Skip to content

Bump the dotnet-tools group with 2 updates#177

Open
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/nuget/dot-config/dotnet-tools-ed2898e97a
Open

Bump the dotnet-tools group with 2 updates#177
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/nuget/dot-config/dotnet-tools-ed2898e97a

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github Apr 28, 2026

Updated cyclonedx from 6.1.0 to 6.2.0.

Release notes

Sourced from cyclonedx's releases.

6.2.0

Added

  • `--configuration` / `-c` CLI option (#​1056, fixes #​1028) — passes `-p:Configuration=` to `dotnet restore` so MSBuild evaluates conditional `PackageReference` items during restore. Configuration-specific packages (e.g. debug-only `Avalonia.Diagnostics`) are no longer included in the SBOM when a Release configuration is requested.
  • NuGet license file support (#​1011, #​1002) — packages declaring `` now have their license file embedded as base64-encoded text in the BOM when `--include-license-text` is specified; without the flag the license is still detected but not embedded

Fixed

  • Suppress `aka.ms/deprecateLicenseUrl` stub URL (#​1011) — NuGet auto-injects `https://aka.ms/deprecateLicenseUrl\` into `` for packages packed with ``; this URL is now correctly ignored rather than being emitted as a license entry in the BOM
  • Fix null-URL license stub (#​1011) — packages with no `` no longer produce a spurious `License { Name="Unknown - See URL", Url=null }` node in the BOM
  • Fix `UNLICENSED` emitted as SPDX id (#​1004, fixes #​915) — `UNLICENSED` is a NuGet-specific token that is not a valid SPDX identifier; it is now emitted as `license.name` instead of `license.id` to keep BOM output valid

Changed

  • Upgrade CycloneDX.Core from 12.0.1 to 12.1.1 (#​1084)
  • Bump System.CommandLine from 2.0.0 to 2.0.5 (#​1083)

Contributors

Thanks to everyone who contributed to this release:

  • @​mus65 — NuGet license file support (#​1011)
  • @​jainlakshya — UNLICENSED license expression handling (#​1004, fixes #​915)
  • @​trivalik — requested NuGet license file support (#​1002)
  • @​alexandrehtrb — reported the conditional compilation issue that led to the `--configuration` flag (#​1028)
  • @​south11235 — reported the UNLICENSED invalid BOM issue (#​915)

6.1.1

Fixed

  • Fix crash when a nuspec declares an exact-range version constraint across multiple projects (#​1071) — when a package's nuspec dependency uses an exact version range (e.g. [1.0.0]) and multiple versions of that package are present in a multi-project solution, the tool no longer crashes with "Unable to locate valid bom ref"; the dependency edge is resolved to the version that satisfies the range

Commits viewable in compare view.

Updated dotnet-ef from 8.0.25 to 8.0.26.

Release notes

Sourced from dotnet-ef's releases.

8.0.26

Release

What's Changed

Full Changelog: dotnet/efcore@v8.0.25...v8.0.26

Commits viewable in compare view.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

@dependabot
Bump the dotnet-tools group with 2 updates
b1ae717 
Bumps cyclonedx from 6.1.0 to 6.2.0
Bumps dotnet-ef from 8.0.25 to 8.0.26

---
updated-dependencies:
- dependency-name: cyclonedx
  dependency-version: 6.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dotnet-tools
- dependency-name: dotnet-ef
  dependency-version: 8.0.26
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dotnet-tools
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added .NET Pull requests that update .NET code dependencies Pull requests that update a dependency file labels Apr 28, 2026
@dependabot dependabot Bot requested a review from tass500 as a code owner April 28, 2026 04:26
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file .NET Pull requests that update .NET code labels Apr 28, 2026
@dependabot dependabot Bot mentioned this pull request Apr 28, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tass500 tass500 Awaiting requested review from tass500 tass500 is a code owner

At least 0 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file .NET Pull requests that update .NET code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants