Bump Microsoft.NET.Test.Sdk from 18.0.1 to 18.3.0 by dependabot[bot] · Pull Request #587 · guibranco/VTEX-SDK-dotnet

dependabot · 2026-03-02T01:16:04Z

Updated Microsoft.NET.Test.Sdk from 18.0.1 to 18.3.0.

Release notes

Sourced from Microsoft.NET.Test.Sdk's releases.

18.3.0 What's Changed

Fix answer file splitting by @nohwnd in Fix answer file splitting microsoft/vstest#15306

Internal fixes and updates

Bump branding to 18.1 by @nohwnd in Bump branding to 18.1 microsoft/vstest#15286
Remove stale copy of S.ComponentModel.Composition from testplatform packages by @ViktorHofer in Remove stale copy of S.ComponentModel.Composition from testplatform packages microsoft/vstest#15287
Update codeflow metadata to fix backflow by @premun in Update codeflow metadata to fix backflow microsoft/vstest#15291
[main] Update dependencies from devdiv/DevDiv/vs-code-coverage by @dotnet-maestro[bot] in [main] Update dependencies from devdiv/DevDiv/vs-code-coverage microsoft/vstest#15283
Update Microsoft.Build.Utilities.Core by @Youssef1313 in Update Microsoft.Build.Utilities.Core microsoft/vstest#15300
Disable DynamicNative instrumentation by default by @nohwnd in Disable DynamicNative instrumentation by default microsoft/vstest#15299
[main] Source code updates from dotnet/dotnet by @dotnet-maestro[bot] in [main] Source code updates from dotnet/dotnet microsoft/vstest#15293
[main] Source code updates from dotnet/dotnet by @dotnet-maestro[bot] in [main] Source code updates from dotnet/dotnet microsoft/vstest#15302
[main] Source code updates from dotnet/dotnet by @dotnet-maestro[bot] in [main] Source code updates from dotnet/dotnet microsoft/vstest#15314
Delete sha1 custom implementation we are not using for a long time by @nohwnd in Delete sha1 custom implementation we are not using for a long time microsoft/vstest#15313
[main] Source code updates from dotnet/dotnet by @dotnet-maestro[bot] in [main] Source code updates from dotnet/dotnet microsoft/vstest#15315
Update branding to 18.3.0 by @nohwnd in Update branding to 18.3.0 microsoft/vstest#15321
[main] Update dependencies from devdiv/DevDiv/vs-code-coverage by @dotnet-maestro[bot] in [main] Update dependencies from devdiv/DevDiv/vs-code-coverage microsoft/vstest#15325
[main] Update dependencies from dotnet/arcade by @dotnet-maestro[bot] in [main] Update dependencies from dotnet/arcade microsoft/vstest#15264
Revert adding dotnet_host_path workaround by @nohwnd in Revert adding dotnet_host_path workaround microsoft/vstest#15328
[main] Update dependencies from dotnet/arcade by @dotnet-maestro[bot] in [main] Update dependencies from dotnet/arcade microsoft/vstest#15338
[main] Source code updates from dotnet/dotnet by @dotnet-maestro[bot] in [main] Source code updates from dotnet/dotnet microsoft/vstest#15322
[main] Update dependencies from dotnet/arcade by @dotnet-maestro[bot] in [main] Update dependencies from dotnet/arcade microsoft/vstest#15343
Change PreReleaseVersionLabel from 'preview' to 'release' by @nohwnd in Change PreReleaseVersionLabel from 'preview' to 'release' microsoft/vstest#15352
[rel/18.3] Update dependencies from devdiv/DevDiv/vs-code-coverage by @dotnet-maestro[bot] in [rel/18.3] Update dependencies from devdiv/DevDiv/vs-code-coverage microsoft/vstest#15354
[rel/18.3] Update dependencies from dotnet/arcade by @dotnet-maestro[bot] in [rel/18.3] Update dependencies from dotnet/arcade microsoft/vstest#15389
[rel/18.3] Update dependencies from dotnet/arcade by @dotnet-maestro[bot] in [rel/18.3] Update dependencies from dotnet/arcade microsoft/vstest#15400
Update build tools to 17.11.48 to be source buildable by @nohwnd in Update build tools to 17.11.48 to be source buildable microsoft/vstest#15310
Disable publishing on RTM by @nohwnd in Disable publishing on RTM microsoft/vstest#15296
Don't access nuget.org for package feeds by @nohwnd in Don't access nuget.org for package feeds microsoft/vstest#15316
No nuget access fix tests by @nohwnd in No nuget access fix tests microsoft/vstest#15317
Disable Dependabot updates in dependabot.yml by @mmitche in Disable Dependabot updates in dependabot.yml microsoft/vstest#15324

New Contributors

@premun made their first contribution in Update codeflow metadata to fix backflow microsoft/vstest#15291

Commits viewable in compare view.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

--- updated-dependencies: - dependency-name: Microsoft.NET.Test.Sdk dependency-version: 18.3.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>

guibranco

Automatically approved by gstraccini[bot]

socket-security · 2026-03-02T01:16:43Z

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. Learn more about Socket for GitHub.

Action	Severity	Alert (click "▶" to expand/collapse)
Block		High CVE: Regular Expression Denial of Service in npm `trim` CVE: GHSA-w5p7-h5w8-2hfq Regular Expression Denial of Service in trim (HIGH) Affected versions: < 0.0.3 Patched version: 0.0.3 From: `?` → `npm/@docusaurus/core@2.4.3` → `npm/@docusaurus/preset-classic@2.4.3` → `npm/trim@0.0.1` ℹ Read more on: This package \| This alert \| What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/trim@0.0.1`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Dynamic code execution: npm `terser-webpack-plugin` Eval Type: Function Location: Package overview From: `?` → `npm/@docusaurus/core@2.4.3` → `npm/@docusaurus/preset-classic@2.4.3` → `npm/terser-webpack-plugin@5.3.16` ℹ Read more on: This package \| This alert \| What is dynamic code execution? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Avoid packages that use dynamic code execution like eval(), since this could potentially execute any code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/terser-webpack-plugin@5.3.16`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Dynamic code execution: npm `terser` Eval Type: Function Location: Package overview From: `?` → `npm/@docusaurus/core@2.4.3` → `npm/@docusaurus/preset-classic@2.4.3` → `npm/terser@5.46.0` ℹ Read more on: This package \| This alert \| What is dynamic code execution? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Avoid packages that use dynamic code execution like eval(), since this could potentially execute any code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/terser@5.46.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm `terser` in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: `?` → `npm/@docusaurus/core@2.4.3` → `npm/@docusaurus/preset-classic@2.4.3` → `npm/terser@5.46.0` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/terser@5.46.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Trivial package: npm `to-readable-stream` has 10 lines of code Location: Package overview From: `?` → `npm/@docusaurus/core@2.4.3` → `npm/to-readable-stream@1.0.0` ℹ Read more on: This package \| This alert \| What are trivial packages? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Removing this package as a dependency and implementing its logic will reduce supply chain risk. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/to-readable-stream@1.0.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Trivial package: npm `trim-trailing-lines` has 6 lines of code Location: Package overview From: `?` → `npm/@docusaurus/core@2.4.3` → `npm/@docusaurus/preset-classic@2.4.3` → `npm/trim-trailing-lines@1.1.4` ℹ Read more on: This package \| This alert \| What are trivial packages? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Removing this package as a dependency and implementing its logic will reduce supply chain risk. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/trim-trailing-lines@1.1.4`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Deprecated by its maintainer: npm `trim` Reason: Use String.prototype.trim() instead From: `?` → `npm/@docusaurus/core@2.4.3` → `npm/@docusaurus/preset-classic@2.4.3` → `npm/trim@0.0.1` ℹ Read more on: This package \| This alert \| What is a deprecated package? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/trim@0.0.1`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm `undici` in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: `?` → `npm/@docusaurus/preset-classic@2.4.3` → `npm/undici@7.22.0` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/undici@7.22.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		System shell access: npm `update-browserslist-db` in module child_process Module: child_process Location: Package overview From: `?` → `npm/@docusaurus/core@2.4.3` → `npm/@docusaurus/preset-classic@2.4.3` → `npm/update-browserslist-db@1.2.3` ℹ Read more on: This package \| This alert \| What is shell access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/update-browserslist-db@1.2.3`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		System shell access: npm `update-notifier` in module child_process Module: child_process Location: Package overview From: `?` → `npm/@docusaurus/core@2.4.3` → `npm/update-notifier@5.1.0` ℹ Read more on: This package \| This alert \| What is shell access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/update-notifier@5.1.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Trivial package: npm `url-parse-lax` has 10 lines of code Location: Package overview From: `?` → `npm/@docusaurus/core@2.4.3` → `npm/url-parse-lax@3.0.0` ℹ Read more on: This package \| This alert \| What are trivial packages? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Removing this package as a dependency and implementing its logic will reduce supply chain risk. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/url-parse-lax@3.0.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm `wait-on` in module https Module: https Location: Package overview From: `?` → `npm/@docusaurus/core@2.4.3` → `npm/wait-on@6.0.1` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/wait-on@6.0.1`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm `wait-on` in module net Module: net Location: Package overview From: `?` → `npm/@docusaurus/core@2.4.3` → `npm/wait-on@6.0.1` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/wait-on@6.0.1`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Trivial package: npm `web-namespaces` has 8 lines of code Location: Package overview From: `?` → `npm/@docusaurus/core@2.4.3` → `npm/@docusaurus/preset-classic@2.4.3` → `npm/web-namespaces@1.1.4` ℹ Read more on: This package \| This alert \| What are trivial packages? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Removing this package as a dependency and implementing its logic will reduce supply chain risk. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/web-namespaces@1.1.4`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm `webpack-bundle-analyzer` in module http Module: http Location: Package overview From: `?` → `npm/@docusaurus/core@2.4.3` → `npm/webpack-bundle-analyzer@4.10.2` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/webpack-bundle-analyzer@4.10.2`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm `webpack-dev-server` in module net Module: net Location: Package overview From: `?` → `npm/@docusaurus/core@2.4.3` → `npm/webpack-dev-server@4.15.2` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/webpack-dev-server@4.15.2`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Dynamic code execution: npm `webpack-dev-server` Eval Type: Function Location: Package overview From: `?` → `npm/@docusaurus/core@2.4.3` → `npm/webpack-dev-server@4.15.2` ℹ Read more on: This package \| This alert \| What is dynamic code execution? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Avoid packages that use dynamic code execution like eval(), since this could potentially execute any code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/webpack-dev-server@4.15.2`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm `webpack-dev-server` in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: `?` → `npm/@docusaurus/core@2.4.3` → `npm/webpack-dev-server@4.15.2` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/webpack-dev-server@4.15.2`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm `webpack-dev-server` in module http-proxy-middleware Module: http-proxy-middleware Location: Package overview From: `?` → `npm/@docusaurus/core@2.4.3` → `npm/webpack-dev-server@4.15.2` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/webpack-dev-server@4.15.2`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Dynamic code execution: npm `webpack` Eval Type: eval Location: Package overview From: `?` → `npm/@docusaurus/core@2.4.3` → `npm/@docusaurus/preset-classic@2.4.3` → `npm/webpack@5.105.3` ℹ Read more on: This package \| This alert \| What is dynamic code execution? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Avoid packages that use dynamic code execution like eval(), since this could potentially execute any code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/webpack@5.105.3`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm `webpack` in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: `?` → `npm/@docusaurus/core@2.4.3` → `npm/@docusaurus/preset-classic@2.4.3` → `npm/webpack@5.105.3` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/webpack@5.105.3`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Dynamic code execution: npm `webpack` Eval Type: Function Location: Package overview From: `?` → `npm/@docusaurus/core@2.4.3` → `npm/@docusaurus/preset-classic@2.4.3` → `npm/webpack@5.105.3` ℹ Read more on: This package \| This alert \| What is dynamic code execution? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Avoid packages that use dynamic code execution like eval(), since this could potentially execute any code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/webpack@5.105.3`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm `webpack` in module http Module: http Location: Package overview From: `?` → `npm/@docusaurus/core@2.4.3` → `npm/@docusaurus/preset-classic@2.4.3` → `npm/webpack@5.105.3` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/webpack@5.105.3`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm `webpack` in module https Module: https Location: Package overview From: `?` → `npm/@docusaurus/core@2.4.3` → `npm/@docusaurus/preset-classic@2.4.3` → `npm/webpack@5.105.3` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/webpack@5.105.3`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Deprecated by its maintainer: npm `whatwg-encoding` Reason: Use @exodus/bytes instead for a more spec-conformant and faster implementation From: `?` → `npm/@docusaurus/preset-classic@2.4.3` → `npm/whatwg-encoding@3.1.1` ℹ Read more on: This package \| This alert \| What is a deprecated package? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/whatwg-encoding@3.1.1`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm `ws` in module net Module: net Location: Package overview From: `?` → `npm/@docusaurus/core@2.4.3` → `npm/ws@7.5.10` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/ws@7.5.10`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm `ws` in module tls Module: tls Location: Package overview From: `?` → `npm/@docusaurus/core@2.4.3` → `npm/ws@7.5.10` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/ws@7.5.10`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm `ws` in module http Module: http Location: Package overview From: `?` → `npm/@docusaurus/core@2.4.3` → `npm/ws@7.5.10` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/ws@7.5.10`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
See 97 more rows in the dashboard

