Skip to content

Make bundled SDK feature package versions discoverable by Dependabot#9365

Merged
Evangelink merged 7 commits into
microsoft:mainfrom
Evangelink:fix-dependabot-playwright
Jun 23, 2026
Merged

Make bundled SDK feature package versions discoverable by Dependabot#9365
Evangelink merged 7 commits into
microsoft:mainfrom
Evangelink:fix-dependabot-playwright

Conversation

@Evangelink

@Evangelink Evangelink commented Jun 23, 2026

Copy link
Copy Markdown
Member

Problem

Some packages bundled by the MSTest SDK fell behind because Dependabot wasn't proposing updates for them (the cause behind #9362 leaving Playwright stuck at 1.58.0). The same applies to Aspire.Hosting.Testing.

Both Microsoft.Playwright.MSTest.v4 and Aspire.Hosting.Testing are bundled via Sdk/Features/*.targets and versioned through MSBuild properties (MicrosoftPlaywrightVersion, AspireHostingTestingVersion) that flow into the SDK template. Dependabot does not update a Central Package Management PackageVersion that is both:

  • versioned via an MSBuild property interpolation, and
  • has no direct PackageReference anywhere in the repo.

So:

  • Playwright was declared in the not used directly group with Version="$(MicrosoftPlaywrightVersion)" — property-interpolated, so invisible to Dependabot.
  • Aspire was worse: no literal PackageVersion existed for it at all (only the AspireHostingTestingVersion property and property-interpolated usages), so Dependabot had nothing to discover.

See dependabot/dependabot-core#5812 and dependabot/dependabot-core#7183.

Fix

For each bundled package:

  • Declare a literal PackageVersion in the not used directly group so Dependabot can discover and bump it.
  • Keep the matching *Version MSBuild property (MicrosoftPlaywrightVersion, AspireHostingTestingVersion) as a literal that flows into the MSTest.Sdk template (MSTest.Sdk.csproj -> Sdk.props).
  • Add a _ValidateBundledSdkFeatureVersions target that fails the MSTest.Sdk build if the property and the literal PackageVersion ever drift apart (e.g. after Dependabot bumps only the PackageVersion), so the two values can never ship out of sync.

Why duplicate + validate instead of deriving the property from the PackageVersion?
Deriving the property directly (e.g. <MicrosoftPlaywrightVersion>@(PackageVersion->WithMetadataValue('Identity','Microsoft.Playwright.MSTest.v4')->'%(Version)')</MicrosoftPlaywrightVersion>) was attempted first, but the item transform expands incorrectly when the resulting property is later string-concatenated into the SDK template and breaks evaluation with MSB4012. The drift guard gives the same "single value can never ship out of sync" guarantee without that failure: Dependabot updates the literal PackageVersion, and CI then tells you to update the one matching property. This rationale is captured in the comment above the target in Directory.Packages.props.

Versions are unchanged by this PR (Playwright 1.60.0, Aspire 13.2.1); Dependabot can take it from here.

Verification

  • With the property and PackageVersion in sync (Playwright 1.60.0, Aspire 13.2.1), the MSTest.Sdk build passes and the same versions flow into the SDK template (MSTest.Sdk.csproj's _TemplateProperties).
  • Bumping only a PackageVersion (simulating a Dependabot PR) trips the _ValidateBundledSdkFeatureVersions <Error>, which names the property to update — so drift fails fast in CI instead of silently shipping.

Related to #9362.

Dependabot does not update a Central Package Management PackageVersion whose
Version is an MSBuild property interpolation ($(MicrosoftPlaywrightVersion)) when
the package has no direct PackageReference. That is exactly the case for the
Microsoft.Playwright.MSTest.v4 entry declared in the "not used directly" group, so
the bundled Playwright version silently stopped receiving updates.

Give the PackageVersion a literal version (which Dependabot can discover and bump)
and derive the MicrosoftPlaywrightVersion property from it via an item-metadata
transform, keeping a single source of truth that still flows into the MSTest.Sdk
template.

See dependabot-core microsoft#5812 / microsoft#7183. Related to microsoft#9362.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings June 23, 2026 07:46

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates how the MSTest SDK’s bundled Playwright-for-.NET version is declared so Dependabot can detect and propose updates for it, while still keeping MicrosoftPlaywrightVersion as the single source of truth used by the SDK templates.

Changes:

  • Replace the MicrosoftPlaywrightVersion property constant with a literal PackageVersion for Microsoft.Playwright.MSTest.v4 (Dependabot-discoverable).
  • Derive MicrosoftPlaywrightVersion from the PackageVersion item via an item-metadata transform so the SDK template continues to consume the resolved version.
Show a summary per file
File Description
Directory.Packages.props Makes the Playwright bundle version Dependabot-discoverable via a literal PackageVersion, and derives MicrosoftPlaywrightVersion from it for template consumption.

Copilot's findings

  • Files reviewed: 1/1 changed files
  • Comments generated: 1

Comment thread Directory.Packages.props Outdated
@Evangelink Evangelink added the state/needs-review Awaiting review from the team. label Jun 23, 2026
@Evangelink Evangelink enabled auto-merge (squash) June 23, 2026 08:06
Aspire.Hosting.Testing has the same problem as Playwright: AspireHostingTestingVersion
was a literal property flowing into the MSTest.Sdk template, but no literal PackageVersion
existed for the package, so Dependabot could not discover or bump it.

Apply the same pattern: declare a literal Aspire.Hosting.Testing PackageVersion in the
'not used directly' group and derive AspireHostingTestingVersion from it via an
item-metadata transform.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings June 23, 2026 08:08
@Evangelink Evangelink changed the title Make bundled Playwright version discoverable by Dependabot Make bundled SDK feature package versions discoverable by Dependabot Jun 23, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

Evangelink and others added 2 commits June 23, 2026 10:41
Storing an @(PackageVersion->...) item transform in a <PropertyGroup>
leaves the property unexpanded; when concatenated with strings in a
task (e.g. the Copy in MSTest.Acceptance.IntegrationTests) it fails with
MSB4012. Keep the consumed *Version properties as plain scalar literals,
keep the literal PackageVersion items for Dependabot, and add the
_ValidateBundledSdkFeatureVersions target so the two cannot drift.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
# Conflicts:
#	Directory.Packages.props
Copilot AI review requested due to automatic review settings June 23, 2026 08:43

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot's findings

  • Files reviewed: 1/1 changed files
  • Comments generated: 2

Comment thread Directory.Packages.props
Comment thread Directory.Packages.props
@Evangelink Evangelink merged commit 7afc762 into microsoft:main Jun 23, 2026
39 checks passed
@Evangelink Evangelink deleted the fix-dependabot-playwright branch June 23, 2026 09:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

state/needs-review Awaiting review from the team.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants