Bump the dependencies group with 7 updates by dependabot[bot] · Pull Request #894 · guibranco/CrispyWaffle

This is an early alpha release, suitable for testing in pre-production environments. This release fixes a stack overflow error in ExchangeDeclareAsync that was reported several times:

Other fixes:

Ensure that the underlying timer for Task.Delay is canceled. by @lukebakken in Ensure that the underlying timer for Task.Delay is canceled. rabbitmq/rabbitmq-dotnet-client#1426
Fix #1429 by @lukebakken in Fix #1429 rabbitmq/rabbitmq-dotnet-client#1431
Port #1434 to main by @lukebakken in Port #1434 to main rabbitmq/rabbitmq-dotnet-client#1442
Add cancellation to initial socket connection by @lukebakken in Add cancellation to initial socket connection rabbitmq/rabbitmq-dotnet-client#1428

Full Changelog: rabbitmq/rabbitmq-dotnet-client@v7.0.0-alpha.1...v7.0.0-alpha.2

7.0.0-alpha.1

GitHub Milestone

This alpha release includes changes from #1347, which adds async methods to the public API, and is appropriate to test in your pre-production environments.

7.0.0-alpha.0

This is a very early pre-release of version 7. The goal is to test publishing the NuGet package from GitHub Actions.

https://www.nuget.org/packages/RabbitMQ.Client/7.0.0-alpha.0

Commits viewable in compare view.

Updated SonarAnalyzer.CSharp from 10.22.0.136894 to 10.23.0.137933.

Release notes

Sourced from SonarAnalyzer.CSharp's releases.

10.23

This release brings a bunch of fixes! Enjoy.

Bug Fixes

NET-3557 - Fix SE AD0001 when SyntaxTreeOptionsProvider is null
NET-3519 - Fix AD0001: NRE in PropertiesAccessCorrectField

False Positives

NET-3532 - Fix S2583 FP: Any called two times
NET-3468 - Fix S1144 FP: Erroneously flagged Add() method used in Collection Initializer
NET-3454 - Fix S3267 FP: ref struct in foreach body cannot be captured in LINQ lambda
NET-3164 - Fix S125 FP: Improve semicolon heuristic
NET-2559 - Fix S5944 FP: When method name is also a class name of generic argument
NET-2438 - Fix S1067 FP: Do not raise an issue inside Equals() implementation
NET-1565 - Fix S1192 FP: Shouldn't raise on Dapper parameters
NET-1168 - Fix S1172 FP: When parameter conditionally used in local function
NET-52 - Fix S4017 FP: Do not raise when implementing abstract class/interface

False Negatives

NET-1642 - Fix S3415, S2701, S2699, S2187 FN: Support NUnit 4.0
NET-348 - Fix S4144 FN: Methods with generic return types

Commits viewable in compare view.

Updated System.Security.Permissions from 10.0.3 to 10.0.5.

Release notes

Sourced from System.Security.Permissions's releases.

No release notes found for this version range.

Commits viewable in compare view.

Updated System.Text.Encoding.CodePages from 10.0.2 to 10.0.5.

Release notes

Sourced from System.Text.Encoding.CodePages's releases.

No release notes found for this version range.

Commits viewable in compare view.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
@dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
@dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
@dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
@dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps FluentAssertions from 8.8.0 to 8.9.0 Bumps Microsoft.Extensions.Http from 10.0.2 to 10.0.5 Bumps Microsoft.NET.Test.Sdk from 18.3.0 to 18.4.0 Bumps RabbitMQ.Client from 6.8.1 to 7.2.1 Bumps SonarAnalyzer.CSharp from 10.22.0.136894 to 10.23.0.137933 Bumps System.Security.Permissions from 10.0.3 to 10.0.5 Bumps System.Text.Encoding.CodePages from 10.0.2 to 10.0.5 --- updated-dependencies: - dependency-name: FluentAssertions dependency-version: 8.9.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: dependencies - dependency-name: Microsoft.Extensions.Http dependency-version: 10.0.5 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: dependencies - dependency-name: Microsoft.NET.Test.Sdk dependency-version: 18.4.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: dependencies - dependency-name: RabbitMQ.Client dependency-version: 7.2.1 dependency-type: direct:production update-type: version-update:semver-major dependency-group: dependencies - dependency-name: SonarAnalyzer.CSharp dependency-version: 10.23.0.137933 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: dependencies - dependency-name: System.Security.Permissions dependency-version: 10.0.5 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: dependencies - dependency-name: System.Text.Encoding.CodePages dependency-version: 10.0.5 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: dependencies ... Signed-off-by: dependabot[bot] <support@github.com>

guibranco

Automatically approved by gstraccini[bot]

github-actions · 2026-04-10T15:19:11Z

Infisical secrets check: ✅ No secrets leaked!

