Summary
Add dependency and security checks to the CI pipeline for ModularityKit.Mutator.
Goal
Catch vulnerable, stale, or suspicious dependencies earlier by making security and package health checks part of the repository's normal validation flow.
Problem
The repository has multiple projects and package references across runtime, governance, Redis, examples, and tests. As that dependency surface grows, it becomes harder to notice when a package is vulnerable, outdated, or out of policy unless someone remembers to run the checks manually.
CI should provide a consistent baseline signal for dependency health so the repo does not rely on ad hoc review alone. That also makes it easier to keep release artifacts and examples aligned with the same dependency expectations.
Scope
Design Expectations
- Checks should be straightforward to interpret when they fail.
- The workflow should favor direct tooling and existing .NET commands over custom scripts where possible.
- The checks should cover the repository's package references without becoming a full security platform.
- Local contributors should be able to run the same checks before opening a PR.
- The workflow should avoid false confidence by making sure warnings are visible and not buried.
Suggested Checks
- dotnet list package --vulnerable
- dotnet list package --outdated
- optional package restore audit or equivalent .NET native dependency validation
- optional CI job annotations that point to the affected project
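A wrapper around the two listed commands that a contributor and the CI job can both run, added here as an example and not code from the ModularityKit.Mutator repository. It turns the printed vulnerability report into an exit code so the job fails visibly whether or not the installed SDK does that on its own, and prints a CI annotation with the count. The solution file name, the sample report text, and the sentence the grep matches are assumptions about the repo and the tool's wording.

```shell
#!/bin/sh
# Added example for this issue; not code from the ModularityKit.Mutator repo.
# Wraps the Suggested Checks so CI and local runs execute the same thing, and
# converts the vulnerability report into an exit code for the job.
# Assumptions: the solution file name and the phrasing of the report text.

SOLUTION="${SOLUTION:-ModularityKit.Mutator.sln}"   # assumed file name

# vulnerable_findings: read `dotnet list package --vulnerable` output on stdin.
# Returns 0 when no project reports vulnerable packages, 1 when one does.
# The sentence matched here is an assumption about the tool's wording.
vulnerable_findings() {
    if grep -q 'has the following vulnerable packages'; then
        return 1
    fi
    return 0
}

# count_findings: number of package rows (lines starting with '>') in a report,
# used only to make the CI annotation more informative.
count_findings() {
    grep -c '^[[:space:]]*>' || true
}

# Constructed sample reports, labelled as such; they are not real tool output.
SAMPLE_VULNERABLE='Project `ModularityKit.Mutator.Redis` has the following vulnerable packages
   [net8.0]:
   Top-level Package   Requested   Resolved   Severity   Advisory URL
   > Example.Package   1.0.0       1.0.0      High       https://example.invalid/advisory'
SAMPLE_CLEAN='Project `ModularityKit.Mutator` has no vulnerable packages given the current sources.'

# self_check: confirm the classifier behaves as intended on the samples
# (run locally before trusting it in CI). Returns 0 on success.
self_check() {
    printf '%s\n' "$SAMPLE_VULNERABLE" | vulnerable_findings && return 1
    printf '%s\n' "$SAMPLE_CLEAN" | vulnerable_findings || return 1
    [ "$(printf '%s\n' "$SAMPLE_VULNERABLE" | count_findings)" = "1" ] || return 1
    return 0
}

# run_checks: the actual CI step. Fails on vulnerable packages (including
# transitive ones); outdated packages are reported as a warning only.
run_checks() {
    report=$(dotnet list "$SOLUTION" package --vulnerable --include-transitive 2>&1)
    printf '%s\n' "$report"
    if ! printf '%s\n' "$report" | vulnerable_findings; then
        # GitHub Actions annotation syntax; harmless plain text elsewhere.
        printf '::error::%s vulnerable package row(s) reported; see log above\n' \
            "$(printf '%s\n' "$report" | count_findings)"
        return 1
    fi
    printf '::warning::outdated packages (informational)\n'
    dotnet list "$SOLUTION" package --outdated
}

# `sh check-deps.sh run` executes against the real SDK; sourcing the file
# only defines the functions so they can be tested without dotnet installed.
case "${1:-}" in
    run) self_check && run_checks ;;
esac
```

Grepping the text report is the least robust part; newer SDKs accept --format json on dotnet list package, which is the better input for the parse step once the repo pins an SDK that has it. For the optional restore audit in the list, recent SDKs also support the NuGetAudit and NuGetAuditMode properties (for example in Directory.Build.props), which surface advisories as NU1901 to NU1904 restore warnings; promoting those with WarningsAsErrors makes dotnet restore itself the gate, with no wrapper at all. Confirm the property names and warning codes against the SDK version the repository actually uses before relying on them.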
Acceptance Criteria
Non-Goals
- This issue does not design a full software supply chain platform
- This issue does not change runtime behavior
- This issue does not automatically upgrade dependencies
- This issue does not bundle package signing or provenance generation into the same task
Notes
This issue is intended to make dependency hygiene a normal part of repository maintenance rather than a periodic manual audit.