From 032d7d2ac3d65c735e2d90f467364ca68d55f3b4 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Sun, 17 May 2026 16:23:10 +0000
Subject: [PATCH 1/4] Bump the all-actions group with 23 updates

Bumps Aspire.Hosting.Redis from 13.3.0 to 13.3.3
Bumps Aspire.Hosting.Testing from 13.3.0 to 13.3.3
Bumps Aspire.MongoDB.Driver from 13.3.0 to 13.3.3
Bumps Aspire.StackExchange.Redis from 13.3.0 to 13.3.3
Bumps Auth0.ManagementApi from 8.2.0 to 8.3.0
Bumps FluentAssertions from 8.9.0 to 8.10.0
Bumps Microsoft.AspNetCore.Mvc.Testing from 10.0.7 to 10.0.8
Bumps Microsoft.AspNetCore.OpenApi from 10.0.7 to 10.0.8
Bumps Microsoft.AspNetCore.SignalR.Client from 10.0.7 to 10.0.8
Bumps Microsoft.Extensions.Caching.StackExchangeRedis from 10.0.7 to 10.0.8
Bumps Microsoft.Extensions.Configuration from 10.0.7 to 10.0.8
Bumps Microsoft.Extensions.Configuration.Abstractions from 10.0.7 to 10.0.8
Bumps Microsoft.Extensions.Configuration.Binder from 10.0.7 to 10.0.8
Bumps Microsoft.Extensions.DependencyInjection from 10.0.7 to 10.0.8
Bumps Microsoft.Extensions.DependencyInjection.Abstractions from 10.0.7 to 10.0.8
Bumps Microsoft.Extensions.Http.Resilience from 10.5.0 to 10.6.0
Bumps Microsoft.Extensions.Logging.Abstractions from 10.0.7 to 10.0.8
Bumps Microsoft.Extensions.Options from 10.0.7 to 10.0.8
Bumps Microsoft.Extensions.Options.ConfigurationExtensions from 10.0.7 to 10.0.8
Bumps Microsoft.Extensions.ServiceDiscovery from 10.5.0 to 10.6.0
Bumps MongoDB.Bson from 3.8.0 to 3.8.1
Bumps MongoDB.Driver from 3.8.0 to 3.8.1
Bumps SixLabors.ImageSharp from 3.1.12 to 4.0.0

---
updated-dependencies:
- dependency-name: Aspire.Hosting.Redis
  dependency-version: 13.3.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-actions
- dependency-name: Aspire.Hosting.Testing
  dependency-version: 13.3.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-actions
- dependency-name: Aspire.MongoDB.Driver
  dependency-version: 13.3.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-actions
- dependency-name: Aspire.StackExchange.Redis
  dependency-version: 13.3.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-actions
- dependency-name: Auth0.ManagementApi
  dependency-version: 8.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-actions
- dependency-name: FluentAssertions
  dependency-version: 8.10.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-actions
- dependency-name: Microsoft.AspNetCore.Mvc.Testing
  dependency-version: 10.0.8
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-actions
- dependency-name: Microsoft.AspNetCore.OpenApi
  dependency-version: 10.0.8
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-actions
- dependency-name: Microsoft.AspNetCore.SignalR.Client
  dependency-version: 10.0.8
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-actions
- dependency-name: Microsoft.Extensions.Caching.StackExchangeRedis
  dependency-version: 10.0.8
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-actions
- dependency-name: Microsoft.Extensions.Configuration
  dependency-version: 10.0.8
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-actions
- dependency-name: Microsoft.Extensions.Configuration.Abstractions
  dependency-version: 10.0.8
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-actions
- dependency-name: Microsoft.Extensions.Configuration.Binder
  dependency-version: 10.0.8
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-actions
- dependency-name: Microsoft.Extensions.DependencyInjection
  dependency-version: 10.0.8
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-actions
- dependency-name: Microsoft.Extensions.DependencyInjection.Abstractions
  dependency-version: 10.0.8
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-actions
- dependency-name: Microsoft.Extensions.Http.Resilience
  dependency-version: 10.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-actions
- dependency-name: Microsoft.Extensions.Logging.Abstractions
  dependency-version: 10.0.8
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-actions
- dependency-name: Microsoft.Extensions.Options
  dependency-version: 10.0.8
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-actions
- dependency-name: Microsoft.Extensions.Options.ConfigurationExtensions
  dependency-version: 10.0.8
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-actions
- dependency-name: Microsoft.Extensions.ServiceDiscovery
  dependency-version: 10.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-actions
- dependency-name: MongoDB.Bson
  dependency-version: 3.8.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-actions
- dependency-name: MongoDB.Driver
  dependency-version: 3.8.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-actions
- dependency-name: SixLabors.ImageSharp
  dependency-version: 4.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 Directory.Packages.props                      | 44 +++++++++----------
 src/AppHost/AppHost.csproj                    |  2 +-
 .../Persistence.MongoDb.csproj                |  2 +
 3 files changed, 25 insertions(+), 23 deletions(-)

