Skip to content

Bump MediatR from 12.5.0 to 14.1.0#33

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/nuget/MediatR-14.1.0
Closed

Bump MediatR from 12.5.0 to 14.1.0#33
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/nuget/MediatR-14.1.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 4, 2026

Copy link
Copy Markdown

Updated MediatR from 12.5.0 to 14.1.0.

Release notes

Sourced from MediatR's releases.

14.1.0

What's Changed

New Contributors

Full Changelog: LuckyPennySoftware/MediatR@v14.0.0...v14.1.0

14.0.0

What's Changed

Full Changelog: LuckyPennySoftware/MediatR@v13.1.0...v14.0.0

14.0.0-beta-1

What's Changed

Full Changelog: LuckyPennySoftware/MediatR@v13.1.0...v14.0.0-beta-1

This release is a beta release that introduces .NET 10 support and package signing. Signed packages means going forward packages can be validated against trusted authorities that the package has been published by Lucky Penny Software and not tampered with.

13.1.0

What's Changed

New Contributors

Full Changelog: LuckyPennySoftware/MediatR@v13.0.0...v13.1.0

13.0.0

Full Changelog: LuckyPennySoftware/MediatR@v12.5.0...v13.0.0

  • Added support for .NET Standard 2.0
  • Requiring license key
  • Moving from Apache license to dual commercial/OSS license

To set your license key:

services.AddMediatR(cfg => {
    cfg.LicenseKey = "<License key here>";
});

You can obtain your license key at MediatR.io

Commits viewable in compare view.

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
Bump MediatR from 12.5.0 to 14.1.0
015ebb8 
---
updated-dependencies:
- dependency-name: MediatR
  dependency-version: 14.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added .NET Pull requests that update .NET code dependencies Pull requests that update a dependency file labels Jun 4, 2026
@dependabot dependabot Bot requested a review from flydyk as a code owner June 4, 2026 22:33
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file .NET Pull requests that update .NET code labels Jun 4, 2026
@flydyk

flydyk commented Jun 4, 2026

Copy link
Copy Markdown
Contributor

@claude review pr

@claude

claude Bot commented Jun 4, 2026
edited
Loading

Copy link
Copy Markdown

Claude finished @flydyk's task in 2m 43s —— View job

PR Review: Bump MediatR 12.5.0 → 14.1.0

  • Gather context
  • Analyze version change impact (licensing, API breaks)
  • Review MediatR registration in the codebase
  • Check handlers and pipeline behaviors
  • Check CI results

Summary

Do not merge this PR as-is. The version jump from 12.5.0 → 14.1.0 skips MediatR 13.0.0, which introduced a mandatory license key and a new ILoggerFactory dependency. Both issues surface in CI: the build compiles cleanly, but 1 unit test fails and the license is not configured.

CI Status

Job Result
backend ❌ Failed
frontend ✅ Passed
CodeQL ✅ Passed

Issue 1 — Unit test failure (blocking) ❌

Test: ApplicationRegistrationTests.AddApplication_WhenResolvingMediator_ShouldDispatchGetAllPeople

Error:

System.InvalidOperationException: MediatR requires ILoggerFactory to be registered.
Call services.AddLogging() before services.AddMediatR().

MediatR 13.0+ introduced a license-checking mechanism that requires ILoggerFactory to log its status. The test builds a bare ServiceCollection with no logging — this was fine with MediatR 12.x but now throws.

ApplicationRegistrationTests.cs:17

var services = new ServiceCollection();
// ← Missing: services.AddLogging();
services.AddApplication();

The integration tests pass (5/5) because WebApplicationFactory sets up the full ASP.NET Core pipeline (including logging) automatically.

Fix is a one-liner, but it's moot until the licensing question below is resolved. Fix this →

Issue 2 — License key not configured (blocking) ⚠️

MediatR 13.0.0 changed from Apache 2.0 → dual commercial/OSS license and requires an explicit license key. Without it MediatR logs license violations at startup and future versions may enforce this more strictly.