💻 Scan logs

2026-04-10T15:19:08Z INF scanning for exposed secrets...
3:19PM INF 793 commits scanned.
2026-04-10T15:19:09Z INF scan completed in 1.18s
2026-04-10T15:19:09Z INF no leaks found

socket-security · 2026-04-10T15:19:31Z

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	nuget/sonaranalyzer.csharp@10.22.0.136894 ⏵ 10.23.0.137933
	nuget/system.text.encoding.codepages@10.0.2 ⏵ 10.0.5
	nuget/microsoft.extensions.http@10.0.2 ⏵ 10.0.5
	nuget/system.security.permissions@10.0.3 ⏵ 10.0.5
	nuget/rabbitmq.client@6.8.1 ⏵ 7.2.1
	nuget/fluentassertions@8.8.0 ⏵ 8.9.0
	nuget/microsoft.net.test.sdk@18.3.0 ⏵ 18.4.0

View full report

socket-security · 2026-04-10T15:19:33Z

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. Learn more about Socket for GitHub.

Action	Severity	Alert (click "▶" to expand/collapse)
Block		Potential code anomaly (AI signal): nuget `microsoft.bcl.asyncinterfaces` is 100.0% likely to have a medium risk anomaly Notes: The fragment is not conventional executable source code; it is a binary-like payload rich in signing-related data (certificates, OCSP/CRL references) with references to NuGet/Microsoft ecosystems. This necessitates provenance verification and strict supply-chain validation to prevent misuse or tampering in a package delivery context. Further context about how this artifact is consumed is required to determine actual risk in a given project. Confidence: 1.00 Severity: 0.60 From: Src/CrispyWaffle.RabbitMQ/CrispyWaffle.RabbitMQ.csproj → `nuget/rabbitmq.client@7.2.1` → `nuget/microsoft.bcl.asyncinterfaces@8.0.0` ℹ Read more on: This package \| This alert \| What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore nuget/microsoft.bcl.asyncinterfaces@8.0.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): nuget `microsoft.codecoverage` Notes: This C# assembly functions as a dynamic loader and interop wrapper for Microsoft DiaSymReader, with multiple loading paths (direct native DLLs, an environment-controlled alt path, and COM fallback). The primary security risk stems from environment-driven native library loading, which can be abused to execute attacker-controlled binaries. Mitigations should include: restricting and validating the alt-load path, verifying digital signatures or hashes of native binaries before loading, and avoiding SkipVerification unless strictly necessary. The COM fallback also warrants caution to ensure trusted COM components are used. Overall, moderate supply-chain risk due to load-path flexibility; no definitive malware detected within this fragment. Confidence: 0.78 Severity: 0.60 From: Tests/CrispyWaffle.I18n.PtBr.Tests/CrispyWaffle.I18n.PtBr.Tests.csproj → `nuget/microsoft.net.test.sdk@18.4.0` → `nuget/microsoft.codecoverage@18.4.0` ℹ Read more on: This package \| This alert \| What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore nuget/microsoft.codecoverage@18.4.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): nuget `system.io.pipelines` is 100.0% likely to have a medium risk anomaly Notes: This is a .p7s file, which contains a digital signature for a document or email, using the PKCS #7 standard, which serves to verify the sender's identity and ensure the content hasn't been altered in transit. Confidence: 1.00 Severity: 0.60 From: Src/CrispyWaffle.RabbitMQ/CrispyWaffle.RabbitMQ.csproj → `nuget/rabbitmq.client@7.2.1` → `nuget/system.io.pipelines@8.0.0` ℹ Read more on: This package \| This alert \| What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore nuget/system.io.pipelines@8.0.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		License exception: nuget `system.threading.channels` with Classpath-exception-2.0 Exception: Classpath-exception-2.0 Comments: From: Src/CrispyWaffle.RabbitMQ/CrispyWaffle.RabbitMQ.csproj → `nuget/rabbitmq.client@7.2.1` → `nuget/system.threading.channels@8.0.0` ℹ Read more on: This package \| This alert \| What is a license exception? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: License exceptions should be carefully reviewed. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore nuget/system.threading.channels@8.0.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		License exception: nuget `system.threading.ratelimiting` with Classpath-exception-2.0 Exception: Classpath-exception-2.0 Comments: From: Src/CrispyWaffle.RabbitMQ/CrispyWaffle.RabbitMQ.csproj → `nuget/rabbitmq.client@7.2.1` → `nuget/system.threading.ratelimiting@8.0.0` ℹ Read more on: This package \| This alert \| What is a license exception? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: License exceptions should be carefully reviewed. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore nuget/system.threading.ratelimiting@8.0.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

AppVeyorBot · 2026-04-10T15:38:18Z

❌ Build CrispyWaffle 10.0.1495 failed (commit 380a98b38b by @dependabot[bot])

dependabot · 2026-04-10T17:49:14Z

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml

dependabot bot assigned guibranco Apr 10, 2026

dependabot bot added .NET Pull requests that update .net code dependencies Pull requests that update a dependency file nuget packages labels Apr 10, 2026

This was referenced Apr 10, 2026

Bump the microsoft group with 2 updates #892

Closed

Bump the testing group with 2 updates #893

Closed

guibranco enabled auto-merge (squash) April 10, 2026 15:18

github-actions bot added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label Apr 10, 2026

gstraccini bot added the ☑️ auto-merge Automatic merging of pull requests (gstraccini-bot) label Apr 10, 2026

gstraccini bot approved these changes Apr 10, 2026

View reviewed changes

guibranco approved these changes Apr 10, 2026

View reviewed changes

gstraccini bot added the 🤖 bot Automated processes or integrations label Apr 10, 2026

guibranco closed this Apr 10, 2026

auto-merge was automatically disabled April 10, 2026 17:49
Pull request was closed

dependabot bot deleted the dependabot/nuget/dependencies-9a896ee1b4 branch April 10, 2026 17:49

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump the dependencies group with 7 updates#894

Bump the dependencies group with 7 updates#894
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/nuget/dependencies-9a896ee1b4

dependabot bot commented on behalf of github Apr 10, 2026

Uh oh!

guibranco left a comment

Uh oh!

github-actions bot commented Apr 10, 2026

Uh oh!

socket-security bot commented Apr 10, 2026

Uh oh!

socket-security bot commented Apr 10, 2026

Uh oh!

AppVeyorBot commented Apr 10, 2026

Uh oh!

dependabot bot commented on behalf of github Apr 10, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

dependabot bot commented on behalf of github Apr 10, 2026

8.9.0

What's Changed

New features

Improvements

Fixes

Documentation

Others

18.4.0

What's Changed

New Contributors

7.2.1

What's Changed

New Contributors

7.2.0

What's Changed

New Contributors

7.1.2

What's Changed

7.1.1

What's Changed

7.1.0

What's Changed

New Contributors

7.1.0-alpha.1

What's Changed

New Contributors

7.1.0-alpha.0

What's Changed

New Contributors

7.0.0

What's Changed

7.0.0-rc.14

What's Changed

7.0.0-rc.13

What's Changed

7.0.0-rc.12

What's Changed

New Contributors

7.0.0-rc.11

What's Changed

7.0.0-rc.10

What's Changed

7.0.0-rc.9

What's Changed

New Contributors

7.0.0-rc.8

What's Changed

7.0.0-rc.7

What's Changed

7.0.0-rc.6

What's Changed

7.0.0-rc.5

What's Changed

7.0.0-rc.4

What's Changed

New Contributors

7.0.0-rc.3

What's Changed

7.0.0-rc.2

What's Changed

New Contributors

7.0.0-rc.1

What's Changed

7.0.0-alpha.6

What's Changed

7.0.0-alpha.5

7.0.0-alpha.4

What's Changed

7.0.0-alpha.3

What's Changed

7.0.0-alpha.2

What's Changed

7.0.0-alpha.1

7.0.0-alpha.0

10.23

Bug Fixes

False Positives

False Negatives