diff --git a/Directory.Packages.props b/Directory.Packages.props
index fd0ca5c..65757b0 100644
--- a/Directory.Packages.props
+++ b/Directory.Packages.props
@@ -4,20 +4,20 @@
   </PropertyGroup>
   <ItemGroup>
     <!-- Aspire -->
-    <PackageVersion Include="Aspire.MongoDB.Driver" Version="13.3.0" />
-    <PackageVersion Include="Aspire.StackExchange.Redis" Version="13.3.0" />
-    <PackageVersion Include="Aspire.Hosting.Testing" Version="13.3.0" />
+    <PackageVersion Include="Aspire.MongoDB.Driver" Version="13.3.3" />
+    <PackageVersion Include="Aspire.StackExchange.Redis" Version="13.3.3" />
+    <PackageVersion Include="Aspire.Hosting.Testing" Version="13.3.3" />
     <!-- MongoDB -->
-    <PackageVersion Include="Microsoft.AspNetCore.SignalR.Client" Version="10.0.7" />
-    <PackageVersion Include="Microsoft.AspNetCore.OpenApi" Version="10.0.7" />
-    <PackageVersion Include="Microsoft.Extensions.Caching.StackExchangeRedis" Version="10.0.7" />
-    <PackageVersion Include="MongoDB.Bson" Version="3.8.0" />
-    <PackageVersion Include="MongoDB.Driver" Version="3.8.0" />
+    <PackageVersion Include="Microsoft.AspNetCore.SignalR.Client" Version="10.0.8" />
+    <PackageVersion Include="Microsoft.AspNetCore.OpenApi" Version="10.0.8" />
+    <PackageVersion Include="Microsoft.Extensions.Caching.StackExchangeRedis" Version="10.0.8" />
+    <PackageVersion Include="MongoDB.Bson" Version="3.8.1" />
+    <PackageVersion Include="MongoDB.Driver" Version="3.8.1" />
     <PackageVersion Include="MongoDB.EntityFrameworkCore" Version="10.0.1" />
     <!-- Azure Key Vault -->
     <PackageVersion Include="Azure.Extensions.AspNetCore.Configuration.Secrets" Version="1.5.1" />
     <PackageVersion Include="Azure.Identity" Version="1.21.0" />
-    <PackageVersion Include="SixLabors.ImageSharp" Version="3.1.12" />
+    <PackageVersion Include="SixLabors.ImageSharp" Version="4.0.0" />
     <!-- MediatR -->
     <PackageVersion Include="MediatR" Version="14.1.0" />
     <!-- FluentValidation -->
@@ -26,23 +26,23 @@
     <PackageVersion Include="FluentValidation.TestHelper" Version="11.11.0" />
     <!-- Authentication -->
     <PackageVersion Include="Auth0.AspNetCore.Authentication" Version="1.7.0" />
-    <PackageVersion Include="Auth0.ManagementApi" Version="8.2.0" />
+    <PackageVersion Include="Auth0.ManagementApi" Version="8.3.0" />
     <!-- Email -->
     <PackageVersion Include="SendGrid" Version="9.29.3" />
     <!-- Microsoft Extensions -->
-    <PackageVersion Include="Microsoft.Extensions.Configuration" Version="10.0.7" />
-    <PackageVersion Include="Microsoft.Extensions.Configuration.Abstractions" Version="10.0.7" />
-    <PackageVersion Include="Microsoft.Extensions.Configuration.Binder" Version="10.0.7" />
-    <PackageVersion Include="Microsoft.Extensions.DependencyInjection" Version="10.0.7" />
-    <PackageVersion Include="Microsoft.Extensions.DependencyInjection.Abstractions" Version="10.0.7" />
-    <PackageVersion Include="Microsoft.Extensions.Logging.Abstractions" Version="10.0.7" />
-    <PackageVersion Include="Microsoft.Extensions.Options" Version="10.0.7" />
-    <PackageVersion Include="Microsoft.Extensions.Options.ConfigurationExtensions" Version="10.0.7" />
+    <PackageVersion Include="Microsoft.Extensions.Configuration" Version="10.0.8" />
+    <PackageVersion Include="Microsoft.Extensions.Configuration.Abstractions" Version="10.0.8" />
+    <PackageVersion Include="Microsoft.Extensions.Configuration.Binder" Version="10.0.8" />
+    <PackageVersion Include="Microsoft.Extensions.DependencyInjection" Version="10.0.8" />
+    <PackageVersion Include="Microsoft.Extensions.DependencyInjection.Abstractions" Version="10.0.8" />
+    <PackageVersion Include="Microsoft.Extensions.Logging.Abstractions" Version="10.0.8" />
+    <PackageVersion Include="Microsoft.Extensions.Options" Version="10.0.8" />
+    <PackageVersion Include="Microsoft.Extensions.Options.ConfigurationExtensions" Version="10.0.8" />
     <!-- Testing -->
     <PackageVersion Include="Microsoft.NET.Test.Sdk" Version="18.5.1" />
     <PackageVersion Include="xunit" Version="2.9.3" />
     <PackageVersion Include="xunit.runner.visualstudio" Version="3.1.5" />
-    <PackageVersion Include="FluentAssertions" Version="8.9.0" />
+    <PackageVersion Include="FluentAssertions" Version="8.10.0" />
     <PackageVersion Include="NSubstitute" Version="5.3.0" />
     <PackageVersion Include="bUnit" Version="2.7.2" />
     <PackageVersion Include="NetArchTest.Rules" Version="1.3.2" />
@@ -50,10 +50,10 @@
     <PackageVersion Include="Microsoft.Playwright" Version="1.59.0" />
     <PackageVersion Include="Testcontainers.MongoDb" Version="4.11.0" />
     <PackageVersion Include="Testcontainers.Azurite" Version="4.11.0" />
-    <PackageVersion Include="Microsoft.AspNetCore.Mvc.Testing" Version="10.0.7" />
+    <PackageVersion Include="Microsoft.AspNetCore.Mvc.Testing" Version="10.0.8" />
     <!-- Aspire ServiceDefaults Dependencies -->
-    <PackageVersion Include="Microsoft.Extensions.Http.Resilience" Version="10.5.0" />
-    <PackageVersion Include="Microsoft.Extensions.ServiceDiscovery" Version="10.5.0" />
+    <PackageVersion Include="Microsoft.Extensions.Http.Resilience" Version="10.6.0" />
+    <PackageVersion Include="Microsoft.Extensions.ServiceDiscovery" Version="10.6.0" />
     <PackageVersion Include="OpenTelemetry.Exporter.OpenTelemetryProtocol" Version="1.15.3" />
     <PackageVersion Include="OpenTelemetry.Extensions.Hosting" Version="1.15.3" />
     <PackageVersion Include="OpenTelemetry.Instrumentation.AspNetCore" Version="1.15.2" />
diff --git a/src/AppHost/AppHost.csproj b/src/AppHost/AppHost.csproj
index 2a45229..daaa050 100644
--- a/src/AppHost/AppHost.csproj
+++ b/src/AppHost/AppHost.csproj
@@ -6,7 +6,7 @@
   </ItemGroup>
 
   <ItemGroup>
-    <PackageReference Include="Aspire.Hosting.Redis" Version="13.3.0" />
+    <PackageReference Include="Aspire.Hosting.Redis" Version="13.3.3" />
   </ItemGroup>
 
   <PropertyGroup>
diff --git a/src/Persistence.MongoDb/Persistence.MongoDb.csproj b/src/Persistence.MongoDb/Persistence.MongoDb.csproj
index dc1b951..1e6ca40 100644
--- a/src/Persistence.MongoDb/Persistence.MongoDb.csproj
+++ b/src/Persistence.MongoDb/Persistence.MongoDb.csproj
@@ -5,6 +5,8 @@
   </ItemGroup>
 
   <ItemGroup>
+    <PackageReference Include="Microsoft.Extensions.Configuration" />
+    <PackageReference Include="Microsoft.Extensions.DependencyInjection" VersionOverride="10.0.8" />
     <PackageReference Include="MongoDB.Driver" />
     <PackageReference Include="MongoDB.EntityFrameworkCore" />
     <PackageReference Include="Microsoft.Extensions.Configuration.Abstractions" />

From 5c6961f08077dc42083145087780f2ff1d7678e9 Mon Sep 17 00:00:00 2001
From: mpaulosky <60372079+mpaulosky@users.noreply.github.com>
Date: Sun, 17 May 2026 09:48:52 -0700
Subject: [PATCH 2/4] Fix dependabot PR #293: Revert ImageSharp to 3.x and fix
 CPM violations

- Revert SixLabors.ImageSharp from 4.0.0 to 3.1.12 (4.x requires paid license)
- Remove VersionOverride from Persistence.MongoDb.csproj (violates central package management)
- Remove duplicate PackageReference for Microsoft.Extensions.Configuration
- Add dependabot ignore rule for ImageSharp 4.x+ to prevent future auto-updates
- Validated with dotnet restore and dotnet build --configuration Release

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .github/dependabot.yml                             | 4 ++++
 Directory.Packages.props                           | 2 +-
 src/Persistence.MongoDb/Persistence.MongoDb.csproj | 3 +--
 3 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 797c69f..4edfb9e 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -39,6 +39,10 @@ updates:
       - "dependencies"
     reviewers:
       - "mpaulosky"
+    ignore:
+      # ImageSharp 4.x requires a paid commercial license
+      - dependency-name: "SixLabors.ImageSharp"
+        versions: ["[4,)"]
     groups:
       all-actions:
         patterns: [ "*" ]
diff --git a/Directory.Packages.props b/Directory.Packages.props
index 65757b0..2bc510b 100644
--- a/Directory.Packages.props
+++ b/Directory.Packages.props
@@ -17,7 +17,7 @@
     <!-- Azure Key Vault -->
     <PackageVersion Include="Azure.Extensions.AspNetCore.Configuration.Secrets" Version="1.5.1" />
     <PackageVersion Include="Azure.Identity" Version="1.21.0" />
-    <PackageVersion Include="SixLabors.ImageSharp" Version="4.0.0" />
+    <PackageVersion Include="SixLabors.ImageSharp" Version="3.1.12" />
     <!-- MediatR -->
     <PackageVersion Include="MediatR" Version="14.1.0" />
     <!-- FluentValidation -->
diff --git a/src/Persistence.MongoDb/Persistence.MongoDb.csproj b/src/Persistence.MongoDb/Persistence.MongoDb.csproj
index 1e6ca40..bf06ab0 100644
--- a/src/Persistence.MongoDb/Persistence.MongoDb.csproj
+++ b/src/Persistence.MongoDb/Persistence.MongoDb.csproj
@@ -5,8 +5,7 @@
   </ItemGroup>
 
   <ItemGroup>
-    <PackageReference Include="Microsoft.Extensions.Configuration" />
-    <PackageReference Include="Microsoft.Extensions.DependencyInjection" VersionOverride="10.0.8" />
+    <PackageReference Include="Microsoft.Extensions.DependencyInjection" />
     <PackageReference Include="MongoDB.Driver" />
     <PackageReference Include="MongoDB.EntityFrameworkCore" />
     <PackageReference Include="Microsoft.Extensions.Configuration.Abstractions" />

From 7669fb57263f85ad6b5842c4c3cdd6361776369c Mon Sep 17 00:00:00 2001
From: mpaulosky <60372079+mpaulosky@users.noreply.github.com>
Date: Sun, 17 May 2026 10:13:14 -0700
Subject: [PATCH 3/4] fix: align AppHost SDK with Aspire 13.3.3

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 src/AppHost/AppHost.csproj | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/AppHost/AppHost.csproj b/src/AppHost/AppHost.csproj
index daaa050..8f15fb8 100644
--- a/src/AppHost/AppHost.csproj
+++ b/src/AppHost/AppHost.csproj
@@ -1,4 +1,4 @@
-<Project Sdk="Aspire.AppHost.Sdk/13.2.1">
+<Project Sdk="Aspire.AppHost.Sdk/13.3.3">
 
   <ItemGroup>
     <ProjectReference Include="..\ServiceDefaults\ServiceDefaults.csproj" IsAspireProjectResource="false" />

From d93d658bab025845e41f02e53d9550291a87f0d0 Mon Sep 17 00:00:00 2001
From: mpaulosky <60372079+mpaulosky@users.noreply.github.com>
Date: Sun, 17 May 2026 12:53:45 -0700
Subject: [PATCH 4/4] docs: update MongoDB driver audit note

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 Directory.Build.props | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Directory.Build.props b/Directory.Build.props
index 95ca518..da47407 100644
--- a/Directory.Build.props
+++ b/Directory.Build.props
@@ -9,7 +9,7 @@
 		<ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
 		<!-- 
 		TEMPORARY: Lower NuGet audit level to critical-only to unblock CI
-		MongoDB.Driver 3.8.0 (latest) has hard dependencies on:
+		MongoDB.Driver 3.8.x has hard dependencies on:
 		  - Snappier 1.0.0 (HIGH severity: GHSA-pggp-6c3x-2xmx)
 		  - SharpCompress 0.30.1 (MODERATE severity: GHSA-6c8g-7p36-r338)
 		Revert to 'low' when MongoDB releases patched driver versions.