[auto-sec] ci: add NuGet ecosystem to Dependabot configuration#1364
[auto-sec] ci: add NuGet ecosystem to Dependabot configuration#1364IEvangelist wants to merge 4 commits into
Conversation
The repo has a .NET solution (Aspire.Dev.slnx) with NuGet packages across AppHost, StaticHost, tools, and test projects. Two NuGet security advisories (OpenTelemetry.Exporter.OpenTelemetryProtocol CVE-2026-40891 / CVE-2026-40182) were fixed manually but no automated NuGet scanning was configured. This adds weekly NuGet scanning via Dependabot so future vulnerabilities in NuGet packages are caught automatically. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
There was a problem hiding this comment.
Pull request overview
Adds Dependabot coverage for NuGet dependencies in this repo (in addition to existing npm coverage) so future NuGet security advisories can be surfaced via automated PRs.
Changes:
- Adds a new
nugetDependabot update configuration scanning from the repo root and grouping updates undernuget-all. - Keeps existing npm configuration (multi-directory) and adds a brief comment describing the NuGet scope.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
|
The reason why we didn't have this was intentional, as we used dependency flow for package updates for .NET System.* and Microsoft.* packages and we had a skill to update 3rd party dependencies. I think it may be okay to have this update the 3rd party dependencies but we should add some constraints here and don't apply for all packages, so it shouldn't update packages under System.* and Microsoft.*, as well as some other ones like FluentUI Blazor which require specific testing before we can take those. I'd suggest to adapt this according to the skill we have for 3rd party dependencies so the configuration matches the ones we update there. |
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
[auto-sec] Add NuGet to Dependabot configuration
Problem
The
.github/dependabot.ymlonly covered the npm ecosystem. The repo has a full .NET solution (Aspire.Dev.slnx) with NuGet packages across:src/apphost/Aspire.Dev.AppHostAspire.AppHost.Sdk 13.3.0,Aspire.Hosting.Azure.*src/statichost/StaticHostOpenTelemetry.Exporter.OpenTelemetryProtocol 1.15.3,Azure.Monitor.OpenTelemetry.AspNetCore 1.4.0src/tools/PackageJsonGeneratortests/*Two NuGet security advisories were previously filed and fixed manually:
OpenTelemetry.Exporter.OpenTelemetryProtocolCVE-2026-40891 (patched → 1.15.3)OpenTelemetry.Exporter.OpenTelemetryProtocolCVE-2026-40182 (patched → 1.15.2)Without a NuGet Dependabot entry, future NuGet vulnerabilities will not trigger automated PRs.
Change
Adds a NuGet entry to
.github/dependabot.ymlscanning from the repo root (which covers all projects inAspire.Dev.slnx), grouped asnuget-allon a weekly schedule.Verification
No runtime changes — configuration file only. No build artifacts affected.
Alerts superseded: alert #70, alert #69 (already fixed; this prevents future recurrence).
Part of the automated security dependency consolidation workflow.