From eaa89455d159ee6cfb99f11d329c7f8326677b4e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zolt=C3=A1n=20Leh=C3=B3czky?= <zoltan.lehoczky@lombiq.com>
Date: Thu, 3 Oct 2024 23:17:21 +0200
Subject: [PATCH 1/4] Batching Dependabot updates per directories

---
 .github/dependabot.yml | 49 +++++++++++++++++++++++++++++++++++++++---
 1 file changed, 46 insertions(+), 3 deletions(-)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index a0ae63c5d47..c0deefe784b 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,11 +1,54 @@
 version: 2
 updates:
-  - package-ecosystem: "nuget" # See documentation for possible values
-    directory: "/" # Location of package manifests
+  # Dependabot can handle at most 150 "manifests", so for NuGet, csprojs referencing packages (see docs:
+  # https://docs.github.com/en/enterprise-cloud@latest/code-security/supply-chain-security/understanding-your-software-supply-chain/troubleshooting-the-dependency-graph#are-there-limits-which-affect-the-dependency-graph-data).
+  # We're grouping updates per directories to have smaller batches.
+  # /src/OrchardCore
+  - package-ecosystem: "nuget"
+    directory: "/src/OrchardCore"
+    schedule:
+      interval: "weekly"
+    groups:
+       all-dependencies:
+          patterns:
+            - "*"
+  # /src/OrchardCore.Modules
+  - package-ecosystem: "nuget"
+    directory: "/src/OrchardCore.Modules"
+    schedule:
+      interval: "weekly"
+    groups:
+       all-dependencies:
+          patterns:
+            - "*"
+  # /src/OrchardCore.Themes
+  - package-ecosystem: "nuget"
+    directory: "/src/OrchardCore.Themes"
+    schedule:
+      interval: "weekly"
+    groups:
+       all-dependencies:
+          patterns:
+            - "*"
+  # All other folders under src/.
+  - package-ecosystem: "nuget"
+    directories: 
+      - "/src/OrchardCore.Build"
+      - "/src/OrchardCore.Cms.Web"
+      - "/src/OrchardCore.Mvc.Web"
+      - "/src/Templates**"
+    schedule:
+      interval: "weekly"
+    groups:
+       all-dependencies:
+          patterns:
+            - "*"
+  # /test
+  - package-ecosystem: "nuget"
+    directory: "/test"
     schedule:
       interval: "weekly"
     groups:
-       # Grouped version updates configuration
        all-dependencies:
           patterns:
             - "*"

From 9d7698b6d76c366fcfba311357dd5bb189138201 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zolt=C3=A1n=20Leh=C3=B3czky?= <zoltan.lehoczky@lombiq.com>
Date: Fri, 4 Oct 2024 01:33:55 +0200
Subject: [PATCH 2/4] Fixing Dependabot updates

---
 .github/dependabot.yml                 | 53 +++++---------------------
 Directory.Packages.props               | 28 ++++----------
 src/docs/resources/libraries/README.md |  1 -
 3 files changed, 17 insertions(+), 65 deletions(-)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index c0deefe784b..bdbcf2043ab 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -2,53 +2,20 @@ version: 2
 updates:
   # Dependabot can handle at most 150 "manifests", so for NuGet, csprojs referencing packages (see docs:
   # https://docs.github.com/en/enterprise-cloud@latest/code-security/supply-chain-security/understanding-your-software-supply-chain/troubleshooting-the-dependency-graph#are-there-limits-which-affect-the-dependency-graph-data).
-  # We're grouping updates per directories to have smaller batches.
-  # /src/OrchardCore
+  # Thus, it would fail for the whole solution.
+  # Grouping updates per directories or otherwise trying to have smaller batches is unnecessary, because due to
+  # centralized package management, Dependabot will find all dependencies from any project. So, just processing the
+  # OrchardCore project.
   - package-ecosystem: "nuget"
-    directory: "/src/OrchardCore"
-    schedule:
-      interval: "weekly"
-    groups:
-       all-dependencies:
-          patterns:
-            - "*"
-  # /src/OrchardCore.Modules
-  - package-ecosystem: "nuget"
-    directory: "/src/OrchardCore.Modules"
-    schedule:
-      interval: "weekly"
-    groups:
-       all-dependencies:
-          patterns:
-            - "*"
-  # /src/OrchardCore.Themes
-  - package-ecosystem: "nuget"
-    directory: "/src/OrchardCore.Themes"
-    schedule:
-      interval: "weekly"
-    groups:
-       all-dependencies:
-          patterns:
-            - "*"
-  # All other folders under src/.
-  - package-ecosystem: "nuget"
-    directories: 
-      - "/src/OrchardCore.Build"
-      - "/src/OrchardCore.Cms.Web"
-      - "/src/OrchardCore.Mvc.Web"
-      - "/src/Templates**"
-    schedule:
-      interval: "weekly"
-    groups:
-       all-dependencies:
-          patterns:
-            - "*"
-  # /test
-  - package-ecosystem: "nuget"
-    directory: "/test"
+    directory: "/src/OrchardCore/OrchardCore"
     schedule:
       interval: "weekly"
     groups:
        all-dependencies:
           patterns:
             - "*"
+    ignore:
+      # We'll update GraphQL for v3 because it's breaking, see https://github.com/OrchardCMS/OrchardCore/issues/16826.
+      - dependency-name: "GraphQL*"
+      # See the corresponding comment in Directory.Packages.props.
+      - dependency-name: "System.Drawing.Common"
diff --git a/Directory.Packages.props b/Directory.Packages.props
index 3d06fcdc244..1c7fcc1f572 100644
--- a/Directory.Packages.props
+++ b/Directory.Packages.props
@@ -1,18 +1,15 @@
 <Project>
-
   <PropertyGroup>
     <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
     <CentralPackageTransitivePinningEnabled>true</CentralPackageTransitivePinningEnabled>
   </PropertyGroup>
-
   <PropertyGroup>
     <!-- Special case - this property is used by a DotNetCliToolReference -->
     <DotNetXunitVersion>2.3.0</DotNetXunitVersion>
   </PropertyGroup>
-
   <ItemGroup>
     <PackageVersion Include="AngleSharp" Version="1.1.2" />
-    <PackageVersion Include="AWSSDK.S3" Version="3.7.403.5" />
+    <PackageVersion Include="AWSSDK.S3" Version="3.7.404.1" />
     <PackageVersion Include="AWSSDK.Extensions.NETCore.Setup" Version="3.7.301" />
     <PackageVersion Include="Azure.Communication.Email" Version="1.0.1" />
     <PackageVersion Include="Azure.Communication.Sms" Version="1.0.1" />
@@ -41,11 +38,9 @@
     <PackageVersion Include="Lucene.Net.Spatial" Version="4.8.0-beta00016" />
     <PackageVersion Include="MailKit" Version="4.8.0" />
     <PackageVersion Include="Markdig" Version="0.37.0" />
-    <PackageVersion Include="MessagePack" Version="2.2.60" />
     <PackageVersion Include="Microsoft.Extensions.Azure" Version="1.7.5" />
     <PackageVersion Include="Microsoft.Extensions.Http.Resilience" Version="8.9.1" />
     <PackageVersion Include="Microsoft.Identity.Web" Version="3.2.0" />
-
     <!--
       Important: the version of the Microsoft.IdentityModel.Protocols.OpenIdConnect package MUST
       match the IdentityModel version transitively referenced by OpenIddict to ensure we don't
@@ -53,7 +48,6 @@
  
       See https://github.com/OrchardCMS/OrchardCore/pull/16057 for more information.
     -->
-
     <PackageVersion Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" Version="8.1.0" />
     <PackageVersion Include="Microsoft.NET.Test.Sdk" Version="17.11.1" />
     <PackageVersion Include="MimeKit" Version="4.8.0" />
@@ -91,15 +85,13 @@
     <PackageVersion Include="YesSql.Filters.Query" Version="5.1.1" />
     <PackageVersion Include="ZString" Version="2.6.0" />
   </ItemGroup>
-
   <ItemGroup>
     <GlobalPackageReference Include="Microsoft.SourceLink.GitHub" Version="8.0.0" />
-    <GlobalPackageReference Include="Microsoft.CodeAnalysis.CSharp.CodeStyle" Version="4.11.0"/>
+    <GlobalPackageReference Include="Microsoft.CodeAnalysis.CSharp.CodeStyle" Version="4.11.0" />
   </ItemGroup>
-
-  <!-- These versions are used for tansitive dependency forced upgrades only. For instance when a package reference a vulnerable version. -->
-  <!-- To list all vulnerable direct references run 'dotnet list package -vulnerable' -->
-  <!-- To list all vulnerable transitive references run 'dotnet list package -vulnerable -include-transitive' -->
+  <!-- These versions are used for tansitive dependency forced upgrades only. E.g. when a package references a vulnerable version. -->
+  <!-- To list all vulnerable direct references run 'dotnet list package -vulnerable' (use double dash, just XML comments can't contain it) -->
+  <!-- To list all vulnerable transitive references run 'dotnet list package -vulnerable -include-transitive' (use double dash, just XML comments can't contain it) -->
   <!-- The dependency graphs are generated using 'dotnet nuget why <.sln> <package id>' -->
   <ItemGroup>
     <!--
@@ -110,7 +102,6 @@
                  └─ System.Text.RegularExpressions (v4.3.0)
     -->
     <PackageVersion Include="System.Text.RegularExpressions" Version="4.3.1" />
-
     <!--
       Azure.Extensions.AspNetCore.DataProtection.Blobs (v1.3.4)
       └─ Microsoft.AspNetCore.DataProtection (v3.1.32)
@@ -119,8 +110,8 @@
                └─ System.Windows.Extensions (v4.7.0)
                   └─ System.Drawing.Common (v4.7.0)
     -->
+    <!-- When removing this, remove the corresponding ignore in dependabot.yml too. -->
     <PackageVersion Include="System.Drawing.Common" Version="4.7.2" />
-
     <!--
       Microsoft.AspNetCore.DataProtection.StackExchangeRedis (v8.0.8)
       └─ Microsoft.AspNetCore.DataProtection (v8.0.8)
@@ -130,21 +121,18 @@
     -->
     <PackageVersion Include="System.Formats.Asn1" Version="8.0.1" />
   </ItemGroup>
-
   <!-- These versions are used for the NuGet packages that are dependent on the current TFM -->
   <!-- Versions are preset for the default TFM (there may be no TFM in an evaluation phase) -->
   <PropertyGroup>
     <AspNetCorePackagesVersion>8.0.8</AspNetCorePackagesVersion>
     <MicrosoftExtensionsPackagesVersion>8.0.8</MicrosoftExtensionsPackagesVersion>
   </PropertyGroup>
-
   <!-- When dual-targeting frameworks, add both of them to CommonTargetFrameworks above, when add PropertyGroups like
   below. -->
   <!--<PropertyGroup Condition="$(TargetFramework) == 'net7.0'">
     <AspNetCorePackagesVersion>7.0.14</AspNetCorePackagesVersion>
     <MicrosoftExtensionsPackagesVersion>7.0.14</MicrosoftExtensionsPackagesVersion>
   </PropertyGroup>-->
-
   <!-- 'Microsoft.AspNetCore' packages that are not included in the ASP.NET Core shared framework -->
   <ItemGroup>
     <PackageVersion Include="Microsoft.AspNetCore.Authentication.Facebook" Version="$(AspNetCorePackagesVersion)" />
@@ -157,11 +145,9 @@
     <PackageVersion Include="Microsoft.AspNetCore.Mvc.Testing" Version="$(AspNetCorePackagesVersion)" />
     <PackageVersion Include="Microsoft.AspNetCore.Owin" Version="$(AspNetCorePackagesVersion)" />
   </ItemGroup>
-
   <!-- 'Microsoft.Extensions' packages that are not included in the ASP.NET Core shared framework -->
   <ItemGroup>
     <PackageVersion Include="Microsoft.Extensions.Caching.StackExchangeRedis" Version="$(MicrosoftExtensionsPackagesVersion)" />
     <!-- Microsoft.Extensions.Http.Resilience is not here because it diverged from the common Microsoft.Extensions versioning. -->
   </ItemGroup>
-
-</Project>
+</Project>
\ No newline at end of file
diff --git a/src/docs/resources/libraries/README.md b/src/docs/resources/libraries/README.md
index 16d5464705b..e677f9e6aa6 100644
--- a/src/docs/resources/libraries/README.md
+++ b/src/docs/resources/libraries/README.md
@@ -26,7 +26,6 @@ The below table lists the different .NET libraries used in Orchard Core:
 | [Lucene.Net](https://github.com/apache/lucenenet) | .NET full-text search engine. | [Apache-2.0](https://github.com/apache/lucenenet/blob/master/LICENSE.txt) |
 | [MailKit](https://github.com/jstedfast/MailKit) | A cross-platform .NET library for IMAP, POP3, and SMTP. | [MIT](https://github.com/jstedfast/MailKit/blob/master/LICENSE) |
 | [Markdig](https://github.com/lunet-io/markdig) | .NET Markdown engine. | [BSD-2-Clause](https://github.com/lunet-io/markdig/blob/master/license.txt) |
-| [MessagePack](https://github.com/neuecc/MessagePack-CSharp) | Extremely Fast MessagePack Serializer for C# | [MIT](https://github.com/neuecc/MessagePack-CSharp/blob/master/LICENSE) |
 | [Microsoft.Extensions.Http.Resilience](https://github.com/dotnet/extensions/tree/main/src/Libraries/Microsoft.Extensions.Http.Resilience) | Resilience mechanisms for HttpClient built on the Polly framework. | [MIT](https://github.com/dotnet/extensions/blob/main/LICENSE) |
 | [Microsoft.Identity.Web](https://github.com/AzureAD/microsoft-identity-web) | Helps creating protected web apps and web APIs with Microsoft identity platform and Azure AD B2C. | [MIT](https://github.com/AzureAD/microsoft-identity-web/blob/master/LICENSE) |
 | [Microsoft.SourceLink.GitHub](https://github.com/dotnet/sourcelink) | Source Link enables a great source debugging experience. | [MIT](https://github.com/dotnet/sourcelink/blob/main/License.txt) |

From 940eb1304825d9a2cd809599ed92e83477579538 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zolt=C3=A1n=20Leh=C3=B3czky?= <zoltan.lehoczky@lombiq.com>
Date: Fri, 4 Oct 2024 01:36:52 +0200
Subject: [PATCH 3/4] Newline

---
 Directory.Packages.props | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Directory.Packages.props b/Directory.Packages.props
index 1c7fcc1f572..ac8cb9f37bb 100644
--- a/Directory.Packages.props
+++ b/Directory.Packages.props
@@ -150,4 +150,4 @@
     <PackageVersion Include="Microsoft.Extensions.Caching.StackExchangeRedis" Version="$(MicrosoftExtensionsPackagesVersion)" />
     <!-- Microsoft.Extensions.Http.Resilience is not here because it diverged from the common Microsoft.Extensions versioning. -->
   </ItemGroup>
-</Project>
\ No newline at end of file
+</Project>

From 87451a974024bc1b223564625e22f15dbe209951 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zolt=C3=A1n=20Leh=C3=B3czky?= <zoltan.lehoczky@lombiq.com>
Date: Fri, 4 Oct 2024 13:14:19 +0200
Subject: [PATCH 4/4] Update libphonenumber-csharp to v8.13.47

---
 Directory.Packages.props | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Directory.Packages.props b/Directory.Packages.props
index ac8cb9f37bb..bcb5e861f32 100644
--- a/Directory.Packages.props
+++ b/Directory.Packages.props
@@ -30,7 +30,7 @@
     <PackageVersion Include="JsonPath.Net" Version="1.1.6" />
     <PackageVersion Include="HtmlSanitizer" Version="8.2.871-beta" />
     <PackageVersion Include="Irony" Version="1.5.3" />
-    <PackageVersion Include="libphonenumber-csharp" Version="8.13.46" />
+    <PackageVersion Include="libphonenumber-csharp" Version="8.13.47" />
     <PackageVersion Include="Lorem.Universal.NET" Version="4.0.80" />
     <PackageVersion Include="Lucene.Net" Version="4.8.0-beta00016" />
     <PackageVersion Include="Lucene.Net.Analysis.Common" Version="4.8.0-beta00016" />
@@ -150,4 +150,4 @@
     <PackageVersion Include="Microsoft.Extensions.Caching.StackExchangeRedis" Version="$(MicrosoftExtensionsPackagesVersion)" />
     <!-- Microsoft.Extensions.Http.Resilience is not here because it diverged from the common Microsoft.Extensions versioning. -->
   </ItemGroup>
-</Project>
+</Project>
\ No newline at end of file