chore(deps): defer .NET 10 major bumps in Dependabot (#25)

Pomdapis · sacha · web-flow · commit 271f8e1297ef · 2026-04-26T16:49:48.000+02:00
## Summary Closes Dependabot's open .NET-10-major bumps (#8 microsoft-extensions, #9 serilog) until Nexus (downstream consumer) is also ready to move. ## Why Both PRs failed CI with NU1605 — bumping Microsoft.Extensions.* / Serilog.Settings.Configuration to 10.x pulls transitive System.Text.Json 10.x, but the project pins on .NET 9 runtime (System.Text.Json 9.0.0). To accept the bump cleanly we'd need to pin System.Text.Json explicitly to 10.x, which crosses framework lines. ## Scope Adds an \`ignore\` block to the NuGet update group: \`\`\`yaml ignore: - dependency-name: "Microsoft.Extensions.*" update-types: ["version-update:semver-major"] - dependency-name: "Microsoft.AspNetCore.*" update-types: ["version-update:semver-major"] - dependency-name: "Serilog.Settings.Configuration" update-types: ["version-update:semver-major"] - dependency-name: "System.Text.Json" update-types: ["version-update:semver-major"] \`\`\` Patch and minor bumps stay enabled. \`Microsoft.AspNetCore.Mvc.Testing 9.0.x\` patches will still flow. ## Follow-up Lift this when Nexus also moves to .NET 10. Tracked informally for now; convert to a roadmap-input issue if useful. --------- Co-authored-by: sacha <sacha@scojhconsult.com>
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -11,6 +11,18 @@ updates:
     open-pull-requests-limit: 5
     reviewers:
       - "Pomdapis"
+    # Defer .NET 10 major bumps until Nexus (downstream consumer) is also
+    # ready to move; otherwise transitive System.Text.Json / Configuration.Binder
+    # downgrades break the build (NU1605). Lift this once Nexus pins .NET 10.
+    ignore:
+      - dependency-name: "Microsoft.Extensions.*"
+        update-types: ["version-update:semver-major"]
+      - dependency-name: "Microsoft.AspNetCore.*"
+        update-types: ["version-update:semver-major"]
+      - dependency-name: "Serilog.Settings.Configuration"
+        update-types: ["version-update:semver-major"]
+      - dependency-name: "System.Text.Json"
+        update-types: ["version-update:semver-major"]
     groups:
       microsoft-extensions:
         patterns:
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -50,6 +50,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Changed
 
 - CodeQL Default Setup switched from `default` to `extended` query suite — adds maintainability/quality queries on top of security (csharp + actions).
+- Dependabot now skips semver-major bumps on `Microsoft.Extensions.*`, `Microsoft.AspNetCore.*`, `Serilog.Settings.Configuration`, and `System.Text.Json` until the project moves to .NET 10 alongside Nexus (#25). Patch and minor bumps continue to flow.
 
 ### Security
 
