feat(ci): add Dependabot NuGet configuration for net481-safe dependency updates#341
Merged
Merged
Conversation
- Add .github/dependabot.yml with weekly NuGet ecosystem updates - Group dependencies by type: analyzers, test frameworks, Microsoft packages, Graph/Identity/Telemetry - Apply semver-major ignore rules for .NET Framework 4.8.1 compatibility protection - Document configuration rationale, directory scoping, and post-merge verification in README Refs: #340
…upport Records the policy-audit, code-review, and feature-audit produced by the feature-review pass (zero blocking findings) so the branch's audit trail is complete before merge. Refs: #340
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Suggested title
feat(ci): add Dependabot NuGet configuration for net481-safe dependency updates
Summary
.github/dependabot.yml, enabling thenugetpackage ecosystem across all 16packages.configproject directories viadirectories: ["/*"].semver-major-scopedignoresafety net on eight Microsoft.NET-runtime-aligned package families (Microsoft.Extensions.*,Microsoft.Bcl.*,System.Text.Json,System.Drawing.Common,Microsoft.Graph*,Apache.Arrow*,Microsoft.Data.Analysis,Microsoft.ML*) so automated updates cannot introduce a.NET Framework 4.8.1(net481) incompatibility; minor/patch updates, including security patches, are unaffected.analyzers-dev-deps,test-frameworks,microsoft-extensions-and-bcl,graph-identity-telemetry) so shared-package updates arrive as one PR per group instead of one PR per directory.open-pull-requests-limit: 10.README.mdsection, "Dependency updates (Dependabot)", documenting the configuration and its rationale, with a corresponding## Contentsentry.docs/features/active/2026-07-16-dependabot-net481-support-340/and a task-researcher memory entry..cs/.csprojfiles are touched; no target-framework-moniker element changes.Why
The repository has no automated dependency-update tooling. NuGet package versions across all 16
packages.config-based project directories are updated manually, so known-vulnerable or stale dependency versions can persist unnoticed (user-story.md, Problem/Why).Every production project is fixed to
.NET Framework 4.8.1. Any automation introduced to solve the staleness problem must not itself become a source of framework-incompatible breakage, since the maintainer has no path to move these projects offnet481in the near term (user-story.md, Problem/Why). Dependabot has no native "TFM-aware ignore" primitive; per the feature's research, no currently-published version of any package referenced in this repo's 16packages.configfiles has droppednet481support — a verified negative finding, not an assumption — so the compatibility safety net is implemented as asemver-major-scopedignorerule set on the Microsoft.NET-runtime-aligned package families (spec.md, Constraints & Risks).Dependabot's NuGet updater is documented to be unable to update an indirect/transitive dependency independently of its parent, and
packages.configcarries no lockfile, which further motivates the grouped, ignore-scoped configuration rather than an unconstrained one (spec.md, Behavior).What Changed
CI / tooling configuration
.github/dependabot.yml(new, 62 lines):version: 2; oneupdates:entry withpackage-ecosystem: "nuget";directories: ["/*"];schedule.interval: "weekly";open-pull-requests-limit: 10; fourgroupsbuckets usingpatternsandgroup-by: "dependency-name"; anignorelist scoping eight Microsoft.NET-runtime-aligned package families toupdate-types: ["version-update:semver-major"].Documentation
README.md: new "Dependency updates (Dependabot)" section (per spec AC-12) plus a corresponding## Contentsentry.Feature planning/process artifacts (docs/features/active/2026-07-16-dependabot-net481-support-340/)
issue.md,spec.md,user-story.md,plan.2026-07-16T15-56.md,research/2026-07-16T16-10-dependabot-net481-support-research.md.evidence/baseline/,evidence/qa-gates/,evidence/other/— baseline capture, AC-2/AC-4/AC-10/YAML-validity check evidence, and the AC-5/AC-11 deferred-note and plan-completion-summary records..claude/agent-memory/task-researcher/MEMORY.mdandproject_dependabot_net481_340.md— task-researcher memory entry for this feature.No
.cs,.csproj,.props, or.targetsfiles are added or modified.Architecture / How It Fits Together
.github/dependabot.ymlis consumed directly by GitHub's hosted Dependabot service; there is no in-repo code path or entry point involved. The singlenugetecosystem entry scans every top-level directory (directories: ["/*"]) forpackages.configfiles, applies theignoresafety net when evaluating candidate versions, buckets matching packages into the fourgroups, and opens grouped pull requests on the configured weekly schedule, capped at 10 concurrently open PRs. TheREADME.mdsection is documentation only and does not change any runtime or build behavior.Verification
Completed (from plan/evidence artifacts in this feature folder):
.github/dependabot.ymldid not exist prior to this change;README.mdhad noDependency updates (Dependabot)entry (plan P0-T4, P0-T5;evidence/baseline/pre-change-state.2026-07-16T15-56.md).packages.configdirectory enumeration performed (Get-ChildItem -Path . -Filter packages.config -Recurse) and recorded as evidence supporting AC-3/AC-4 (evidence/qa-gates/ac4-packages-config-enumeration.2026-07-16T15-56.md).python -c "import yaml; yaml.safe_load(...)") (evidence/qa-gates/yaml-validity.2026-07-16T15-56.md).nugetupdate entry against the Dependabot v2 options reference (evidence/qa-gates/ac2-schema-structure-review.2026-07-16T15-56.md)..csproj/TFM-declaring element modifications (evidence/qa-gates/ac10-diff-review.2026-07-16T15-56.md).spec.mdanduser-story.md.Recommended (not part of this PR's automated toolchain — config/documentation-only change; no C# code, so the CSharpier/analyzer/nullable/MSTest toolchain does not apply):
Backward Compatibility / Migration Notes
.csprojcontent is modified (AC-10).Risks and Mitigations
directories: ["/*"]glob could under-match relative to an explicit 16-entry directory list, leaving somepackages.configdirectories unscanned.Mitigation: AC-5 is a pre-decided fallback: if the post-merge AC-11 check shows Dependabot scanning fewer directories than expected, the config is corrected in a follow-up commit to an explicit 16-entry
directories:list, removing the glob. This is documented as the only acceptable resolution path (spec.md, AC-5) and is intentionally deferred rather than blocking this merge..NET Framework 4.8.1support, which the project cannot recover from without an out-of-scope framework migration.Mitigation: The
ignorelist scopes eight Microsoft.NET-runtime-aligned package families tosemver-majorupdates only; per the feature's research, no currently-published version of any referenced package has droppednet481support (a verified negative finding). Minor/patch updates, including security patches, remain unaffected (AC-6, AC-7).Mitigation: Recorded as a deferred, tracked item in the feature's evidence (
ac5-ac11-deferred-note.2026-07-16T15-56.md); orchestrator-resolved as a non-blocking scope change. The feature is not considered fully verified until AC-11 passes or the AC-5 fallback has been applied and re-checked.Review Guide
Suggested order:
.github/dependabot.yml— the sole functional change; reviewdirectories,ignore,groups, andschedulevalues againstspec.mdAC-1–AC-9.README.md— new documentation section; confirm it matches AC-12's required content points.docs/features/active/2026-07-16-dependabot-net481-support-340/spec.mdanduser-story.md— acceptance-criteria source of truth.docs/features/active/2026-07-16-dependabot-net481-support-340/research/2026-07-16T16-10-dependabot-net481-support-research.md— technical basis for theignoresafety net and directory-scoping decision.evidence/subfolders — supporting verification records for AC-2, AC-4, AC-10, and YAML validity.No mechanical moves/renames and no core logic changes are present in this diff (17 files changed, 961 insertions(+), 0 deletions(-); 16 Markdown files and 1 YAML file).
Follow-ups
directories: ["/*"]with the explicit 16-entry directory list documented in the spec's Appendix A.GitHub Auto-close