resolved once and captured via field, closure, or enclosing-method parameter into a handler a framework invokes concurrently. v1 sinks:ServiceBusProcessor/ServiceBusSessionProcessormessage and error handlers,EventProcessorClientevent handlers,System.Threading.Timercallbacks with a finite period,System.Timers.Timer.Elapsed, andParallel.For/ForEach/ForEachAsync/Invokebodies. Also detects resolution from a long-lived scope captured from outside the handler (the "movedGetRequiredServiceinside the lambda" loophole). Stays quiet for in-handler scopes,IDbContextFactory<T>, inline creation, proven-sequential configurations (MaxConcurrentCalls = 1,MaxConcurrentSessions = 1,MaxDegreeOfParallelism = 1, one-shot timers,AutoReset = false,SynchronizingObject), and handlers that serialize themselves (lock,SemaphoreSlimwait/finally-release,Interlocked/Monitor.TryEnterreentrancy guards, timer re-arm, disposable async-lock idiom). Scope-per-message frameworks (MassTransit, NServiceBus, Quartz, Hangfire, SignalR, Azure Functions) are deliberately not sinks.ServiceBusProcessor.MaxConcurrentCallsfrom configuration or default). Conditional wording: raising the knob above 1 makes it a concurrency crash, and even sequential dispatch accumulates state across all messages. Proven> 1upgrades to DI021; proven== 1is silent.await using var scope = _scopeFactory.CreateAsyncScope();(or the syncCreateScopeform for synchronous delegates, converting expression-bodied lambdas to blocks), re-resolves the service from the new scope, plumbsIServiceScopeFactorythrough the constructor when no factory field exists, and removes the captured field, its constructor assignment, and the feeding parameter when the handler was their only consumer. Refuses safely for static handlers, scope-resolution diagnostics, and types without a declared constructor.Install
What changed
Added
DbContextand derived contexts,DbConnection/DbCommand/DbTransaction/DbDataReaderand their interfaces,IDbContextTransaction,HttpContext) created or resolved once and captured via field, closure, or enclosing-method parameter into a handler a framework invokes concurrently. v1 sinks:ServiceBusProcessor/ServiceBusSessionProcessormessage and error handlers,EventProcessorClientevent handlers,System.Threading.Timercallbacks with a finite period,System.Timers.Timer.Elapsed, andParallel.For/ForEach/ForEachAsync/Invokebodies. Also detects resolution from a long-lived scope captured from outside the handler (the "movedGetRequiredServiceinside the lambda" loophole). Stays quiet for in-handler scopes,IDbContextFactory<T>, inline creation, proven-sequential configurations (MaxConcurrentCalls = 1,MaxConcurrentSessions = 1,MaxDegreeOfParallelism = 1, one-shot timers,AutoReset = false,SynchronizingObject), and handlers that serialize themselves (lock,SemaphoreSlimwait/finally-release,Interlocked/Monitor.TryEnterreentrancy guards, timer re-arm, disposable async-lock idiom). Scope-per-message frameworks (MassTransit, NServiceBus, Quartz, Hangfire, SignalR, Azure Functions) are deliberately not sinks.ServiceBusProcessor.MaxConcurrentCallsfrom configuration or default). Conditional wording: raising the knob above 1 makes it a concurrency crash, and even sequential dispatch accumulates state across all messages. Proven> 1upgrades to DI021; proven== 1is silent.await using var scope = _scopeFactory.CreateAsyncScope();(or the syncCreateScopeform for synchronous delegates, converting expression-bodied lambdas to blocks), re-resolves the service from the new scope, plumbsIServiceScopeFactorythrough the constructor when no factory field exists, and removes the captured field, its constructor assignment, and the feeding parameter when the handler was their only consumer. Refuses safely for static handlers, scope-resolution diagnostics, and types without a declared constructor.Learn more
2.9.6
DependencyInjection.Lifetime.Analyzers 2.9.6
Compile-time DI diagnostics for
Microsoft.Extensions.DependencyInjectionprojects that want earlier feedback on lifetime bugs, scope leaks, service locator drift, and unresolvable registrations.Why install or upgrade
BuildServiceProvider()results as disposed or caller-owned when appropriate — including combinations with conditional-access creations such as(services?.BuildServiceProvider())!. Flows that pass the result through a user-defined conversion (explicit or implicit operator) or an unproven downcast ((Wrapper)(object)..., downcast from an interface) still report, because they are not proven to hand the root provider itself to the disposal or return site.Install
What changed
Changed
BuildServiceProvider()results as disposed or caller-owned when appropriate — including combinations with conditional-access creations such as(services?.BuildServiceProvider())!. Flows that pass the result through a user-defined conversion (explicit or implicit operator) or an unproven downcast ((Wrapper)(object)..., downcast from an interface) still report, because they are not proven to hand the root provider itself to the disposal or return site.Learn more
2.9.5
DependencyInjection.Lifetime.Analyzers 2.9.5
Compile-time DI diagnostics for
Microsoft.Extensions.DependencyInjectionprojects that want earlier feedback on lifetime bugs, scope leaks, service locator drift, and unresolvable registrations.Why install or upgrade
service = scope?.ServiceProvider.GetRequiredService<T>();inside ausingblock is recognized and a later use after the scope is disposed reports as it does for the plain form. Chainedscope?.ServiceProvider?.GetRequiredService<T>()resolutions and scopes created withusing (var scope = factory?.CreateScope())(declaration, using-statement, predeclared, and reassignment forms) participate too. Conditional resolutions consumed inside the scope stay quiet. Conditional uses after dispose (service?.DoWork()) were already covered.Install
What changed
Changed
service = scope?.ServiceProvider.GetRequiredService<T>();inside ausingblock is recognized and a later use after the scope is disposed reports as it does for the plain form. Chainedscope?.ServiceProvider?.GetRequiredService<T>()resolutions and scopes created withusing (var scope = factory?.CreateScope())(declaration, using-statement, predeclared, and reassignment forms) participate too. Conditional resolutions consumed inside the scope stay quiet. Conditional uses after dispose (service?.DoWork()) were already covered.Learn more
2.9.4
DependencyInjection.Lifetime.Analyzers 2.9.4
Compile-time DI diagnostics for
Microsoft.Extensions.DependencyInjectionprojects that want earlier feedback on lifetime bugs, scope leaks, service locator drift, and unresolvable registrations.Why install or upgrade
return scope?.ServiceProvider.GetRequiredService<T>();, chainedscope?.ServiceProvider?.GetRequiredService<T>(), field captures_field = scope?.ServiceProvider.GetRequiredService<T>();, and locals resolved throughscope?.ServiceProvider...that later escape were all silent, because resolution recognition required a plainMemberAccessExpressionSyntaxreceiver and the consumption-shape checks matched the invocation's direct parent. The analyzer now resolves the provider receiver throughMemberBindingExpressionSyntax/ConditionalAccessExpressionSyntaxshapes (includingusing var scope = factory?.CreateScope();creations) and classifies consumption from the outermost enclosing conditional access. Transient resolutions and locally-consumed services through the same shapes stay quiet.Install
What changed
Changed
return scope?.ServiceProvider.GetRequiredService<T>();, chainedscope?.ServiceProvider?.GetRequiredService<T>(), field captures_field = scope?.ServiceProvider.GetRequiredService<T>();, and locals resolved throughscope?.ServiceProvider...that later escape were all silent, because resolution recognition required a plainMemberAccessExpressionSyntaxreceiver and the consumption-shape checks matched the invocation's direct parent. The analyzer now resolves the provider receiver throughMemberBindingExpressionSyntax/ConditionalAccessExpressionSyntaxshapes (includingusing var scope = factory?.CreateScope();creations) and classifies consumption from the outermost enclosing conditional access. Transient resolutions and locally-consumed services through the same shapes stay quiet.Learn more
2.9.3
DependencyInjection.Lifetime.Analyzers 2.9.3
Compile-time DI diagnostics for
Microsoft.Extensions.DependencyInjectionprojects that want earlier feedback on lifetime bugs, scope leaks, service locator drift, and unresolvable registrations.Why install or upgrade
services?.BuildServiceProvider()) that are in fact handled. As with DI001 in 2.9.2, the consumption-shape checks matched the invocation's direct parent, sovar provider = services?.BuildServiceProvider();with a laterprovider?.Dispose()(includingfinallycleanup and predeclared reassignment),return services?.BuildServiceProvider();, and arrow-bodied returns all produced false positives. The analyzer now resolves the enclosingConditionalAccessExpressionSyntaxbefore matching initializer/assignment/return/arrow parents. Undisposed conditional-access creations still report, andusing var provider = services?.BuildServiceProvider();stays quiet as before.using/await usingrewrite for conditional-access creations. The rewrite stays valid for that shape because the local is a nullable reference type (ServiceProviderimplements bothIDisposableandIAsyncDisposable, andusingaccepts null values).Install
What changed
Changed
services?.BuildServiceProvider()) that are in fact handled. As with DI001 in 2.9.2, the consumption-shape checks matched the invocation's direct parent, sovar provider = services?.BuildServiceProvider();with a laterprovider?.Dispose()(includingfinallycleanup and predeclared reassignment),return services?.BuildServiceProvider();, and arrow-bodied returns all produced false positives. The analyzer now resolves the enclosingConditionalAccessExpressionSyntaxbefore matching initializer/assignment/return/arrow parents. Undisposed conditional-access creations still report, andusing var provider = services?.BuildServiceProvider();stays quiet as before.using/await usingrewrite for conditional-access creations. The rewrite stays valid for that shape because the local is a nullable reference type (ServiceProviderimplements bothIDisposableandIAsyncDisposable, andusingaccepts null values).Learn more
2.9.2
DependencyInjection.Lifetime.Analyzers 2.9.2
Compile-time DI diagnostics for
Microsoft.Extensions.DependencyInjectionprojects that want earlier feedback on lifetime bugs, scope leaks, service locator drift, and unresolvable registrations.Why install or upgrade
_provider?.CreateScope()) that are in fact handled. The consumption-shape checks (IsReturned, explicit-disposal local extraction) previously matched the invocation's direct parent, but a conditional-access creation hangs the initializer/assignment/return/arrow shape off the enclosingConditionalAccessExpressionSyntax, sovar scope = _provider?.CreateScope();with a laterscope?.Dispose()(includingfinallycleanup and predeclared reassignment),return _provider?.CreateScope();, and arrow-bodied=> _provider?.CreateScope()all produced false positives. Undisposed conditional-access creations still report, andusing var scope = _provider?.CreateScope();stays quiet as before.factory?.CreateAsyncScope()produces a nullableAsyncServiceScope(aNullable<T>with noDisposeAsync), so the rewrite could not compile; the plain "Add 'using'" fix remains available and valid for that shape because the scope local is a nullable reference type.Install
What changed
Changed
_provider?.CreateScope()) that are in fact handled. The consumption-shape checks (IsReturned, explicit-disposal local extraction) previously matched the invocation's direct parent, but a conditional-access creation hangs the initializer/assignment/return/arrow shape off the enclosingConditionalAccessExpressionSyntax, sovar scope = _provider?.CreateScope();with a laterscope?.Dispose()(includingfinallycleanup and predeclared reassignment),return _provider?.CreateScope();, and arrow-bodied=> _provider?.CreateScope()all produced false positives. Undisposed conditional-access creations still report, andusing var scope = _provider?.CreateScope();stays quiet as before.factory?.CreateAsyncScope()produces a nullableAsyncServiceScope(aNullable<T>with noDisposeAsync), so the rewrite could not compile; the plain "Add 'using'" fix remains available and valid for that shape because the scope local is a nullable reference type.Learn more
2.9.1
DependencyInjection.Lifetime.Analyzers 2.9.1
Compile-time DI diagnostics for
Microsoft.Extensions.DependencyInjectionprojects that want earlier feedback on lifetime bugs, scope leaks, service locator drift, and unresolvable registrations.Why install or upgrade
host?.Services.GetRequiredService<T>()the analyzer classified the conditional-access receiverhost(never a known root provider) instead of the.Servicesmember binding, so scoped resolutions throughhost?.Services..., chainedapp?.Services?..., and local aliases such asvar rootServices = app?.Services;were silently missed. Known root-provider properties (Services,ApplicationServices,ServiceProvider) and known scoped-provider properties (RequestServices, scopeServiceProvider) are now recognised when they appear as aMemberBindingExpressionSyntax, with the owner resolved from the enclosingConditionalAccessExpressionSyntax. The scoped-provider recognition keepshttpContext?.RequestServices...andscope?.ServiceProvider...quiet inside singleton implementations now that the receiver reorder makes those shapes reachable.WhenNotNull(e.g.var s = host?.Services.GetRequiredService<T>();). Lifting that receiver intousing var scope = ....CreateScope();would have emitted a standalone member binding that does not compile, and the wrap would also have dropped the null-shortcut semantics.Install
What changed
Changed
host?.Services.GetRequiredService<T>()the analyzer classified the conditional-access receiverhost(never a known root provider) instead of the.Servicesmember binding, so scoped resolutions throughhost?.Services..., chainedapp?.Services?..., and local aliases such asvar rootServices = app?.Services;were silently missed. Known root-provider properties (Services,ApplicationServices,ServiceProvider) and known scoped-provider properties (RequestServices, scopeServiceProvider) are now recognised when they appear as aMemberBindingExpressionSyntax, with the owner resolved from the enclosingConditionalAccessExpressionSyntax. The scoped-provider recognition keepshttpContext?.RequestServices...andscope?.ServiceProvider...quiet inside singleton implementations now that the receiver reorder makes those shapes reachable.WhenNotNull(e.g.var s = host?.Services.GetRequiredService<T>();). Lifting that receiver intousing var scope = ....CreateScope();would have emitted a standalone member binding that does not compile, and the wrap would also have dropped the null-shortcut semantics.Learn more
Commits viewable in compare view.
Updated Microsoft.Extensions.Http.Polly from 9.0.0 to 9.0.17.
Release notes
Sourced from Microsoft.Extensions.Http.Polly's releases.
9.0.17
Release
What's Changed
Full Changelog: dotnet/aspnetcore@v9.0.16...v9.0.17
9.0.16
Release
What's Changed
73a63eatod72f9c8by @dependabot[bot] in [release/9.0] (deps): Bump src/submodules/googletest from73a63eatod72f9c8dotnet/aspnetcore#66088Full Changelog: dotnet/aspnetcore@v9.0.15...v9.0.16
9.0.15
Release
What's Changed
56efe39to73a63eaby @dependabot[bot] in [release/9.0] (deps): Bump src/submodules/googletest from56efe39to73a63eadotnet/aspnetcore#65587Full Changelog: dotnet/aspnetcore@v9.0.14...v9.0.15
9.0.14
Release
What's Changed
9156d4cto56efe39by @dependabot[bot] in [release/9.0] (deps): Bump src/submodules/googletest from9156d4cto56efe39dotnet/aspnetcore#65290Full Changelog: dotnet/aspnetcore@v9.0.13...v9.0.14
9.0.13
Release
What's Changed
1b96fa1to9156d4cby @dependabot[bot] in [release/9.0] (deps): Bump src/submodules/googletest from1b96fa1to9156d4cdotnet/aspnetcore#64908Full Changelog: dotnet/aspnetcore@v9.0.12...v9.0.13)
9.0.12
Release
What's Changed
Microsoft.Buildversions to 17.8.43 by @MackinnonBuck in UpdateMicrosoft.Buildversions to 17.8.43 dotnet/aspnetcore#642779706f75to6ec14dfby @dependabot[bot] in [release/9.0] (deps): Bump src/submodules/googletest from9706f75to6ec14dfdotnet/aspnetcore#642306ec14dfto1b96fa1by @dependabot[bot] in [release/9.0] (deps): Bump src/submodules/googletest from6ec14dfto1b96fa1dotnet/aspnetcore#64580Full Changelog: dotnet/aspnetcore@v9.0.11...v9.0.12
9.0.11
Release
What's Changed
eb2d85eto9706f75by @dependabot[bot] in [release/9.0] (deps): Bump src/submodules/googletest fromeb2d85eto9706f75dotnet/aspnetcore#63894Full Changelog: dotnet/aspnetcore@v9.0.10...v9.0.11
9.0.10
Release
What's Changed
373af2etoeb2d85eby @dependabot[bot] in [release/9.0] (deps): Bump src/submodules/googletest from373af2etoeb2d85edotnet/aspnetcore#63501RadioButtonGetsResetAfterSubmittingEnhancedFormby @ilonatommy in UnquarantineRadioButtonGetsResetAfterSubmittingEnhancedFormdotnet/aspnetcore#63556Full Changelog: dotnet/aspnetcore@v9.0.9...v9.0.10
9.0.9
Release
What's Changed
c67de11to373af2eby @dependabot[bot] in [release/9.0] (deps): Bump src/submodules/googletest fromc67de11to373af2edotnet/aspnetcore#63035Full Changelog: dotnet/aspnetcore@v9.0.8...v9.0.9
9.0.7
Release
What's Changed
04ee1b4toe9092b1by @dependabot in [release/9.0] (deps): Bump src/submodules/googletest from04ee1b4toe9092b1dotnet/aspnetcore#62199Full Changelog: dotnet/aspnetcore@v9.0.6...v9.0.7
9.0.6
Bug Fixes
The Forwarded Headers Middleware now ignores
X-Forwarded-Headerssent from unknown proxies. This change improves security by ensuring that only trusted proxies can influence forwarded header values, preventing potential spoofing or misrouting issues.Dependency Updates
52204f7to04ee1b4(#61762)Updates the GoogleTest submodule to a newer commit, bringing in the latest improvements and bug fixes from the upstream project.
Updates internal build and infrastructure dependencies from the dotnet/arcade repository, ensuring compatibility and access to the latest build tools.
Refreshes dependencies from the dotnet/extensions repository, incorporating the latest features and fixes from the extensions libraries.
Further updates dependencies from dotnet/extensions, ensuring the project benefits from recent improvements and bug fixes.
Additional updates to build and infrastructure dependencies from dotnet/arcade, maintaining up-to-date tooling and build processes.
Miscellaneous
Updates the project version and branding to 9.0.6, reflecting the new release and ensuring version consistency across the codebase.
Incorporates various internal commits into the release/9.0 branch, ensuring that all relevant changes are included in this release.
This summary is generated and may contain inaccuracies. For complete details, please review the linked pull requests.
Full Changelog: v9.0.5...v9.0.6
9....
Description has been truncated