Skip to content

chore(deps): Bump the minor-and-patch group with 23 updates#300

Open
dependabot[bot] wants to merge 2 commits into
mainfrom
dependabot/nuget/backend/minor-and-patch-b9df65fb31
Open

chore(deps): Bump the minor-and-patch group with 23 updates#300
dependabot[bot] wants to merge 2 commits into
mainfrom
dependabot/nuget/backend/minor-and-patch-b9df65fb31

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 16, 2026

Copy link
Copy Markdown
Contributor

Updated Marten from 9.14.0 to 9.15.4.

Release notes

Sourced from Marten's releases.

9.15.4

What's Changed

New Contributors

Full Changelog: JasperFx/marten@v9.15.3...v9.15.4

9.15.3

This addresses a potential vulnerability from SQL injection via non-string constant in a LINQ Select projection

Not a common usage, but still.

What's Changed

Full Changelog: JasperFx/marten@9.15.2...v9.15.3

9.15.2

Marten 9.15.2

A patch release. Both fixes come out of the same 512-tenant-database production deployment, reported by @​erdtsieck, and both turned out to be worse than the reports described.

Bulk event insert ran a full schema apply on every batch

#​4946fixed in #​4949

The batch BulkInsertEventsAsync overloads opened with Storage.ApplyAllConfiguredChangesToDatabaseAsync() on every call.

That is not a cheap check. It calls Tenancy.BuildDatabases() and runs a full schema delta — partition introspection plus information_schema sweeps — across every database in the store. So a sharded store paid one apply per database, per batch. On the reporting deployment, each ~1,000-event batch was triggering 512 schema applies.

The measured effect: import throughput collapsed to ~17 events/s, against >3,000/s for the streaming overload. A 686k-event tenant projected to roughly 11 hours. The connection pool filled with ~370 backends whose last statement was Weasel's partition-introspection query, which fed directly into the server-wide connection pressure that deployment was already fighting.

That the streaming overload BulkInsertEventStreamAsync has no such call and is fine is the tell: the schema apply was never part of the contract. It was a leftover.

The apply is now:

  • skipped entirely when the effective AutoCreate is None — it is a no-op there by contract, so all that remained was the introspection cost; and
  • otherwise run at most once per database the import actually touches, memoized on IMartenDatabase.Identifier.

One subtlety worth recording, because it is the kind of thing that bites later: the memoized apply deliberately does not take a caller's CancellationToken. The first caller to arrive owns the single in-flight task that every concurrent caller for that database awaits — so binding that shared task to one caller's token would let a single cancelled batch fail sibling batches that were never cancelled. Each caller applies its own token at the await site instead. A schema apply is short and idempotent, so letting it run to completion is the cheaper trade.

Under AutoCreate.None, the event storage must already exist before import. That is the documented contract and it matches the streaming overload — but if you were previously relying on the per-call apply to create it for you under a non-None store, note the change.

The document bulk-insert path (BulkInsertAsync / BulkInsertDocumentsAsync) is unaffected. It routes through the ordinary per-feature EnsureStorageExistsAsync that Weasel already memoizes, not a full-store delta.

Tenant provisioning silently under-provisioned partitions

#​4944fixed in #​4950

AddPartitionToAllTables, and the tenant-provisioning paths built on it, walked the calling store's StoreOptions to decide which tables needed a list partition for a new tenant.

So any tool or host that provisions tenants from a store which doesn't register every document type silently under-provisioned. Document types unknown to the caller never got their partitions — and the tenant then failed with a Postgres 23514 check-constraint violation on first write to the missing partition. Nothing failed at provisioning time; the damage surfaced later, somewhere else.

The workaround was "the provisioning tool must register all document types," which re-creates schema knowledge in a second place and drifts as document types are added.

The sweep is now database-driven: it enumerates tenant list-partitioned tables from the Postgres catalog, so a partially-registered store still provisions every partitioned table it finds.

Scoping is enforced inside the catalog query rather than filtered in memory afterward:

  • Schema — the store's own AllSchemaNames() only. Foreign partitioned tables in a shared database are never touched.
  • Partition shape — LIST strategy, exactly one key column, and that column named tenant_id. This is the filter that matters most, and it is what keeps the sweep off Marten's own non-tenant list partitioning: UseArchivedStreamPartitioning keys mt_events on is_archived, and ByList() keys on its own field. Without it, a "helpful" sweep would start adding tenant partitions to tables partitioned on something else entirely.
  • External management — tables marked ByExternallyManagedListPartitions() are subtracted.

Opt out with SweepPartitionedTablesFromDatabase (default on). No Weasel change was required.

Known limitation, and it is a real one: a document type registered into a schema the calling store has never heard of stays invisible to the schema filter — a store cannot own a schema it does not know exists. Single-schema stores (the default, and the reporting deployment's shape) are fully covered. Closing this properly would need a persisted table list alongside mt_tenant_partitions.


... (truncated)

9.15.1

Patch release for a silent data-correctness regression. If you use ForTenant() on an identity-mapped or dirty-tracked session, upgrade.

Fixed

  • #​4947ForTenant() on an identity session stopped returning tenancy-neutral documents (reported by @​dervagabund, with a repro — thank you). A ForTenant() view of an identity- or dirty-tracked session no longer saw global (tenancy-neutral) documents tracked by the parent session. Since a global document has exactly one row per id for the whole database, LoadAsync through the ForTenant view missed the identity map, went to the database, and returned null for a document that is there. A silent wrong answer, not an error.

    Affected: 9.13.0, 9.14.x, 9.15.0. Introduced by the fix for #​4801, which tenant-scoped the identity map and version tracker for ForTenant sessions. That was correct for conjoined documents — where the same id means a different document per tenant — but it was applied per session rather than per document type, so it also isolated document types that are tenancy-neutral and must be shared.

    Sharing is now decided per document type. A nested ForTenant session shares the parent's identity-map and version-tracker entry for a type only when the storage is identity-mapped, the type is not Conjoined, and the nested session's database is the same instance as the parent's (under database-per-tenant, the same id in another tenant's database is a different document even for a tenancy-neutral type). The isolation introduced by #​4801 is preserved exactly — the Bug_4801 suite still passes, and the new tests include guard rails asserting conjoined documents stay isolated.

Full changelog: JasperFx/marten@9.15.0...9.15.1

9.15.0

Closed issues

  • #​4942 — sharded tenancy: auto-assign never repaired half-provisioned tenants (PR #​4945). findOrAssignTenantDatabaseAsync returned early on an existing assignment row, skipping createPartitionsForTenant + per-tenant event-sequence provisioning — so a tenant whose provisioning was interrupted (assignment committed, partitions missing) failed every write with 23514 forever. Both early-return paths (including a second race-window hole under the advisory lock) now run the same idempotent repair the explicit AddTenantToShardAsync(tenantId, databaseId) overload always ran, guarded to once per process per tenant via the resolution cache.
  • #​4941 — two-day silent projection outage (closed with full mapping). Root cause was #​4942; the invisibility was JasperFx/jasperfx#​506/#​507, fixed in JasperFx 2.27.0 which this release consumes.

Also in this release

  • Bundles the fixed JasperFx.Events.SourceGenerator analyzer (JasperFx/jasperfx#​505) — CS1061 compile break for no-parameterless-ctor aggregates with instance Apply returning the aggregate.
  • Follow-up enhancement filed as #​4944 (database-driven partition sweep via pg_inherits) for the #​4943 provisioning-tool scenario.

Verified against Wolverine (full solution + CoreTests/MartenTests/distribution/Http suites, zero failures) and CritterWatch before publishing. Thanks to @​erdtsieck for the dump-verified root-cause analysis.

9.14.1

Marten 9.14.1 is a patch release focused on a substantial round of LINQ query-translation improvements, plus event-store partitioning, high-water, and AoT fixes, and refreshed Weasel/JasperFx dependencies.

LINQ query translation

This release significantly expands what the LINQ provider can push down to PostgreSQL instead of falling back to slower strategies or throwing:

  • Collection Any(predicate) filters now translate to JSONPath and OR-of-containment strategies, and the old explode/ctid fallback has been replaced by a correlated EXISTS strategy. All() shapes and duplicated array fields moved onto the same EXISTS strategy. The net effect is correct, index-friendlier SQL for nested-collection predicates.
  • Indexing into complex child collections inside Where() clauses is now supported (e.g. x.Children[0].Name == "...").
  • Aggregates over collectionsSum/Min/Max/Average — can now be used inside Where() clauses.
  • Regex.IsMatch() is translated in Where() clauses.
  • IComparable.CompareTo() now works for non-string comparables such as Guid (#​4920), alongside broader CompareTo() coverage, string IsOneOf via the ?| operator, and CollectionIsEmpty via ICollectionAware.
  • GinIndexJsonDataMember() was added for member-scoped expression GIN indexes.

#​4916 — subclass queries now use duplicated fields and the base id

Querying a document subclass and filtering on a Duplicate()'d field or the base-class id previously emitted a JSONB filter (CAST(d.data ->> 'FarmId' as uuid)) instead of the real column, missing the duplicated column and the primary-key index:

o.Schema.For<Animal>().AddSubClass<Cow>().Duplicate(x => x.FarmId);

Query<Cow>().Where(x => x.FarmId == id)  // now: d.farm_id = :p0     (was: CAST(d.data ->> 'FarmId' ...))
Query<Cow>().Where(x => x.Id == id)      // now: d.id = :p0          (was: CAST(d.data ->> 'Id' ...))