The PR description itself documents the requirement:

services.AddMediatR(cfg => {
    cfg.LicenseKey = "<License key here>";
});

The current registration in ApplicationServiceCollectionExtensions.cs:18 has no license key:

services.AddMediatR(configuration => configuration.RegisterServicesFromAssembly(assembly));

MediatR 14.1.0 adds "perpetual licensing" (a one-time purchase). Since this is a public OSS project, a community/OSS license may be available for free at mediatr.io — worth checking before deciding to reject the upgrade.

Issue 3 — ILogger constructor requirement new in 14.x

MediatR 14.1.0 release notes include: "Fix: Cryptic 'No constructor' Error When ILoggerFactory Is Not Registered" — confirming that ILoggerFactory is now a hard dependency at construction time, not just at first dispatch. Any test or integration point that builds IMediator without calling services.AddLogging() first will throw.

What works fine

  • Compilation: Zero errors. All handlers (GetFamilyGraphHandler, GetAllPeopleHandler, GetPersonByIdHandler) remain compatible — the IRequestHandler<TRequest, TResponse> interface did not change.
  • ValidationBehavior: The next(cancellationToken) call is correct — this delegate signature was introduced in MediatR 12.x and is unchanged.
  • Directory.Packages.props: The change itself is correct — just the version pin; no other packages need updates.
  • Integration tests: All 5 pass because ASP.NET Core registers logging by default.

Recommendation

Three options, in order of preference:

Option A (Recommended if free OSS license is available): Check mediatr.io for a community license, then:

  1. Add the key to AddMediatR(cfg => cfg.LicenseKey = ...) in ApplicationServiceCollectionExtensions.cs
  2. Add services.AddLogging() to ApplicationRegistrationTests.cs
  3. Merge this PR

Option B (Zero risk, zero effort): Close this PR. Stay on MediatR 12.5.0 — it's the last Apache-licensed version and still targets .NET 10. Add a Dependabot ignore rule for >= 13.0.0 to stop future noise:

# .github/dependabot.yml
ignore:
  - dependency-name: "MediatR"
    versions: [">= 13.0.0"]

Option C (Long-term): Migrate away from MediatR to a free alternative (Wolverine, Immediate.Handlers, or plain handlers wired directly in DI) — eliminates the licensing concern entirely, but is significant refactor work.

View CI run |

@flydyk flydyk mentioned this pull request Jun 4, 2026
Merged
@flydyk

flydyk commented Jun 4, 2026

Copy link
Copy Markdown
Contributor

Closing — not upgrading MediatR.

MediatR moved to a commercial license at v13+ (the CheckLicense runtime gate this PR's CI failure surfaced). This project deliberately pins MediatR to the last OSS/Apache-2.0 line (12.x), per CLAUDE.md.

The consolidated dependency PR #36:

  • keeps MediatR at 12.5.0, and
  • adds an ignore rule in .github/dependabot.yml for MediatR semver-major bumps, so this won't be re-proposed (12.x minor/patch still flow).

If a MediatR commercial license is acquired later, lift that ignore rule.

@flydyk flydyk closed this Jun 4, 2026
@dependabot @github

dependabot Bot commented on behalf of github Jun 4, 2026

Copy link
Copy Markdown
Author

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@dependabot dependabot Bot deleted the dependabot/nuget/MediatR-14.1.0 branch June 4, 2026 23:13
flydyk added a commit that referenced this pull request Jun 5, 2026
@flydyk @claude
chore(deps): consolidated Dependabot updates + MediatR 14 (community …
807fa8c 
…license) (#36)

* chore(deps): bump backend NuGet packages (MediatR held at 12.x)

Consolidates Dependabot backend PRs:
- FluentValidation + DI ext 11.11 -> 12.1.1 (#31)
- Mapster 7.4 -> 10.0.7 (#32)
- AwesomeAssertions 8.0 -> 9.4.0 (#28) — namespace moved
  FluentAssertions -> AwesomeAssertions; updated GlobalUsings
- Microsoft.NET.Test.Sdk 17.12 -> 18.6.0 (#34)
- xunit.runner.visualstudio 2.8.2 -> 3.1.5 (#35)
- coverlet.collector 6.0.2 -> 10.0.1 (#29)
- xunit 2.9.2 -> 2.9.3, Microsoft.* runtime 10.0.0 -> 10.0.8 (#27)

MediatR deliberately NOT bumped: v13+ is commercially licensed; the
project pins 12.x to stay OSS-free (see dependabot.yml ignore rule).

Verified: dotnet test -c Release -> 31 + 5 pass; no vulnerable packages.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* chore(deps): bump frontend toolchain + runtime majors (Vite 8, Vitest 4)

Consolidates Dependabot frontend PRs:
- vite 5 -> 8.0.16 (#25, now bundles via rolldown)
- vitest 1 -> 4.1.8 (#22)
- @vitejs/plugin-vue 5 -> 6.0.7 (#23)
- vue-tsc 2 -> 3.3.3 (#20)
- typescript 5.5 -> 6.0.3 (#18)
- vue-router 4 -> 5.1.0 (#21)
- pinia 2 -> 3.0.4 (#24)
- @vue/test-utils 2.4.6 -> 2.4.11 (#17)
- jsdom 24 -> 29.1.1 (#19)

Code fixes required by the toolchain majors:
- Add src/vite-env.d.ts (/// <reference types="vite/client" />): vue-tsc 3
  / TS 6 now type-check side-effect CSS/SCSS imports in main.ts.
- OakTree.vue: wire the <svg> through a stable function ref. vue-tsc 3 no
  longer counts a string ref="svgRef" (composable-owned) as a read, and a
  dynamic :ref auto-unwraps to the element; the function form is correct.
- vite.config.ts: pin Vitest's worker pool to 'threads' (its Vitest-1
  default); Vitest 4 changed it to 'forks', which times out spawning many
  child processes.

Lockfile regenerated under Node 22 / npm 10 so platform-native rolldown
bindings (incl. linux-x64-gnu/musl for CI) resolve. MediatR-equivalent
licensing concern N/A here.

Verified on Node 22.22.3: npm run build OK; vitest 21 files / 132 tests
pass; npm audit -> 0 vulnerabilities.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* ci: codeql-action v4, pin MediatR (ignore majors), full npm audit

- codeql.yml: github/codeql-action init+analyze v3 -> v4 (#16)
- dependabot.yml: ignore MediatR semver-major bumps (v13+ is commercially
  licensed); 12.x minor/patch still flow. Closes the loop on #33.
- ci.yml: drop `--omit=dev` from the npm audit gate now that the Vite 8 /
  Vitest 4 upgrade cleared the dev-toolchain advisories (full tree is clean).
- docs/ci-cd/pr-quality-gates.md: document the full-tree audit + MediatR pin.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* chore(deps): upgrade MediatR 12.5.0 -> 14.1.0 (community license)

A Lucky Penny Software community license was obtained, so MediatR is no
longer held at the OSS 12.x line.

- Directory.Packages.props: MediatR 14.1.0; add Microsoft.Extensions.Logging
  10.0.8 (v14's license check resolves ILoggerFactory).
- AddApplication: register AddLogging() so MediatR's license check works on a
  bare ServiceCollection (unit tests), and apply the license key when supplied.
- Program.cs: pass MediatR:LicenseKey from configuration.
- appsettings.json: document the MediatR:LicenseKey slot (blank; real key via
  user-secrets or MediatR__LicenseKey env var — never committed).
- dependabot.yml: drop the MediatR semver-major ignore (now licensed).
- Docs (runbook, design spec, CLAUDE.md): reflect MediatR 14.x + licensing.

Verified: dotnet test -c Release -> 31 + 5 pass; no vulnerable packages.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* chore: add UserSecretsId for MediatR license key (local dev)

Enables `dotnet user-secrets set "MediatR:LicenseKey" "<key>"` so the Lucky
Penny community license key is supplied locally without committing it. The id
is not a secret. (Also tidies the csproj formatting that `user-secrets init`
collapsed.)

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@flydyk flydyk Awaiting requested review from flydyk flydyk is a code owner

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file .NET Pull requests that update .NET code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@flydyk