chore(deps): Bump WolverineFx from 5.39.3 to 6.1.0

[dependabot]

Updated WolverineFx from 5.39.3 to 6.1.0.

Release notes

Sourced from WolverineFx's releases.

6.1.0

Wolverine 6.1.0

Minor release. Critter Stack dependency refresh, plus the rollup of the entire post-6.0.0 6.0.x line — most significantly the AOT runtime-scanning-elimination work and a new command-line handler-discovery diagnostic.

ℹ️ There was no standalone 6.0.1 tag/GitHub release (it shipped as a NuGet version only), so the changelog below covers every PR merged since 6.0.0 — which includes everything released as 6.0.1 through 6.0.3.

Dependencies

• Marten / Marten.AspNetCore / Marten.Newtonsoft: 9.0.1 → 9.2.0
• JasperFx.* (non-RuntimeCompiler): 2.1.3 → 2.2.0 (#​2938)
• Polecat: 4.1.1 (unchanged — already latest)
• JasperFx.RuntimeCompiler: 5.0.0 (unchanged — own 5.x line)

Marten 9.2.0 now bundles JasperFx.Events.SourceGenerator as an analyzer, so projects referencing Wolverine.Marten receive it transitively. The previously-explicit analyzer references were dropped from the 8 Marten-referencing projects to avoid running the generator twice, which produced duplicate Evolve/*Evolver build errors (#​2939). PolecatTests retains its explicit reference because Polecat does not bundle the generator.

New & Noteworthy

AOT: eliminate runtime assembly scanning — AOT Publishing. Static-mode apps no longer scan assemblies at startup; discovery now flows through source-generated manifests:

• Handlers + message types — #​2906 / #​2928
• HTTP endpoints — #​2925 / #​2929
• gRPC services (incl. the direct-mapped mode) — #​2926 / #​2930 / #​2934
• [WolverineHandlerModule] assemblies, with no filesystem probe — #​2905 / #​2935
• Extension discovery manifest — #​2902 / #​2918
• Remaining ad-hoc discovery scans routed through JasperFx TypeQuery — #​2909 / #​2932
• Generated HTTP/gRPC types attached by full name instead of a GetTypes() scan — #​2908 / #​2936

Command-line handler-discovery diagnostic — Command Line Integration · Command Line Diagnostics tutorial. New dotnet run -- wolverine-diagnostics describe-handlers <Type> runs DescribeHandlerMatch from the CLI so you can troubleshoot handler discovery without editing your bootstrapping code — #​2921 / #​2923

Build-time OpenAPI generation — Command Line Integration. dotnet run -- openapi generates the OpenAPI document without starting the host (no database/broker required) — #​2903 / #​2911

SQS fair queues on standard queues — support MessageGroupId on standard Amazon SQS queues — #​2886 / #​2889

SignalR ClaimsPrincipal — the connection's ClaimsPrincipal is now exposed on SignalREnvelope — #​2927 / #​2937

EF Core transactional outbox timing fix — the EF Core transaction and outbox flush now complete before the HTTP response is written — #​2917 / #​2920

Mixed-lifetime IEnumerable<T> support; Lamar removed — handlers depending on a mixed singleton/scoped IEnumerable<T> now resolve every element correctly; Lamar is no longer used or supported, and the built-in ServiceProvider is the container — #​2896 / #​2914

Aggregate handler naming clarity — clarified and guarded the *AggregateHandler naming convention vs. [ReadAggregate] — #​2924

Production code-generation guidance — Code Generation. How to drop Roslyn from production images, with a linked CqrsMinimalApi sample — #​2900 / #​2912

Bug fixes

• Ancillary store outbox schema for projection side effects — #​2887 / #​2888
• NRE from null-Sender routes built during description mode — #​2897 / #​2899

What's Changed

• Improve tests by @​dmytro-pryvedeniuk in Improve tests JasperFx/wolverine#2884
• Fix ancillary store outbox schema for projection side effects (GH-2887) by @​jeremydmiller in Fix ancillary store outbox schema for projection side effects (GH-2887) JasperFx/wolverine#2888
• Support MessageGroupId on standard SQS queues for fair queues (GH-2886) by @​jeremydmiller in Support MessageGroupId on standard SQS queues for fair queues (GH-2886) JasperFx/wolverine#2889
• Repoint JasperFx.SourceGeneration → JasperFx.SourceGenerator 2.0.1 by @​jeremydmiller in Repoint JasperFx.SourceGeneration → JasperFx.SourceGenerator 2.0.1 JasperFx/wolverine#2891
  ... (truncated)

6.0.0

Wolverine 6.0.0 — Critter Stack 2026

The messaging/orchestration release completing the Critter Stack 2026 wave, on the final foundation (JasperFx 2.0 / Weasel 9.0 / Marten 9.0 / Polecat 4.0).

Highlights

• Foundation (final): JasperFx 2.0.0 / JasperFx.RuntimeCompiler 5.0.0 / Marten 9.0.0 / Polecat 4.0.0 / Weasel 9.0.0. Targets net9.0;net10.0.
• Runtime codegen decoupled from core (BREAKING): WolverineFx no longer ships Roslyn. Apps in the default TypeLoadMode.Dynamic must add WolverineFx.RuntimeCompilation, or pre-generate via codegen write + TypeLoadMode.Static (the trimmer then drops Roslyn). See the migration guide.
• ServiceLocationPolicy.NotAllowed is the default (BREAKING) — restructure registrations, allow-list per type, or call opts.RestoreV5Defaults() to revert.
• AOT-clean (pillar #​213): every packaged library carries IsAotCompatible=true (except the intentional WolverineFx.RuntimeCompilation); Static-mode publish drops Roslyn.
• Cold-start (pillar #​212): Tier-1 pre-generated static handler registry skips handler-discovery scanning in Static mode.
• Newtonsoft extracted to WolverineFx.Newtonsoft / WolverineFx.Http.Newtonsoft; IForwardsTo<T> discovery now explicit; removed [Obsolete] APIs (EventForwardingToWolverine, RedisTransport.BuildRedisStreamUri, PulsarEndpoint.UriFor).

Migration guide: https://wolverinefx.net/guide/migration.html (or docs/guide/migration.md). Master plan: wolverine#​2715. Remaining release-cut comms items tracked in #​2745.

Commits viewable in compare view.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[github-actions]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 4 package(s) with unknown licenses.

See the Details below.

License Issues

backend/src/RunCoach.Api/RunCoach.Api.csproj

Package	Version	License	Issue Type
JasperFx	2.2.0	Null	Unknown License
JasperFx.Events	2.2.0	Null	Unknown License
JasperFx.SourceGenerator	2.2.0	Null	Unknown License
WolverineFx	6.1.0	Null	Unknown License

Allowed Licenses:

MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC, 0BSD, Unlicense, CC0-1.0, CC-BY-4.0, Zlib, BSL-1.0, Python-2.0, PSF-2.0, Artistic-2.0, MPL-2.0, WTFPL, PostgreSQL

Excluded from license check:

pkg:githubactions/SonarSource/sonarqube-scan-action, pkg:npm/runcoach-frontend

OpenSSF Scorecard

Package	Version	Score	Details
nuget/FastExpressionCompiler	5.4.1	🟢 3.7	Details Check Score Reason Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Maintained 🟢 10 30 commit(s) and 24 issue activity found in the last 90 days -- score normalized to 10 Code-Review ⚠️ 0 Found 0/2 approved changesets -- score normalized to 0 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 9 binaries present in source code Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Packaging 🟢 10 packaging workflow detected Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
nuget/JasperFx	2.2.0	Unknown	Unknown
nuget/JasperFx.Events	2.2.0	Unknown	Unknown
nuget/JasperFx.SourceGenerator	2.2.0	Unknown	Unknown
nuget/WolverineFx	6.1.0	Unknown	Unknown

Scanned Files

• backend/src/RunCoach.Api/RunCoach.Api.csproj

[dependabot]

Looks like WolverineFx is updatable in another way, so this is no longer needed.

[leehopper]

Superseded by #125, which upgraded the full Critter Stack together — Marten 9.2.1 + Marten.EntityFrameworkCore 9.2.1 + WolverineFx/.EntityFrameworkCore/.Marten 6.1.0 (+ new WolverineFx.RuntimeCompilation 6.1.0). These four PRs each failed CI in isolation because the packages are interdependent and must move as one. Auto-closed now that main carries the target versions.