Skip to content

Bump the nuget-minor-patch group with 14 updates#99

Merged
andregoepel merged 2 commits into
mainfrom
dependabot/nuget/nuget-minor-patch-614f212775
Jul 18, 2026
Merged

Bump the nuget-minor-patch group with 14 updates#99
andregoepel merged 2 commits into
mainfrom
dependabot/nuget/nuget-minor-patch-614f212775

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 18, 2026

Copy link
Copy Markdown
Contributor

Updated AndreGoepel.Design.Blazor from 1.0.2 to 1.0.3.

Release notes

Sourced from AndreGoepel.Design.Blazor's releases.

1.0.3

What's Changed

Full Changelog: andregoepel/design-blazor@v1.0.2...v1.0.3

Commits viewable in compare view.

Updated Marten from 9.14.1 to 9.16.0.

Release notes

Sourced from Marten's releases.

9.16.0

Lot of CritterWatch, couple bug fixes too

What's Changed

Full Changelog: JasperFx/marten@v9.15.4...V9.16.0

9.15.4

What's Changed

New Contributors

Full Changelog: JasperFx/marten@v9.15.3...v9.15.4

9.15.3

This addresses a potential vulnerability from SQL injection via non-string constant in a LINQ Select projection

Not a common usage, but still.

What's Changed

Full Changelog: JasperFx/marten@9.15.2...v9.15.3

9.15.2

Marten 9.15.2

A patch release. Both fixes come out of the same 512-tenant-database production deployment, reported by @​erdtsieck, and both turned out to be worse than the reports described.

Bulk event insert ran a full schema apply on every batch

#​4946fixed in #​4949

The batch BulkInsertEventsAsync overloads opened with Storage.ApplyAllConfiguredChangesToDatabaseAsync() on every call.

That is not a cheap check. It calls Tenancy.BuildDatabases() and runs a full schema delta — partition introspection plus information_schema sweeps — across every database in the store. So a sharded store paid one apply per database, per batch. On the reporting deployment, each ~1,000-event batch was triggering 512 schema applies.

The measured effect: import throughput collapsed to ~17 events/s, against >3,000/s for the streaming overload. A 686k-event tenant projected to roughly 11 hours. The connection pool filled with ~370 backends whose last statement was Weasel's partition-introspection query, which fed directly into the server-wide connection pressure that deployment was already fighting.

That the streaming overload BulkInsertEventStreamAsync has no such call and is fine is the tell: the schema apply was never part of the contract. It was a leftover.

The apply is now:

  • skipped entirely when the effective AutoCreate is None — it is a no-op there by contract, so all that remained was the introspection cost; and
  • otherwise run at most once per database the import actually touches, memoized on IMartenDatabase.Identifier.

One subtlety worth recording, because it is the kind of thing that bites later: the memoized apply deliberately does not take a caller's CancellationToken. The first caller to arrive owns the single in-flight task that every concurrent caller for that database awaits — so binding that shared task to one caller's token would let a single cancelled batch fail sibling batches that were never cancelled. Each caller applies its own token at the await site instead. A schema apply is short and idempotent, so letting it run to completion is the cheaper trade.

Under AutoCreate.None, the event storage must already exist before import. That is the documented contract and it matches the streaming overload — but if you were previously relying on the per-call apply to create it for you under a non-None store, note the change.

The document bulk-insert path (BulkInsertAsync / BulkInsertDocumentsAsync) is unaffected. It routes through the ordinary per-feature EnsureStorageExistsAsync that Weasel already memoizes, not a full-store delta.

Tenant provisioning silently under-provisioned partitions

#​4944fixed in #​4950

AddPartitionToAllTables, and the tenant-provisioning paths built on it, walked the calling store's StoreOptions to decide which tables needed a list partition for a new tenant.

So any tool or host that provisions tenants from a store which doesn't register every document type silently under-provisioned. Document types unknown to the caller never got their partitions — and the tenant then failed with a Postgres 23514 check-constraint violation on first write to the missing partition. Nothing failed at provisioning time; the damage surfaced later, somewhere else.

The workaround was "the provisioning tool must register all document types," which re-creates schema knowledge in a second place and drifts as document types are added.

The sweep is now database-driven: it enumerates tenant list-partitioned tables from the Postgres catalog, so a partially-registered store still provisions every partitioned table it finds.

Scoping is enforced inside the catalog query rather than filtered in memory afterward:

  • Schema — the store's own AllSchemaNames() only. Foreign partitioned tables in a shared database are never touched.
  • Partition shape — LIST strategy, exactly one key column, and that column named tenant_id. This is the filter that matters most, and it is what keeps the sweep off Marten's own non-tenant list partitioning: UseArchivedStreamPartitioning keys mt_events on is_archived, and ByList() keys on its own field. Without it, a "helpful" sweep would start adding tenant partitions to tables partitioned on something else entirely.
  • External management — tables marked ByExternallyManagedListPartitions() are subtracted.

Opt out with SweepPartitionedTablesFromDatabase (default on). No Weasel change was required.

Known limitation, and it is a real one: a document type registered into a schema the calling store has never heard of stays invisible to the schema filter — a store cannot own a schema it does not know exists. Single-schema stores (the default, and the reporting deployment's shape) are fully covered. Closing this properly would need a persisted table list alongside mt_tenant_partitions.


... (truncated)

9.15.1

Patch release for a silent data-correctness regression. If you use ForTenant() on an identity-mapped or dirty-tracked session, upgrade.

Fixed

  • #​4947ForTenant() on an identity session stopped returning tenancy-neutral documents (reported by @​dervagabund, with a repro — thank you). A ForTenant() view of an identity- or dirty-tracked session no longer saw global (tenancy-neutral) documents tracked by the parent session. Since a global document has exactly one row per id for the whole database, LoadAsync through the ForTenant view missed the identity map, went to the database, and returned null for a document that is there. A silent wrong answer, not an error.

    Affected: 9.13.0, 9.14.x, 9.15.0. Introduced by the fix for #​4801, which tenant-scoped the identity map and version tracker for ForTenant sessions. That was correct for conjoined documents — where the same id means a different document per tenant — but it was applied per session rather than per document type, so it also isolated document types that are tenancy-neutral and must be shared.

    Sharing is now decided per document type. A nested ForTenant session shares the parent's identity-map and version-tracker entry for a type only when the storage is identity-mapped, the type is not Conjoined, and the nested session's database is the same instance as the parent's (under database-per-tenant, the same id in another tenant's database is a different document even for a tenancy-neutral type). The isolation introduced by #​4801 is preserved exactly — the Bug_4801 suite still passes, and the new tests include guard rails asserting conjoined documents stay isolated.

Full changelog: JasperFx/marten@9.15.0...9.15.1

9.15.0

Closed issues

  • #​4942 — sharded tenancy: auto-assign never repaired half-provisioned tenants (PR #​4945). findOrAssignTenantDatabaseAsync returned early on an existing assignment row, skipping createPartitionsForTenant + per-tenant event-sequence provisioning — so a tenant whose provisioning was interrupted (assignment committed, partitions missing) failed every write with 23514 forever. Both early-return paths (including a second race-window hole under the advisory lock) now run the same idempotent repair the explicit AddTenantToShardAsync(tenantId, databaseId) overload always ran, guarded to once per process per tenant via the resolution cache.
  • #​4941 — two-day silent projection outage (closed with full mapping). Root cause was #​4942; the invisibility was JasperFx/jasperfx#​506/#​507, fixed in JasperFx 2.27.0 which this release consumes.

Also in this release

  • Bundles the fixed JasperFx.Events.SourceGenerator analyzer (JasperFx/jasperfx#​505) — CS1061 compile break for no-parameterless-ctor aggregates with instance Apply returning the aggregate.
  • Follow-up enhancement filed as #​4944 (database-driven partition sweep via pg_inherits) for the #​4943 provisioning-tool scenario.

Verified against Wolverine (full solution + CoreTests/MartenTests/distribution/Http suites, zero failures) and CritterWatch before publishing. Thanks to @​erdtsieck for the dump-verified root-cause analysis.

Commits viewable in compare view.

Updated Microsoft.AspNetCore.HeaderPropagation from 10.0.9 to 10.0.10.

Release notes

Sourced from Microsoft.AspNetCore.HeaderPropagation's releases.

No release notes found for this version range.

Commits viewable in compare view.

Updated Microsoft.Extensions.Http.Resilience from 10.7.0 to 10.8.0.

Release notes

Sourced from Microsoft.Extensions.Http.Resilience's releases.

10.8.0

This release adds new experimental APIs to Microsoft.Extensions.AI.Abstractions and updates the OpenAI dependency to 2.12.0, alongside documentation, test, and repository maintenance.

Experimental API Changes

New Experimental APIs

  • New experimental API: AIFunctionNameAttribute and AIParameterNameAttribute #​7610 by @​jozkee (co-authored by @​jeffhandley @​Copilot)
  • New experimental API: ToolApprovalRequestContent.RequiresConfirmation (MEAI001) #​7549 by @​javiercn (co-authored by @​Copilot)

What's Changed

AI

  • Upgrade OpenAI dependency to 2.12.0 #​7608 by @​jozkee (co-authored by @​Copilot)
  • Auto-detect audio format in OpenAISpeechToTextClient #​7575 by @​jozkee (co-authored by @​Copilot)
  • Fix ImageGeneratingChatClient duplicating preceding content and dropping following content #​7624 by @​jozkee (co-authored by @​Copilot)

Vector Data

  • Make all test methods virtual in VectorData.ConformanceTests #​7606 by @​adamsitnik (co-authored by @​Copilot)

Documentation Updates

  • Remove links to ai-samples repo #​7574 by @​gewarren
  • Fix up docs with Copilot (MEVD) #​7597 by @​gewarren
  • Fix up docs with Copilot (M.E.ServiceDiscovery) #​7598 by @​gewarren (co-authored by @​Copilot)
  • Fix up docs with Copilot (MEAI) #​7600 by @​gewarren
  • Fix up docs with Copilot #​7601 by @​gewarren

Test Improvements

  • Fix flaky StampedeTests and harden related test waits #​7572 by @​jeffhandley (co-authored by @​Copilot)
  • Fix SQLitePCLRaw.lib.e_sqlite3 vulnerability by replacing SemanticKernel connectors with CommunityToolkit #​7579 by @​adamsitnik (co-authored by @​Copilot)
  • Removing SemanticKernel Connectors dependency and replacing it #​7584 by @​adamsitnik (co-authored by @​Copilot)
  • Migrate to xUnit v3 #​7607 by @​adamsitnik (co-authored by @​shyamnamboodiripad @​Copilot)

Repository Infrastructure Updates

  • Update OTel GenAI conventions skill for standalone semconv-genai repo #​7519 by @​jeffhandley (co-authored by @​Copilot)
  • Bump dotnet-coverage from 18.7.0 to 18.8.0 #​7552
  • [main] Update dependencies from dotnet/arcade #​7559
  • Fix transitive MessagePack vulnerability in AI template AppHost projects #​7561 by @​adamsitnik (co-authored by @​Copilot)
  • Bump esbuild, @​vitejs/plugin-react and vite in /src/Libraries/Microsoft.Extensions.AI.Evaluation.Reporting/TypeScript #​7564
  • Bump tmp from 0.2.6 to 0.2.7 in /src/Libraries/Microsoft.Extensions.AI.Evaluation.Reporting/TypeScript #​7569
  • Bump js-yaml from 4.1.1 to 4.2.0 in /src/Libraries/Microsoft.Extensions.AI.Evaluation.Reporting/TypeScript #​7570
  • Bump PowerShell from 7.6.2 to 7.6.3 #​7576
  • Remove duplicate 'WebAPI' classification from template #​7577 by @​danroth27
  • [main] Update dependencies from dotnet/arcade #​7590
  • Eliminate redundant Correctness CI stage by merging into Build #​7594 by @​adamsitnik (co-authored by @​Copilot)
  • Update Agent Framework to 1.13.0 #​7613 by @​jeffhandley (co-authored by @​Copilot)
    ... (truncated)

Commits viewable in compare view.

Updated Microsoft.Extensions.ServiceDiscovery from 10.7.0 to 10.8.0.

Release notes

Sourced from Microsoft.Extensions.ServiceDiscovery's releases.

10.8.0

This release adds new experimental APIs to Microsoft.Extensions.AI.Abstractions and updates the OpenAI dependency to 2.12.0, alongside documentation, test, and repository maintenance.

Experimental API Changes

New Experimental APIs

  • New experimental API: AIFunctionNameAttribute and AIParameterNameAttribute #​7610 by @​jozkee (co-authored by @​jeffhandley @​Copilot)
  • New experimental API: ToolApprovalRequestContent.RequiresConfirmation (MEAI001) #​7549 by @​javiercn (co-authored by @​Copilot)

What's Changed

AI

  • Upgrade OpenAI dependency to 2.12.0 #​7608 by @​jozkee (co-authored by @​Copilot)
  • Auto-detect audio format in OpenAISpeechToTextClient #​7575 by @​jozkee (co-authored by @​Copilot)
  • Fix ImageGeneratingChatClient duplicating preceding content and dropping following content #​7624 by @​jozkee (co-authored by @​Copilot)

Vector Data

  • Make all test methods virtual in VectorData.ConformanceTests #​7606 by @​adamsitnik (co-authored by @​Copilot)

Documentation Updates

  • Remove links to ai-samples repo #​7574 by @​gewarren
  • Fix up docs with Copilot (MEVD) #​7597 by @​gewarren
  • Fix up docs with Copilot (M.E.ServiceDiscovery) #​7598 by @​gewarren (co-authored by @​Copilot)
  • Fix up docs with Copilot (MEAI) #​7600 by @​gewarren
  • Fix up docs with Copilot #​7601 by @​gewarren

Test Improvements

  • Fix flaky StampedeTests and harden related test waits #​7572 by @​jeffhandley (co-authored by @​Copilot)
  • Fix SQLitePCLRaw.lib.e_sqlite3 vulnerability by replacing SemanticKernel connectors with CommunityToolkit #​7579 by @​adamsitnik (co-authored by @​Copilot)
  • Removing SemanticKernel Connectors dependency and replacing it #​7584 by @​adamsitnik (co-authored by @​Copilot)
  • Migrate to xUnit v3 #​7607 by @​adamsitnik (co-authored by @​shyamnamboodiripad @​Copilot)

Repository Infrastructure Updates

  • Update OTel GenAI conventions skill for standalone semconv-genai repo #​7519 by @​jeffhandley (co-authored by @​Copilot)
  • Bump dotnet-coverage from 18.7.0 to 18.8.0 #​7552
  • [main] Update dependencies from dotnet/arcade #​7559
  • Fix transitive MessagePack vulnerability in AI template AppHost projects #​7561 by @​adamsitnik (co-authored by @​Copilot)
  • Bump esbuild, @​vitejs/plugin-react and vite in /src/Libraries/Microsoft.Extensions.AI.Evaluation.Reporting/TypeScript #​7564
  • Bump tmp from 0.2.6 to 0.2.7 in /src/Libraries/Microsoft.Extensions.AI.Evaluation.Reporting/TypeScript #​7569
  • Bump js-yaml from 4.1.1 to 4.2.0 in /src/Libraries/Microsoft.Extensions.AI.Evaluation.Reporting/TypeScript #​7570
  • Bump PowerShell from 7.6.2 to 7.6.3 #​7576
  • Remove duplicate 'WebAPI' classification from template #​7577 by @​danroth27
  • [main] Update dependencies from dotnet/arcade #​7590
  • Eliminate redundant Correctness CI stage by merging into Build #​7594 by @​adamsitnik (co-authored by @​Copilot)
  • Update Agent Framework to 1.13.0 #​7613 by @​jeffhandley (co-authored by @​Copilot)
    ... (truncated)

Commits viewable in compare view.

Updated Microsoft.NET.Test.Sdk from 18.7.0 to 18.8.1.

Release notes

Sourced from Microsoft.NET.Test.Sdk's releases.

18.8.1

What's Changed

Full Changelog: microsoft/vstest@v18.8.0...v18.8.1

18.8.0

What's Changed

Full Changelog: microsoft/vstest@v18.7.0...v18.8.0

Commits viewable in compare view.

Updated OpenTelemetry.Exporter.OpenTelemetryProtocol from 1.16.0 to 1.17.0.

Release notes

Sourced from OpenTelemetry.Exporter.OpenTelemetryProtocol's releases.

1.17.0

For highlights and announcements pertaining to this release see: Release Notes > 1.17.0.

The following changes are from the previous release 1.17.0-rc.1.

... (truncated)

1.17.0-rc.1

The following changes are from the previous release 1.16.0.

  • NuGet: OpenTelemetry v1.17.0-rc.1

    • Fixed a metric point reclaim data race on CPU ARM architectures.
      (#​7401)

    • The library is now marked as trim and AOT compatible.
      (#​7441)

    • Replaced the vendored copy of
      EnvironmentVariablesConfigurationProvider with a direct
      Microsoft.Extensions.Configuration.EnvironmentVariables package dependency.
      Consumers gain automatic pickup of upstream bug fixes and security patches;
      no public API or behavioural change.
      (#​7146)

    • Added a verbose OpenTelemetry-Sdk self-diagnostics event that is emitted
      when an activity is dropped because its local (in-process) parent is not
      recorded.
      (#​7427)

    • Added support for a Schema URL on Resource instances.
      (#​7472)

    • Fixed a metric storage leak that occurred when meters and instruments were
      repeatedly created and disposed.
      (#​7466)

    • Added ExcludedTagKeys property to MetricStreamConfiguration to support
      excluding specific tag keys from metric streams.
      (#​7373)

    See CHANGELOG for details.

  • NuGet: OpenTelemetry.Api v1.17.0-rc.1

    • Fixed TraceContextPropagator to normalize empty tracestate header values
      to null when extracting trace context.
      (#​7407,
      #​7433)

    • The library is now marked as trim and AOT compatible.
      (#​7441)

    • Experimental (pre-release builds only): Updated EnvironmentVariableCarrier.Get
      to read only the normalized environment variable name, following the updated
      environment variable carrier specification.
      Non-normalized carrier keys are no longer matched, even when they would
      normalize to the requested key.
      ... (truncated)

1.17.0-beta.1

The following changes are from the previous release 1.16.0-beta.1.

  • NuGet: OpenTelemetry.Exporter.Prometheus.AspNetCore v1.17.0-beta.1

    • Added a verbose-level diagnostic event for ignored metrics.
      (#​7429)

    • The library is now marked as trim and AOT compatible.
      (#​7441)

    • Fix double unit suffixes in metric names when using OpenMetrics.
      (#​7454)

    • Fix incorrect handling of leading digits in metric names for OpenMetrics.
      (#​7454)

    • Add PrometheusAspNetCoreOptions.ScopeInfoEnabled property to enable or
      disable scope labels in Prometheus metrics. Defaults to true.
      (#​7436)

    • Added support for the dots and values Prometheus UTF-8 name escaping
      schemes when negotiated via the Accept header.
      (#​7439)

    • Add PrometheusAspNetCoreOptions.TargetInfoEnabled property to enable or
      disable the target_info metric in Prometheus metrics. Defaults to true.
      (#​7438)

    • Added support for the allow-utf-8 Prometheus UTF-8 name escaping scheme
      when negotiated via the Accept header.
      (#​7440)

    • Add PrometheusAspNetCoreOptions.ResourceConstantLabels property to select
      resource attributes to add to each metric as constant labels. Defaults to
      null (no resource attributes are added as metric labels).
      (#​7471)

    • Add PrometheusAspNetCoreOptions.MaxScrapeResponseSizeBytes to configure
      the maximum size of a scrape response. The default is now ~166 MiB.
      (#​7487)

    • A scrape whose serialized output exceeds the maximum scrape response size
      limit now responds with HTTP 500.
      (#​7487)

    • Fixed the Prometheus text exposition format emitting redundant comments.
      (#​7491)

    • Made Accept header content negotiation consistent with the
      PrometheusHttpListener endpoint.
      ... (truncated)

Commits viewable in compare view.

Updated OpenTelemetry.Extensions.Hosting from 1.16.0 to 1.17.0.

Release notes

Sourced from OpenTelemetry.Extensions.Hosting's releases.

1.17.0

For highlights and announcements pertaining to this release see: Release Notes > 1.17.0.

The following changes are from the previous release 1.17.0-rc.1.

... (truncated)

1.17.0-rc.1

The following changes are from the previous release 1.16.0.

  • NuGet: OpenTelemetry v1.17.0-rc.1

    • Fixed a metric point reclaim data race on CPU ARM architectures.
      (#​7401)

    • The library is now marked as trim and AOT compatible.
      (#​7441)

    • Replaced the vendored copy of
      EnvironmentVariablesConfigurationProvider with a direct
      Microsoft.Extensions.Configuration.EnvironmentVariables package dependency.
      Consumers gain automatic pickup of upstream bug fixes and security patches;
      no public API or behavioural change.
      (#​7146)

    • Added a verbose OpenTelemetry-Sdk self-diagnostics event that is emitted
      when an activity is dropped because its local (in-process) parent is not
      recorded.
      (#​7427)

    • Added support for a Schema URL on Resource instances.
      (#​7472)

    • Fixed a metric storage leak that occurred when meters and instruments were
      repeatedly created and disposed.
      (#​7466)

    • Added ExcludedTagKeys property to MetricStreamConfiguration to support
      excluding specific tag keys from metric streams.
      (#​7373)

    See CHANGELOG for details.

  • NuGet: OpenTelemetry.Api v1.17.0-rc.1

    • Fixed TraceContextPropagator to normalize empty tracestate header values
      to null when extracting trace context.
      (#​7407,
      #​7433)

    • The library is now marked as trim and AOT compatible.
      (#​7441)

    • Experimental (pre-release builds only): Updated EnvironmentVariableCarrier.Get
      to read only the normalized environment variable name, following the updated
      environment variable carrier specification.
      Non-normalized carrier keys are no longer matched, even when they would
      normalize to the requested key.
      ... (truncated)

1.17.0-beta.1

The following changes are from the previous release 1.16.0-beta.1.

  • NuGet: OpenTelemetry.Exporter.Prometheus.AspNetCore v1.17.0-beta.1

    • Added a verbose-level diagnostic event for ignored metrics.
      (#​7429)

    • The library is now marked as trim and AOT compatible.
      (#​7441)

    • Fix double unit suffixes in metric names when using OpenMetrics.
      (#​7454)

    • Fix incorrect handling of leading digits in metric names for OpenMetrics.
      (#​7454)

    • Add PrometheusAspNetCoreOptions.ScopeInfoEnabled property to enable or
      disable scope labels in Prometheus metrics. Defaults to true.
      (#​7436)

    • Added support for the dots and values Prometheus UTF-8 name escaping
      schemes when negotiated via the Accept header.
      (#​7439)

    • Add PrometheusAspNetCoreOptions.TargetInfoEnabled property to enable or
      disable the target_info metric in Prometheus metrics. Defaults to true.
      (#​7438)

    • Added support for the allow-utf-8 Prometheus UTF-8 name escaping scheme
      when negotiated via the Accept header.
      (#​7440)

    • Add PrometheusAspNetCoreOptions.ResourceConstantLabels property to select
      resource attributes to add to each metric as constant labels. Defaults to
      null (no resource attributes are added as metric labels).
      (#​7471)

    • Add PrometheusAspNetCoreOptions.MaxScrapeResponseSizeBytes to configure
      the maximum size of a scrape response. The default is now ~166 MiB.
      (#​7487)

    • A scrape whose serialized output exceeds the maximum scrape response size
      limit now responds with HTTP 500.
      (#​7487)

    • Fixed the Prometheus text exposition format emitting redundant comments.
      (#​7491)

    • Made Accept header content negotiation consistent with the
      PrometheusHttpListener endpoint.
      ... (truncated)

Commits viewable in compare view.

Updated OpenTelemetry.Instrumentation.AspNetCore from 1.16.0 to 1.17.0.

Release notes

Sourced from OpenTelemetry.Instrumentation.AspNetCore's releases.

1.17.0

1.17.0-rc.1

1.17.0-beta.1

1.17.0-alpha.1

Commits viewable in compare view.

Updated OpenTelemetry.Instrumentation.Http from 1.16.0 to 1.17.0.

Release notes

Sourced from OpenTelemetry.Instrumentation.Http's releases.

1.17.0

1.17.0-rc.1

1.17.0-beta.1

1.17.0-alpha.1

Commits viewable in compare view.

Updated OpenTelemetry.Instrumentation.Runtime from 1.16.0 to 1.17.0.

Release notes

Sourced from OpenTelemetry.Instrumentation.Runtime's releases.

1.17.0

1.17.0-rc.1

1.17.0-beta.1

1.17.0-alpha.1

Commits viewable in compare view.

Updated Radzen.Blazor from 11.1.3 to 11.1.5.

Release notes

Sourced from Radzen.Blazor's releases.

11.1.5

11.1.5 - 2026-07-15

Improvements

  • RadzenScheduler view titles - new TitleFormat and TitleFormatter parameters on the scheduler views give full control over each view's title: a format string, or a formatter function for complete customization.

Fixes

  • RadzenSpreadsheet - reading an XLSX file with more than 100 rows or columns no longer throws "Row index is out of range". Each sheet is now sized from its actual used range instead of a fixed 100x100 grid.
  • RadzenColorPicker - no longer stuck in color-picking mode when a native browser drag interrupts dragging. Fixes #​2610.
  • JS interop - component create functions now return a no-op disposable instead of null when the element reference has already been released (component disposed, or navigation before OnAfterRenderAsync interop completes), avoiding "Cannot create a JSObjectReference from the value 'null'".

11.1.4

11.1.4 - 2026-07-13

Improvements

  • RadzenPivotDataGrid group limits — new MaxGroups and OthersLabel properties on RadzenPivotRow and RadzenPivotColumn limit the number of row or column groups displayed at each level. The most significant groups (ranked by the sorted aggregate or the first aggregate) are kept and the remaining items are combined into a single localizable "Others" group. Fixes #​2470.
  • RadzenChartRangeNavigator and RadzenRangeNavigator handle label formatting — new HandleLabelFormatter property accepts a formatter function (receiving a DateTime for date ranges or a double for numeric ranges) for full control over the handle labels, taking precedence over HandleLabelFormatString. Fixes #​2617.
  • RadzenDropDown, RadzenListBox and RadzenDropDownDataGrid loading stateIsLoading and LoadingTemplate are now available on DropDown and ListBox, and DropDownDataGrid forwards its LoadingTemplate to the inner DataGrid. Thanks to @​artnim!

Fixes

  • RadzenChart: fixed an infinite loop in the chart tooltip disposal that could permanently pin a CPU core when a chart tooltip was opened during prerendering (e.g. a sparkline with a data point near the top-left corner of the plot). Chart tooltips now open only in response to actual mouse interaction over the chart.
  • RadzenSplitter: the collapse and expand buttons no longer start a drag resize on pointer down. Fixes #​2616.

Commits viewable in compare view.

Updated WolverineFx.Marten from 6.17.1 to 6.20.0.

Release notes

Sourced from WolverineFx.Marten's releases.

6.20.0

Wolverine 6.20.0

Dependency upgrades (critter stack)

  • Marten 9.16.0, Polecat 5.2.0, JasperFx 2.29.0, Weasel 9.17.0 (aligned across the stack).

Multi-tenancy & connection footprint

  • Scope tenant scheduled-job polling to the owning node (GH-3376) — under Wolverine-managed distribution, nodes no longer open a scheduled-job polling connection to every tenant database; the footprint scales with databases, not nodes × databases. Plus daemon tracker-subscription leak hygiene.
  • Polecat primary-store database-per-tenant (GH-3445) — IntegrateWithWolverine() now honors a database-per-tenant Polecat store and reads MainDatabaseConnectionString.
  • DatabaseServerId sourced from DatabaseDescriptor.Port instead of re-parsing (jasperfx#​514).

CritterWatch / connection state

  • Degrade-only connection state for Azure Service Bus, GCP Pub/Sub (GH-3237) and Kafka (GH-3454) listeners — heuristics only degrade to Reconnecting/Disconnected from real SDK callbacks; they never synthesize Connected, and resting state is Unknown.

Kafka

  • Read record timestamps into SentAt and expose record headers on raw-JSON listeners (GH-3407).
  • JsonSerializerOptions on raw-JSON endpoints now actually applies; PublishRawJson mapper registration fixed.
  • Bounded the listener shutdown drain instead of awaiting forever (GH-3434).

Sagas

  • SagaConcurrencyException now inherits JasperFx.ConcurrencyException (GH-3444) — existing OnException<ConcurrencyException>() policies now catch saga concurrency failures.
  • Lightweight RDBMS saga provider treated as a catch-all so Marten/EF Core win precedence in mixed-storage hosts (GH-3443).

Other

  • Ancillary Marten store now registers the event-subscription family interface aliases (GH-3438).
  • F# code generation improvements (#​3437); TrackedSession not-tracked vs not-routed fix (#​3435).
  • Buffered circuit-breaker tests re-scoped to the transport's non-durable contract (GH-3137); durability docs corrections.

6.19.0

CosmosDB

  • Add optimistic concurrency (ETag compare-and-swap) to saga persistence (GH-3414) @​mysticmind
  • CosmosDbConfiguration.PartitionSagasById(): opt-in, saga id becomes the document partition key (GH-3415) @​mysticmind
  • Refuse a CosmosClient whose serializer would drop a saga's id at host start; document the camelCase requirement (GH-3416) @​mysticmind

HTTP / OpenAPI

  • Describe the whole route table on a pre-start ApiExplorer read; minimal API and MVC endpoints were silently omitted (GH-3421) @​mysticmind
  • Type a Marten/Polecat aggregate-id route parameter as uuid instead of falling back to string (GH-3420) @​mysticmind

Durability / persistence

  • Dead letter recovered envelopes whose transport can't be resolved, instead of losing the rest of the batch and rethrowing forever (GH-3413) @​mysticmind
  • Measure and surface per-server database connection budgets: OTel gauges + IWolverineObserver.ConnectionBudget (GH-3397) @​jeremydmiller

Test infrastructure only

  • Stop IntegrationContext from disposing a class fixture it doesn't own; pin ApplicationAssembly in the CoreTests harness (GH-3423) @​jeremydmiller
  • Give the modular monolith fixture its own message storage schema (GH-3413) @​mysticmind
  • Stop using_dynamic_multi_tenancy from poisoning its own next run @​mysticmind

Milestone: https://github.com/JasperFx/wolverine/issues?q=is%3Aissue%20state%3Aclosed%20milestone%3A6.19.0
Full Changelog: JasperFx/wolverine@V6.18.0...V6.19.0

6.18.0

Wolverine 6.18.0

A security-relevant serialization fix, a startup-fatal codegen fix, a silently-dead-listener fix in RabbitMQ, the first F# saga codegen support of any persistence provider, and the CI split that makes "merge when green" mean something again.

If you use MassTransit interop over a durable listener, take this release. See the first section.

⚠️ Security-relevant: reserved envelope headers could be spoofed through the durable inbox

#​3408fixed in #​3411

EnvelopeSerializer wrote the typed envelope properties to the wire format and then appended every Envelope.Headers entry verbatim, with no reserved-key filter — and the appended entries came last. Because the reader parses reserved keys straight back into typed properties, a Headers entry under a reserved key silently overwrote the real property on the next read.

A value in envelope.Headers["tenant-id"] is inert while the envelope is in memory. It stops being inert the moment the envelope crosses the serializer — any durable listener, the inbox/outbox, or the scheduled-message store:

  1. Something puts tenant-id into envelope.Headers.
  2. The durable inbox persists the envelope; the header is appended after the (null) typed property.
  3. On read back, env.TenantId is set from it.

saga-id reaches another saga's state, and id rewrites Envelope.Id — the inbox's dedupe identity.

This was live, not theoretical. MassTransitEnvelope.TransferData already copies every incoming MassTransit header into envelope.Headers unfiltered (and by assignment, not TryAdd). Any Wolverine app doing MassTransit interop over a durable listener has had this path open. If that describes you, this release is the one to take.

The fix filters reserved keys on the write side, so the typed property stays authoritative and a reserved key sitting in Headers becomes a no-op. causation-id is deliberately not filtered — DeliveryOptions intentionally carries it as a loose header for Wolverine.Marten's OutboxedSessionFactory, and it is never promoted by the reader.

Startup-fatal codegen fix

#​3399fixed in #​3406 — invalid generated class name for batched (array) message types. This one prevents the application from starting.

Fixes

  • #​3388 (#​3400) — refuse a competing Marten daemon under Wolverine-managed event subscription distribution. A DaemonMode.Solo/HotCold daemon alongside managed distribution is now an actionable startup exception instead of two schedulers quietly fighting over the same shards.
  • CritterWatch #​698 (#​3396) — IAgentRuntime.ApplyRestrictionsAsync persisted the restriction and then never dispatched the commands it computed, so pausing an agent had no immediate effect. Reported by @​erdtsieck against a live cluster.
  • #​3385 (#​3403) — a header-identified saga invoked over a gRPC hop failed with an opaque Internal status. It now returns an actionable diagnostic telling you to put the saga identity on the request DTO.
  • #​3398 (#​3404) — [AsParameters] now rejects unparseable values in collection query parameters, closing the gap left by the scalar fix in #​3372.
  • #​3365 (#​3412) — the Polecat primary IEventStore bridge registered twice, so GetServices<IEventStore>() returned the same store instance two times and anything iterating it double-counted. Polecat's own AddPolecat() had started registering IEventStore and Wolverine was still bridging it as well.
  • #​3391 (#​3419) — RabbitMQ: a successful eager channel restart never re-consumed. A callback-exception restart could leave an open channel with zero consumers while reporting State = Connected — a silently dead listener. The listener now defers to ReconnectedAsync(), which re-declares and re-consumes. Also pins the ConnectionMonitor tracking invariant that #​3370 fixed but nothing guarded.

OpenAPI

#​3380 (#​3418) — OpenAPI parameters are now derived from the full binding chain rather than the handler signature alone. Two real defects closed:

  • Query/header values bound only by an After/Finally postprocessor were omitted from the operation entirely.
  • Route parameter types were read off resolved binding variables, so they degraded to the route constraint (or string) whenever the description was assembled before those frames resolved — which is exactly the build-time OpenAPI / openapi CLI path, because ASP.NET caches the first ApiExplorer read.

More importantly, this ships the OpenAPI shape-test harness that was missing. Adding a shape assertion is now one endpoint plus one [Fact], which is why this class of omission kept shipping unnoticed.

New: Azure Service Bus emulator support

#​3366 (#​3409) — the docs told you to call UseAzureServiceBusTesting(), which only ever existed in Wolverine's own test suite. It is now a real, shipping API:

... (truncated)

6.17.3

Bug-fix and scale release, following the 6.17.2 community sweep. Every item below came from a community report or a review finding — thank you all.

Closed issues

  • #​3375 — durability metrics polling pinned a connection per database per node (PR #​3384 by @​erdtsieck). Each durability agent ran its own in-phase PeriodicTimer, so at high database counts the metrics polling itself became significant connection pressure. Agents now register their store with a node-wide sequential sweeper that walks the node's databases one at a time across the UpdateMetricsPeriod window — at most one metrics connection in flight per node, regardless of database count. The registration set is re-read every pass, so databases join and leave the sweep as agents start and stop without a restart.
  • #​3332 — CIAWS was disabled by a broken SNS per-tenant LocalStack setup (PR #​3364 by @​Steve-XYZ). Test-only; re-enables the AWS CI job. Partially addresses #​3350 (the CIPolecat half remains open).
  • RabbitMQ listeners ghosted after a broker restart on a channel callback exception (PR #​3370 by @​kconfesor). The agent stayed latched after a channel-only shutdown and was never rebuilt, so a listener came back "connected" but dead. Reviewed specifically against the #​3171/#​3187 channel-only-shutdown work to confirm it does not reintroduce the latched-Disconnected state that #​3187 fixed. Two follow-ups are tracked in #​3391.
  • ProductSupport#​33 — CritterWatch telemetry was caught by tracked-session waits (PR #​3390, reported by @​uniquelau). A monitored host publishes telemetry that a TrackedSession would pick up and then sit waiting on messages the test never sent. The default ignore rule now covers all of INotToBeRouted (agent commands and framework telemetry), with a deliberate carve-out for Acknowledgement / FailureAcknowledgement, which the session's own acknowledgement APIs depend on. If you are on an older version, IgnoreMessagesMatchingType(t => t.CanBeCastTo<INotToBeRouted>()) is the workaround.

Fixes from review

  • Metrics sweeper: unregistration race and a hot-spin guard (PR #​3393, follow-ups from the #​3384 post-merge review). The sweeper removed a registration by URI alone, so when an agent for a database stopped after a replacement agent for the same database had registered — exactly what agent redistribution does — the stopping agent evicted the live registration, and that database silently stopped being polled until the node restarted. Unregistration now removes only the exact registration instance it created. Separately, UpdateMetricsPeriod = TimeSpan.Zero would hot-spin the sweep loop (the pre-#​3384 PeriodicTimer threw); it is now rejected at configuration time, with DurabilityMetricsEnabled = false as the way to turn polling off.

Marten test-helper: PauseThenCatchUpOnMartenDaemonActivity

  • #​3388 — cold first catch-up appeared to stall (PR #​3394, reported by @​uniquelau). Investigated in depth. The reported mechanism — that coordinator.ResumeAsync() does not start never-started shards — does not hold: under Wolverine-managed distribution the coordinator is WolverineProjectionCoordinator, whose ResumeAsync builds the daemon lazily and starts every shard, bypassing agent assignment entirely. The cold path works, and there are now four tests proving it (including with a second subscription-agent consumer sharing the agent family).

    The real defect was a timeout mismatch, and it explains the reported symptom exactly. The stage runs inside a child TrackedSession whose token cancels at TrackedSession.Timeout5 seconds by default — while the catch-up ignored that token and waited on an internal 60-second budget. The session gave up first and left the catch-up envelope started-but-never-finished, which reads as a hang. This is a genuine 6.16 → 6.17 behavior change: the old active ForceAll finished inside 5 seconds; resume-and-wait on a cold daemon or a busy machine does not. The catch-up now honors the session's token and raises an actionable TimeoutException naming the store and pointing at TrackActivity().Timeout(...).

    If you hit this on 6.17.0–6.17.2, raising the tracked-session timeout is the fix.

Docs

  • New page: gRPC + Sagas (PR #​3389, following @​erikshafer's coverage in PR #​3386). gRPC services can start and continue sagas with no gRPC-specific code — the saga identity must be on the message body, because a gRPC method is a thin shim in front of IMessageBus.InvokeAsync<T> and the chain that runs is the handler's. The header-identified gap is tracked as #​3385, with a clear diagnostic planned.
  • Testing guide (PR #​3395): tracked sessions ignore framework telemetry by default as of this release, and — the trap behind #​3388 — Timeout() bounds the whole session including its stages, so a slow stage like PauseThenCatchUpOnMartenDaemonActivity() is capped by the...

Description has been truncated

Bumps AndreGoepel.Design.Blazor from 1.0.2 to 1.0.3
Bumps Marten from 9.14.1 to 9.16.0
Bumps Microsoft.AspNetCore.HeaderPropagation from 10.0.9 to 10.0.10
Bumps Microsoft.Extensions.Http.Resilience from 10.7.0 to 10.8.0
Bumps Microsoft.Extensions.ServiceDiscovery from 10.7.0 to 10.8.0
Bumps Microsoft.NET.Test.Sdk from 18.7.0 to 18.8.1
Bumps OpenTelemetry.Exporter.OpenTelemetryProtocol from 1.16.0 to 1.17.0
Bumps OpenTelemetry.Extensions.Hosting from 1.16.0 to 1.17.0
Bumps OpenTelemetry.Instrumentation.AspNetCore from 1.16.0 to 1.17.0
Bumps OpenTelemetry.Instrumentation.Http from 1.16.0 to 1.17.0
Bumps OpenTelemetry.Instrumentation.Runtime from 1.16.0 to 1.17.0
Bumps Radzen.Blazor from 11.1.3 to 11.1.5
Bumps WolverineFx.Marten from 6.17.1 to 6.20.0
Bumps WolverineFx.RuntimeCompilation from 6.17.1 to 6.20.0

---
updated-dependencies:
- dependency-name: AndreGoepel.Design.Blazor
  dependency-version: 1.0.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: nuget-minor-patch
- dependency-name: Marten
  dependency-version: 9.16.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: nuget-minor-patch
- dependency-name: Microsoft.AspNetCore.HeaderPropagation
  dependency-version: 10.0.10
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: nuget-minor-patch
- dependency-name: Microsoft.Extensions.Http.Resilience
  dependency-version: 10.8.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: nuget-minor-patch
- dependency-name: Microsoft.Extensions.ServiceDiscovery
  dependency-version: 10.8.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: nuget-minor-patch
- dependency-name: Microsoft.NET.Test.Sdk
  dependency-version: 18.8.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: nuget-minor-patch
- dependency-name: OpenTelemetry.Exporter.OpenTelemetryProtocol
  dependency-version: 1.17.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: nuget-minor-patch
- dependency-name: OpenTelemetry.Extensions.Hosting
  dependency-version: 1.17.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: nuget-minor-patch
- dependency-name: OpenTelemetry.Instrumentation.AspNetCore
  dependency-version: 1.17.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: nuget-minor-patch
- dependency-name: OpenTelemetry.Instrumentation.Http
  dependency-version: 1.17.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: nuget-minor-patch
- dependency-name: OpenTelemetry.Instrumentation.Runtime
  dependency-version: 1.17.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: nuget-minor-patch
- dependency-name: Radzen.Blazor
  dependency-version: 11.1.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: nuget-minor-patch
- dependency-name: WolverineFx.Marten
  dependency-version: 6.20.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: nuget-minor-patch
- dependency-name: WolverineFx.RuntimeCompilation
  dependency-version: 6.20.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: nuget-minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added .NET Pull requests that update .NET code dependencies Pull requests that update a dependency file labels Jul 18, 2026
@andregoepel
andregoepel merged commit 1d36420 into main Jul 18, 2026
4 checks passed
@andregoepel
andregoepel deleted the dependabot/nuget/nuget-minor-patch-614f212775 branch July 18, 2026 03:52
andregoepel added a commit that referenced this pull request Jul 18, 2026
Dependabot missed this upgrade. 1.3.3 transitively requires
Marten.AspNetCore >= 9.16.0, and with central transitive pinning enabled
the central Marten.AspNetCore pin has to move up with it. Dependabot had
missed that one too, leaving it at 9.14.1 behind Marten core (already
9.16.0 via #99); bumping it to 9.16.0 restores Marten/Marten.AspNetCore
parity.

Build, the 57 bUnit tests and `dotnet list package --vulnerable` are green.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file .NET Pull requests that update .NET code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant