
chore: consolidate dependency management workflows and documentation #915

Merged: rjmurillo merged 10 commits into main from chore/dependency-management-cleanup on Feb 21, 2026

Conversation

rjmurillo (Owner) commented Feb 21, 2026

Summary

  • Disable dependabot for NuGet, consolidate to renovate-only
  • Consolidate 4 overlapping auto-approve/merge workflows into 1
  • Update renovate.json with proper package grouping and exclusion rules
  • Add docs/dependency-management.md documenting package categories and upgrade policies

Problem

Both dependabot and renovate created duplicate PRs for every NuGet update. Dependabot NuGet PRs used "Bump X from A to B" titles that failed the required "Validate PR title" check (conventional commits required), so they could never auto-merge. Four overlapping auto-approve/merge workflows competed with each other, one of which had a broken step referencing a nonexistent step output (steps.cpr.outputs).

Changes

Dependabot config (.github/dependabot.yml)

Removed the nuget ecosystem. Retained github-actions ecosystem (dependabot's fetch-metadata action provides update-type classification for major version gating).

Workflow consolidation

Deleted 3 workflows, kept and expanded 1:

  • Deleted: auto-approve-and-merge-renovate.yml, dependabot-auto-approve.yml, dependabot-auto-merge.yml
  • Kept: dependabot-approve-and-auto-merge.yml with separate jobs for dependabot and renovate

Renovate config (renovate.json)

  • Added ignoreDeps for Microsoft.CodeAnalysis.* core packages (same policy as former dependabot ignore list)
  • Grouped BenchmarkDotNet + Perfolizer as benchmark-tooling with automerge: false (coordinated updates required due to transitive dependency constraints)
  • Disabled System.CommandLine and System.CommandLine.Rendering updates until PerfDiff rewrite (fix: rewrite PerfDiff for System.CommandLine 2.0.3 (IConsole removal) #914)

Documentation

New docs/dependency-management.md covers:

Bot PR cleanup performed

Closed (dependabot duplicates): #903, #902, #890, #880, #909
Closed (superseded): #877 (Meziantou 2.0.302, superseded by 3.x)
Closed (build failures): #834 (BenchmarkDotNet), #832 (Perfolizer)
Closed (PerfDiff breakage): #821 (dotnet monorepo)
Merged: #878, #882, #881, #879, #883, #884

Validation

  • dotnet build /p:PedanticMode=true: 0 warnings, 0 errors
  • dotnet format: no changes needed
  • Tests cannot run locally (machine has .NET 10 only, test TFM is net8.0); CI will validate

Test plan

  • CI build passes
  • All tests pass
  • No new bot PRs from dependabot for NuGet packages
  • Renovate correctly picks up future dependency updates
  • Auto-approve/merge workflow fires for new renovate PRs

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores

    • Consolidated dependency-update process: moved NuGet management to Renovate, removed several automated auto-approve/auto-merge workflows for bot PRs, and adjusted automerge/approval behavior and rules.
    • Renovate configuration updated with new groups, ignore lists, and automerge adjustments.
  • Documentation

    • Added a dependency management guide detailing categories, upgrade policies, configuration patterns, and workflow recommendations.

deepsource-io bot commented Feb 21, 2026

DeepSource Code Review

DeepSource reviewed changes in the commit range a7bf15d...57f629c on this pull request. Below is the summary for the review, and you can see the individual issues we found as review comments.

For detailed review results, please see the PR on DeepSource ↗

PR Report Card

Security: 0 issues
Reliability: 0 issues
Complexity: 0 issues
Hygiene: 0 issues
Overall PR Quality

Code Review Summary

Analyzer: C# | Status: No new issues detected.

gemini-code-assist bot (Contributor) commented

Summary of Changes

Hello @rjmurillo, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly refines the project's dependency management strategy and automerge workflows. It transitions NuGet package updates entirely to Renovate, eliminating redundant bot PRs and title validation failures previously caused by Dependabot. The changes also consolidate multiple auto-approval workflows into one, enhancing efficiency and maintainability. Furthermore, the PR includes an upgrade of a key code analyzer and introduces comprehensive documentation on dependency policies, ensuring a more robust and transparent approach to managing external packages.

Highlights

  • Dependency Bot Consolidation: Streamlined dependency management by disabling Dependabot for NuGet packages and consolidating all NuGet updates to Renovate, resolving issues with duplicate PRs and title validation failures.
  • Workflow Consolidation: Consolidated four overlapping auto-approve/merge workflows into a single, unified workflow to manage both Dependabot (for GitHub Actions) and Renovate PRs more efficiently.
  • Renovate Configuration Enhancements: Updated renovate.json to include ignoreDeps for core Microsoft.CodeAnalysis.* packages, grouped BenchmarkDotNet and Perfolizer for coordinated updates, and disabled System.CommandLine updates due to breaking changes.
  • Meziantou.Analyzer Upgrade: Upgraded Meziantou.Analyzer from version 2.0.266 to 3.0.9, confirming no breaking changes for the project's SDK version and no new warnings or errors.
  • Dependency Management Documentation: Introduced docs/dependency-management.md to document package categories, upgrade policies, the VersionOverride pattern, and lessons learned from past dependency issues.
Changelog
  • .github/dependabot.yml
    • Removed the nuget package ecosystem configuration, effectively disabling Dependabot for NuGet updates.
    • Added comments explaining the rationale for disabling Dependabot for NuGet.
  • build/targets/codeanalysis/Packages.props
    • Updated the Meziantou.Analyzer package version from 2.0.266 to 3.0.9.
  • docs/dependency-management.md
    • Added a new markdown file documenting the project's dependency management strategy, including package categories, upgrade policies, configuration files, and the VersionOverride pattern.
  • renovate.json
    • Added ignoreDeps for Microsoft.CodeAnalysis.CSharp, Microsoft.CodeAnalysis.CSharp.Workspaces, Microsoft.CodeAnalysis.Common, and Microsoft.CodeAnalysis.Workspaces.Common.
    • Added a new package rule to group BenchmarkDotNet and Perfolizer as benchmark-tooling with automerge: false.
    • Added a new package rule to disable updates for System.CommandLine and System.CommandLine.Rendering.
Ignored Files
  • Ignored by pattern: .github/workflows/** (4)
    • .github/workflows/auto-approve-and-merge-renovate.yml
    • .github/workflows/dependabot-approve-and-auto-merge.yml
    • .github/workflows/dependabot-auto-approve.yml
    • .github/workflows/dependabot-auto-merge.yml

coderabbitai bot (Contributor) commented Feb 21, 2026

No actionable comments were generated in the recent review. 🎉


Walkthrough

Dependabot NuGet updates disabled in favor of Renovate; Renovate configuration updated to manage NuGet and package rules; dependency-management docs added; several auto-approve/auto-merge GitHub Actions workflows removed or consolidated and one Dependabot workflow adjusted to include a dedicated Renovate job.

Changes

Dependabot config (.github/dependabot.yml): Removed the NuGet manager block and replaced it with comments pointing to renovate.json as the NuGet source of truth.

Renovate config (renovate.json): Enabled the NuGet manager, added ignoreDeps for specific Microsoft.CodeAnalysis packages, updated the analyzer rule (added System.Formats.Asn1 and switched labels to addLabels), added a benchmark-tooling group, and disabled the System.CommandLine manager.

Consolidated workflow (.github/workflows/dependabot-approve-and-auto-merge.yml): Renamed/standardized steps and tokens, refined triggers and permissions, simplified actor checks, and added a dedicated Renovate job for PR approvals.

Removed workflows (.github/workflows/auto-approve-and-merge-renovate.yml, .github/workflows/dependabot-auto-approve.yml, .github/workflows/dependabot-auto-merge.yml): Deleted workflows that previously auto-approved/auto-merged Dependabot/Renovate PRs.

Documentation (docs/dependency-management.md): Added dependency-management documentation describing the Renovate-first policy, dependency categories, upgrade rules, the VersionOverride pattern, and workflow guidance.

Sequence Diagram(s)

sequenceDiagram
    autonumber
    participant Bot as Renovate/Dependabot Bot
    participant GH as GitHub (Pull Request)
    participant Actions as GitHub Actions
    participant Approver as Approve Job
    participant Merger as Auto-merge Job

    Bot->>GH: Open dependency PR
    GH->>Actions: Trigger workflow (pull_request_target)
    Actions->>Approver: Validate actor & token (GH_TOKEN / GH_ACTIONS_PR_WRITE)
    Approver->>GH: Approve PR (if conditions met)
    Actions->>Merger: Enable auto-merge (if non-major & allowed)
    Merger->>GH: Merge PR (squash) or leave for manual merge

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers

  • MattKotsenas
Pre-merge checks: 3 passed

Description Check: Passed. Check skipped because CodeRabbit's high-level summary is enabled.
Title check: Passed. The pull request title accurately summarizes the main objective: consolidating dependency management workflows and documentation by disabling Dependabot NuGet updates, removing duplicate workflows, and centralizing to Renovate.
Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@coderabbitai coderabbitai bot requested a review from MattKotsenas February 21, 2026 01:38
gemini-code-assist bot (Contributor) left a comment

Code Review

This pull request does a great job of consolidating dependency management by moving from a dual-bot (Dependabot + Renovate) setup to a Renovate-first approach for NuGet packages. The changes are well-structured, and the addition of docs/dependency-management.md provides excellent context for future maintenance. I have one minor suggestion to improve the clarity of the new documentation, but overall this is a solid improvement to the repository's maintenance story.

- Disable dependabot for NuGet (renovate handles it; dependabot NuGet
  PRs failed required "Validate PR title" check due to non-conventional
  commit format, creating unmergeable duplicates of every renovate PR)
- Consolidate 4 overlapping auto-approve/merge workflows into 1:
  removed dependabot-auto-approve.yml, dependabot-auto-merge.yml,
  auto-approve-and-merge-renovate.yml; kept and expanded
  dependabot-approve-and-auto-merge.yml with separate jobs for
  dependabot (GitHub Actions) and renovate (NuGet)
- Update renovate.json: ignore Microsoft.CodeAnalysis.* core packages,
  group BenchmarkDotNet+Perfolizer as benchmark-tooling requiring manual
  review, disable System.CommandLine updates until PerfDiff rewrite (#914)
- Add docs/dependency-management.md documenting package categories,
  upgrade policies, the VersionOverride pattern, and lessons from #850

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@rjmurillo rjmurillo force-pushed the chore/dependency-management-cleanup branch from 074c7b3 to 89b7529 Compare February 21, 2026 01:42
codacy-production bot commented Feb 21, 2026

Coverage summary from Codacy

Coverage variation: +0.00% (target: -1.00%)
Diff coverage: ∅ (target: 95.00%)

Coverage variation details:
Common ancestor commit (a7bf15d): 2073 coverable lines, 1843 covered lines, 88.90% coverage
Head commit (57f629c): 2073 (+0) coverable lines, 1843 (+0) covered lines, 88.90% (+0.00%) coverage

Coverage variation is the difference between the coverage for the head and common ancestor commits of the pull request branch: <coverage of head commit> - <coverage of common ancestor commit>

Diff coverage details:
Pull request (#915): 0 coverable lines, 0 covered lines, diff coverage ∅ (not applicable)

Diff coverage is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified: <covered lines added or modified>/<coverable lines added or modified> * 100%

@rjmurillo rjmurillo changed the title chore: consolidate dependency management and clean up bot PRs chore: consolidate dependency management workflows and documentation Feb 21, 2026
Add safeguards to the Renovate job in the auto-merge workflow to skip
auto-merge for PRs that require manual review:

- analyzer-compat packages (CS8032 risk, see issue #850)
- benchmark-tooling packages (coordinated updates required)
- major version updates (parity with Dependabot job)

The workflow now fetches PR labels and conditionally enables auto-merge
only for PRs without these labels. Also adds a packageRule in
renovate.json to label major updates for workflow detection.
Address review feedback:
- System.Reflection.Metadata is transitive, not explicitly pinned
- Update workflow section to document label-based auto-merge gating

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
coderabbitai bot previously approved these changes Feb 21, 2026
Change labels to addLabels in packageRules so that labels accumulate
across multiple matching rules. This fixes the issue where a major
update to an analyzer-compat or benchmark-tooling package would lose
the 'major' label because Renovate's labels field is non-mergeable.

Remove auto-merge logic from the Renovate workflow job. Renovate
already handles auto-merge decisions via platformAutomerge and
per-package automerge rules in renovate.json. Duplicating this in the
workflow created race conditions (labels not yet applied on PR open),
silent failure modes (gh pr view failures bypassing safety checks),
and substring matching risks on label names.

The workflow now only approves Renovate PRs. Packages with
automerge: false (analyzer-compat, benchmark-tooling) will not have
auto-merge enabled by Renovate, so they require manual merge.

Other fixes:
- Add enabledManagers: ["nuget"] to prevent duplicate GitHub Actions PRs
- Remove major label rule (only needed for removed workflow logic)
- Fix false claim about Microsoft.CodeAnalysis.CSharp VersionOverride
- Fix "ignored in both Renovate and Dependabot" (Dependabot has no NuGet)
- Clarify System.Reflection.Metadata has no central pin
- Fix System.CommandLine.Rendering phrasing (folded, not removed)
- Add disclaimers to incomplete package lists with links to source

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

@coderabbitai coderabbitai bot added build dependencies Pull requests that update a dependency file documentation github_actions Pull requests that update GitHub Actions code labels Feb 21, 2026
coderabbitai bot (Contributor) previously requested changes Feb 21, 2026 and left a comment

Actionable comments posted: 4

Caution: Some comments are outside the diff and can't be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
renovate.json (1)

1-12: ⚠️ Potential issue | 🟠 Major

Add Renovate security alert configuration.

The configuration is missing security scanning requirements mandated by the coding guidelines. Add both osvVulnerabilityAlerts (OSV.dev vulnerability checking) and vulnerabilityAlerts (GitHub Dependabot integration) to enable vulnerability-driven PRs.

Proposed addition
 {
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
   "extends": [
     "config:recommended"
   ],
   "enabledManagers": ["nuget"],
+  "osvVulnerabilityAlerts": true,
+  "vulnerabilityAlerts": {
+    "enabled": true
+  },
   "ignoreDeps": [
     "Microsoft.CodeAnalysis.CSharp",
     "Microsoft.CodeAnalysis.CSharp.Workspaces",
     "Microsoft.CodeAnalysis.Common",
     "Microsoft.CodeAnalysis.Workspaces.Common"
   ],
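Review bot: vulnerabilityAlerts in this hunk only yields vulnerability-driven PRs when GitHub's Dependabot security alerts are enabled for the repository and the token Renovate runs with can read them; that setting should be confirmed alongside the config change, and osvVulnerabilityAlerts is documented by Renovate as experimental, which is worth a comment or a note in docs/dependency-management.md. With "enabledManagers": ["nuget"] kept on the line above the addition, these alerts cover NuGet only, so GitHub Actions dependencies remain with the retained dependabot github-actions ecosystem rather than Renovate.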
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@renovate.json` around lines 1 - 12, Add OSV and GitHub Dependabot
vulnerability scanning to the Renovate config by adding top-level keys
"osvVulnerabilityAlerts" and "vulnerabilityAlerts" in renovate.json and set them
to enable vulnerability-driven PRs; update the JSON structure to include these
keys alongside existing settings (e.g., with proper comma placement after
"enabledManagers" or "ignoreDeps") so the file remains valid and Renovate will
create OSV and GitHub vulnerability alerts.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/dependabot-approve-and-auto-merge.yml:
- Around line 6-49: The workflow currently sets top-level permissions (contents:
write) which grants more access than needed; move the permissions block down
into each job and set minimal scopes per job: for the dependabot job grant only
pull-requests: write and contents: read (or remove contents entirely if not
needed) and for the renovate job grant only pull-requests: write (no contents:
write), updating the job definitions named "dependabot" and "renovate" to
include job-level permissions entries instead of the global permissions key so
each job has least-privilege access.

In `@docs/dependency-management.md`:
- Around line 23-27: The Markdown under the "Upgrade policy:" heading is missing
a separating blank line before the bullet list; insert a single blank line
immediately after the "**Upgrade policy:**" line so the list is recognized as a
separate block (update the docs/dependency-management.md content around the
"Upgrade policy:" header and its following bullets).
- Around line 1-116: Add a new "Troubleshooting" section to the "Dependency
Management" doc that lists common failures (e.g., "Renovate PR not auto-merged",
"Analyzer-compat update blocked", "PerfDiff build failures", "VersionOverride
conflicts") and for each give one-line remediation steps and pointers to the
responsible artifacts (mention Renovate config/renovate.json and the
consolidated workflow dependabot-approve-and-auto-merge.yml for auto-merge
issues; call out ValidateAnalyzerHostCompatibility and
AnalyzerAssemblyCompatibilityTests for analyzer-compat blocks; mention
VersionOverride usage and bench/perfdiff exclusions for tooling conflicts).
Ensure the section includes: symptoms, quick fixes, and next steps (who to
contact or which CI job to re-run), and add a short note reminding authors to
include a similar "Troubleshooting" section in all markdown docs (per the
**/*.md guideline).
- Around line 1-116: The docs/dependency-management.md change lacks evidence of
completing the required markdown validation checklist from
markdown.instructions.md; open markdown.instructions.md, run the required
formatting/linting and link checks, add a table of contents if the guidelines
demand, and validate the referenced workflow link, then update the PR
description to include the completed checklist items (formatting/lint results,
link validation results, TOC status, and any cross-file checks) and note any
deviations or follow-up actions before resubmitting.


coderabbitai bot (Contributor) previously requested changes Feb 21, 2026 and left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@docs/dependency-management.md`:
- Around line 114-117: Add a new "Troubleshooting" section to
docs/dependency-management.md that covers diagnosing assembly load failures
(include CS8032 as an example), steps to verify assembly version compatibility
(how to inspect binding redirects, assembly versions and runtimes), and guidance
for when a dependency update breaks CI (how to revert/restore lockfiles, pin
versions, run local CI reproductions and use the consolidated workflow
.github/workflows/dependabot-approve-and-auto-merge.yml and Renovate settings as
context). Reference the tools and files mentioned (Dependabot, Renovate,
.github/workflows/dependabot-approve-and-auto-merge.yml, renovate.json) and
provide concise actionable steps for each troubleshooting item.
- Around line 23-26: Insert a blank line immediately after the "**Upgrade
policy:**" heading so the Markdown list (lines starting with "-
`Microsoft.CodeAnalysis.*` ..." and the subsequent list items) is separated from
the heading; update the section around the "**Upgrade policy:**" heading in
docs/dependency-management.md to include that blank line to satisfy Markdown
lint rules.

coderabbitai bot (Contributor) previously requested changes Feb 21, 2026 and left a comment

Actionable comments posted: 5

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/dependabot-approve-and-auto-merge.yml:
- Around line 35-49: Add a missing trailing newline to the end of the workflow
file so it ends with a newline character; open the
.github/workflows/dependabot-approve-and-auto-merge.yml and ensure the file
terminates with a single newline after the last line (the renovate job / the
"Approve PR" step block) and save the file so tools that expect a final newline
will not error.

In `@docs/dependency-management.md`:
- Around line 112-117: Add a "## Troubleshooting" section at the end of
docs/dependency-management.md that includes brief, actionable checks for the
three suggested failure modes: CS8032 assembly load failures (check
System.Collections.Immutable and System.Reflection.Metadata versions in shipped
analyzer, run AnalyzerAssemblyCompatibilityTests, link issue `#850`), Renovate not
creating PRs (check Renovate dashboard, validate renovate.json syntax, verify
packages are not in ignoreDeps or disabled), and Auto-merge not working (verify
platformAutomerge: true in renovate.json, confirm per-package automerge rules
and that required status checks are passing); use the same heading style as "##
Workflow" so it is discoverable and concise.
- Around line 22-26: The "Upgrade policy:" bullet list is not surrounded by
blank lines which breaks markdown rendering; edit the section containing the
"Upgrade policy:" heading and the three list items (`Microsoft.CodeAnalysis.*`
note, `System.Collections.Immutable`/... automerge note, and the
`ValidateAnalyzerHostCompatibility` / `AnalyzerAssemblyCompatibilityTests`
sentence) to insert a blank line both before the first list item and after the
last list item so the list is separated from surrounding paragraphs.
- Around line 1-4: Add a short table of contents at the top of the "Dependency
Management" document that links to the major sections (e.g., Renovate,
Dependabot, GitHub Actions, and any other headings present) so readers can
quickly navigate; update the top of the file under the "Dependency Management"
heading to include the TOC with anchor links matching the existing section
headings.

In `@renovate.json`:
- Around line 3-5: The Renovate configuration currently relies on
"config:recommended" but lacks an explicit security/vulnerability declaration;
add an explicit vulnerability alerting/security policy entry to renovate.json
(e.g., enable vulnerabilityAlerts, pin digests or set "security" rules) so the
policy is visible and enforced; update the top-level config near the existing
"extends": ["config:recommended"] entry and add keys like "vulnerabilityAlerts":
{"enabled": true} or the repository-specific "security" settings to make the
requirement explicit.

- Move workflow permissions from top-level to per-job for least
  privilege. Renovate job only needs pull-requests: write (no
  contents: write since it only approves, not merges).
- Add blank line before list in docs for markdown lint compliance.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
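The per-job permissions layout the commit above describes, as an added example that is not the repository's own workflow file: each job declares only the scopes it uses instead of inheriting a top-level block, no job checks out the PR head (pull_request_target runs with the base repository's secrets, so untrusted PR code must never be executed in it), and the Dependabot job gates auto-merge on the update-type output of dependabot/fetch-metadata that the PR description mentions. The secret name GH_ACTIONS_PR_WRITE, the event types, and the use of gh for approval and auto-merge are assumptions.

```yaml
# Added example, not the project's workflow. Assumptions: secrets.GH_ACTIONS_PR_WRITE is a
# token with pull-request write scope whose approvals count toward branch protection;
# Renovate's platformAutomerge performs the merge for Renovate PRs, so that job only approves.
name: Auto-Approve and Auto-Merge Bot PRs

on:
  pull_request_target:
    types: [opened, synchronize, reopened]

# Deliberately no top-level `permissions:` block: each job declares the minimum it needs.
# There is also no actions/checkout step anywhere: with pull_request_target the workflow
# has base-repo secrets, and checking out the PR head would run untrusted code with them.

jobs:
  dependabot:
    if: github.actor == 'dependabot[bot]'
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write   # approve the PR
      contents: write        # required only because this job enables auto-merge
    steps:
      - name: Fetch Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@v2
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}

      - name: Approve PR
        run: gh pr review --approve "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GH_ACTIONS_PR_WRITE }}

      # Major bumps stay for a human; everything else is queued to merge once required checks pass.
      - name: Enable auto-merge for non-major updates
        if: steps.metadata.outputs.update-type != 'version-update:semver-major'
        run: gh pr merge --auto --squash "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GH_ACTIONS_PR_WRITE }}

  renovate:
    if: github.actor == 'renovate[bot]'
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write   # approve only; no contents: write, since merging is left to Renovate
    steps:
      - name: Approve PR
        run: gh pr review --approve "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GH_ACTIONS_PR_WRITE }}
```

The `contents: write` scope on the dependabot job exists solely because `gh pr merge --auto` needs it; if merging for Dependabot PRs were also delegated to the platform, that job could drop to `pull-requests: write` like the renovate job. Because the page's own sequence diagram shows the merge as a squash gated on "non-major", the update-type comparison above checks only the major classifier and lets minor and patch updates through.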
coderabbitai bot (Contributor) previously requested changes Feb 21, 2026 and left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/dependabot-approve-and-auto-merge.yml:
- Around line 1-5: The workflow uses the pull_request_target trigger which
cannot be fully exercised locally; update the workflow file header or add a
README note in the repository documenting how this workflow was validated —
e.g., state that validation was performed on GitHub Actions by opening test PRs
(or describe any gh act workaround used) and that final verification occurs when
the workflow runs in CI; reference the workflow name "Auto-Approve and
Auto-Merge Bot PRs" and the "pull_request_target" trigger in the note so
reviewers know why local testing is limited and where validation evidence can be
found.

---

Duplicate comments:
In `@docs/dependency-management.md`:
- Around line 1-4: Update docs/dependency-management.md to include a short
"Validation Checklist" section that lists completed steps (markdown lint run,
link checks passed, TOC reviewed) and attach or reference the lint/link-check
run IDs or timestamps; explicitly state whether docs/rules/ and README.md were
updated for this workflow change and if not, add a documented exception
explaining why; mention that you read the markdown instruction file and
completed the checklist before submitting and include links or filenames of
related commits/PRs as evidence.
- Around line 113-118: Add a Troubleshooting section to this document
(docs/dependency-management.md) that covers common failure modes for the
consolidated workflow (.github/workflows/dependabot-approve-and-auto-merge.yml)
and Renovate behavior (renovate.json), including: how to diagnose why a
Dependabot PR didn’t enable auto-merge (check dependabot/fetch-metadata output
and GitHub Actions logs), why Renovate-managed NuGet PRs were not auto-merged
(verify platformAutomerge, per-package automerge flags like
analyzer-compat/benchmark-tooling), and steps to recover (manual approval/merge,
re-run workflow, inspect workflow artifacts/logs); alternatively, if this file
is intentionally exempt from troubleshooting, add a clear “No troubleshooting
required” exception statement referencing the same workflow and renovate.json.

@rjmurillo rjmurillo dismissed stale reviews from coderabbitai[bot], coderabbitai[bot], and coderabbitai[bot] February 21, 2026 03:45

All review threads resolved. Changes addressed in subsequent commits.

@rjmurillo rjmurillo enabled auto-merge (squash) February 21, 2026 03:45
@rjmurillo rjmurillo dismissed coderabbitai[bot]’s stale review February 21, 2026 04:17

All review threads resolved. Dismissing to unblock auto-merge.

coderabbitai bot previously approved these changes Feb 21, 2026

cursor bot left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Bugbot Autofix is ON. A Cloud Agent has been kicked off to fix the reported issue.

System.Formats.Asn1 is in the Transitive pins section of Directory.Packages.props with the same CAUTION comment about flowing into the shipped analyzer DLL. Without this fix, minor/patch updates would auto-merge without review.
cursor bot commented Feb 21, 2026

Bugbot Autofix prepared fixes for 1 of the 1 bugs found in the latest run.

  • ✅ Fixed: Transitive pin package missing from analyzer-compat rule
    • Added System.Formats.Asn1 to the analyzer-compat rule in renovate.json and updated the shipped packages documentation in docs/dependency-management.md.

The previous wording said "Must not exceed .NET 8 SDK host assembly
version" but the current pin is 10.0.0, which contradicts that
constraint. Updated to accurately reflect it is flagged for host
compat review as a transitive pin.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@rjmurillo rjmurillo disabled auto-merge February 21, 2026 05:28
@rjmurillo rjmurillo merged commit 381b0af into main Feb 21, 2026
36 of 37 checks passed
@rjmurillo rjmurillo deleted the chore/dependency-management-cleanup branch February 21, 2026 05:28
@rjmurillo rjmurillo added this to the vNext milestone Feb 21, 2026