Skip to content

Bump test dependencies to resolve System.Net.Http vulnerability, update workflows and README#692

Merged
HarithaVattikuti merged 4 commits into
actions:mainfrom
priya-kinthali:deps-workflow-readme-updates
Jan 13, 2026
Merged

Bump test dependencies to resolve System.Net.Http vulnerability, update workflows and README#692
HarithaVattikuti merged 4 commits into
actions:mainfrom
priya-kinthali:deps-workflow-readme-updates

Conversation

@priya-kinthali
Copy link
Copy Markdown
Contributor

@priya-kinthali priya-kinthali commented Dec 23, 2025

Description:
This PR includes:

  • Bumps test dependencies in __tests__/e2e-test-csproj/test.csproj to their latest available versions:

    • Microsoft.NET.Test.Sdk from 15.5.0-preview-20170810-02 to 18.0.1.
    • MSTest.TestAdapter from 1.1.18 to 4.0.2.
    • MSTest.TestFramework from 1.1.18 to 4.0.2.

  • Updates workflow configuration for improved clarity and removes references to older .NET versions.

  • Updates the README:

    • Removes references for deprecated .NET versions.
    • Bumps actions/checkout from 5 to 6.
    • Adds a note recommending the use of pwsh or bash when generating a temporary global.json on Windows to avoid formatting issues.

Related issues:
#676
#683

Check list:

  • Mark if documentation changes are required.
  • Mark if tests were added or updated to cover the changes.
Copilot AI review requested due to automatic review settings December 23, 2025 09:17
@priya-kinthali priya-kinthali requested a review from a team as a code owner December 23, 2025 09:17
Copilot AI reviewed Dec 23, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR addresses a security vulnerability (CVE-2018-8292) in the transitive dependency System.Net.Http 4.3.0 by upgrading test dependencies to their latest versions, and resolves documentation issues related to Windows CMD shell formatting of global.json files. The changes include comprehensive version updates throughout test files and workflows to use .NET 8.0, 9.0, and 10.0.

Key Changes:

  • Upgraded test dependencies: Microsoft.NET.Test.Sdk to 18.0.1, MSTest.TestAdapter and MSTest.TestFramework to 4.0.2, successfully eliminating the System.Net.Http 4.3.0 vulnerability
  • Updated all test files and workflows from .NET 6.0/7.0 references to 9.0/10.0 for current relevance
  • Consolidated workflow test jobs to reduce duplication while maintaining comprehensive coverage across all supported operating systems
  • Added documentation note about Windows shell requirements for global.json generation

Reviewed changes

Copilot reviewed 10 out of 10 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
__tests__/e2e-test-csproj/test.csproj Updated test dependencies to latest secure versions (Microsoft.NET.Test.Sdk 18.0.1, MSTest packages 4.0.2)
__tests__/e2e-test-csproj/packages.lock.json Regenerated lock file with updated dependencies targeting net10.0, removing vulnerable System.Net.Http 4.3.0
__tests__/e2e-test-csproj/Test.cs Fixed assertion parameter order to follow MSTest conventions (expected, actual)
__tests__/e2e-test-csproj/AssemblyInfo.cs Added DoNotParallelize attribute for sequential test execution
__tests__/verify-dotnet.ps1 Added support for .NET 10.0 framework mapping
__tests__/setup-dotnet.test.ts Updated test version references from 6.0 to 10.0
__tests__/installer.test.ts Updated test version references from 3.1/6.0 to 10.0 for consistency
README.md Updated actions/checkout from v5 to v6, version examples to 8.0/9.0/10.0, and added Windows shell guidance
.github/workflows/test-dotnet.yml Updated matrix to test .NET 8.0, 9.0, 10.0 instead of 6.0, 7.0, 8.0, 9.0
.github/workflows/e2e-tests.yml Consolidated test jobs and updated versions to 9.0/10.0, expanding OS matrix to include ubuntu-latest and macos-latest

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment thread README.md Outdated
@priya-kinthali priya-kinthali self-assigned this Dec 23, 2025
aparnajyothi-y
aparnajyothi-y previously approved these changes Dec 29, 2025
View reviewed changes
@HarithaVattikuti HarithaVattikuti merged commit baa11fb into actions:main Jan 13, 2026
104 checks passed
This was referenced Jan 21, 2026
Closed
Closed
mergify Bot added a commit to ArcadeData/arcadedb that referenced this pull request May 3, 2026
@mergify
chore(deps): bump actions/setup-dotnet from 4.3.1 to 5.2.0 [skip ci]
f0474ec 
Bumps [actions/setup-dotnet](https://github.com/actions/setup-dotnet) from 4.3.1 to 5.2.0.
Release notes

*Sourced from [actions/setup-dotnet's releases](https://github.com/actions/setup-dotnet/releases).*

> v5.2.0
> ------
>
> What's changed
> --------------
>
> ### Enhancements
>
> * Add support for workloads input by [`@​gowridurgad`](https://github.com/gowridurgad) in [actions/setup-dotnet#693](https://redirect.github.com/actions/setup-dotnet/pull/693)
> * Add support for optional architecture input for cross-architecture .NET installs by [`@​priya-kinthali`](https://github.com/priya-kinthali) in [actions/setup-dotnet#700](https://redirect.github.com/actions/setup-dotnet/pull/700)
>
> ### Dependency Updates
>
> * Upgrade fast-xml-parser from 4.4.1 to 5.3.6 by [`@​dependabot`](https://github.com/dependabot) in [actions/setup-dotnet#671](https://redirect.github.com/actions/setup-dotnet/pull/671)
> * Upgrade minimatch from 3.1.2 to 3.1.5 by [`@​dependabot`](https://github.com/dependabot) in [actions/setup-dotnet#705](https://redirect.github.com/actions/setup-dotnet/pull/705)
>
> **Full Changelog**: <actions/setup-dotnet@v5...v5.2.0>
>
> v5.1.0
> ------
>
> What's Changed
> --------------
>
> ### Documentation
>
> * Readme update for environment variable on self hosted linux runners by [`@​priya-kinthali`](https://github.com/priya-kinthali) in [actions/setup-dotnet#689](https://redirect.github.com/actions/setup-dotnet/pull/689)
> * Contributor icon updates by [`@​Falco20019`](https://github.com/Falco20019) in [actions/setup-dotnet#604](https://redirect.github.com/actions/setup-dotnet/pull/604)
>
> ### Dependency updates
>
> * Upgrade actions/checkout from 5 to 6 by [`@​dependabot`](https://github.com/dependabot) in [actions/setup-dotnet#684](https://redirect.github.com/actions/setup-dotnet/pull/684)
> * Upgrade to latest actions packages by [`@​salmanmkc`](https://github.com/salmanmkc) in [actions/setup-dotnet#687](https://redirect.github.com/actions/setup-dotnet/pull/687)
> * Upgrade dependencies in testproject and checkout in Readme by [`@​priya-kinthali`](https://github.com/priya-kinthali) in [actions/setup-dotnet#692](https://redirect.github.com/actions/setup-dotnet/pull/692)
>
> New Contributors
> ----------------
>
> * [`@​priya-kinthali`](https://github.com/priya-kinthali) made their first contribution in [actions/setup-dotnet#689](https://redirect.github.com/actions/setup-dotnet/pull/689)
> * [`@​Falco20019`](https://github.com/Falco20019) made their first contribution in [actions/setup-dotnet#604](https://redirect.github.com/actions/setup-dotnet/pull/604)
>
> **Full Changelog**: <actions/setup-dotnet@v5...v5.1.0>
>
> v5.0.1
> ------
>
> What's Changed
> --------------
>
> * Upgrade typescript from 5.4.2 to 5.9.2 and document breaking changes in v5 by [`@​dependabot`](https://github.com/dependabot) in [actions/setup-dotnet#624](https://redirect.github.com/actions/setup-dotnet/pull/624)
> * Upgrade eslint-plugin-jest from 27.9.0 to 29.0.1 by [`@​dependabot`](https://github.com/dependabot) in [actions/setup-dotnet#648](https://redirect.github.com/actions/setup-dotnet/pull/648)
> * Upgrade actions/publish-action from 0.3.0 to 0.4.0 and update macos-13 to macos-15-intel by [`@​dependabot`](https://github.com/dependabot) in [actions/setup-dotnet#665](https://redirect.github.com/actions/setup-dotnet/pull/665)
>
> **Full Changelog**: <actions/setup-dotnet@v5...v5.0.1>
>
> v5.0.0
> ------
>
> What's Changed
> --------------
>
> ### Breaking Changes
>
> * Upgrade to Node.js 24 and modernize async usage by [`@​salmanmkc`](https://github.com/salmanmkc) in [actions/setup-dotnet#654](https://redirect.github.com/actions/setup-dotnet/pull/654)
>
> Make sure your runner is updated to this version or newer to use this release. v2.327.1 [Release Notes](https://github.com/actions/runner/releases/tag/v2.327.1)
>
> ### Dependency Updates

... (truncated)


Commits

* [`c2fa09f`](actions/setup-dotnet@c2fa09f) Bump minimatch from 3.1.2 to 3.1.5 ([#705](https://redirect.github.com/actions/setup-dotnet/issues/705))
* [`02574b1`](actions/setup-dotnet@02574b1) Add support for optional architecture input for cross-architecture .NET insta...
* [`16c7b3c`](actions/setup-dotnet@16c7b3c) Bump fast-xml-parser from 4.4.1 to 5.3.6 ([#671](https://redirect.github.com/actions/setup-dotnet/issues/671))
* [`131b410`](actions/setup-dotnet@131b410) Add support for workloads input ([#693](https://redirect.github.com/actions/setup-dotnet/issues/693))
* [`baa11fb`](actions/setup-dotnet@baa11fb) Bump test dependencies to resolve System.Net.Http vulnerability, update workf...
* [`24ec4f2`](actions/setup-dotnet@24ec4f2) Upgrade to latest actions packages ([#687](https://redirect.github.com/actions/setup-dotnet/issues/687))
* [`4c100cb`](actions/setup-dotnet@4c100cb) Fix icons ([#604](https://redirect.github.com/actions/setup-dotnet/issues/604))
* [`25328d8`](actions/setup-dotnet@25328d8) Bump actions/checkout from 5 to 6 ([#684](https://redirect.github.com/actions/setup-dotnet/issues/684))
* [`937b8dd`](actions/setup-dotnet@937b8dd) Update README with note on setting DOTNET\_INSTALL\_DIR for Linux permission is...
* [`2016bd2`](actions/setup-dotnet@2016bd2) Bump actions/publish-action from 0.3.0 to 0.4.0 and update macos-13 to macos-...
* Additional commits viewable in [compare view](actions/setup-dotnet@67a3573...c2fa09f)
  
[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility\_score?dependency-name=actions/setup-dotnet&package-manager=github\_actions&previous-version=4.3.1&new-version=5.2.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
Dependabot commands and options
  
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show  ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
@YumNumm YumNumm mentioned this pull request May 12, 2026
Closed
@github-actions github-actions Bot mentioned this pull request May 18, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

5 participants

@priya-kinthali @HarithaVattikuti @aparnajyothi-y @mahabaleshwars