A subclass shares its parent's table, so the parent's column-backed members (duplicated fields, the id, the soft-delete flag) are now inherited by the subclass's query member resolution. Querying the parent type was already correct and is unchanged.

Event store, partitioning & daemon

  • #​4924 — hyphenated / GUID tenant ids under UseTenantPartitionedEvents. Registering a tenant whose partition suffix contains a - (so every GUID tenant id) made ApplyAllConfiguredChangesToDatabaseAsync() throw 42601 because the per-tenant CREATE SEQUENCE / DROP SEQUENCE DDL emitted the identifier unquoted. The schema-apply statements are now quoted (matching the quick-append function and the imperative provisioning path), so hyphenated tenants migrate cleanly. Quote — not sanitize — so the append function can still resolve the sequence by its raw suffix.
  • #​4915 — projection coordinator shutdown. The projection coordinator now drains on disposal, and via the Weasel 9.16.3 bump the advisory-lock ObjectDisposedException path latches-and-rethrows so a HotCold cold node's leadership loop terminates instead of re-polling a disposed data source during shutdown.
  • #​4913 — high-water scan under partitioning (JasperFx 2.26.0). Under UseTenantPartitionedEvents the store-global high-water agent was continuously running select max(seq_id) from mt_events, an unfiltered scan that fans out across every tenant partition on every poll. That store-global mark is not used to advance tenant projections (they advance per-tenant), so the recurring scan is now skipped under partitioning; tenant high water is driven by the per-tenant coordinator and poll timer.
  • jasperfx#​502 (#​4922)GetProjectionStatusesAsync now resolves the correct named database.

AoT / trimming

  • #​4917 — corrected AoT annotations in the event graph.
  • The AddEventType / QueryRawEventDataOnly generic-constraint tightening was reversed, and event-mapping construction now routes through the cached GenericFactoryCache while preserving the trimming root (#​4930).

Dependencies

  • Weasel 9.16.3 (#​4932) — advisory-lock disposed-pool fix (marten#​4915).
  • JasperFx 2.26.0 — the #​4913 high-water fix, plus 2.25.0's ShardState.DatabaseIdentifier (jasperfx#​501).

Closed issues

#​4913, #​4915, #​4916, #​4917, #​4924, and jasperfx#​502.

Commits viewable in compare view.

Updated Marten.EntityFrameworkCore from 9.14.0 to 9.15.4.

Release notes

Sourced from Marten.EntityFrameworkCore's releases.

9.15.4

What's Changed

New Contributors

Full Changelog: JasperFx/marten@v9.15.3...v9.15.4

9.15.3

This addresses a potential vulnerability from SQL injection via non-string constant in a LINQ Select projection

Not a common usage, but still.

What's Changed

Full Changelog: JasperFx/marten@9.15.2...v9.15.3

9.15.2

Marten 9.15.2

A patch release. Both fixes come out of the same 512-tenant-database production deployment, reported by @​erdtsieck, and both turned out to be worse than the reports described.

Bulk event insert ran a full schema apply on every batch

#​4946fixed in #​4949

The batch BulkInsertEventsAsync overloads opened with Storage.ApplyAllConfiguredChangesToDatabaseAsync() on every call.

That is not a cheap check. It calls Tenancy.BuildDatabases() and runs a full schema delta — partition introspection plus information_schema sweeps — across every database in the store. So a sharded store paid one apply per database, per batch. On the reporting deployment, each ~1,000-event batch was triggering 512 schema applies.

The measured effect: import throughput collapsed to ~17 events/s, against >3,000/s for the streaming overload. A 686k-event tenant projected to roughly 11 hours. The connection pool filled with ~370 backends whose last statement was Weasel's partition-introspection query, which fed directly into the server-wide connection pressure that deployment was already fighting.

That the streaming overload BulkInsertEventStreamAsync has no such call and is fine is the tell: the schema apply was never part of the contract. It was a leftover.

The apply is now:

  • skipped entirely when the effective AutoCreate is None — it is a no-op there by contract, so all that remained was the introspection cost; and
  • otherwise run at most once per database the import actually touches, memoized on IMartenDatabase.Identifier.

One subtlety worth recording, because it is the kind of thing that bites later: the memoized apply deliberately does not take a caller's CancellationToken. The first caller to arrive owns the single in-flight task that every concurrent caller for that database awaits — so binding that shared task to one caller's token would let a single cancelled batch fail sibling batches that were never cancelled. Each caller applies its own token at the await site instead. A schema apply is short and idempotent, so letting it run to completion is the cheaper trade.

Under AutoCreate.None, the event storage must already exist before import. That is the documented contract and it matches the streaming overload — but if you were previously relying on the per-call apply to create it for you under a non-None store, note the change.

The document bulk-insert path (BulkInsertAsync / BulkInsertDocumentsAsync) is unaffected. It routes through the ordinary per-feature EnsureStorageExistsAsync that Weasel already memoizes, not a full-store delta.

Tenant provisioning silently under-provisioned partitions

#​4944fixed in #​4950

AddPartitionToAllTables, and the tenant-provisioning paths built on it, walked the calling store's StoreOptions to decide which tables needed a list partition for a new tenant.

So any tool or host that provisions tenants from a store which doesn't register every document type silently under-provisioned. Document types unknown to the caller never got their partitions — and the tenant then failed with a Postgres 23514 check-constraint violation on first write to the missing partition. Nothing failed at provisioning time; the damage surfaced later, somewhere else.

The workaround was "the provisioning tool must register all document types," which re-creates schema knowledge in a second place and drifts as document types are added.

The sweep is now database-driven: it enumerates tenant list-partitioned tables from the Postgres catalog, so a partially-registered store still provisions every partitioned table it finds.

Scoping is enforced inside the catalog query rather than filtered in memory afterward:

  • Schema — the store's own AllSchemaNames() only. Foreign partitioned tables in a shared database are never touched.
  • Partition shape — LIST strategy, exactly one key column, and that column named tenant_id. This is the filter that matters most, and it is what keeps the sweep off Marten's own non-tenant list partitioning: UseArchivedStreamPartitioning keys mt_events on is_archived, and ByList() keys on its own field. Without it, a "helpful" sweep would start adding tenant partitions to tables partitioned on something else entirely.
  • External management — tables marked ByExternallyManagedListPartitions() are subtracted.

Opt out with SweepPartitionedTablesFromDatabase (default on). No Weasel change was required.

Known limitation, and it is a real one: a document type registered into a schema the calling store has never heard of stays invisible to the schema filter — a store cannot own a schema it does not know exists. Single-schema stores (the default, and the reporting deployment's shape) are fully covered. Closing this properly would need a persisted table list alongside mt_tenant_partitions.


... (truncated)

9.15.1

Patch release for a silent data-correctness regression. If you use ForTenant() on an identity-mapped or dirty-tracked session, upgrade.

Fixed

  • #​4947ForTenant() on an identity session stopped returning tenancy-neutral documents (reported by @​dervagabund, with a repro — thank you). A ForTenant() view of an identity- or dirty-tracked session no longer saw global (tenancy-neutral) documents tracked by the parent session. Since a global document has exactly one row per id for the whole database, LoadAsync through the ForTenant view missed the identity map, went to the database, and returned null for a document that is there. A silent wrong answer, not an error.

    Affected: 9.13.0, 9.14.x, 9.15.0. Introduced by the fix for #​4801, which tenant-scoped the identity map and version tracker for ForTenant sessions. That was correct for conjoined documents — where the same id means a different document per tenant — but it was applied per session rather than per document type, so it also isolated document types that are tenancy-neutral and must be shared.

    Sharing is now decided per document type. A nested ForTenant session shares the parent's identity-map and version-tracker entry for a type only when the storage is identity-mapped, the type is not Conjoined, and the nested session's database is the same instance as the parent's (under database-per-tenant, the same id in another tenant's database is a different document even for a tenancy-neutral type). The isolation introduced by #​4801 is preserved exactly — the Bug_4801 suite still passes, and the new tests include guard rails asserting conjoined documents stay isolated.

Full changelog: JasperFx/marten@9.15.0...9.15.1

9.15.0

Closed issues

  • #​4942 — sharded tenancy: auto-assign never repaired half-provisioned tenants (PR #​4945). findOrAssignTenantDatabaseAsync returned early on an existing assignment row, skipping createPartitionsForTenant + per-tenant event-sequence provisioning — so a tenant whose provisioning was interrupted (assignment committed, partitions missing) failed every write with 23514 forever. Both early-return paths (including a second race-window hole under the advisory lock) now run the same idempotent repair the explicit AddTenantToShardAsync(tenantId, databaseId) overload always ran, guarded to once per process per tenant via the resolution cache.
  • #​4941 — two-day silent projection outage (closed with full mapping). Root cause was #​4942; the invisibility was JasperFx/jasperfx#​506/#​507, fixed in JasperFx 2.27.0 which this release consumes.

Also in this release

  • Bundles the fixed JasperFx.Events.SourceGenerator analyzer (JasperFx/jasperfx#​505) — CS1061 compile break for no-parameterless-ctor aggregates with instance Apply returning the aggregate.
  • Follow-up enhancement filed as #​4944 (database-driven partition sweep via pg_inherits) for the #​4943 provisioning-tool scenario.

Verified against Wolverine (full solution + CoreTests/MartenTests/distribution/Http suites, zero failures) and CritterWatch before publishing. Thanks to @​erdtsieck for the dump-verified root-cause analysis.

9.14.1

Marten 9.14.1 is a patch release focused on a substantial round of LINQ query-translation improvements, plus event-store partitioning, high-water, and AoT fixes, and refreshed Weasel/JasperFx dependencies.

LINQ query translation

This release significantly expands what the LINQ provider can push down to PostgreSQL instead of falling back to slower strategies or throwing:

  • Collection Any(predicate) filters now translate to JSONPath and OR-of-containment strategies, and the old explode/ctid fallback has been replaced by a correlated EXISTS strategy. All() shapes and duplicated array fields moved onto the same EXISTS strategy. The net effect is correct, index-friendlier SQL for nested-collection predicates.
  • Indexing into complex child collections inside Where() clauses is now supported (e.g. x.Children[0].Name == "...").
  • Aggregates over collectionsSum/Min/Max/Average — can now be used inside Where() clauses.
  • Regex.IsMatch() is translated in Where() clauses.
  • IComparable.CompareTo() now works for non-string comparables such as Guid (#​4920), alongside broader CompareTo() coverage, string IsOneOf via the ?| operator, and CollectionIsEmpty via ICollectionAware.
  • GinIndexJsonDataMember() was added for member-scoped expression GIN indexes.

#​4916 — subclass queries now use duplicated fields and the base id

Querying a document subclass and filtering on a Duplicate()'d field or the base-class id previously emitted a JSONB filter (CAST(d.data ->> 'FarmId' as uuid)) instead of the real column, missing the duplicated column and the primary-key index:

o.Schema.For<Animal>().AddSubClass<Cow>().Duplicate(x => x.FarmId);

Query<Cow>().Where(x => x.FarmId == id)  // now: d.farm_id = :p0     (was: CAST(d.data ->> 'FarmId' ...))
Query<Cow>().Where(x => x.Id == id)      // now: d.id = :p0          (was: CAST(d.data ->> 'Id' ...))

A subclass shares its parent's table, so the parent's column-backed members (duplicated fields, the id, the soft-delete flag) are now inherited by the subclass's query member resolution. Querying the parent type was already correct and is unchanged.

Event store, partitioning & daemon

  • #​4924 — hyphenated / GUID tenant ids under UseTenantPartitionedEvents. Registering a tenant whose partition suffix contains a - (so every GUID tenant id) made ApplyAllConfiguredChangesToDatabaseAsync() throw 42601 because the per-tenant CREATE SEQUENCE / DROP SEQUENCE DDL emitted the identifier unquoted. The schema-apply statements are now quoted (matching the quick-append function and the imperative provisioning path), so hyphenated tenants migrate cleanly. Quote — not sanitize — so the append function can still resolve the sequence by its raw suffix.
  • #​4915 — projection coordinator shutdown. The projection coordinator now drains on disposal, and via the Weasel 9.16.3 bump the advisory-lock ObjectDisposedException path latches-and-rethrows so a HotCold cold node's leadership loop terminates instead of re-polling a disposed data source during shutdown.
  • #​4913 — high-water scan under partitioning (JasperFx 2.26.0). Under UseTenantPartitionedEvents the store-global high-water agent was continuously running select max(seq_id) from mt_events, an unfiltered scan that fans out across every tenant partition on every poll. That store-global mark is not used to advance tenant projections (they advance per-tenant), so the recurring scan is now skipped under partitioning; tenant high water is driven by the per-tenant coordinator and poll timer.
  • jasperfx#​502 (#​4922)GetProjectionStatusesAsync now resolves the correct named database.

AoT / trimming

  • #​4917 — corrected AoT annotations in the event graph.
  • The AddEventType / QueryRawEventDataOnly generic-constraint tightening was reversed, and event-mapping construction now routes through the cached GenericFactoryCache while preserving the trimming root (#​4930).

Dependencies

  • Weasel 9.16.3 (#​4932) — advisory-lock disposed-pool fix (marten#​4915).
  • JasperFx 2.26.0 — the #​4913 high-water fix, plus 2.25.0's ShardState.DatabaseIdentifier (jasperfx#​501).

Closed issues

#​4913, #​4915, #​4916, #​4917, #​4924, and jasperfx#​502.

Commits viewable in compare view.

Updated Microsoft.AspNetCore.Authentication.JwtBearer from 10.0.9 to 10.0.10.

Release notes

Sourced from Microsoft.AspNetCore.Authentication.JwtBearer's releases.

No release notes found for this version range.

Commits viewable in compare view.

Updated Microsoft.AspNetCore.DataProtection.EntityFrameworkCore from 10.0.9 to 10.0.10.

Release notes

Sourced from Microsoft.AspNetCore.DataProtection.EntityFrameworkCore's releases.

No release notes found for this version range.

Commits viewable in compare view.

Updated Microsoft.AspNetCore.Identity.EntityFrameworkCore from 10.0.9 to 10.0.10.

Release notes

Sourced from Microsoft.AspNetCore.Identity.EntityFrameworkCore's releases.

No release notes found for this version range.

Commits viewable in compare view.

Updated Microsoft.EntityFrameworkCore.Design from 10.0.9 to 10.0.10.

Release notes

Sourced from Microsoft.EntityFrameworkCore.Design's releases.

No release notes found for this version range.

Commits viewable in compare view.

Updated Microsoft.Extensions.AI.Evaluation from 10.7.0 to 10.8.0.

Release notes

Sourced from Microsoft.Extensions.AI.Evaluation's releases.

10.8.0

This release adds new experimental APIs to Microsoft.Extensions.AI.Abstractions and updates the OpenAI dependency to 2.12.0, alongside documentation, test, and repository maintenance.

Experimental API Changes

New Experimental APIs

  • New experimental API: AIFunctionNameAttribute and AIParameterNameAttribute #​7610 by @​jozkee (co-authored by @​jeffhandley @​Copilot)
  • New experimental API: ToolApprovalRequestContent.RequiresConfirmation (MEAI001) #​7549 by @​javiercn (co-authored by @​Copilot)

What's Changed

AI

  • Upgrade OpenAI dependency to 2.12.0 #​7608 by @​jozkee (co-authored by @​Copilot)
  • Auto-detect audio format in OpenAISpeechToTextClient #​7575 by @​jozkee (co-authored by @​Copilot)
  • Fix ImageGeneratingChatClient duplicating preceding content and dropping following content #​7624 by @​jozkee (co-authored by @​Copilot)

Vector Data

  • Make all test methods virtual in VectorData.ConformanceTests #​7606 by @​adamsitnik (co-authored by @​Copilot)

Documentation Updates

  • Remove links to ai-samples repo #​7574 by @​gewarren
  • Fix up docs with Copilot (MEVD) #​7597 by @​gewarren
  • Fix up docs with Copilot (M.E.ServiceDiscovery) #​7598 by @​gewarren (co-authored by @​Copilot)
  • Fix up docs with Copilot (MEAI) #​7600 by @​gewarren
  • Fix up docs with Copilot #​7601 by @​gewarren

Test Improvements

  • Fix flaky StampedeTests and harden related test waits #​7572 by @​jeffhandley (co-authored by @​Copilot)
  • Fix SQLitePCLRaw.lib.e_sqlite3 vulnerability by replacing SemanticKernel connectors with CommunityToolkit #​7579 by @​adamsitnik (co-authored by @​Copilot)
  • Removing SemanticKernel Connectors dependency and replacing it #​7584 by @​adamsitnik (co-authored by @​Copilot)
  • Migrate to xUnit v3 #​7607 by @​adamsitnik (co-authored by @​shyamnamboodiripad @​Copilot)

Repository Infrastructure Updates

  • Update OTel GenAI conventions skill for standalone semconv-genai repo #​7519 by @​jeffhandley (co-authored by @​Copilot)
  • Bump dotnet-coverage from 18.7.0 to 18.8.0 #​7552
  • [main] Update dependencies from dotnet/arcade #​7559
  • Fix transitive MessagePack vulnerability in AI template AppHost projects #​7561 by @​adamsitnik (co-authored by @​Copilot)
  • Bump esbuild, @​vitejs/plugin-react and vite in /src/Libraries/Microsoft.Extensions.AI.Evaluation.Reporting/TypeScript #​7564
  • Bump tmp from 0.2.6 to 0.2.7 in /src/Libraries/Microsoft.Extensions.AI.Evaluation.Reporting/TypeScript #​7569
  • Bump js-yaml from 4.1.1 to 4.2.0 in /src/Libraries/Microsoft.Extensions.AI.Evaluation.Reporting/TypeScript #​7570
  • Bump PowerShell from 7.6.2 to 7.6.3 #​7576
  • Remove duplicate 'WebAPI' classification from template #​7577 by @​danroth27
  • [main] Update dependencies from dotnet/arcade #​7590
  • Eliminate redundant Correctness CI stage by merging into Build #​7594 by @​adamsitnik (co-authored by @​Copilot)
  • Update Agent Framework to 1.13.0 #​7613 by @​jeffhandley (co-authored by @​Copilot)
    ... (truncated)

Commits viewable in compare view.

Updated Microsoft.Extensions.AI.Evaluation.Quality from 10.7.0 to 10.8.0.

Release notes

Sourced from Microsoft.Extensions.AI.Evaluation.Quality's releases.

10.8.0

This release adds new experimental APIs to Microsoft.Extensions.AI.Abstractions and updates the OpenAI dependency to 2.12.0, alongside documentation, test, and repository maintenance.

Experimental API Changes

New Experimental APIs

  • New experimental API: AIFunctionNameAttribute and AIParameterNameAttribute #​7610 by @​jozkee (co-authored by @​jeffhandley @​Copilot)
  • New experimental API: ToolApprovalRequestContent.RequiresConfirmation (MEAI001) #​7549 by @​javiercn (co-authored by @​Copilot)

What's Changed

AI

  • Upgrade OpenAI dependency to 2.12.0 #​7608 by @​jozkee (co-authored by @​Copilot)
  • Auto-detect audio format in OpenAISpeechToTextClient #​7575 by @​jozkee (co-authored by @​Copilot)
  • Fix ImageGeneratingChatClient duplicating preceding content and dropping following content #​7624 by @​jozkee (co-authored by @​Copilot)

Vector Data

  • Make all test methods virtual in VectorData.ConformanceTests #​7606 by @​adamsitnik (co-authored by @​Copilot)

Documentation Updates

  • Remove links to ai-samples repo #​7574 by @​gewarren
  • Fix up docs with Copilot (MEVD) #​7597 by @​gewarren
  • Fix up docs with Copilot (M.E.ServiceDiscovery) #​7598 by @​gewarren (co-authored by @​Copilot)
  • Fix up docs with Copilot (MEAI) #​7600 by @​gewarren
  • Fix up docs with Copilot #​7601 by @​gewarren

Test Improvements

  • Fix flaky StampedeTests and harden related test waits #​7572 by @​jeffhandley (co-authored by @​Copilot)
  • Fix SQLitePCLRaw.lib.e_sqlite3 vulnerability by replacing SemanticKernel connectors with CommunityToolkit #​7579 by @​adamsitnik (co-authored by @​Copilot)
  • Removing SemanticKernel Connectors dependency and replacing it #​7584 by @​adamsitnik (co-authored by @​Copilot)
  • Migrate to xUnit v3 #​7607 by @​adamsitnik (co-authored by @​shyamnamboodiripad @​Copilot)

Repository Infrastructure Updates

  • Update OTel GenAI conventions skill for standalone semconv-genai repo #​7519 by @​jeffhandley (co-authored by @​Copilot)
  • Bump dotnet-coverage from 18.7.0 to 18.8.0 #​7552
  • [main] Update dependencies from dotnet/arcade #​7559
  • Fix transitive MessagePack vulnerability in AI template AppHost projects #​7561 by @​adamsitnik (co-authored by @​Copilot)
  • Bump esbuild, @​vitejs/plugin-react and vite in /src/Libraries/Microsoft.Extensions.AI.Evaluation.Reporting/TypeScript #​7564
  • Bump tmp from 0.2.6 to 0.2.7 in /src/Libraries/Microsoft.Extensions.AI.Evaluation.Reporting/TypeScript #​7569
  • Bump js-yaml from 4.1.1 to 4.2.0 in /src/Libraries/Microsoft.Extensions.AI.Evaluation.Reporting/TypeScript #​7570
  • Bump PowerShell from 7.6.2 to 7.6.3 #​7576
  • Remove duplicate 'WebAPI' classification from template #​7577 by @​danroth27
  • [main] Update dependencies from dotnet/arcade #​7590
  • Eliminate redundant Correctness CI stage by merging into Build #​7594 by @​adamsitnik (co-authored by @​Copilot)
  • Update Agent Framework to 1.13.0 #​7613 by @​jeffhandley (co-authored by @​Copilot)
    ... (truncated)

Commits viewable in compare view.

Updated Microsoft.Extensions.AI.Evaluation.Reporting from 10.7.0 to 10.8.0.

Release notes

Sourced from Microsoft.Extensions.AI.Evaluation.Reporting's releases.

10.8.0

This release adds new experimental APIs to Microsoft.Extensions.AI.Abstractions and updates the OpenAI dependency to 2.12.0, alongside documentation, test, and repository maintenance.

Experimental API Changes

New Experimental APIs

  • New experimental API: AIFunctionNameAttribute and AIParameterNameAttribute #​7610 by @​jozkee (co-authored by @​jeffhandley @​Copilot)
  • New experimental API: ToolApprovalRequestContent.RequiresConfirmation (MEAI001) #​7549 by @​javiercn (co-authored by @​Copilot)

What's Changed

AI

  • Upgrade OpenAI dependency to 2.12.0 #​7608 by @​jozkee (co-authored by @​Copilot)
  • Auto-detect audio format in OpenAISpeechToTextClient #​7575 by @​jozkee (co-authored by @​Copilot)
  • Fix ImageGeneratingChatClient duplicating preceding content and dropping following content #​7624 by @​jozkee (co-authored by @​Copilot)

Vector Data

  • Make all test methods virtual in VectorData.ConformanceTests #​7606 by @​adamsitnik (co-authored by @​Copilot)

Documentation Updates

  • Remove links to ai-samples repo #​7574 by @​gewarren
  • Fix up docs with Copilot (MEVD) #​7597 by @​gewarren
  • Fix up docs with Copilot (M.E.ServiceDiscovery) #​7598 by @​gewarren (co-authored by @​Copilot)
  • Fix up docs with Copilot (MEAI) #​7600 by @​gewarren
  • Fix up docs with Copilot #​7601 by @​gewarren

Test Improvements

  • Fix flaky StampedeTests and harden related test waits #​7572 by @​jeffhandley (co-authored by @​Copilot)
  • Fix SQLitePCLRaw.lib.e_sqlite3 vulnerability by replacing SemanticKernel connectors with CommunityToolkit #​7579 by @​adamsitnik (co-authored by @​Copilot)
  • Removing SemanticKernel Connectors dependency and replacing it #​7584 by @​adamsitnik (co-authored by @​Copilot)
  • Migrate to xUnit v3 #​7607 by @​adamsitnik (co-authored by @​shyamnamboodiripad @​Copilot)

Repository Infrastructure Updates

  • Update OTel GenAI conventions skill for standalone semconv-genai repo #​7519 by @​jeffhandley (co-authored by @​Copilot)
  • Bump dotnet-coverage from 18.7.0 to 18.8.0 #​7552
  • [main] Update dependencies from dotnet/arcade #​7559
  • Fix transitive MessagePack vulnerability in AI template AppHost projects #​7561 by @​adamsitnik (co-authored by @​Copilot)
  • Bump esbuild, @​vitejs/plugin-react and vite in /src/Libraries/Microsoft.Extensions.AI.Evaluation.Reporting/TypeScript #​7564
  • Bump tmp from 0.2.6 to 0.2.7 in /src/Libraries/Microsoft.Extensions.AI.Evaluation.Reporting/TypeScript #​7569
  • Bump js-yaml from 4.1.1 to 4.2.0 in /src/Libraries/Microsoft.Extensions.AI.Evaluation.Reporting/TypeScript #​7570
  • Bump PowerShell from 7.6.2 to 7.6.3 #​7576
  • Remove duplicate 'WebAPI' classification from template #​7577 by @​danroth27
  • [main] Update dependencies from dotnet/arcade #​7590
  • Eliminate redundant Correctness CI stage by merging into Build #​7594 by @​adamsitnik (co-authored by @​Copilot)
  • Update Agent Framework to 1.13.0 #​7613 by @​jeffhandley (co-authored by @​Copilot)
    ... (truncated)

Commits viewable in compare view.

Updated Microsoft.Extensions.Configuration.EnvironmentVariables from 10.0.9 to 10.0.10.

Release notes

Sourced from Microsoft.Extensions.Configuration.EnvironmentVariables's releases.

No release notes found for this version range.

Commits viewable in compare view.

Updated Microsoft.Extensions.Configuration.Json from 10.0.9 to 10.0.10.

Release notes

Sourced from Microsoft.Extensions.Configuration.Json's releases.

No release notes found for this version range.

Commits viewable in compare view.

Updated Microsoft.Extensions.Configuration.UserSecrets from 10.0.9 to 10.0.10.

Release notes

Sourced from Microsoft.Extensions.Configuration.UserSecrets's releases.

No release notes found for this version range.

Commits viewable in compare view.

Updated Microsoft.Extensions.TimeProvider.Testing from 10.7.0 to 10.8.0.

Release notes

Sourced from Microsoft.Extensions.TimeProvider.Testing's releases.

10.8.0

This release adds new experimental APIs to Microsoft.Extensions.AI.Abstractions and updates the OpenAI dependency to 2.12.0, alongside documentation, test, and repository maintenance.

Experimental API Changes

New Experimental APIs

  • New experimental API: AIFunctionNameAttribute and AIParameterNameAttribute #​7610 by @​jozkee (co-authored by @​jeffhandley @​Copilot)
  • New experimental API: ToolApprovalRequestContent.RequiresConfirmation (MEAI001) #​7549 by @​javiercn (co-authored by @​Copilot)

What's Changed

AI

  • Upgrade OpenAI dependency to 2.12.0 #​7608 by @​jozkee (co-authored by @​Copilot)
  • Auto-detect audio format in OpenAISpeechToTextClient #​7575 by @​jozkee (co-authored by @​Copilot)
  • Fix ImageGeneratingChatClient duplicating preceding content and dropping following content #​7624 by @​jozkee (co-authored by @​Copilot)

Vector Data

  • Make all test methods virtual in VectorData.ConformanceTests #​7606 by @​adamsitnik (co-authored by @​Copilot)

Documentation Updates

  • Remove links to ai-samples repo #​7574 by @​gewarren
  • Fix up docs with Copilot (MEVD) #​7597 by @​gewarren
  • Fix up docs with Copilot (M.E.ServiceDiscovery) #​7598 by @​gewarren (co-authored by @​Copilot)
  • Fix up docs with Copilot (MEAI) #​7600 by @​gewarren
  • Fix up docs with Copilot #​7601 by @​gewarren

Test Improvements

  • Fix flaky StampedeTests and harden related test waits #​7572 by @​jeffhandley (co-authored by @​Copilot)
  • Fix SQLitePCLRaw.lib.e_sqlite3 vulnerability by replacing SemanticKernel connectors with CommunityToolkit #​7579 by @​adamsitnik (co-authored by @​Copilot)
  • Removing SemanticKernel Connectors dependency and replacing it #​7584 by @​adamsitnik (co-authored by @​Copilot)
  • Migrate to xUnit v3 #​7607 by @​adamsitnik (co-authored by @​shyamnamboodiripad @​Copilot)

Repository Infrastructure Updates

  • Update OTel GenAI conventions skill for standalone semconv-genai repo #​7519 by @​jeffhandley (co-authored by @​Copilot)
  • Bump dotnet-coverage from 18.7.0 to 18.8.0 #​7552
  • [main] Update dependencies from dotnet/arcade #​7559
  • Fix transitive MessagePack vulnerability in AI template AppHost projects #​7561 by @​adamsitnik (co-authored by @​Copilot)
  • Bump esbuild, @​vitejs/plugin-react and vite in /src/Libraries/Microsoft.Extensions.AI.Evaluation.Reporting/TypeScript #​7564
  • Bump tmp from 0.2.6 to 0.2.7 in /src/Libraries/Microsoft.Extensions.AI.Evaluation.Reporting/TypeScript #​7569
  • Bump js-yaml from 4.1.1 to 4.2.0 in /src/Libraries/Microsoft.Extensions.AI.Evaluation.Reporting/TypeScript #​7570
  • Bump PowerShell from 7.6.2 to 7.6.3 #​7576
  • Remove duplicate 'WebAPI' classification from template #​7577 by @​danroth27
  • [main] Update dependencies from dotnet/arcade #​7590
  • Eliminate redundant Correctness CI stage by merging into Build #​7594 by @​adamsitnik (co-authored by @​Copilot)
  • Update Agent Framework to 1.13.0 #​7613 by @​jeffhandley (co-authored by @​Copilot)
    ... (truncated)

Commits viewable in compare view.

Updated Npgsql.EntityFrameworkCore.PostgreSQL from 10.0.2 to 10.0.3.

Release notes

Sourced from Npgsql.EntityFrameworkCore.PostgreSQL's releases.

No release notes found for this version range.

Commits viewable in compare view.

Updated OpenTelemetry from 1.16.0 to 1.17.0.

Release notes

Sourced from OpenTelemetry's releases.

1.17.0

For highlights and announcements pertaining to this release see: Release Notes > 1.17.0.

The following changes are from the previous release 1.17.0-rc.1.

... (truncated)

1.17.0-rc.1

The following changes are from the previous release 1.16.0.

  • NuGet: OpenTelemetry v1.17.0-rc.1

    • Fixed a metric point reclaim data race on CPU ARM architectures.
      (#​7401)

    • The library is now marked as trim and AOT compatible.
      (#​7441)

    • Replaced the vendored copy of
      EnvironmentVariablesConfigurationProvider with a direct
      Microsoft.Extensions.Configuration.EnvironmentVariables package dependency.
      Consumers gain automatic pickup of upstream bug fixes and security patches;
      no public API or behavioural change.
      (#​7146)

    • Added a verbose OpenTelemetry-Sdk self-diagnostics event that is emitted
      when an activity is dropped because its local (in-process) parent is not
      recorded.
      (#​7427)

    • Added support for a Schema URL on Resource instances.
      (#​7472)

    • Fixed a metric storage leak that occurred when meters and instruments were
      repeatedly created and disposed.
      (#​7466)

    • Added ExcludedTagKeys property to MetricStreamConfiguration to support
      excluding specific tag keys from metric streams.
      (#​7373)

    See CHANGELOG for details.

  • NuGet: OpenTelemetry.Api v1.17.0-rc.1

    • Fixed TraceContextPropagator to normalize empty tracestate header values
      to null when extracting trace context.
      (#​7407,
      #​7433)

    • The library is now marked as trim and AOT compatible.
      (#​7441)

    • Experimental (pre-release builds only): Updated EnvironmentVariableCarrier.Get
      to read only the normalized environment variable name, following the updated
      environment variable carrier specification.
      Non-normalized carrier keys are no longer matched, even when they would
      normalize to the requested key.
      ... (truncated)

1.17.0-beta.1

The following changes are from the previous release 1.16.0-beta.1.

  • NuGet: OpenTelemetry.Exporter.Prometheus.AspNetCore v1.17.0-beta.1

    • Added a verbose-level diagnostic event for ignored metrics.
      (#​7429)

    • The library is now marked as trim and AOT compatible.
      (#​7441)

    • Fix double unit suffixes in metric names when using OpenMetrics.
      (#​7454)

    • Fix incorrect handling of leading digits in metric names for OpenMetrics.
      (#​7454)

    • Add PrometheusAspNetCoreOptions.ScopeInfoEnabled property to enable or
      disable scope labels in Prometheus metrics. Defaults to true.
      (#​7436)

    • Added support for the dots and values Prometheus UTF-8 name escaping
      schemes when negotiated via the Accept header.
      (#​7439)

    • Add PrometheusAspNetCoreOptions.TargetInfoEnabled property to enable or
      disable the target_info metric in Prometheus metrics. Defaults to true.
      (#​7438)

    • Added support for the allow-utf-8 Prometheus UTF-8 name escaping scheme
      when negotiated via the Accept header.
      (#​7440)

    • Add PrometheusAspNetCoreOptions.ResourceConstantLabels property to select
      resource attributes to add to each metric as constant labels. Defaults to
      null (no resource attributes are added as metric labels).
      (#​7471)

    • Add PrometheusAspNetCoreOptions.MaxScrapeResponseSizeBytes to configure
      the maximum size of a scrape response. The default is now ~166 MiB.
      (#​7487)

    • A scrape whose serialized output exceeds the maximum scrape response size
      limit now responds with HTTP 500.
      (#​7487)

    • Fixed the Prometheus text exposition format emitting redundant comments.
      (#​7491)

    • Made Accept header content negotiation consistent with the
      PrometheusHttpListener endpoint.
      ... (truncated)

Commits viewable in compare view.

Updated OpenTelemetry.Api from 1.16.0 to 1.17.0.

Release notes

Sourced from OpenTelemetry.Api's releases.

1.17.0

For highlights and announcements pertaining to this release see: Release Notes > 1.17.0.

The following changes are from the previous release 1.17.0-rc.1.

... (truncated)

1.17.0-rc.1

The following changes are from the previous release 1.16.0.

  • NuGet: OpenTelemetry v1.17.0-rc.1

    • Fixed a metric point reclaim data race on CPU ARM architectures.
      (#​7401)

    • The library is now marked as trim and AOT compatible.
      (#​7441)

    • Replaced the vendored copy of
      EnvironmentVariablesConfigurationProvider with a direct
      Microsoft.Extensions.Configuration.EnvironmentVariables package dependency.
      Consumers gain automatic pickup of upstream bug fixes and security patches;
      no public API or behavioural change.
      (#​7146)

    • Added a verbose OpenTelemetry-Sdk self-diagnostics event that is emitted
      when an activity is dropped because its local (in-process) parent is not
      recorded.
      (#​7427)

    • Added support for a Schema URL on Resource instances.
      (#​7472)

    • Fixed a metric storage leak that occurred when meters and instruments were
      repeatedly created and disposed.
      (#​7466)

    • Added ExcludedTagKeys property to MetricStreamConfiguration to support
      excluding specific tag keys from metric streams.
      (#​7373)

    See CHANGELOG for details.

  • NuGet: OpenTelemetry.Api v1.17.0-rc.1

    • Fixed TraceContextPropagator to normalize empty tracestate header values
      to null when extracting trace context.
      (#​7407,
      #​7433)

    • The library is now marked as trim and AOT compatible.
      (#​7441)

    • Experimental (pre-release builds only): Updated EnvironmentVariableCarrier.Get
      to read only the normalized environment variable name, following the updated
      environment variable carrier specification.
      Non-normalized carrier keys are no longer matched, even when they would
      normalize to the requested key.
      ... (truncated)

1.17.0-beta.1

The following changes are from the previous release 1.16.0-beta.1.

  • NuGet: OpenTelemetry.Exporter.Prometheus.AspNetCore v1.17.0-beta.1

    • Added a verbose-level diagnostic event for ignored metrics.
      (#​7429)

    • The library is now marked as trim and AOT compatible.
      (#​7441)

    • Fix double unit suffixes in metric names when using OpenMetrics.
      (#​7454)

    • Fix incorrect handling of leading digits in metric names for OpenMetrics.
      (#​7454)

    • Add PrometheusAspNetCoreOptions.ScopeInfoEnabled property to enable or
      disable scope labels in Prometheus metrics. Defaults to true.
      (#​7436)

    • Added support for the dots and values Prometheus UTF-8 name escaping
      schemes when negotiated via the Accept header.
      (#​7439)

    • Add PrometheusAspNetCoreOptions.TargetInfoEnabled property to enable or
      disable the target_info metric in Prometheus metrics. Defaults to true.
      (#​7438)

    • Added support for the allow-utf-8 Prometheus UTF-8 name escaping scheme
      when negotiated via the Accept header.
      (#​7440)

    • Add PrometheusAspNetCoreOptions.ResourceConstantLabels property to select
      resource attributes to add to each metric as constant labels. Defaults to
      null (no resource attributes are added as metric labels).
      (#​7471)

    • Add PrometheusAspNetCoreOptions.MaxScrapeResponseSizeBytes to configure
      the maximum size of a scrape response. The default is now ~166 MiB.
      (#​7487)

    • A scrape whose serialized output exceeds the maximum scrape response size
      limit now responds with HTTP 500.
      (#​7487)

    • Fixed the Prometheus text exposition format emitting redundant comments.
      (#​7491)

    • Made Accept header content negotiation consistent with the
      PrometheusHttpListener endpoint.
      ... (truncated)

Commits viewable in compare view.

Updated OpenTelemetry.Exporter.OpenTelemetryProtocol from 1.16.0 to 1.17.0.

Release notes

Sourced from OpenTelemetry.Exporter.OpenTelemetryProtocol's releases.

1.17.0

For highlights and announcements pertaining to this release see: Release Notes > 1.17.0.

The following changes are from the previous release 1.17.0-rc.1.

Description has been truncated

Bumps Marten from 9.14.0 to 9.15.4
Bumps Marten.EntityFrameworkCore from 9.14.0 to 9.15.4
Bumps Microsoft.AspNetCore.Authentication.JwtBearer from 10.0.9 to 10.0.10
Bumps Microsoft.AspNetCore.DataProtection.EntityFrameworkCore from 10.0.9 to 10.0.10
Bumps Microsoft.AspNetCore.Identity.EntityFrameworkCore from 10.0.9 to 10.0.10
Bumps Microsoft.EntityFrameworkCore.Design from 10.0.9 to 10.0.10
Bumps Microsoft.Extensions.AI.Evaluation from 10.7.0 to 10.8.0
Bumps Microsoft.Extensions.AI.Evaluation.Quality from 10.7.0 to 10.8.0
Bumps Microsoft.Extensions.AI.Evaluation.Reporting from 10.7.0 to 10.8.0
Bumps Microsoft.Extensions.Configuration.EnvironmentVariables from 10.0.9 to 10.0.10
Bumps Microsoft.Extensions.Configuration.Json from 10.0.9 to 10.0.10
Bumps Microsoft.Extensions.Configuration.UserSecrets from 10.0.9 to 10.0.10
Bumps Microsoft.Extensions.TimeProvider.Testing from 10.7.0 to 10.8.0
Bumps Npgsql.EntityFrameworkCore.PostgreSQL from 10.0.2 to 10.0.3
Bumps OpenTelemetry from 1.16.0 to 1.17.0
Bumps OpenTelemetry.Api from 1.16.0 to 1.17.0
Bumps OpenTelemetry.Exporter.OpenTelemetryProtocol from 1.16.0 to 1.17.0
Bumps OpenTelemetry.Extensions.Hosting from 1.16.0 to 1.17.0
Bumps SonarAnalyzer.CSharp from 10.28.0.143324 to 10.29.0.143774
Bumps WolverineFx from 6.17.0 to 6.19.0
Bumps WolverineFx.EntityFrameworkCore from 6.17.0 to 6.19.0
Bumps WolverineFx.Marten from 6.17.0 to 6.19.0
Bumps WolverineFx.RuntimeCompilation from 6.17.0 to 6.19.0

---
updated-dependencies:
- dependency-name: Marten
  dependency-version: 9.15.4
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: Marten.EntityFrameworkCore
  dependency-version: 9.15.4
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: Microsoft.AspNetCore.Authentication.JwtBearer
  dependency-version: 10.0.10
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: Microsoft.AspNetCore.DataProtection.EntityFrameworkCore
  dependency-version: 10.0.10
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: Microsoft.AspNetCore.Identity.EntityFrameworkCore
  dependency-version: 10.0.10
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: Microsoft.EntityFrameworkCore.Design
  dependency-version: 10.0.10
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: Microsoft.Extensions.AI.Evaluation
  dependency-version: 10.8.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: Microsoft.Extensions.AI.Evaluation.Quality
  dependency-version: 10.8.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: Microsoft.Extensions.AI.Evaluation.Reporting
  dependency-version: 10.8.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: Microsoft.Extensions.Configuration.EnvironmentVariables
  dependency-version: 10.0.10
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: Microsoft.Extensions.Configuration.Json
  dependency-version: 10.0.10
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: Microsoft.Extensions.Configuration.UserSecrets
  dependency-version: 10.0.10
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: Microsoft.Extensions.TimeProvider.Testing
  dependency-version: 10.8.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: Npgsql.EntityFrameworkCore.PostgreSQL
  dependency-version: 10.0.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: OpenTelemetry
  dependency-version: 1.17.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: OpenTelemetry.Api
  dependency-version: 1.17.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: OpenTelemetry.Exporter.OpenTelemetryProtocol
  dependency-version: 1.17.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: OpenTelemetry.Extensions.Hosting
  dependency-version: 1.17.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: SonarAnalyzer.CSharp
  dependency-version: 10.29.0.143774
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: WolverineFx
  dependency-version: 6.19.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: WolverineFx.EntityFrameworkCore
  dependency-version: 6.19.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: WolverineFx.Marten
  dependency-version: 6.19.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: WolverineFx.RuntimeCompilation
  dependency-version: 6.19.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added .NET Pull requests that update .NET code dependencies Pull requests that update a dependency file labels Jul 16, 2026
@github-actions

github-actions Bot commented Jul 16, 2026

Copy link
Copy Markdown

Dependency Review

The following issues were found:
  • ✅ 0 vulnerable package(s)
  • ✅ 0 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ⚠️ 68 package(s) with unknown licenses.
See the Details below.

License Issues

backend/tests/RunCoach.Api.Tests/RunCoach.Api.Tests.csproj

PackageVersionLicenseIssue Type
Microsoft.Extensions.AI10.8.0NullUnknown License
Microsoft.Extensions.AI.Abstractions10.8.0NullUnknown License
Microsoft.Extensions.AI.Evaluation10.8.0NullUnknown License
Microsoft.Extensions.AI.Evaluation.Quality10.8.0NullUnknown License
Microsoft.Extensions.AI.Evaluation.Reporting10.8.0NullUnknown License
Microsoft.Extensions.Caching.Abstractions10.0.10NullUnknown License
Microsoft.Extensions.Configuration10.0.10NullUnknown License
Microsoft.Extensions.Configuration.Abstractions10.0.10NullUnknown License
Microsoft.Extensions.Configuration.Binder10.0.10NullUnknown License
Microsoft.Extensions.Configuration.EnvironmentVariables10.0.10NullUnknown License
Microsoft.Extensions.Configuration.FileExtensions10.0.10NullUnknown License
Microsoft.Extensions.Configuration.Json10.0.10NullUnknown License
Microsoft.Extensions.Configuration.UserSecrets10.0.10NullUnknown License
Microsoft.Extensions.DependencyInjection10.0.10NullUnknown License
Microsoft.Extensions.DependencyInjection.Abstractions10.0.10NullUnknown License
Microsoft.Extensions.DependencyModel10.0.10NullUnknown License
Microsoft.Extensions.Diagnostics10.0.10NullUnknown License
Microsoft.Extensions.Diagnostics.Abstractions10.0.10NullUnknown License
Microsoft.Extensions.FileProviders.Abstractions10.0.10NullUnknown License
Microsoft.Extensions.FileProviders.Physical10.0.10NullUnknown License
Microsoft.Extensions.FileSystemGlobbing10.0.10NullUnknown License
Microsoft.Extensions.Hosting.Abstractions10.0.10NullUnknown License
Microsoft.Extensions.Logging10.0.10NullUnknown License
Microsoft.Extensions.Logging.Abstractions10.0.10NullUnknown License
Microsoft.Extensions.Options10.0.10NullUnknown License
Microsoft.Extensions.Options.ConfigurationExtensions10.0.10NullUnknown License
Microsoft.Extensions.Primitives10.0.10NullUnknown License
Microsoft.Extensions.TimeProvider.Testing10.8.0NullUnknown License
SonarAnalyzer.CSharp10.29.0.143774NullUnknown License
System.Numerics.Tensors10.0.10NullUnknown License

backend/src/RunCoach.Api/RunCoach.Api.csproj

PackageVersionLicenseIssue Type
JasperFx2.27.0NullUnknown License
JasperFx.Events2.27.0NullUnknown License
JasperFx.SourceGenerator2.27.0NullUnknown License
Marten9.15.4NullUnknown License
Marten.EntityFrameworkCore9.15.4NullUnknown License
Microsoft.AspNetCore.Authentication.JwtBearer10.0.10NullUnknown License
Microsoft.AspNetCore.DataProtection.EntityFrameworkCore10.0.10NullUnknown License
Microsoft.AspNetCore.Identity.EntityFrameworkCore10.0.10NullUnknown License
Microsoft.EntityFrameworkCore10.0.10NullUnknown License
Microsoft.EntityFrameworkCore.Abstractions10.0.10NullUnknown License
Microsoft.EntityFrameworkCore.Analyzers10.0.10NullUnknown License
Microsoft.EntityFrameworkCore.Design10.0.10NullUnknown License
Microsoft.EntityFrameworkCore.Relational10.0.10NullUnknown License
Microsoft.Extensions.DependencyModel10.0.10NullUnknown License
Microsoft.IdentityModel.Abstractions8.19.2NullUnknown License
Microsoft.IdentityModel.JsonWebTokens8.19.2NullUnknown License
Microsoft.IdentityModel.Logging8.19.2NullUnknown License
Microsoft.IdentityModel.Protocols8.19.2NullUnknown License
Microsoft.IdentityModel.Protocols.OpenIdConnect8.19.2NullUnknown License
Microsoft.IdentityModel.Tokens8.19.2NullUnknown License
Npgsql.EntityFrameworkCore.PostgreSQL10.0.3NullUnknown License
OpenTelemetry1.17.0NullUnknown License
OpenTelemetry.Api1.17.0NullUnknown License
OpenTelemetry.Api.ProviderBuilderExtensions1.17.0NullUnknown License
OpenTelemetry.Exporter.OpenTelemetryProtocol1.17.0NullUnknown License
OpenTelemetry.Extensions.Hosting1.17.0NullUnknown License
SonarAnalyzer.CSharp10.29.0.143774NullUnknown License
System.IdentityModel.Tokens.Jwt8.19.2NullUnknown License
Weasel.Core9.16.3NullUnknown License
Weasel.EntityFrameworkCore9.16.3NullUnknown License
Weasel.Postgresql9.16.3NullUnknown License
Weasel.Storage9.16.3NullUnknown License
WolverineFx6.19.0NullUnknown License
WolverineFx.EntityFrameworkCore6.19.0NullUnknown License
WolverineFx.Marten6.19.0NullUnknown License
WolverineFx.Postgresql6.19.0NullUnknown License
WolverineFx.RDBMS6.19.0NullUnknown License
WolverineFx.RuntimeCompilation6.19.0NullUnknown License
Allowed Licenses: MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC, 0BSD, Unlicense, CC0-1.0, CC-BY-4.0, OFL-1.1, Zlib, BSL-1.0, Python-2.0, PSF-2.0, Artistic-2.0, MPL-2.0, WTFPL, PostgreSQL
Excluded from license check: pkg:githubactions/SonarSource/sonarqube-scan-action, pkg:npm/runcoach-frontend

OpenSSF Scorecard

Scorecard details
PackageVersionScoreDetails
nuget/Microsoft.Extensions.AI 10.8.0 🟢 7
Details
CheckScoreReason
Code-Review🟢 10all changesets reviewed
Maintained🟢 1030 commit(s) and 16 issue activity found in the last 90 days -- score normalized to 10
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Packaging⚠️ -1packaging workflow not detected
Security-Policy🟢 10security policy file detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
License🟢 10license file detected
Binary-Artifacts🟢 10no binaries found in the repo
Signed-Releases⚠️ -1no releases found
Branch-Protection🟢 8branch protection is not maximal on development and all release branches
Pinned-Dependencies🟢 9dependency not pinned by hash detected -- score normalized to 9
Fuzzing⚠️ 0project is not fuzzed
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
nuget/Microsoft.Extensions.AI.Abstractions 10.8.0 🟢 7
Details
CheckScoreReason
Code-Review🟢 10all changesets reviewed
Maintained🟢 1030 commit(s) and 16 issue activity found in the last 90 days -- score normalized to 10
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Packaging⚠️ -1packaging workflow not detected
Security-Policy🟢 10security policy file detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
License🟢 10license file detected
Binary-Artifacts🟢 10no binaries found in the repo
Signed-Releases⚠️ -1no releases found
Branch-Protection🟢 8branch protection is not maximal on development and all release branches
Pinned-Dependencies🟢 9dependency not pinned by hash detected -- score normalized to 9
Fuzzing⚠️ 0project is not fuzzed
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
nuget/Microsoft.Extensions.AI.Evaluation 10.8.0 🟢 7
Details
CheckScoreReason
Code-Review🟢 10all changesets reviewed
Maintained🟢 1030 commit(s) and 16 issue activity found in the last 90 days -- score normalized to 10
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Packaging⚠️ -1packaging workflow not detected
Security-Policy🟢 10security policy file detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
License🟢 10license file detected
Binary-Artifacts🟢 10no binaries found in the repo
Signed-Releases⚠️ -1no releases found
Branch-Protection🟢 8branch protection is not maximal on development and all release branches
Pinned-Dependencies🟢 9dependency not pinned by hash detected -- score normalized to 9
Fuzzing⚠️ 0project is not fuzzed
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
nuget/Microsoft.Extensions.AI.Evaluation.Quality 10.8.0 🟢 7
Details
CheckScoreReason
Code-Review🟢 10all changesets reviewed
Maintained🟢 1030 commit(s) and 16 issue activity found in the last 90 days -- score normalized to 10
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Packaging⚠️ -1packaging workflow not detected
Security-Policy🟢 10security policy file detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
License🟢 10license file detected
Binary-Artifacts🟢 10no binaries found in the repo
Signed-Releases⚠️ -1no releases found
Branch-Protection🟢 8branch protection is not maximal on development and all release branches
Pinned-Dependencies🟢 9dependency not pinned by hash detected -- score normalized to 9
Fuzzing⚠️ 0project is not fuzzed
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
nuget/Microsoft.Extensions.AI.Evaluation.Reporting 10.8.0 🟢 7
Details
CheckScoreReason
Code-Review🟢 10all changesets reviewed
Maintained🟢 1030 commit(s) and 16 issue activity found in the last 90 days -- score normalized to 10
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Packaging⚠️ -1packaging workflow not detected
Security-Policy🟢 10security policy file detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
License🟢 10license file detected
Binary-Artifacts🟢 10no binaries found in the repo
Signed-Releases⚠️ -1no releases found
Branch-Protection🟢 8branch protection is not maximal on development and all release branches
Pinned-Dependencies🟢 9dependency not pinned by hash detected -- score normalized to 9
Fuzzing⚠️ 0project is not fuzzed
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
nuget/Microsoft.Extensions.Caching.Abstractions 10.0.10 UnknownUnknown
nuget/Microsoft.Extensions.Configuration 10.0.10 UnknownUnknown
nuget/Microsoft.Extensions.Configuration.Abstractions 10.0.10 UnknownUnknown
nuget/Microsoft.Extensions.Configuration.Binder 10.0.10 UnknownUnknown
nuget/Microsoft.Extensions.Configuration.EnvironmentVariables 10.0.10 UnknownUnknown
nuget/Microsoft.Extensions.Configuration.FileExtensions 10.0.10 UnknownUnknown
nuget/Microsoft.Extensions.Configuration.Json 10.0.10 UnknownUnknown
nuget/Microsoft.Extensions.Configuration.UserSecrets 10.0.10 UnknownUnknown
nuget/Microsoft.Extensions.DependencyInjection 10.0.10 UnknownUnknown
nuget/Microsoft.Extensions.DependencyInjection.Abstractions 10.0.10 UnknownUnknown
nuget/Microsoft.Extensions.DependencyModel 10.0.10 UnknownUnknown
nuget/Microsoft.Extensions.Diagnostics 10.0.10 UnknownUnknown
nuget/Microsoft.Extensions.Diagnostics.Abstractions 10.0.10 UnknownUnknown
nuget/Microsoft.Extensions.FileProviders.Abstractions 10.0.10 UnknownUnknown
nuget/Microsoft.Extensions.FileProviders.Physical 10.0.10 UnknownUnknown
nuget/Microsoft.Extensions.FileSystemGlobbing 10.0.10 UnknownUnknown
nuget/Microsoft.Extensions.Hosting.Abstractions 10.0.10 UnknownUnknown
nuget/Microsoft.Extensions.Logging 10.0.10 UnknownUnknown
nuget/Microsoft.Extensions.Logging.Abstractions 10.0.10 UnknownUnknown
nuget/Microsoft.Extensions.Options 10.0.10 UnknownUnknown
nuget/Microsoft.Extensions.Options.ConfigurationExtensions 10.0.10 UnknownUnknown
nuget/Microsoft.Extensions.Primitives 10.0.10 UnknownUnknown
nuget/Microsoft.Extensions.TimeProvider.Testing 10.8.0 🟢 7
Details
CheckScoreReason
Code-Review🟢 10all changesets reviewed
Maintained🟢 1030 commit(s) and 16 issue activity found in the last 90 days -- score normalized to 10
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Packaging⚠️ -1packaging workflow not detected
Security-Policy🟢 10security policy file detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
License🟢 10license file detected
Binary-Artifacts🟢 10no binaries found in the repo
Signed-Releases⚠️ -1no releases found
Branch-Protection🟢 8branch protection is not maximal on development and all release branches
Pinned-Dependencies🟢 9dependency not pinned by hash detected -- score normalized to 9
Fuzzing⚠️ 0project is not fuzzed
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
nuget/SonarAnalyzer.CSharp 10.29.0.143774 UnknownUnknown
nuget/System.Numerics.Tensors 10.0.10 UnknownUnknown
nuget/JasperFx 2.27.0 UnknownUnknown
nuget/JasperFx.Events 2.27.0 UnknownUnknown
nuget/JasperFx.SourceGenerator 2.27.0 UnknownUnknown
nuget/Marten 9.15.4 UnknownUnknown
nuget/Marten.EntityFrameworkCore 9.15.4 UnknownUnknown
nuget/Microsoft.AspNetCore.Authentication.JwtBearer 10.0.10 UnknownUnknown
nuget/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore 10.0.10 UnknownUnknown
nuget/Microsoft.AspNetCore.Identity.EntityFrameworkCore 10.0.10 UnknownUnknown
nuget/Microsoft.Bcl.Cryptography 10.0.2 UnknownUnknown
nuget/Microsoft.EntityFrameworkCore 10.0.10 UnknownUnknown
nuget/Microsoft.EntityFrameworkCore.Abstractions 10.0.10 UnknownUnknown
nuget/Microsoft.EntityFrameworkCore.Analyzers 10.0.10 UnknownUnknown
nuget/Microsoft.EntityFrameworkCore.Design 10.0.10 UnknownUnknown
nuget/Microsoft.EntityFrameworkCore.Relational 10.0.10 UnknownUnknown
nuget/Microsoft.Extensions.DependencyModel 10.0.10 UnknownUnknown
nuget/Microsoft.IdentityModel.Abstractions 8.19.2 UnknownUnknown
nuget/Microsoft.IdentityModel.JsonWebTokens 8.19.2 UnknownUnknown
nuget/Microsoft.IdentityModel.Logging 8.19.2 UnknownUnknown
nuget/Microsoft.IdentityModel.Protocols 8.19.2 UnknownUnknown
nuget/Microsoft.IdentityModel.Protocols.OpenIdConnect 8.19.2 UnknownUnknown
nuget/Microsoft.IdentityModel.Tokens 8.19.2 UnknownUnknown
nuget/Npgsql.EntityFrameworkCore.PostgreSQL 10.0.3 🟢 5.8
Details
CheckScoreReason
Code-Review⚠️ 0Found 1/26 approved changesets -- score normalized to 0
Maintained🟢 1030 commit(s) and 20 issue activity found in the last 90 days -- score normalized to 10
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Token-Permissions🟢 10GitHub workflow tokens follow principle of least privilege
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Binary-Artifacts🟢 10no binaries found in the repo
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Security-Policy⚠️ 0security policy file not detected
License🟢 10license file detected
Signed-Releases⚠️ -1no releases found
Branch-Protection🟢 3branch protection is not maximal on development and all release branches
SAST🟢 6SAST tool is not run on all commits -- score normalized to 6
Fuzzing⚠️ 0project is not fuzzed
Packaging🟢 10packaging workflow detected
nuget/OpenTelemetry 1.17.0 🟢 8.3
Details
CheckScoreReason
Code-Review🟢 10all changesets reviewed
Maintained🟢 1030 commit(s) and 21 issue activity found in the last 90 days -- score normalized to 10
Dependency-Update-Tool🟢 10update tool detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Token-Permissions🟢 10GitHub workflow tokens follow principle of least privilege
Binary-Artifacts🟢 10no binaries found in the repo
Pinned-Dependencies🟢 10all dependencies are pinned
License🟢 10license file detected
CII-Best-Practices🟢 5badge detected: Passing
Vulnerabilities🟢 100 existing vulnerabilities detected
Packaging🟢 10packaging workflow detected
Signed-Releases⚠️ 0Project has not signed or included provenance with any releases.
SAST🟢 10SAST tool is run on all commits
Fuzzing⚠️ 0project is not fuzzed
Branch-Protection🟢 5branch protection is not maximal on development and all release branches
Security-Policy🟢 10security policy file detected
CI-Tests🟢 1030 out of 30 merged PRs checked by a CI test -- score normalized to 10
Contributors🟢 10project has 38 contributing companies or organizations
nuget/OpenTelemetry.Api 1.17.0 🟢 8.3
Details
CheckScoreReason
Code-Review🟢 10all changesets reviewed
Maintained🟢 1030 commit(s) and 21 issue activity found in the last 90 days -- score normalized to 10
Dependency-Update-Tool🟢 10update tool detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Token-Permissions🟢 10GitHub workflow tokens follow principle of least privilege
Binary-Artifacts🟢 10no binaries found in the repo
Pinned-Dependencies🟢 10all dependencies are pinned
License🟢 10license file detected
CII-Best-Practices🟢 5badge detected: Passing
Vulnerabilities🟢 100 existing vulnerabilities detected
Packaging🟢 10packaging workflow detected
Signed-Releases⚠️ 0Project has not signed or included provenance with any releases.
SAST🟢 10SAST tool is run on all commits
Fuzzing⚠️ 0project is not fuzzed
Branch-Protection🟢 5branch protection is not maximal on development and all release branches
Security-Policy🟢 10security policy file detected
CI-Tests🟢 1030 out of 30 merged PRs checked by a CI test -- score normalized to 10
Contributors🟢 10project has 38 contributing companies or organizations
nuget/OpenTelemetry.Api.ProviderBuilderExtensions 1.17.0 🟢 8.3
Details
CheckScoreReason
Code-Review🟢 10all changesets reviewed
Maintained🟢 1030 commit(s) and 21 issue activity found in the last 90 days -- score normalized to 10
Dependency-Update-Tool🟢 10update tool detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Token-Permissions🟢 10GitHub workflow tokens follow principle of least privilege
Binary-Artifacts🟢 10no binaries found in the repo
Pinned-Dependencies🟢 10all dependencies are pinned
License🟢 10license file detected
CII-Best-Practices🟢 5badge detected: Passing
Vulnerabilities🟢 100 existing vulnerabilities detected
Packaging🟢 10packaging workflow detected
Signed-Releases⚠️ 0Project has not signed or included provenance with any releases.
SAST🟢 10SAST tool is run on all commits
Fuzzing⚠️ 0project is not fuzzed
Branch-Protection🟢 5branch protection is not maximal on development and all release branches
Security-Policy🟢 10security policy file detected
CI-Tests🟢 1030 out of 30 merged PRs checked by a CI test -- score normalized to 10
Contributors🟢 10project has 38 contributing companies or organizations
nuget/OpenTelemetry.Exporter.OpenTelemetryProtocol 1.17.0 🟢 8.3
Details
CheckScoreReason
Code-Review🟢 10all changesets reviewed
Maintained🟢 1030 commit(s) and 21 issue activity found in the last 90 days -- score normalized to 10
Dependency-Update-Tool🟢 10update tool detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Token-Permissions🟢 10GitHub workflow tokens follow principle of least privilege
Binary-Artifacts🟢 10no binaries found in the repo
Pinned-Dependencies🟢 10all dependencies are pinned
License🟢 10license file detected
CII-Best-Practices🟢 5badge detected: Passing
Vulnerabilities🟢 100 existing vulnerabilities detected
Packaging🟢 10packaging workflow detected
Signed-Releases⚠️ 0Project has not signed or included provenance with any releases.
SAST🟢 10SAST tool is run on all commits
Fuzzing⚠️ 0project is not fuzzed
Branch-Protection🟢 5branch protection is not maximal on development and all release branches
Security-Policy🟢 10security policy file detected
CI-Tests🟢 1030 out of 30 merged PRs checked by a CI test -- score normalized to 10
Contributors🟢 10project has 38 contributing companies or organizations
nuget/OpenTelemetry.Extensions.Hosting 1.17.0 🟢 8.3
Details
CheckScoreReason
Code-Review🟢 10all changesets reviewed
Maintained🟢 1030 commit(s) and 21 issue activity found in the last 90 days -- score normalized to 10
Dependency-Update-Tool🟢 10update tool detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Token-Permissions🟢 10GitHub workflow tokens follow principle of least privilege
Binary-Artifacts🟢 10no binaries found in the repo
Pinned-Dependencies🟢 10all dependencies are pinned
License🟢 10license file detected
CII-Best-Practices🟢 5badge detected: Passing
Vulnerabilities🟢 100 existing vulnerabilities detected
Packaging🟢 10packaging workflow detected
Signed-Releases⚠️ 0Project has not signed or included provenance with any releases.
SAST🟢 10SAST tool is run on all commits
Fuzzing⚠️ 0project is not fuzzed
Branch-Protection🟢 5branch protection is not maximal on development and all release branches
Security-Policy🟢 10security policy file detected
CI-Tests🟢 1030 out of 30 merged PRs checked by a CI test -- score normalized to 10
Contributors🟢 10project has 38 contributing companies or organizations
nuget/SonarAnalyzer.CSharp 10.29.0.143774 UnknownUnknown
nuget/System.IdentityModel.Tokens.Jwt 8.19.2 UnknownUnknown
nuget/Weasel.Core 9.16.3 UnknownUnknown
nuget/Weasel.EntityFrameworkCore 9.16.3 UnknownUnknown
nuget/Weasel.Postgresql 9.16.3 UnknownUnknown
nuget/Weasel.Storage 9.16.3 UnknownUnknown
nuget/WolverineFx 6.19.0 UnknownUnknown
nuget/WolverineFx.EntityFrameworkCore 6.19.0 UnknownUnknown
nuget/WolverineFx.Marten 6.19.0 UnknownUnknown
nuget/WolverineFx.Postgresql 6.19.0 UnknownUnknown
nuget/WolverineFx.RDBMS 6.19.0 UnknownUnknown
nuget/WolverineFx.RuntimeCompilation 6.19.0 UnknownUnknown

Scanned Files

  • backend/src/RunCoach.Api/RunCoach.Api.csproj
  • backend/tests/RunCoach.Api.Tests/RunCoach.Api.Tests.csproj

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file .NET Pull requests that update .NET code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant