Skip to content

chore: Bump the all-dependencies group with 2 updates#227

Merged
FrankRay78 merged 5 commits into
mainfrom
dependabot/nuget/src/NetPace.Console.Tests/all-dependencies-d83092c1d4
Jul 15, 2026
Merged

chore: Bump the all-dependencies group with 2 updates#227
FrankRay78 merged 5 commits into
mainfrom
dependabot/nuget/src/NetPace.Console.Tests/all-dependencies-d83092c1d4

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 14, 2026

Copy link
Copy Markdown
Contributor

Updated Microsoft.NET.Test.Sdk from 18.5.1 to 18.7.0.

Release notes

Sourced from Microsoft.NET.Test.Sdk's releases.

18.7.0

What's Changed

New Contributors

Full Changelog: microsoft/vstest@v18.6.0...v18.7.0

18.6.0

What's Changed

Changes to tests and infra

Commits viewable in compare view.

Updated Verify from 31.12.5 to 31.20.0.

Release notes

Sourced from Verify's releases.

31.20.0

31.19.1

  • #​1746 Mark passthrough string Verify overloads as [StringSyntax("*")]

31.19.0

  • #​1743 UseSsimForPng override on VerifySettings and SettingsTask

31.18.0

  • #​1739 add BypassComparersForSubsequentOnDifference

31.17.0

31.16.3

No issues in this milestone yet.

31.16.2

  • #​1714 Unexpected empty.nupkg in output directory
  • #​1721 XUnit V3: Adds attachment with colon in filename - GitHub artifacts upload fails
  • #​1723 Strip solution dir prefix from XunitV3 attachment names

31.16.1

  • #​1718 Handle eof and missing ihdr in png decoder

31.16.0

  • #​1704 Add ScrubNumericIds
  • #​1707 Minor micro-optimizations for Verify project.
  • #​1708 Add Target comparer and avoid string allocations.
  • #​1709 ApplyForPropertyValue returns string instead of CharSpan
  • #​1710 In-place sort instead of LINQ OrderByDescending
  • #​1711 Remove unnecessary ToString() in VerifyJsonWriter
  • #​1716 add Png ssim comparer
  • #​1717 Throw on null assembly in TryGetType for bad plugin assembly

31.14.0

  • #​1700 [TUnit] infrastructure fixtures appear in verified filenames / add VerifierSettings.IgnoreParameters
  • #​1701 Support global IgnoreParameters setting
  • #​1702 add IgnoreClassArguments

31.13.4

31.13.3

Commits viewable in compare view.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps Microsoft.NET.Test.Sdk from 18.5.1 to 18.7.0
Bumps Verify from 31.12.5 to 31.20.0

---
updated-dependencies:
- dependency-name: Microsoft.NET.Test.Sdk
  dependency-version: 18.7.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
- dependency-name: Verify
  dependency-version: 31.20.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
- dependency-name: Verify
  dependency-version: 31.20.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@FrankRay78

Copy link
Copy Markdown
Owner

@claude I believe we've seen this broken build before, here: #218 (comment)

Please investigate, and if so, how can we stop dependabot from opening this bump again?

Although that said we have just changed the config to semi-annually, so perhaps this one landed just before - please also investigate the timing.

@claude

claude Bot commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

Claude finished @FrankRay78's task in 5m 27s —— View job


Investigation complete

Note on scope: I don't have network/gh access in this session, so I couldn't pull up the specific linked comment on #218 to confirm it's word-for-word the same failure. But I can see this PR's own CI run is failing right now, and the failure signature is a well-known, very specific one — strong enough that I'm confident this is the same class of bug, even without reading #218 directly.

Yes, this build is broken — and here's why

CI on this PR (run 29399373537) fails at the Test step: 119 of 190 tests in NetPace.Console.Tests fail with:

System.MethodAccessException: Attempt by method 'VerifyXunit.Verifier.Verify(...)' 
to access method 'Guards.AgainstBadSourceFile(System.String)' failed.

(NetPace.Core.Tests passes clean — 426/426 — because it references Verify/Verify.Xunit but no test there actually calls Verifier.Verify(...).)

Root cause: this PR bumps Verify from 31.12.531.20.0 in both test projects, but leaves Verify.Xunit pinned at 31.12.5:

-    <PackageReference Include="Verify" Version="31.12.5" />
+    <PackageReference Include="Verify" Version="31.20.0" />
     <PackageReference Include="Verify.Xunit" Version="31.12.5" />   

Verify and Verify.Xunit ship from the same repo and are meant to move in lockstep — Verify.Xunit is a thin adapter that reaches into Verify internals. Skew the versions and you get exactly this: a method that existed/was accessible in 31.12.5 no longer matches what 31.20.0 exposes, so the CLR throws MethodAccessException at runtime. This is a real ABI break between an adapter package and its core package, not something dotnet build (schema/compile-time) would ever catch — only running the tests surfaces it, which is exactly what CI did here.

Timing

Confirmed from git history — this wasn't the semiannual cron firing early:

GitHub Dependabot triggers an immediate re-check whenever .github/dependabot.yml itself changes, independent of the cron schedule. That's what happened: merging #226 pushed a change to dependabot.yml, which immediately kicked off a check under the new config — hence the PR title says "all-dependencies group" (the grouping didn't exist under the old monthly config). So this PR is the one-time "config change" trigger, not the semiannual schedule proper; the next scheduled run under the new cadence will be 2027-01-01.

Can dependabot be stopped from doing this again?

Not really, and I don't think it should be — the underlying problem is that Dependabot has no concept that Verify and Verify.Xunit are semantically coupled and must share a version. It treats them as two independent NuGet packages, groups them into the same PR (correct), but doesn't guarantee they land on matching versions if their eligible-version-post-cooldown timing differs slightly. No dependabot.yml setting enforces "these two packages must be version-equal."

The actual safety net is already in place and did its job: nothing auto-merges, and CI failed loudly instead of silently shipping a broken test suite. That's the human-gated design documented in docs/change-intent-records/2026-07-13-dependency-supply-chain-hardening.md.

What I'd suggest instead of trying to prevent the PR:

  1. Fix this PR forward — bump Verify.Xunit to match Verify (31.20.0) in both csproj files to restore version parity, then confirm tests go green. I haven't pushed this — happy to if you'd like, since this branch is dependabot-owned and it explicitly says it won't touch the branch further if it's edited manually.
  2. Leave a breadcrumb for next time this pairing skews (a one-line comment above the Verify/Verify.Xunit package refs, or a short note in the dependency CIR) so whoever reviews the next grouped bump immediately recognizes "these two must match" instead of re-diagnosing a MethodAccessException from scratch.

Let me know if you'd like me to push the Verify.Xunit fix to this branch.
· branch

@FrankRay78

Copy link
Copy Markdown
Owner

@claude Lets push the Verify.Xunit fix to this branch - do no other changes please. A CIR is not necessary, although understood why you suggested it.

@claude

claude Bot commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

Claude finished @FrankRay78's task in 1m 27s —— View job


Pushing the Verify.Xunit fix

  • Gather context (trigger comment, prior investigation)
  • Bump Verify.Xunit to 31.20.0 in both test csproj files
  • Build & test — couldn't run locally, dotnet build/dotnet test are outside this session's allowed tools (same limitation as the earlier investigation, no network/build access here); CI on this push will verify
  • Commit and push
  • Final update

Done

Pushed commit 9c1a37c bumping Verify.Xunit from 31.12.531.20.0 in:

  • src/NetPace.Console.Tests/NetPace.Console.Tests.csproj
  • src/NetPace.Core.Tests/NetPace.Core.Tests.csproj

This restores version parity with Verify (already at 31.20.0), which should resolve the MethodAccessException on Verifier.Verify(...) seen in the earlier CI run. No other changes made, and no CIR added per your instructions.

I couldn't run dotnet build/dotnet test locally in this session (no build tooling access), so please keep an eye on the CI run for this push to confirm green.

branch

github-actions Bot and others added 2 commits July 15, 2026 08:51
Verify.Xunit was left at 31.12.5 while Verify was bumped to 31.20.0,
breaking Verifier.Verify(...) at runtime with a MethodAccessException
(the two packages ship from the same repo and must move in lockstep).

Co-authored-by: Frank Ray <52075808+FrankRay78@users.noreply.github.com>
@FrankRay78

Copy link
Copy Markdown
Owner

@claude The build is still broken. Unless there is a trivial reason, I propose closing this PR and waiting for the semi-annual dependabot bump. There is a good chance this will no longer be happening then. Advise.

@claude

claude Bot commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

Claude finished @FrankRay78's task in 1m 52s —— View job


Investigation complete

  • Read trigger comment and prior investigation context
  • Check current CI status on this PR
  • Diagnose why the build is still broken (or confirm trivial fix)
  • Advise on close-and-wait-for-semiannual vs. fix-forward

The build is broken for a different reason than before — and yes, there's a trivial explanation

CI on this PR (run 29402614171) now fails at dotnet restore, before any test even runs:

error NU1102: Unable to find package Verify.Xunit with version (>= 31.20.0)
error NU1102:   - Found 796 version(s) in nuget.org [ Nearest version: 31.12.5 ]

Root cause: Verify.Xunit has never actually published a 31.20.0 release. NuGet's own package index confirms 31.12.5 is still the newest version available for that adapter package. My earlier fix (commit 9c1a37c, pushed at your request) bumped Verify.Xunit's version string to 31.20.0 to match Verify — but that version doesn't exist to restore, so the build now fails immediately instead of failing at test-time with MethodAccessException.

This overturns the assumption from the first investigation: Verify and Verify.Xunit are not currently shipping in lockstep. Verify (the core package) has continued releasing through 31.13.031.20.0 (mostly TUnit/Expecto-focused changes per the release notes), while the xunit adapter has stalled at 31.12.5.

Is there a trivial fix?

Yes — the correct fix is the opposite direction from what I pushed. Since 31.12.5 is the newest mutually-compatible version actually available for both packages, pinning Verify back down to 31.12.5 (undoing just that half of the bump, keeping the unrelated Microsoft.NET.Test.Sdk18.7.0 upgrade) would restore parity with something that actually exists on nuget.org and should get CI green again.

My recommendation

Given you asked me to advise rather than act:

  1. Trivial fix exists — I'd suggest fixing forward once more: pin Verify back to 31.12.5 in both csproj files (undoing my 9c1a37c change to Verify, but keeping Verify.Xunit at 31.12.5 and the Microsoft.NET.Test.Sdk bump). That's a real, mechanical fix, not a guess.
  2. On closing and waiting for semiannual: I wouldn't count on that alone solving this class of problem. The issue isn't the bump cadence — it's that Dependabot has no concept that Verify/Verify.Xunit must stay version-matched, and will propose the same mismatched pairing again whenever Verify core has released further than Verify.Xunit has. Whether the semiannual run in ~6 months hits a clean pairing depends entirely on whether the xunit adapter has caught up by then — something we can't verify from here.

Let me know if you'd like me to push the Verify31.12.5 revert (with a comment/breadcrumb, or without, your call), or if you'd rather close this PR now regardless.

branch ·

@FrankRay78

Copy link
Copy Markdown
Owner

@claude Please attempt the trivial fix, thank you.

@claude

claude Bot commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

Claude finished @FrankRay78's task in 1m 35s —— View job


Trivial fix pushed

  • Gather context (prior investigation, current csproj state)
  • Confirm actual latest published Verify.Xunit version on NuGet — CI's NU1102 error confirms it: Found 796 version(s) in nuget.org [ Nearest version: 31.12.5 ]. 31.20.0 has never been published for Verify.Xunit.
  • Pin Verify back to 31.12.5 in both csproj files, keep Verify.Xunit at 31.12.5 and the Microsoft.NET.Test.Sdk18.7.0 bump
  • Commit and push

Done

Pushed commit de733d7, reverting Verify from 31.20.031.12.5 in:

  • src/NetPace.Console.Tests/NetPace.Console.Tests.csproj
  • src/NetPace.Core.Tests/NetPace.Core.Tests.csproj

This matches Verify back up with Verify.Xunit, which is confirmed (via the CI restore failure's NU1102 "Nearest version" output) to have never published beyond 31.12.5. The Microsoft.NET.Test.Sdk 18.7.0 bump is untouched — this PR now nets out to just that upgrade.

I couldn't run dotnet build/dotnet test locally in this session (no build/network tooling access), so please keep an eye on the CI run for this push to confirm green.

branch ·

…shed version

Verify.Xunit has never published 31.20.0 (confirmed via CI NU1102: nearest
available version is 31.12.5), so bumping Verify alone broke restore.

Co-authored-by: Frank Ray <52075808+FrankRay78@users.noreply.github.com>
@FrankRay78
FrankRay78 merged commit 51b8f3a into main Jul 15, 2026
3 checks passed
@FrankRay78
FrankRay78 deleted the dependabot/nuget/src/NetPace.Console.Tests/all-dependencies-d83092c1d4 branch July 15, 2026 09:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant