Refactor project dependencies #2696

martincostello · 2025-08-12T10:20:15Z

Split dependencies into groups to make management easier.
Remove MSBuild variables for versions.
Fix samples using .NET 8 instead of 9.
Remove redundant properties.
Sort some properties.
Update test behaviour for Microsoft.Extensions.TimeProvider.Testing upgrade due to changes in Respect AutoAdvance for GetTimestamp in FakeTimeProvider dotnet/extensions#5783.

Resolves dependabot alerts for CVE-2024-30105 and CVE-2024-43485 in the DependencyInjection sample.

- Split dependencies into groups to make management easier. - Remove MSBuild variables for versions. - Fix samples using .NET 8 instead of 9. - Remove redundant properties. - Sort some properties. - Update test behaviour for Microsoft.Extensions.TimeProvider.Testing upgrade due to changes in dotnet/extensions#5783.

Copilot

Pull Request Overview

This PR refactors project dependencies to improve maintainability and security, splitting dependencies into logical groups while removing MSBuild variables for version management. The changes standardize all sample projects to use .NET 9.0 and move common properties to Directory.Build.props files.

Consolidates common project properties into Directory.Build.props files
Updates sample projects from .NET 8.0 to .NET 9.0 for consistency
Removes MSBuild variables and replaces them with explicit version declarations

Reviewed Changes

Copilot reviewed 14 out of 14 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
test/Polly.Core.Tests/Retry/RetryResilienceStrategyTests.cs	Updates test to use standard FakeTimeProvider instead of custom throwing implementation
samples//.csproj	Removes redundant project properties that are now inherited from Directory.Build.props
samples/Directory.Build.props	Adds common properties like ImplicitUsings and Nullable, sorts properties alphabetically
Directory.Packages.props	Removes MSBuild variables and replaces with explicit version declarations grouped by purpose
Directory.Build.props	Adds ManagePackageVersionsCentrally property
.github/dependabot.yml	Adds Polly package grouping for dependabot updates

samples/Intro.FSharp/Program.fs

codecov · 2025-08-12T10:24:44Z

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 96.23%. Comparing base (a4b66fb) to head (96f1f6f).
⚠️ Report is 1 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #2696   +/-   ##
=======================================
  Coverage   96.23%   96.23%           
=======================================
  Files         311      311           
  Lines        7322     7322           
  Branches     1012     1012           
=======================================
  Hits         7046     7046           
  Misses        222      222           
  Partials       54       54

Flag	Coverage Δ
linux	`96.23% <ø> (ø)`
macos	`96.23% <ø> (ø)`
windows	`96.22% <ø> (ø)`

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

martincostello · 2025-08-12T10:36:50Z

Manually verified the versions referenced by the various TGMs in the NuGet packages haven't been changed.

Fix xpath to get the previous release veresion broken by #2696.

Updated [Polly](https://github.com/App-vNext/Polly) from 8.6.2 to 8.6.3. <details> <summary>Release notes</summary> _Sourced from [Polly's releases](https://github.com/App-vNext/Polly/releases)._ ## 8.6.3 ## What's Changed * Add release notes configuration by @martincostello in App-vNext/Polly#2678 * Simplify release workflow by @martincostello in App-vNext/Polly#2679 * Sign-off commits by @martincostello in App-vNext/Polly#2694 * Add GitHub sponsorship by @martincostello in App-vNext/Polly#2695 * Refactor project dependencies by @martincostello in App-vNext/Polly#2696 * Add zizmor by @martincostello in App-vNext/Polly#2698 * Update benchmarks by @martincostello in App-vNext/Polly#2712 * Reduce async overhead by @pentp in App-vNext/Polly#2664 * Update benchmarks by @martincostello in App-vNext/Polly#2713 ## New Contributors * @pentp made their first contribution in App-vNext/Polly#2664 **Full Changelog**: App-vNext/Polly@8.6.2...8.6.3 Commits viewable in [compare view](App-vNext/Polly@8.6.2...8.6.3). </details> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=Polly&package-manager=nuget&previous-version=8.6.2&new-version=8.6.3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Updated [Polly](https://github.com/App-vNext/Polly) from 8.6.1 to 8.6.3. <details> <summary>Release notes</summary> _Sourced from [Polly's releases](https://github.com/App-vNext/Polly/releases)._ ## 8.6.3 ## What's Changed * Add release notes configuration by @martincostello in App-vNext/Polly#2678 * Simplify release workflow by @martincostello in App-vNext/Polly#2679 * Sign-off commits by @martincostello in App-vNext/Polly#2694 * Add GitHub sponsorship by @martincostello in App-vNext/Polly#2695 * Refactor project dependencies by @martincostello in App-vNext/Polly#2696 * Add zizmor by @martincostello in App-vNext/Polly#2698 * Update benchmarks by @martincostello in App-vNext/Polly#2712 * Reduce async overhead by @pentp in App-vNext/Polly#2664 * Update benchmarks by @martincostello in App-vNext/Polly#2713 ## New Contributors * @pentp made their first contribution in App-vNext/Polly#2664 **Full Changelog**: App-vNext/Polly@8.6.2...8.6.3 ## 8.6.2 ## What's Changed * Performance tweaks by @martincostello in App-vNext/Polly#2667 * Update dependencies by @martincostello in App-vNext/Polly#2668 * Update benchmark results by @martincostello in App-vNext/Polly#2669 ## New Contributors * @pentp made their first contribution in App-vNext/Polly#2667 **Full Changelog**: App-vNext/Polly@8.6.1...8.6.2 Commits viewable in [compare view](App-vNext/Polly@8.6.1...8.6.3). </details> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=Polly&package-manager=nuget&previous-version=8.6.1&new-version=8.6.3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Copilot AI review requested due to automatic review settings August 12, 2025 10:20

martincostello added enhancement dependencies Pull requests that update a dependency file .NET Pull requests that update .NET code labels Aug 12, 2025

Copilot AI reviewed Aug 12, 2025

View reviewed changes

samples/Intro.FSharp/Program.fs Show resolved Hide resolved

martincostello merged commit 8eee77a into main Aug 12, 2025
27 checks passed

martincostello deleted the fix-dependabot-alerts branch August 12, 2025 10:36

martincostello added a commit that referenced this pull request Aug 22, 2025

Fix bump-version.ps1

07cef2a

Fix xpath to get the previous release veresion broken by #2696.

martincostello mentioned this pull request Aug 22, 2025

Fix after-release and update CHANGELOG #2714

Merged

dependabot bot mentioned this pull request Aug 22, 2025

Bump Polly from 8.6.2 to 8.6.3 jamesmoore/SDMeta#430

Merged

martincostello added a commit that referenced this pull request Aug 22, 2025

Fix bump-version.ps1

ce13dba

Fix xpath to get the previous release veresion broken by #2696.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Refactor project dependencies #2696

Refactor project dependencies #2696

Uh oh!

martincostello commented Aug 12, 2025

Uh oh!

Copilot AI left a comment

Uh oh!

Uh oh!

codecov bot commented Aug 12, 2025 •

edited

Loading

Uh oh!

martincostello commented Aug 12, 2025

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Refactor project dependencies #2696

Refactor project dependencies #2696

Uh oh!

Conversation

martincostello commented Aug 12, 2025

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull Request Overview

Reviewed Changes

Uh oh!

Uh oh!

codecov bot commented Aug 12, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

martincostello commented Aug 12, 2025

Uh oh!

Uh oh!

Uh oh!

codecov bot commented Aug 12, 2025 •

edited

Loading