chore(deps): defer .NET 10 major bumps in Dependabot #25
Merged
added 3 commits
April 26, 2026 15:53
PR #23 incorrectly bumped CHANGELOG to [1.0.0-preview.2] - 2026-04-26 with the quality-sweep entries, but tag v1.0.0-preview.2 was already cut on 2026-04-25 from a different commit set (PRs #1-7) and published to nuget.org.

This commit:
- Rewrites [1.0.0-preview.2] - 2026-04-25 with the actual published content (Adapters.Shared, OSS governance, security fixes #1-3, Dependabot bumps #4-7) — derived from the auto-generated GitHub release notes for v1.0.0-preview.2.
- Adds [1.0.0-preview.3] - 2026-04-26 with everything since v1.0.0-preview.2: documentation buildout (#14, #15, #17, #20-22), CodeQL extended query suite, softprops/action-gh-release SHA pin (#16, alert #28).

After merge, tag v1.0.0-preview.3 will be cut to publish.
# Conflicts: # CHANGELOG.md
Microsoft.Extensions.* 10.x and Serilog.Settings.Configuration 10.x pull in transitive System.Text.Json 10.x, which breaks the .NET 9 pin with NU1605 (package downgrade detected). Need to coordinate the major bump with Nexus (downstream consumer) before flipping the framework.

Until then, ignore semver-major bumps on:
- Microsoft.Extensions.*
- Microsoft.AspNetCore.*
- Serilog.Settings.Configuration
- System.Text.Json

Patch and minor bumps stay enabled. Lift this once Nexus is on .NET 10.

Closes the open Dependabot major bumps (#8, #9) which would have required corresponding pin work to merge cleanly.
Pull request overview
Defers Dependabot’s .NET 10 major NuGet update PRs until the downstream consumer (Nexus) is ready, to avoid NU1605 downgrade failures while staying on .NET 9.
Changes:
- Add Dependabot `ignore` rules to block semver-major updates for selected .NET 10–driving packages/groups.
- Update `CHANGELOG.md` with a new `1.0.0-preview.3` section, adjust dates, and update release links.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| `.github/dependabot.yml` | Adds ignore entries to suppress .NET 10 major bumps while allowing minor/patch updates. |
| `CHANGELOG.md` | Adds/adjusts preview release entries and updates the [Unreleased] comparison link and new tag link. |
Summary
Closes Dependabot's open .NET-10-major bumps (#8 microsoft-extensions, #9 serilog) until Nexus (downstream consumer) is also ready to move.
Why
Both PRs failed CI with NU1605 — bumping Microsoft.Extensions.* / Serilog.Settings.Configuration to 10.x pulls transitive System.Text.Json 10.x, but the project pins on .NET 9 runtime (System.Text.Json 9.0.0). To accept the bump cleanly we'd need to pin System.Text.Json explicitly to 10.x, which crosses framework lines.
Scope
Adds an `ignore` block to the NuGet update group:
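```yaml
ignore:
  - dependency-name: "Microsoft.Extensions.*"
    update-types: ["version-update:semver-major"]
  - dependency-name: "Microsoft.AspNetCore.*"
    update-types: ["version-update:semver-major"]
  - dependency-name: "Serilog.Settings.Configuration"
    update-types: ["version-update:semver-major"]
  - dependency-name: "System.Text.Json"
    update-types: ["version-update:semver-major"]
```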
Patch and minor bumps stay enabled. `Microsoft.AspNetCore.Mvc.Testing 9.0.x` patches will still flow.
Follow-up
Lift this when Nexus also moves to .NET 10. Tracked informally for now; convert to a roadmap-input issue if useful.
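
A simplified model of how the ignore rules above partition incoming bumps, useful for listing what is being held back until the ignore is lifted. This is an added example, not part of the PR or of Dependabot's own code; the matching logic (glob on package name, comparison of the numeric core version) and the sample versions are assumptions.

```python
from fnmatch import fnmatchcase

# Package patterns as named in this PR's commit message.
IGNORE_NAMES = ("Microsoft.Extensions.*", "Microsoft.AspNetCore.*",
                "Serilog.Settings.Configuration", "System.Text.Json")
IGNORE_RULES = [{"dependency-name": n, "update-types": ["version-update:semver-major"]}
                for n in IGNORE_NAMES]

def core_version(version):
    """Return (major, minor, patch), dropping prerelease/build suffixes."""
    core = version.split("+", 1)[0].split("-", 1)[0]
    parts = [int(p) for p in core.split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def update_type(current, candidate):
    """Classify a bump using the update-type strings from dependabot.yml."""
    cur, new = core_version(current), core_version(candidate)
    for index, level in enumerate(("major", "minor", "patch")):
        if new[index] != cur[index]:
            return "version-update:semver-" + level
    return None  # same core version, e.g. a prerelease-only change

def is_ignored(name, current, candidate, rules=IGNORE_RULES):
    """True when a rule matches both the package name and the bump's update type."""
    kind = update_type(current, candidate)
    return any(
        fnmatchcase(name, rule["dependency-name"]) and kind in rule["update-types"]
        for rule in rules
    )

def deferred(bumps, rules=IGNORE_RULES):
    """List the bumps the rules hold back, for tracking until the ignore is lifted."""
    return [b for b in bumps if is_ignored(*b, rules=rules)]

# Constructed sample bumps (name, current, candidate); versions are illustrative.
SAMPLE_BUMPS = [
    ("Microsoft.Extensions.Logging", "9.0.4", "10.0.0"),
    ("Serilog.Settings.Configuration", "9.0.0", "10.0.0"),
    ("Microsoft.AspNetCore.Mvc.Testing", "9.0.4", "9.0.5"),
    ("System.Text.Json", "9.0.0", "9.1.0"),
    ("Serilog", "4.0.0", "5.0.0"),
]

if __name__ == "__main__":
    for bump in deferred(SAMPLE_BUMPS):
        print("deferred:", *bump)
```

Only the first two sample bumps are deferred: the patch and minor bumps pass through, and `Serilog` itself is not covered by the `Serilog.Settings.Configuration` rule.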