Skip to content

[auto-sec] ci: add NuGet ecosystem to Dependabot configuration#1364

Open
IEvangelist wants to merge 4 commits into
mainfrom
dapine/security-deps/aspire-dev-nuget-dependabot
Open

[auto-sec] ci: add NuGet ecosystem to Dependabot configuration#1364
IEvangelist wants to merge 4 commits into
mainfrom
dapine/security-deps/aspire-dev-nuget-dependabot

Conversation

@IEvangelist

Copy link
Copy Markdown
Member

[auto-sec] Add NuGet to Dependabot configuration

Problem

The .github/dependabot.yml only covered the npm ecosystem. The repo has a full .NET solution (Aspire.Dev.slnx) with NuGet packages across:

Project Key Packages
src/apphost/Aspire.Dev.AppHost Aspire.AppHost.Sdk 13.3.0, Aspire.Hosting.Azure.*
src/statichost/StaticHost OpenTelemetry.Exporter.OpenTelemetryProtocol 1.15.3, Azure.Monitor.OpenTelemetry.AspNetCore 1.4.0
src/tools/PackageJsonGenerator tooling packages
tests/* test packages

Two NuGet security advisories were previously filed and fixed manually:

Without a NuGet Dependabot entry, future NuGet vulnerabilities will not trigger automated PRs.

Change

Adds a NuGet entry to .github/dependabot.yml scanning from the repo root (which covers all projects in Aspire.Dev.slnx), grouped as nuget-all on a weekly schedule.

Verification

No runtime changes — configuration file only. No build artifacts affected.

Alerts superseded: alert #70, alert #69 (already fixed; this prevents future recurrence).

Part of the automated security dependency consolidation workflow.

The repo has a .NET solution (Aspire.Dev.slnx) with NuGet packages
across AppHost, StaticHost, tools, and test projects. Two NuGet
security advisories (OpenTelemetry.Exporter.OpenTelemetryProtocol
CVE-2026-40891 / CVE-2026-40182) were fixed manually but no automated
NuGet scanning was configured.

This adds weekly NuGet scanning via Dependabot so future vulnerabilities
in NuGet packages are caught automatically.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings July 15, 2026 13:34
@IEvangelist IEvangelist added the automated-security Automated security dependency management PRs label Jul 15, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds Dependabot coverage for NuGet dependencies in this repo (in addition to existing npm coverage) so future NuGet security advisories can be surfaced via automated PRs.

Changes:

  • Adds a new nuget Dependabot update configuration scanning from the repo root and grouping updates under nuget-all.
  • Keeps existing npm configuration (multi-directory) and adds a brief comment describing the NuGet scope.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread .github/dependabot.yml Outdated
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
@joperezr

Copy link
Copy Markdown
Member

The reason why we didn't have this was intentional, as we used dependency flow for package updates for .NET System.* and Microsoft.* packages and we had a skill to update 3rd party dependencies. I think it may be okay to have this update the 3rd party dependencies but we should add some constraints here and don't apply for all packages, so it shouldn't update packages under System.* and Microsoft.*, as well as some other ones like FluentUI Blazor which require specific testing before we can take those. I'd suggest to adapt this according to the skill we have for 3rd party dependencies so the configuration matches the ones we update there.

IEvangelist and others added 2 commits July 17, 2026 08:05
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

automated-security Automated security dependency management PRs

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants