Bump the dependencies group with 9 updates by dependabot[bot] · Pull Request #886 · guibranco/CrispyWaffle

This is an early alpha release, suitable for testing in pre-production environments. This release fixes a stack overflow error in ExchangeDeclareAsync that was reported several times:

Other fixes:

Ensure that the underlying timer for Task.Delay is canceled. by @lukebakken in Ensure that the underlying timer for Task.Delay is canceled. rabbitmq/rabbitmq-dotnet-client#1426
Fix #1429 by @lukebakken in Fix #1429 rabbitmq/rabbitmq-dotnet-client#1431
Port #1434 to main by @lukebakken in Port #1434 to main rabbitmq/rabbitmq-dotnet-client#1442
Add cancellation to initial socket connection by @lukebakken in Add cancellation to initial socket connection rabbitmq/rabbitmq-dotnet-client#1428

Full Changelog: rabbitmq/rabbitmq-dotnet-client@v7.0.0-alpha.1...v7.0.0-alpha.2

7.0.0-alpha.1

GitHub Milestone

This alpha release includes changes from #1347, which adds async methods to the public API, and is appropriate to test in your pre-production environments.

7.0.0-alpha.0

This is a very early pre-release of version 7. The goal is to test publishing the NuGet package from GitHub Actions.

https://www.nuget.org/packages/RabbitMQ.Client/7.0.0-alpha.0

Commits viewable in compare view.

Updated SonarAnalyzer.CSharp from 10.19.0.132793 to 10.22.0.136894.

Release notes

Sourced from SonarAnalyzer.CSharp's releases.

10.22

Hello everyone,
This release brings 4 new rules to help developers transition to C# 14, and a bunch of false positive fixes.

New rules

NET-3361 - New rule S8381: "scoped" should be escaped when used as a type name in lambda parameters
NET-3359 - New rule S8368: "extension" identifiers should be escaped to avoid contextual keyword conflicts
NET-3347 - New rule S8380: Return types named "partial" should be escaped with "@"
NET-3345 - New rule S8367: Identifiers should not conflict with the "field" keyword in C# 14?

False Positive

NET-3443 - Fix S1940 FP: for floating point numbers that can be NaN "!(a <= b)" is not the same as "a > b"
NET-3001 - Fix S3063 FP: Concatenation with identifier
NET-1569 - Fix S5944 FP: AddressOf(MethodName) in Return statement
NET-3445 - Fix T0029 FP: Inside target-typed new
NET-2817 - Fix T0029 FP: Ident for collection expression members
NET-2024 - Fix T0029 FP: Inside array initializer
NET-3341 - Fix T0029 FP: After member access
NET-3462 - Fix T0042 FP: Inside constructors and collection initializers
NET-3426 - Fix T0042: Raw string in collection initializer
NET-2888 - Fix T0042 FP: Returned from method
NET-2874 - Fix T0042 FP: Raw string in ternary

Bugs

NET-3386 - Fix S4583 AD0001: BeginInvoke callback declared in separate file

Other

NET-3385 - S2612: Rule type changed from Security Hotspot to Vulnerability

10.21

### Bug

NET-3376 - Fix S6930 AD0001: Issue on template / code files for blazor
NET-3367 - Fix S4830 AD0001: CertificateValidationCheck Syntax node is not within syntax tree

Feature

NET-3260 - Fix broken links in S6960 RSPEC

False Positive

NET-2886 - Fix T0015 FP: In constructor
NET-1678 - Fix S4275 FP: with property overload

10.20

This release brings 9 precision improvements — 7 false positive fixes and 2 false negative fixes — across rules S1116, S1144, S1210, S1643, S1854, S2365, S3254, S3265, and S127. It also promotes S2068 and S6418 from Security Hotspot to Vulnerability, making them visible directly in the IDE, and removes S3256 from the Sonar Way quality profile.

Changes

NET-3227 - Remove S3256 from "Sonar Way" quality profile
NET-3208 - S6418: Rule type changed from Security Hotspot to Vulnerability
NET-3207 - S2068: Rule type changed from Security Hotspot to Vulnerability
NET-3206 - Remove links to rules.sonarsource.com

False Positive

NET-3215 - Fix FP on S127: Should only raise on stop condition variables
NET-3212 - Fix FP on S3254: Don't raise if the parameter isn't last
NET-3053 - Fix FP on S1210: Implementing comparable operators for private types
NET-2984 - Fix FP on S3265: BCL enums with [Flags] not recognized due to metadata resolution
NET-2976 - Fix FP on S1854: Default value initializations flagged despite exemptions
NET-2966 - Fix FP on S1144: Constructors in MEF-exported types
NET-2956 - Fix FP on S1116: Empty loop body with side effects in condition

False Negative

NET-1261 - Fix FN on S2365: Rule should report on new collection
NET-1259 - Fix FN on S1643: Concatenation for parameters, fields and properties are not detected

Rule specification

NET-3246 - Modify Rule S127: Update Description
NET-3218 - Modify Rule S3265: Add exception for MethodImplAttributes
NET-3086 - Modify Rule S1116: Add loop exception

Maintenance

NET-3047 - Update RSPEC before 10.20 release

Commits viewable in compare view.

Updated StackExchange.Redis from 2.11.8 to 2.12.14.

Release notes

Sourced from StackExchange.Redis's releases.

No release notes found for this version range.

Commits viewable in compare view.

Updated System.Diagnostics.EventLog from 10.0.2 to 10.0.5.

Release notes

Sourced from System.Diagnostics.EventLog's releases.

No release notes found for this version range.

Commits viewable in compare view.

Updated System.Security.Permissions from 10.0.3 to 10.0.5.

Release notes

Sourced from System.Security.Permissions's releases.

No release notes found for this version range.

Commits viewable in compare view.

Updated System.Text.Encoding.CodePages from 10.0.2 to 10.0.5.

Release notes

Sourced from System.Text.Encoding.CodePages's releases.

No release notes found for this version range.

Commits viewable in compare view.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
@dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
@dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
@dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
@dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps FluentAssertions from 8.8.0 to 8.9.0 Bumps Microsoft.Extensions.Http from 10.0.2 to 10.0.5 Bumps Microsoft.NET.Test.Sdk from 18.3.0 to 18.4.0 Bumps RabbitMQ.Client from 6.8.1 to 7.2.1 Bumps SonarAnalyzer.CSharp from 10.19.0.132793 to 10.22.0.136894 Bumps StackExchange.Redis from 2.11.8 to 2.12.14 Bumps System.Diagnostics.EventLog from 10.0.2 to 10.0.5 Bumps System.Security.Permissions from 10.0.3 to 10.0.5 Bumps System.Text.Encoding.CodePages from 10.0.2 to 10.0.5 --- updated-dependencies: - dependency-name: FluentAssertions dependency-version: 8.9.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: dependencies - dependency-name: Microsoft.Extensions.Http dependency-version: 10.0.5 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: dependencies - dependency-name: Microsoft.NET.Test.Sdk dependency-version: 18.4.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: dependencies - dependency-name: RabbitMQ.Client dependency-version: 7.2.1 dependency-type: direct:production update-type: version-update:semver-major dependency-group: dependencies - dependency-name: SonarAnalyzer.CSharp dependency-version: 10.22.0.136894 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: dependencies - dependency-name: StackExchange.Redis dependency-version: 2.12.14 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: dependencies - dependency-name: System.Diagnostics.EventLog dependency-version: 10.0.5 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: dependencies - dependency-name: System.Security.Permissions dependency-version: 10.0.5 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: dependencies - dependency-name: System.Text.Encoding.CodePages dependency-version: 10.0.5 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: dependencies ... Signed-off-by: dependabot[bot] <support@github.com>

guibranco

Automatically approved by gstraccini[bot]

socket-security · 2026-04-07T16:07:06Z

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	nuget/system.text.encoding.codepages@10.0.2 ⏵ 10.0.5
	nuget/system.diagnostics.eventlog@10.0.2 ⏵ 10.0.5
	nuget/microsoft.extensions.http@10.0.2 ⏵ 10.0.5
	nuget/system.security.permissions@10.0.3 ⏵ 10.0.5
	nuget/rabbitmq.client@6.8.1 ⏵ 7.2.1
	nuget/fluentassertions@8.8.0 ⏵ 8.9.0
	nuget/microsoft.net.test.sdk@18.3.0 ⏵ 18.4.0

View full report

socket-security · 2026-04-07T16:07:10Z

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. Learn more about Socket for GitHub.

Action	Severity	Alert (click "▶" to expand/collapse)
Block		Potential code anomaly (AI signal): nuget `microsoft.bcl.asyncinterfaces` is 100.0% likely to have a medium risk anomaly Notes: The fragment is not conventional executable source code; it is a binary-like payload rich in signing-related data (certificates, OCSP/CRL references) with references to NuGet/Microsoft ecosystems. This necessitates provenance verification and strict supply-chain validation to prevent misuse or tampering in a package delivery context. Further context about how this artifact is consumed is required to determine actual risk in a given project. Confidence: 1.00 Severity: 0.60 From: Src/CrispyWaffle.RabbitMQ/CrispyWaffle.RabbitMQ.csproj → `nuget/rabbitmq.client@7.2.1` → `nuget/microsoft.bcl.asyncinterfaces@8.0.0` ℹ Read more on: This package \| This alert \| What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore nuget/microsoft.bcl.asyncinterfaces@8.0.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): nuget `microsoft.codecoverage` Notes: This C# assembly functions as a dynamic loader and interop wrapper for Microsoft DiaSymReader, with multiple loading paths (direct native DLLs, an environment-controlled alt path, and COM fallback). The primary security risk stems from environment-driven native library loading, which can be abused to execute attacker-controlled binaries. Mitigations should include: restricting and validating the alt-load path, verifying digital signatures or hashes of native binaries before loading, and avoiding SkipVerification unless strictly necessary. The COM fallback also warrants caution to ensure trusted COM components are used. Overall, moderate supply-chain risk due to load-path flexibility; no definitive malware detected within this fragment. Confidence: 0.78 Severity: 0.60 From: Tests/CrispyWaffle.I18n.PtBr.Tests/CrispyWaffle.I18n.PtBr.Tests.csproj → `nuget/microsoft.net.test.sdk@18.4.0` → `nuget/microsoft.codecoverage@18.4.0` ℹ Read more on: This package \| This alert \| What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore nuget/microsoft.codecoverage@18.4.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): nuget `system.io.pipelines` is 100.0% likely to have a medium risk anomaly Notes: This is a .p7s file, which contains a digital signature for a document or email, using the PKCS #7 standard, which serves to verify the sender's identity and ensure the content hasn't been altered in transit. Confidence: 1.00 Severity: 0.60 From: Src/CrispyWaffle.RabbitMQ/CrispyWaffle.RabbitMQ.csproj → `nuget/rabbitmq.client@7.2.1` → `nuget/system.io.pipelines@8.0.0` ℹ Read more on: This package \| This alert \| What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore nuget/system.io.pipelines@8.0.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		License exception: nuget `system.threading.channels` with Classpath-exception-2.0 Exception: Classpath-exception-2.0 Comments: From: Src/CrispyWaffle.RabbitMQ/CrispyWaffle.RabbitMQ.csproj → `nuget/rabbitmq.client@7.2.1` → `nuget/system.threading.channels@8.0.0` ℹ Read more on: This package \| This alert \| What is a license exception? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: License exceptions should be carefully reviewed. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore nuget/system.threading.channels@8.0.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		License exception: nuget `system.threading.ratelimiting` with Classpath-exception-2.0 Exception: Classpath-exception-2.0 Comments: From: Src/CrispyWaffle.RabbitMQ/CrispyWaffle.RabbitMQ.csproj → `nuget/rabbitmq.client@7.2.1` → `nuget/system.threading.ratelimiting@8.0.0` ℹ Read more on: This package \| This alert \| What is a license exception? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: License exceptions should be carefully reviewed. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore nuget/system.threading.ratelimiting@8.0.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

AppVeyorBot · 2026-04-07T16:57:55Z

❌ Build CrispyWaffle 10.0.1419 failed (commit 972ae47b00 by @dependabot[bot])

AppVeyorBot · 2026-04-07T20:16:18Z

❌ Build CrispyWaffle 10.0.1453 failed (commit 3a7e2c5080 by @guibranco)

github-actions · 2026-04-09T13:06:29Z

Infisical secrets check: ✅ No secrets leaked!

💻 Scan logs

2026-04-09T13:06:23Z INF scanning for exposed secrets...
1:06PM INF 794 commits scanned.
2026-04-09T13:06:25Z INF scan completed in 1.18s
2026-04-09T13:06:25Z INF no leaks found

AppVeyorBot · 2026-04-09T14:13:27Z

❌ Build CrispyWaffle 10.0.1484 failed (commit 82e6f7f078 by @guibranco)

dependabot · 2026-04-10T09:43:39Z

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml

dependabot bot assigned guibranco Apr 7, 2026

dependabot bot added .NET Pull requests that update .net code dependencies Pull requests that update a dependency file nuget packages labels Apr 7, 2026

dependabot bot mentioned this pull request Apr 7, 2026

Bump the microsoft group with 2 updates #884

Closed

guibranco enabled auto-merge (squash) April 7, 2026 15:27

dependabot bot mentioned this pull request Apr 7, 2026

Bump the testing group with 2 updates #885

Closed

github-actions bot added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label Apr 7, 2026

gstraccini bot added the ☑️ auto-merge Automatic merging of pull requests (gstraccini-bot) label Apr 7, 2026

gstraccini bot approved these changes Apr 7, 2026

View reviewed changes

guibranco approved these changes Apr 7, 2026

View reviewed changes

gstraccini bot added the 🤖 bot Automated processes or integrations label Apr 7, 2026

Merge branch 'main' into dependabot/nuget/dependencies-92dd906eb4

34af095

Merge branch 'main' into dependabot/nuget/dependencies-92dd906eb4

c06e977

guibranco closed this Apr 10, 2026

auto-merge was automatically disabled April 10, 2026 09:43
Pull request was closed

dependabot bot deleted the dependabot/nuget/dependencies-92dd906eb4 branch April 10, 2026 09:43

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump the dependencies group with 9 updates#886

Bump the dependencies group with 9 updates#886
dependabot[bot] wants to merge 3 commits intomainfrom
dependabot/nuget/dependencies-92dd906eb4

dependabot bot commented on behalf of github Apr 7, 2026

Uh oh!

guibranco left a comment

Uh oh!

socket-security bot commented Apr 7, 2026 •

edited

Loading

Uh oh!

socket-security bot commented Apr 7, 2026 •

edited

Loading

Uh oh!

AppVeyorBot commented Apr 7, 2026

Uh oh!

AppVeyorBot commented Apr 7, 2026

Uh oh!

github-actions bot commented Apr 9, 2026

Uh oh!

AppVeyorBot commented Apr 9, 2026

Uh oh!

dependabot bot commented on behalf of github Apr 10, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

dependabot bot commented on behalf of github Apr 7, 2026

8.9.0

What's Changed

New features

Improvements

Fixes

Documentation

Others

18.4.0

What's Changed

New Contributors

7.2.1

What's Changed

New Contributors

7.2.0

What's Changed

New Contributors

7.1.2

What's Changed

7.1.1

What's Changed

7.1.0

What's Changed

New Contributors

7.1.0-alpha.1

What's Changed

New Contributors

7.1.0-alpha.0

What's Changed

New Contributors

7.0.0

What's Changed

7.0.0-rc.14

What's Changed

7.0.0-rc.13

What's Changed

7.0.0-rc.12

What's Changed

New Contributors

7.0.0-rc.11

What's Changed

7.0.0-rc.10

What's Changed

7.0.0-rc.9

What's Changed

New Contributors

7.0.0-rc.8

What's Changed

7.0.0-rc.7

What's Changed

7.0.0-rc.6

What's Changed

7.0.0-rc.5

What's Changed

7.0.0-rc.4

What's Changed

New Contributors

7.0.0-rc.3

What's Changed

7.0.0-rc.2

What's Changed

New Contributors

7.0.0-rc.1

What's Changed

7.0.0-alpha.6

What's Changed

7.0.0-alpha.5

7.0.0-alpha.4

What's Changed

7.0.0-alpha.3

What's Changed

7.0.0-alpha.2

What's Changed

7.0.0-alpha.1

7.0.0-alpha.0

10.22

New rules

False Positive

Bugs

socket-security bot commented Apr 7, 2026 •

edited

Loading

socket-security bot commented Apr 7, 2026 •

edited

Loading