View full report

codacy-production · 2026-03-02T01:20:26Z

Coverage summary from Codacy

See diff coverage on Codacy

Coverage variation	Diff coverage
✅ +0.00% (target: -1.00%)	✅ ∅

Coverage variation details

	Coverable lines	Covered lines	Coverage
Common ancestor commit (`e357c8f`)	1777	4	0.23%
Head commit (`8c3da42`)	1777 (+0)	4 (+0)	0.23% (+0.00%)

Coverage variation is the difference between the coverage for the head and common ancestor commits of the pull request branch: <coverage of head commit> - <coverage of common ancestor commit>

Diff coverage details

	Coverable lines	Covered lines	Diff coverage
Pull request (#587)	0	0	∅ (not applicable)

Diff coverage is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified: <covered lines added or modified>/<coverable lines added or modified> * 100%

See your quality gate settings Change summary preferences

sonarqubecloud · 2026-03-02T01:26:42Z

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

AppVeyorBot · 2026-03-02T01:26:53Z

✅ Build VTEX-SDK-dotnet 3.0.765 completed (commit e18e363d34 by @dependabot[bot])

codecov · 2026-03-02T01:27:30Z

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 0.22%. Comparing base (e357c8f) to head (8c3da42).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@          Coverage Diff          @@
##            main    #587   +/-   ##
=====================================
  Coverage   0.22%   0.22%           
=====================================
  Files        117     117           
  Lines       1777    1777           
  Branches      75      75           
=====================================
  Hits           4       4           
+ Misses      1773    1771    -2     
- Partials       0       2    +2

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

dependabot bot assigned guibranco Mar 2, 2026

dependabot bot added .NET Pull requests that update .net code dependencies Pull requests that update a dependency file nuget Refers to nuget packages packages Packages labels Mar 2, 2026

guibranco enabled auto-merge (squash) March 2, 2026 01:16

gstraccini bot added the ☑️ auto-merge Automatic merging of pull requests (gstraccini-bot) label Mar 2, 2026

github-actions bot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label Mar 2, 2026

gstraccini bot approved these changes Mar 2, 2026

View reviewed changes

guibranco approved these changes Mar 2, 2026

View reviewed changes

gstraccini bot added the 🤖 bot Automated processes or integrations label Mar 2, 2026

guibranco merged commit cff02e7 into main Mar 2, 2026
24 of 27 checks passed

guibranco deleted the dependabot/nuget/Tests/VTEX.Tests/Microsoft.NET.Test.Sdk-18.3.0 branch March 2, 2026 01:26

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump Microsoft.NET.Test.Sdk from 18.0.1 to 18.3.0#587

Bump Microsoft.NET.Test.Sdk from 18.0.1 to 18.3.0#587
guibranco merged 1 commit intomainfrom
dependabot/nuget/Tests/VTEX.Tests/Microsoft.NET.Test.Sdk-18.3.0

dependabot bot commented on behalf of github Mar 2, 2026

Uh oh!

guibranco left a comment

Uh oh!

socket-security bot commented Mar 2, 2026

Uh oh!

codacy-production bot commented Mar 2, 2026

Uh oh!

sonarqubecloud bot commented Mar 2, 2026

Uh oh!

AppVeyorBot commented Mar 2, 2026

Uh oh!

Uh oh!

codecov bot commented Mar 2, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

dependabot bot commented on behalf of github Mar 2, 2026

18.3.0

What's Changed

Internal fixes and updates

New Contributors

Uh oh!

guibranco left a comment

Choose a reason for hiding this comment

Uh oh!

socket-security bot commented Mar 2, 2026

Uh oh!

codacy-production bot commented Mar 2, 2026

Coverage summary from Codacy

See diff coverage on Codacy

See your quality gate settings Change summary preferences

Uh oh!

sonarqubecloud bot commented Mar 2, 2026

Quality Gate passed

Uh oh!

AppVeyorBot commented Mar 2, 2026

Uh oh!

Uh oh!

codecov bot commented Mar 2, 2026

Codecov Report

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants