Fixing Dependabot updates (#16827)
Piedone authored Oct 4, 2024
1 parent 027711f commit dc94fdd
Showing 3 changed files with 19 additions and 24 deletions.
16 changes: 13 additions & 3 deletions .github/dependabot.yml
@@ -1,11 +1,21 @@
version: 2
updates:
- package-ecosystem: "nuget" # See documentation for possible values
directory: "/" # Location of package manifests
# Dependabot can handle at most 150 "manifests", so for NuGet, csprojs referencing packages (see docs:
# https://docs.github.com/en/enterprise-cloud@latest/code-security/supply-chain-security/understanding-your-software-supply-chain/troubleshooting-the-dependency-graph#are-there-limits-which-affect-the-dependency-graph-data).
# Thus, it would fail for the whole solution.
# Grouping updates per directories or otherwise trying to have smaller batches is unnecessary, because due to
# centralized package management, Dependabot will find all dependencies from any project. So, just processing the
# OrchardCore project.
- package-ecosystem: "nuget"
directory: "/src/OrchardCore/OrchardCore"
schedule:
interval: "weekly"
groups:
# Grouped version updates configuration
all-dependencies:
patterns:
- "*"
ignore:
# We'll update GraphQL for v3 because it's breaking, see https://github.com/OrchardCMS/OrchardCore/issues/16826.
- dependency-name: "GraphQL*"
# See the corresponding comment in Directory.Packages.props.
- dependency-name: "System.Drawing.Common"
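Review bot: The two `ignore` entries at the end of the new `updates` block name only `dependency-name`, with no `versions` or `update-types`, so every update for `GraphQL*` and `System.Drawing.Common` is suppressed, patch releases included. If the intent is only to hold back the breaking GraphQL major, scope the entry, for example with `update-types: ["version-update:semver-major"]`, so fixes within the current major still arrive. It is also worth confirming after merge that packages referenced only outside `/src/OrchardCore/OrchardCore` (test projects, for instance) still appear in the grouped PR, since the single-directory setup rests entirely on the comment's claim about centralized package management.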
26 changes: 6 additions & 20 deletions Directory.Packages.props
@@ -1,18 +1,15 @@
<Project>

<PropertyGroup>
<ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
<CentralPackageTransitivePinningEnabled>true</CentralPackageTransitivePinningEnabled>
</PropertyGroup>

<PropertyGroup>
<!-- Special case - this property is used by a DotNetCliToolReference -->
<DotNetXunitVersion>2.3.0</DotNetXunitVersion>
</PropertyGroup>

<ItemGroup>
<PackageVersion Include="AngleSharp" Version="1.1.2" />
<PackageVersion Include="AWSSDK.S3" Version="3.7.403.5" />
<PackageVersion Include="AWSSDK.S3" Version="3.7.404.1" />
<PackageVersion Include="AWSSDK.Extensions.NETCore.Setup" Version="3.7.301" />
<PackageVersion Include="Azure.Communication.Email" Version="1.0.1" />
<PackageVersion Include="Azure.Communication.Sms" Version="1.0.1" />
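Review bot: The `AWSSDK.S3` change from `3.7.403.5` to `3.7.404.1` is a manual version bump inside a commit titled "Fixing Dependabot updates". Keeping dependency bumps in their own commit (or leaving this one to the next Dependabot run) makes the version history easier to audit; if it has to ride along here, the commit message should say so.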
@@ -41,19 +38,16 @@
<PackageVersion Include="Lucene.Net.Spatial" Version="4.8.0-beta00016" />
<PackageVersion Include="MailKit" Version="4.8.0" />
<PackageVersion Include="Markdig" Version="0.37.0" />
<PackageVersion Include="MessagePack" Version="2.2.60" />
<PackageVersion Include="Microsoft.Extensions.Azure" Version="1.7.5" />
<PackageVersion Include="Microsoft.Extensions.Http.Resilience" Version="8.9.1" />
<PackageVersion Include="Microsoft.Identity.Web" Version="3.2.0" />

<!--
Important: the version of the Microsoft.IdentityModel.Protocols.OpenIdConnect package MUST
match the IdentityModel version transitively referenced by OpenIddict to ensure we don't
accidentally end up referencing inconsistent versions (which is not supported by IM).
See https://github.com/OrchardCMS/OrchardCore/pull/16057 for more information.
-->

<PackageVersion Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" Version="8.1.0" />
<PackageVersion Include="Microsoft.NET.Test.Sdk" Version="17.11.1" />
<PackageVersion Include="MimeKit" Version="4.8.0" />
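Review bot: Removing the `MessagePack` `PackageVersion` entry also removes whatever pin it provided: with `CentralPackageTransitivePinningEnabled` set to `true` at the top of this file, a central version applies to transitive references too. Before merging, confirm with `dotnet nuget why <.sln> MessagePack` that nothing in the solution still resolves the package, and state the reason for the removal in the commit message, since the diff alone does not show whether the entry was unused.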
@@ -91,15 +85,13 @@
<PackageVersion Include="YesSql.Filters.Query" Version="5.1.1" />
<PackageVersion Include="ZString" Version="2.6.0" />
</ItemGroup>

<ItemGroup>
<GlobalPackageReference Include="Microsoft.SourceLink.GitHub" Version="8.0.0" />
<GlobalPackageReference Include="Microsoft.CodeAnalysis.CSharp.CodeStyle" Version="4.11.0"/>
<GlobalPackageReference Include="Microsoft.CodeAnalysis.CSharp.CodeStyle" Version="4.11.0" />
</ItemGroup>

<!-- These versions are used for tansitive dependency forced upgrades only. For instance when a package reference a vulnerable version. -->
<!-- To list all vulnerable direct references run 'dotnet list package -vulnerable' -->
<!-- To list all vulnerable transitive references run 'dotnet list package -vulnerable -include-transitive' -->
<!-- These versions are used for tansitive dependency forced upgrades only. E.g. when a package references a vulnerable version. -->
<!-- To list all vulnerable direct references run 'dotnet list package -vulnerable' (use double dash, just XML comments can't contain it) -->
<!-- To list all vulnerable transitive references run 'dotnet list package -vulnerable -include-transitive' (use double dash, just XML comments can't contain it) -->
<!-- The dependency graphs are generated using 'dotnet nuget why <.sln> <package id>' -->
<ItemGroup>
<!--
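Review bot: The rewritten comment lines still carry the typo `tansitive`, and the parenthetical `(use double dash, just XML comments can't contain it)` is easy to misread. Consider spelling it out, for example: "the actual flags are written with two dashes, shown here with one because XML comments can't contain a double dash", so a reader knows the runnable form is `dotnet list package --vulnerable --include-transitive`.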
@@ -110,7 +102,6 @@
└─ System.Text.RegularExpressions (v4.3.0)
-->
<PackageVersion Include="System.Text.RegularExpressions" Version="4.3.1" />

<!--
Azure.Extensions.AspNetCore.DataProtection.Blobs (v1.3.4)
└─ Microsoft.AspNetCore.DataProtection (v3.1.32)
@@ -119,8 +110,8 @@
└─ System.Windows.Extensions (v4.7.0)
└─ System.Drawing.Common (v4.7.0)
-->
<!-- When removing this, remove the corresponding ignore in dependabot.yml too. -->
<PackageVersion Include="System.Drawing.Common" Version="4.7.2" />

<!--
Microsoft.AspNetCore.DataProtection.StackExchangeRedis (v8.0.8)
└─ Microsoft.AspNetCore.DataProtection (v8.0.8)
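Review bot: The new comment above the `System.Drawing.Common` pin points to `dependabot.yml`, while the ignore entry there says "See the corresponding comment in Directory.Packages.props", so the two references are circular and neither states why Dependabot must skip this package. Add the reason to one of them (this file is the natural place, next to the dependency graph), so whoever revisits the `4.7.2` pin can tell when the ignore is safe to drop.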
@@ -130,21 +121,18 @@
-->
<PackageVersion Include="System.Formats.Asn1" Version="8.0.1" />
</ItemGroup>

<!-- These versions are used for the NuGet packages that are dependent on the current TFM -->
<!-- Versions are preset for the default TFM (there may be no TFM in an evaluation phase) -->
<PropertyGroup>
<AspNetCorePackagesVersion>8.0.8</AspNetCorePackagesVersion>
<MicrosoftExtensionsPackagesVersion>8.0.8</MicrosoftExtensionsPackagesVersion>
</PropertyGroup>

<!-- When dual-targeting frameworks, add both of them to CommonTargetFrameworks above, when add PropertyGroups like
below. -->
<!--<PropertyGroup Condition="$(TargetFramework) == 'net7.0'">
<AspNetCorePackagesVersion>7.0.14</AspNetCorePackagesVersion>
<MicrosoftExtensionsPackagesVersion>7.0.14</MicrosoftExtensionsPackagesVersion>
</PropertyGroup>-->

<!-- 'Microsoft.AspNetCore' packages that are not included in the ASP.NET Core shared framework -->
<ItemGroup>
<PackageVersion Include="Microsoft.AspNetCore.Authentication.Facebook" Version="$(AspNetCorePackagesVersion)" />
@@ -157,11 +145,9 @@
<PackageVersion Include="Microsoft.AspNetCore.Mvc.Testing" Version="$(AspNetCorePackagesVersion)" />
<PackageVersion Include="Microsoft.AspNetCore.Owin" Version="$(AspNetCorePackagesVersion)" />
</ItemGroup>

<!-- 'Microsoft.Extensions' packages that are not included in the ASP.NET Core shared framework -->
<ItemGroup>
<PackageVersion Include="Microsoft.Extensions.Caching.StackExchangeRedis" Version="$(MicrosoftExtensionsPackagesVersion)" />
<!-- Microsoft.Extensions.Http.Resilience is not here because it diverged from the common Microsoft.Extensions versioning. -->
</ItemGroup>

</Project>
1 change: 0 additions & 1 deletion src/docs/resources/libraries/README.md
@@ -26,7 +26,6 @@ The below table lists the different .NET libraries used in Orchard Core:
| [Lucene.Net](https://github.com/apache/lucenenet) | .NET full-text search engine. | [Apache-2.0](https://github.com/apache/lucenenet/blob/master/LICENSE.txt) |
| [MailKit](https://github.com/jstedfast/MailKit) | A cross-platform .NET library for IMAP, POP3, and SMTP. | [MIT](https://github.com/jstedfast/MailKit/blob/master/LICENSE) |
| [Markdig](https://github.com/lunet-io/markdig) | .NET Markdown engine. | [BSD-2-Clause](https://github.com/lunet-io/markdig/blob/master/license.txt) |
| [MessagePack](https://github.com/neuecc/MessagePack-CSharp) | Extremely Fast MessagePack Serializer for C# | [MIT](https://github.com/neuecc/MessagePack-CSharp/blob/master/LICENSE) |
| [Microsoft.Extensions.Http.Resilience](https://github.com/dotnet/extensions/tree/main/src/Libraries/Microsoft.Extensions.Http.Resilience) | Resilience mechanisms for HttpClient built on the Polly framework. | [MIT](https://github.com/dotnet/extensions/blob/main/LICENSE) |
| [Microsoft.Identity.Web](https://github.com/AzureAD/microsoft-identity-web) | Helps creating protected web apps and web APIs with Microsoft identity platform and Azure AD B2C. | [MIT](https://github.com/AzureAD/microsoft-identity-web/blob/master/LICENSE) |
| [Microsoft.SourceLink.GitHub](https://github.com/dotnet/sourcelink) | Source Link enables a great source debugging experience. | [MIT](https://github.com/dotnet/sourcelink/blob/main/License.txt) |