
Bump nerdbank deps#8096

Merged
Evangelink merged 1 commit into main from dev/amauryleve/nerdbank on May 11, 2026

Conversation

@Evangelink
Member

No description provided.

Copilot AI review requested due to automatic review settings May 11, 2026 09:28
Contributor

Copilot AI left a comment

Pull request overview

Pins Nerdbank.MessagePack (a transitive dependency of StreamJsonRpc) to a newer version intended to address a security vulnerability, and makes the dependency explicit in the affected integration test projects.

Changes:

  • Add a centralized package version entry for Nerdbank.MessagePack in Directory.Packages.props.
  • Add explicit PackageReference entries for Nerdbank.MessagePack in two integration test .csproj files so the pinned version is actually used.
Summary per file:

  • test/IntegrationTests/MSTest.Acceptance.IntegrationTests/MSTest.Acceptance.IntegrationTests.csproj: Adds explicit Nerdbank.MessagePack reference alongside StreamJsonRpc.
  • test/IntegrationTests/Microsoft.Testing.Platform.Acceptance.IntegrationTests/Microsoft.Testing.Platform.Acceptance.IntegrationTests.csproj: Adds explicit Nerdbank.MessagePack reference alongside StreamJsonRpc.
  • Directory.Packages.props: Introduces centralized version for Nerdbank.MessagePack with a security-focused comment.

Copilot's findings

  • Files reviewed: 3/3 changed files
  • Comments generated: 1

Comment thread Directory.Packages.props
Member Author

@Evangelink Evangelink left a comment

Summary

Workflow: Expert Code Reviewer
Date: 2026-05-11
Repository: microsoft/testfx

Key Findings

No issues found. This PR is a targeted security fix:

  • Directory.Packages.props — Adds an explicit Nerdbank.MessagePack v1.1.62 version pin. Without this, Central Package Management (CPM) would resolve the version transitively from StreamJsonRpc, potentially picking up a vulnerable version.
  • Two integration test .csproj files — Add explicit PackageReference entries so the pinned version propagates into those projects. This is the standard CPM pattern: a PackageVersion in Directory.Packages.props only governs versions; the package must also appear in a PackageReference in each project that needs the override to take effect.

Correctness ✅

The CPM override pattern used here is correct. The PackageVersion pin in Directory.Packages.props sets the ceiling version, and the two PackageReference additions in the test projects ensure the resolved graph picks 1.1.62 rather than whatever older version StreamJsonRpc would otherwise pull in.

Recommendations

None — the approach is idiomatic and minimal.


Generated by Expert Code Reviewer 🧠
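Both reviews above rest on one Central Package Management (CPM) rule: a PackageVersion in Directory.Packages.props only takes effect in a project that also carries a PackageReference for that package, otherwise the transitive version brought in by StreamJsonRpc wins. The script below is an added example, not part of this PR or of the testfx repository: it parses constructed props and csproj samples modelled on the change and reports where a pin does or does not apply; every version except 1.1.62 is a placeholder.

```python
"""Check whether CPM pins in Directory.Packages.props actually take effect.

A <PackageVersion> only sets the version; it applies to a project only when that
project lists the package in a <PackageReference>. Otherwise the project keeps
whatever version the parent package (here StreamJsonRpc) brings in transitively.
"""
import xml.etree.ElementTree as ET

# Constructed samples modelled on the PR; versions other than 1.1.62 are placeholders.
PROPS = """<Project>
  <ItemGroup>
    <PackageVersion Include="StreamJsonRpc" Version="0.0.0-placeholder" />
    <!-- Transitive dependency of StreamJsonRpc; pinned for a security fix. -->
    <PackageVersion Include="Nerdbank.MessagePack" Version="1.1.62" />
  </ItemGroup>
</Project>"""

# Before the PR: only the parent package is referenced, so the pin does not apply.
CSPROJ_BEFORE = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="StreamJsonRpc" />
  </ItemGroup>
</Project>"""

# After the PR: the transitive package is referenced explicitly, so the pin applies.
CSPROJ_AFTER = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <!-- Transitive dep of StreamJsonRpc, listed explicitly to pick up the security fix. -->
    <PackageReference Include="Nerdbank.MessagePack" />
    <PackageReference Include="StreamJsonRpc" />
  </ItemGroup>
</Project>"""


def _includes(xml_text, item_name):
    """Map Include -> element for MSBuild items of one kind, ignoring any XML namespace."""
    root = ET.fromstring(xml_text)
    return {el.get("Include"): el for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == item_name and el.get("Include")}

def effective_version(props_xml, csproj_xml, package):
    """Version CPM applies to `package` in this project; None means transitive-only."""
    if package not in _includes(csproj_xml, "PackageReference"):
        return None
    # A referenced package without a pin is a CPM build error, so KeyError here is fine.
    return _includes(props_xml, "PackageVersion")[package].get("Version")

def projects_missing_reference(props_xml, projects, package):
    """Names of projects in which a pinned package is not referenced directly."""
    if package not in _includes(props_xml, "PackageVersion"):
        raise KeyError(f"{package} has no PackageVersion pin")
    return sorted(name for name, xml in projects.items()
                  if package not in _includes(xml, "PackageReference"))
```

Pointing `projects_missing_reference` at a repository's real csproj files lists the projects where a security pin for a transitive package is silently not applied.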

Member Author

@Evangelink Evangelink left a comment

Summary

Workflow: PR Nitpick Reviewer 🔍
Date: 2026-05-11
Repository: microsoft/testfx

Key Findings

No nitpicks found — this is a clean, minimal security-fix PR.

  • The explanatory comments clearly communicate why Nerdbank.MessagePack is being explicitly listed (transitive dep of StreamJsonRpc, security vulnerability fix).
  • Package reference ordering in both .csproj files is alphabetically correct (MSBuild.StructuredLogger → Nerdbank.MessagePack → StreamJsonRpc).
  • The comment in Directory.Packages.props intentionally groups the entry near StreamJsonRpc for context, which is a reasonable trade-off over strict alphabetical order given the clear accompanying note.
  • Comment phrasing is consistent and informative across all three files.

Recommendations

No changes needed. The approach of placing the pinned transitive dependency immediately after its parent in Directory.Packages.props (with an explanatory comment) is a good practice for making dependency intent explicit.


🔍 Meticulously inspected by PR Nitpick Reviewer

@Evangelink Evangelink enabled auto-merge (squash) May 11, 2026 10:13
@Evangelink Evangelink disabled auto-merge May 11, 2026 11:29
@Evangelink Evangelink merged commit 0769121 into main May 11, 2026
41 of 43 checks passed
@Evangelink Evangelink deleted the dev/amauryleve/nerdbank branch May 11, 2026 11:29
Evangelink added a commit that referenced this pull request May 12, 2026
Co-authored-by: GitHub Copilot <copilot@github.com>