Skip to content

Upgrade dependencies, fix MA0074 build errors, and group dependabot updates#2545

Merged
lahma merged 1 commit into
sebastienros:mainfrom
lahma:fix-dependency-upgrades
Jun 23, 2026
Merged

Upgrade dependencies, fix MA0074 build errors, and group dependabot updates#2545
lahma merged 1 commit into
sebastienros:mainfrom
lahma:fix-dependency-upgrades

Conversation

@lahma

@lahma lahma commented Jun 23, 2026

Copy link
Copy Markdown
Collaborator

Why

#2544 (the weekly Dependabot bump) fails to build on every platform. The root cause is the Meziantou.Analyzer 3.0.1013.0.109 bump, which promotes MA0074 (use a Contains overload that takes a StringComparison). Because warnings are treated as errors, five existing string.Contains(string) calls in the Intl code break the build:

  • Jint/Native/Intl/JsNumberFormat.cs (3 sites)
  • Jint/Native/Intl/LocaleConstructor.cs
  • Jint/Native/Intl/DisplayNamesPrototype.cs

What

Fix the build (MA0074) — add StringComparison.Ordinal to the five flagged calls. This is behaviour-identical: string.Contains(string) already performs an ordinal comparison, and Ordinal matches the adjacent EndsWith(..., StringComparison.Ordinal) calls in the same methods.

Upgrade all packages to their latest stable versions (so we don't have to update again right away; prereleases/betas were intentionally skipped):

Package From To
ICU4N 60.1.0-alpha.439 60.1.0-alpha.440
Meziantou.Analyzer 3.0.101 3.0.109
Microsoft.Extensions.DependencyInjection 10.0.8 10.0.9
Microsoft.Extensions.TimeProvider.Testing 10.6.0 10.7.0
Verify.NUnit 31.19.0 31.20.0
YantraJS.Core 1.2.405 1.2.406
BenchmarkDotNet.TestAdapter 0.13.12 0.15.8
Microsoft.NET.Test.Sdk 18.6.0 18.7.0
System.Text.Json 10.0.8 10.0.9
Spectre.Console.Cli 0.45.0 0.55.0
Zio 0.22.2 0.24.0

The first six rows are the bumps originally proposed by #2544; the rest bring the remaining packages current. Packages with only prerelease updates available (M.E.DI 11.0-preview, Newtonsoft.Json 13.0.5-beta1, System.Text.Json 11.0-preview, xunit 4.0-pre, Spectre 1.0-alpha) were left on their latest stable.

Improve Dependabot grouping — replace the single catch-all all-dependencies group with logical, purpose-based groups so each weekly PR is cohesive and easy to review/revert instead of one large mixed bump:

  • analyzers — Meziantou.Analyzer, Microsoft.CodeAnalysis.*, PolySharp
  • testing — xunit, NUnit, test SDK, assertion/helper libraries, Verify, Test262Harness, etc.
  • benchmark — BenchmarkDotNet*
  • js-engine-comparisons — Jurassic, NiL.JS, YantraJS.Core
  • acornima — the lockstep parser packages
  • microsoft — remaining Microsoft.* / System.* runtime packages

Groups are ordered most-specific first since Dependabot assigns each dependency to the first matching group.

Testing

  • dotnet build --configuration Release — succeeds, 0 warnings / 0 errors
  • Jint.Tests — 3131 passed (net10.0), 3069 passed (net472), 0 failed
  • Jint.Tests.CommonScripts — 28 passed on both TFMs
  • Jint.Tests.PublicInterface — all green except CanUseTimeProvider on net472, which is a pre-existing timing-sensitive test (a 100 ms window around the real system clock on cold-start JIT) that fails identically on unmodified main; none of the bumped packages are on its code path.

This PR supersedes #2544.

🤖 Generated with Claude Code

…dates

Supersedes sebastienros#2544, which failed to build because the Meziantou.Analyzer
3.0.101 -> 3.0.109 bump promotes MA0074 (use a Contains overload with a
StringComparison) and warnings are treated as errors. Add
StringComparison.Ordinal to the five flagged string.Contains calls in the
Intl code; this is behaviour-identical (string.Contains(string) already
compares ordinally) and matches the adjacent EndsWith(..., Ordinal) calls.

Bring all packages to their latest stable versions so we don't have to
update again shortly (prereleases/betas intentionally skipped):
- ICU4N 60.1.0-alpha.439 -> .440
- Meziantou.Analyzer 3.0.101 -> 3.0.109
- Microsoft.Extensions.DependencyInjection 10.0.8 -> 10.0.9
- Microsoft.Extensions.TimeProvider.Testing 10.6.0 -> 10.7.0
- Verify.NUnit 31.19.0 -> 31.20.0
- YantraJS.Core 1.2.405 -> 1.2.406
- BenchmarkDotNet.TestAdapter 0.13.12 -> 0.15.8 (aligns with BenchmarkDotNet)
- Microsoft.NET.Test.Sdk 18.6.0 -> 18.7.0
- System.Text.Json 10.0.8 -> 10.0.9
- Spectre.Console.Cli 0.45.0 -> 0.55.0
- Zio 0.22.2 -> 0.24.0

Replace the catch-all dependabot "all-dependencies" group with logical
groups (analyzers, testing, benchmark, js-engine-comparisons, acornima,
microsoft) so weekly update PRs are cohesive instead of one large mixed PR.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_013iGpTz8AqQM1m6eRoF9jDr
@lahma lahma force-pushed the fix-dependency-upgrades branch from 970c908 to 24f6868 Compare June 23, 2026 13:23
@lahma lahma enabled auto-merge (squash) June 23, 2026 13:24
@lahma lahma merged commit 8c64ed8 into sebastienros:main Jun 23, 2026
4 checks passed
@lahma lahma deleted the fix-dependency-upgrades branch June 28, 2026 08:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant