build(repo): bump Scriban + test-infra packages #149
Draft
ottobolyos wants to merge 9 commits into
7a6a72a to e3ae31b
PatrickRitchie approved these changes May 10, 2026
37acda7 to db007b8
Resolves the 11 advisories open against the 5.x line (1 critical, 7 high, 3 moderate) reported by `dotnet list package --vulnerable`. Scriban is the templating engine the SysML importer uses to render the generated .g.cs files under libraries/MTConnect.NET-Common/, libraries/MTConnect.NET-XML/ and libraries/MTConnect.NET-JSON-cppagent/. The 7.x line drops support for net6.0/net7.0 targets but the importer pins net8.0, so the bump is binary-compatible for this consumer.
Aligns every NUnit + xUnit test project on the same Test.Sdk version. Latest stable on the 17.x line; 18.x intentionally skipped pending a separate evaluation.

Affected csprojs:
- tests/MTConnect.NET-Common-Tests (16.11.0 -> 17.14.1)
- tests/MTConnect.NET-HTTP-Tests (16.11.0 -> 17.14.1)
- tests/MTConnect.NET-SHDR-Tests (17.4.0 -> 17.14.1)
- tests/MTConnect.NET-XML-Tests (17.4.0 -> 17.14.1)
- tests/IntegrationTests (17.4.0 -> 17.14.1)

Cross-cutting commit per CONVENTIONS scope rule for "library-cross-cutting changes use the most-affected scope" -- scope `repo` because the bump spans five test scopes.
Latest stable on the 6.x line. Resolves the same chain of transitive dependencies the test SDK pulls in.

Affected csprojs:
- tests/MTConnect.NET-Common-Tests (3.1.0 -> 6.0.4)
- tests/MTConnect.NET-HTTP-Tests (3.1.0 -> 6.0.4)
- tests/MTConnect.NET-SHDR-Tests (3.2.0 -> 6.0.4)
- tests/MTConnect.NET-XML-Tests (3.2.0 -> 6.0.4)
- tests/IntegrationTests (3.2.0 -> 6.0.4)

Cross-cutting commit per CONVENTIONS scope rule for "library-cross-cutting changes use the most-affected scope" -- scope `repo` because the bump spans five test scopes.
Latest stable on the 3.x line. NUnit stays on the 3.x line for now; the 4.x major rewrite (Assert.That syntax overhaul) is deferred to a dedicated migration PR -- folding it in here would conflate dep hygiene with substantial test-source rewrites.

Affected csprojs:
- tests/MTConnect.NET-Common-Tests (3.13.2 -> 3.14.0)
- tests/MTConnect.NET-HTTP-Tests (3.13.2 -> 3.14.0)
- tests/MTConnect.NET-SHDR-Tests (3.13.3 -> 3.14.0)
- tests/MTConnect.NET-XML-Tests (3.13.3 -> 3.14.0)

Cross-cutting commit per CONVENTIONS scope rule for "library-cross-cutting changes use the most-affected scope" -- scope `repo` because the bump spans four test scopes.
Latest stable on the 4.x line. Pairs with the NUnit 3.14.0 bump.

Affected csprojs:
- tests/MTConnect.NET-Common-Tests (4.0.0 -> 4.6.0)
- tests/MTConnect.NET-HTTP-Tests (4.0.0 -> 4.6.0)
- tests/MTConnect.NET-SHDR-Tests (4.3.1 -> 4.6.0)
- tests/MTConnect.NET-XML-Tests (4.3.1 -> 4.6.0)

Cross-cutting commit per CONVENTIONS scope rule for "library-cross-cutting changes use the most-affected scope" -- scope `repo` because the bump spans four test scopes.
MTConnect.NET-MQTT depends directly on Microsoft.Extensions.Hosting 7.0.0, which transitively brings System.Text.Json 7.0.0. That version is flagged by GHSA-hh2w-p6rv-4g7w (High severity, affects >= 7.0.0, <= 8.0.3; patched in 8.0.4). On net8.0+ the runtime ships System.Text.Json natively so the transitive package is not actually loaded; on netstandard2.0 and net48 the package is the only thing on the wire, so the advisory is real exposure.

Add per-TFM conditional `<PackageReference Include="System.Text.Json" Version="8.0.5" />` for netstandard2.0 and net48 in MTConnect.NET-MQTT (the rooting library that pulls in Hosting). This forces the NuGet resolver to pick 8.0.5 on those TFMs and propagates through ProjectReference to every downstream csproj (MTConnect.NET, MTConnect.NET-Applications-Agents, MTConnect.NET-Applications-Adapter, MTConnect.NET-AgentModule-MqttRelay, MTConnect.NET-AgentModule-MqttAdapter, MTConnect.NET-AgentModule-MqttBroker, MTConnect.NET-AdapterModule-MQTT, MTConnect.NET-Adapter, MTConnect.NET-Agent, MTConnect.NET-Client-MQTT, MTConnect.NET-Agent-Embedded, Agent).

Verified via project.assets.json:

    BEFORE
    .NETFramework,Version=v4.8 :: System.Text.Json/7.0.0
    .NETStandard,Version=v2.0 :: System.Text.Json/7.0.0

    AFTER
    .NETFramework,Version=v4.8 :: System.Text.Json/8.0.5
    .NETStandard,Version=v2.0 :: System.Text.Json/8.0.5

Note: `dotnet list package --vulnerable --include-transitive` on [net8.0] still reports the transitive 7.0.0 in the static dependency graph. On net8.0+ the in-runtime System.Text.Json supersedes the transitive package at load time, so the GHSA exposure is closed in practice; the per-TFM mitigation here closes the netstandard2.0 and net48 surface where the package is load-bearing on the wire. Solution build remains green (0 errors).
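The verification step in the commit above (reading the per-TFM resolved version out of `project.assets.json`) is easy to script so it can run on every restore. The following is an added example, not code from the MTConnect.NET repository: it parses the `targets` section that `dotnet restore` writes to `obj/project.assets.json`, reports the resolved version of one package for every target framework, and flags the frameworks where that version is below a required minimum. The two sample documents are constructed to mirror the BEFORE / AFTER states quoted in the commit; a real assets file is much larger, and the `MTConnect.NET-Common` project entry is included only to show that `type: "project"` entries are skipped.

```python
"""Report which version of a NuGet package NuGet actually resolved per target framework.

Added example (not part of MTConnect.NET). Reads a project.assets.json
document, finds the resolved version of one package under every TFM listed
in "targets", and flags TFMs where it is older than a required minimum.
"""
import json
from typing import Dict, List, Optional, Tuple

# Constructed sample. "targets" maps each TFM to the libraries restored for it,
# keyed "<PackageId>/<Version>"; entries of type "project" are ProjectReferences.
SAMPLE_ASSETS_BEFORE = json.dumps({
    "version": 3,
    "targets": {
        ".NETFramework,Version=v4.8": {
            "Microsoft.Extensions.Hosting/7.0.0": {
                "type": "package", "dependencies": {"System.Text.Json": "7.0.0"}},
            "System.Text.Json/7.0.0": {"type": "package"},
            "MTConnect.NET-Common/1.0.0": {"type": "project"},
        },
        ".NETStandard,Version=v2.0": {"System.Text.Json/7.0.0": {"type": "package"}},
        "net8.0": {"System.Text.Json/7.0.0": {"type": "package"}},
    },
})

# Constructed sample of the state after the per-TFM pin: the legacy TFMs resolve
# 8.0.5, while the static graph for net8.0 still lists the inert 7.0.0.
SAMPLE_ASSETS_AFTER = json.dumps({
    "version": 3,
    "targets": {
        ".NETFramework,Version=v4.8": {"System.Text.Json/8.0.5": {"type": "package"}},
        ".NETStandard,Version=v2.0": {"System.Text.Json/8.0.5": {"type": "package"}},
        "net8.0": {"System.Text.Json/7.0.0": {"type": "package"}},
    },
})


def parse_version(text: str) -> Tuple[int, ...]:
    """'8.0.5' -> (8, 0, 5). A pre-release suffix such as '-preview.1' is dropped before comparing."""
    return tuple(int(part) for part in text.split("-", 1)[0].split("."))


def resolved_versions(assets_json: str, package_id: str) -> Dict[str, Optional[str]]:
    """Map each TFM in the assets document to the resolved version of package_id (None when absent)."""
    doc = json.loads(assets_json)
    result: Dict[str, Optional[str]] = {}
    for tfm, libraries in doc.get("targets", {}).items():
        result[tfm] = None
        for key, entry in libraries.items():
            if entry.get("type") != "package":
                continue  # ProjectReferences carry no NuGet version
            name, _, version = key.partition("/")
            if name.lower() == package_id.lower():  # NuGet ids are case-insensitive
                result[tfm] = version
    return result


def tfms_below_minimum(assets_json: str, package_id: str, minimum: str,
                       only_tfms: Optional[List[str]] = None) -> List[str]:
    """Return the TFMs whose resolved package_id is older than `minimum`, sorted.

    `only_tfms` restricts the check to the frameworks where the package is
    load-bearing (for System.Text.Json: netstandard2.0 and net48; on net8.0+
    the runtime's own copy is used). A TFM where the package is absent is not reported.
    """
    wanted = parse_version(minimum)
    flagged = []
    for tfm, version in resolved_versions(assets_json, package_id).items():
        if only_tfms is not None and tfm not in only_tfms:
            continue
        if version is not None and parse_version(version) < wanted:
            flagged.append(tfm)
    return sorted(flagged)


if __name__ == "__main__":
    legacy = [".NETFramework,Version=v4.8", ".NETStandard,Version=v2.0"]
    for label, doc in (("BEFORE", SAMPLE_ASSETS_BEFORE), ("AFTER", SAMPLE_ASSETS_AFTER)):
        for tfm, version in resolved_versions(doc, "System.Text.Json").items():
            print(f"{label} {tfm} :: System.Text.Json/{version}")
        below = tfms_below_minimum(doc, "System.Text.Json", "8.0.4", legacy)
        print(f"{label} load-bearing TFMs below 8.0.4: {below or 'none'}")
```

To run it against a real project, replace the sample string with `open("obj/project.assets.json").read()` after `dotnet restore`; the minimum here is 8.0.4 because that is the patched version named in the advisory, so a pin of 8.0.5 passes.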
tests/IntegrationTests/IntegrationTests.csproj reported three High transitive vulnerabilities:

* System.Net.Http 4.3.0 -- GHSA-7jgj-8wvc-jh57
* System.Text.Json 6.0.5 -- GHSA-8g4q-xg66-9fp4
* System.Text.RegularExpressions 4.3.0 -- GHSA-cmhx-cq75-c4mj

The first and third were transitive dependencies of xunit 2.4.2; the second came from Divergic.Logging.Xunit 4.2.0 (which still resolves to System.Text.Json 6.0.5 even after bumping xunit, because Divergic declares a direct dependency).

Bump:

* Microsoft.Extensions.Logging.Abstractions 7.0.0 -> 8.0.2 (per the finding's guidance to move off the 7.x line entirely).
* xunit 2.4.2 -> 2.9.2 (per the finding; resolves the System.Net.Http and System.Text.RegularExpressions transitives).
* Add a direct PackageReference for System.Text.Json 8.0.5 to override the Divergic.Logging.Xunit transitive 6.0.5.

BEFORE `dotnet list ... --vulnerable --include-transitive` on net8.0:

    > System.Net.Http 4.3.0 High GHSA-7jgj-8wvc-jh57
    > System.Text.Json 6.0.5 High GHSA-8g4q-xg66-9fp4
    > System.Text.RegularExpressions 4.3.0 High GHSA-cmhx-cq75-c4mj

AFTER:

    "The given project IntegrationTests has no vulnerable packages given the current sources."

Solution-level build (MTConnect.NET.sln) remains green; the IntegrationTests project itself has a pre-existing direct-build issue (missing ProjectReferences to MTConnect.NET-Agent types) that is orthogonal to this dependency bump.
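The BEFORE / AFTER output quoted in the commit above is what a CI gate would consume. The following is an added example, not code from the MTConnect.NET repository: it parses the text that `dotnet list package --vulnerable --include-transitive` prints (project header, a `[TFM]` line, a "Top-level Package" or "Transitive Package" table header, then one `>` row per finding, where top-level rows carry both a Requested and a Resolved column and transitive rows only Resolved), records whether each finding is direct or transitive, and fails the gate at a chosen severity. Both sample outputs are constructed: the first mirrors the three IntegrationTests findings from the commit plus a made-up second project (`Example.Tests`, `Example.Package`, placeholder advisory `GHSA-xxxx-xxxx-xxxx`) to show a top-level row; the second is the "no vulnerable packages" message.

```python
"""Parse and gate on `dotnet list package --vulnerable --include-transitive` text output.

Added example (not part of MTConnect.NET). The direct/transitive flag matters
for remediation: a top-level finding is fixed by bumping the reference itself,
a transitive one by bumping its parent or overriding it with a direct
PackageReference, as the commit does for System.Text.Json.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample output. The first project mirrors the commit's BEFORE
# findings; the second project, package and advisory id are placeholders.
SAMPLE_VULNERABLE = """\
The following sources were used:
   https://api.nuget.org/v3/index.json

Project `IntegrationTests` has the following vulnerable packages
   [net8.0]:
   Transitive Package                    Resolved   Severity   Advisory URL
      > System.Net.Http                  4.3.0      High       https://github.com/advisories/GHSA-7jgj-8wvc-jh57
      > System.Text.Json                 6.0.5      High       https://github.com/advisories/GHSA-8g4q-xg66-9fp4
      > System.Text.RegularExpressions   4.3.0      High       https://github.com/advisories/GHSA-cmhx-cq75-c4mj

Project `Example.Tests` has the following vulnerable packages
   [net8.0]:
   Top-level Package      Requested   Resolved   Severity   Advisory URL
      > Example.Package   1.0.0       1.0.0      Moderate   https://github.com/advisories/GHSA-xxxx-xxxx-xxxx
"""

SAMPLE_CLEAN = "The given project IntegrationTests has no vulnerable packages given the current sources.\n"

SEVERITY_RANK = {"Low": 1, "Moderate": 2, "High": 3, "Critical": 4}
SEVERITY = r"(Low|Moderate|High|Critical)"
PROJECT_RE = re.compile(r"^Project `([^`]+)` has the following vulnerable packages")
# top-level rows: name requested resolved severity url; transitive rows: name resolved severity url
TOP_ROW_RE = re.compile(r"^>\s+(\S+)\s+(\S+)\s+(\S+)\s+" + SEVERITY + r"\s+(\S+)$")
TRANSITIVE_ROW_RE = re.compile(r"^>\s+(\S+)\s+(\S+)\s+" + SEVERITY + r"\s+(\S+)$")


@dataclass(frozen=True)
class Finding:
    project: str
    tfm: str
    package: str
    resolved: str
    severity: str
    advisory: str     # GHSA id taken from the tail of the advisory URL
    transitive: bool  # False for a direct PackageReference, True for a pulled-in package


def parse_findings(output: str) -> List[Finding]:
    """Walk the SDK output line by line and return one Finding per '>' row."""
    project = tfm = ""
    transitive = False
    findings: List[Finding] = []
    for raw in output.splitlines():
        line = raw.strip()
        m = PROJECT_RE.match(line)
        if m:
            project = m.group(1)
            continue
        if line.startswith("[") and line.endswith("]:"):  # e.g. "[net8.0]:"
            tfm = line[1:-2]
            continue
        if line.startswith("Top-level Package"):
            transitive = False
            continue
        if line.startswith("Transitive Package"):
            transitive = True
            continue
        m = TRANSITIVE_ROW_RE.match(line) if transitive else TOP_ROW_RE.match(line)
        if m:
            g = m.groups()
            resolved, severity, url = (g[1], g[2], g[3]) if transitive else (g[2], g[3], g[4])
            advisory = url.rstrip("/").rsplit("/", 1)[-1]
            findings.append(Finding(project, tfm, g[0], resolved, severity, advisory, transitive))
    return findings


def passes_gate(output: str, fail_at: str = "High") -> bool:
    """True when no finding is at or above `fail_at` severity ('Low' fails on anything)."""
    threshold = SEVERITY_RANK[fail_at]
    return all(SEVERITY_RANK[f.severity] < threshold for f in parse_findings(output))


if __name__ == "__main__":
    import sys
    for f in parse_findings(SAMPLE_VULNERABLE):
        kind = "transitive" if f.transitive else "direct"
        print(f"{f.project} [{f.tfm}] {f.package} {f.resolved} {f.severity} {f.advisory} ({kind})")
    sys.exit(0 if passes_gate(SAMPLE_VULNERABLE) else 1)
```

In a pipeline, feed the command's captured stdout to `passes_gate` instead of the sample; the parser keys off the row prefix and the severity column rather than column positions, so the variable padding the SDK uses between columns does not matter.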
… pre-pipeline regen

When commits 566b262 + 3000897 routed the Pallet measurement subclasses through the rich `MeasurementModel` pipeline (the same shape CuttingTools measurements have used since v1.x), the new `Pallets.Measurement.scriban` template intentionally dropped the `public new const string DescriptionText` field — Pallet measurements derive from the typed `Measurement` base partial and have no consumer reaching for a static DescriptionText on the subclass (`grep -r '\(Height\|Length\|Width\|Swing\|Weight\)Measurement\.DescriptionText' libraries/ tests/` returns empty).

The ten subclass .g.cs files (`HeightMeasurement`, `LengthMeasurement`, `WidthMeasurement`, `SwingMeasurement`, `WeightMeasurement` and their `Loaded*` counterparts) kept the field as a left-over context line because the parent commit's regen happened with stale on-disk .g.cs that still carried the field, and the `300089753` patch only added the new `TypeId` / `CodeId` / ctor scaffolding above it. A fresh regen against the current `Pallets.Measurement.scriban` template strips the field cleanly. Confirmed byte-identical output between Scriban 7.1.0 and 7.2.0, so the cleanup is independent of any version bump.

`AssetCountDataItem.g.cs` and `InterfaceStateDataItem.g.cs` carry trailing-whitespace and final-newline normalisations that the same fresh regen produces — same root cause (stale on-disk text from older Scriban runs).

`dotnet build MTConnect.NET.sln --configuration Debug` completes clean (0 errors, 353 warnings — unchanged from baseline).
7.2.0 is the latest stable; dependabot opened the same bump as TrakHound#163 against master (covers the lone build-time consumer under `build/MTConnect.NET-SysML-Import/`). Adopt 7.2.0 here so TrakHound#149's deps sweep closes the same advisory window that TrakHound#163 targets, then close TrakHound#163 in favour.

Output reproducibility: regenerated the .g.cs tree under Scriban 7.1.0 then under 7.2.0 against the same v2.7 XMI snapshot (`/tmp/mtconnect-sysml` at tag `v2.7`) — diff between the two `libraries/` trees is empty (`git diff` confirms byte-identical output). The 12-file drift the parent commit scrubs is independent of the version bump.

`dotnet build MTConnect.NET.sln --configuration Debug` continues to complete with 0 errors / 353 warnings after the bump.
db007b8 to f3b4ce0
ottobolyos added a commit to ottobolyos/mtconnect.net that referenced this pull request May 21, 2026
git rerere captured the HTTP-Tests dependency-version resolution from the first merge attempt but not the 'modify/delete' resolution for the renamed IntegrationTests project, so the second refresh kept the old tests/IntegrationTests/ tree alongside the renamed tests/MTConnect.NET-Integration-Tests/. Both paths in the tree confuse the Release build (CSC reads devices-tpl.xml from the old path even though it's only in the new path on disk). Integration-branch hygiene only — TrakHound#149 itself still references the old path against master, which is correct until TrakHound#150 merges first; the union here is just enforcing the post-TrakHound#150 layout for E2E.
ottobolyos added a commit to ottobolyos/mtconnect.net that referenced this pull request May 21, 2026
First-pass conflict resolution kept HEAD's (TrakHound#149 deps-update) version of MTConnect.NET-HTTP-Tests.csproj which carried newer Test.Sdk + NUnit + coverlet pins but lost the second ProjectReference that test/coverage-and-compliance added when it lifted the per-test AgentRunner host into a shared MTConnect.NET-Tests-Agents project. The HTTP-Tests files (HttpClientFixture.cs, SampleStream.cs) consume `MTConnect.Tests.Agents.AgentRunner` from that project; without the ProjectReference the project no longer compiles. Re-add the Tests-Agents ProjectReference while keeping TrakHound#149's newer dep versions. Integration-branch hygiene only — the actual fix needs to land in TrakHound#150 when the deps bumps eventually reach it.
Closes #126.
Closes #163.
Summary
Bumps Scriban (the SysML importer's templating engine) from 5.9.0 to 7.2.0 and supersedes Dependabot's mechanical 5.9.0 -> 7.0.0 bump in #126 and the follow-up 7.2.0 bump in #163, sweeping the test-infrastructure packages that Dependabot left out at the same time.
- build(sysml-import): bump Scriban 5.9.0 -> 7.2.0. Closes 1 critical + 7 high + 3 moderate advisories on the 5.x line. Dependabot can only edit the `<PackageReference Version="...">` value; this PR also carries the matching SysML re-import against 7.2.0's template engine so the generated `.g.cs` outputs stay in lock-step with the bump (commits 9243a75f + f3b4ce05).
- build(repo): bump `Microsoft.NET.Test.Sdk` to 17.14.1 across the five test projects (latest stable 17.x; 18.x intentionally skipped pending a separate evaluation).
- build(repo): bump `coverlet.collector` to 6.0.4 across the five test projects (latest stable 6.x).
- build(repo): bump `NUnit` to 3.14.0 across the four NUnit test projects. NUnit stays on the 3.x line; the 4.x major rewrite (Assert.That syntax overhaul) is deferred to a dedicated migration PR.
- build(repo): bump `NUnit3TestAdapter` to 4.6.0 across the four NUnit test projects (latest stable 4.x).
- build(repo): pin `System.Text.Json` 8.0.5 on `netstandard2.0`/`net48` in the MQTT projects to clear the F-S-H2 transitive High advisory chain.
- build(integration-tests): pin transitive package versions to clear remaining High advisories on the integration-tests project (F-S-H4, F-Si-L14).