chore(deps): dependency refresh + OpenTelemetry CVE-2026-40894 fix (0.9.37)#154

Merged
blehnen merged 1 commit into
masterfrom
dependency-refresh-0.9.37
May 28, 2026

Conversation


@blehnen blehnen commented May 28, 2026

Summary

  • Security fix: OpenTelemetry 1.15.2 → 1.15.3 clears the transitive OpenTelemetry.Api advisory CVE-2026-40894 / GHSA-g94r-2vxg-569j (NU1902, moderate — excessive memory allocation parsing OpenTelemetry propagation headers). With the advisory gone, the <WarningsNotAsErrors>NU1902</WarningsNotAsErrors> workaround added in 0.9.36 (ISSUE-032) is removed from Transport.SQLite.csproj.
  • Dependency refresh across Directory.Packages.props — see CHANGELOG for the full list. Shipping highlights: SqlClient 7.0.1, Npgsql 10.0.3, SimpleInjector 5.5.2, StackExchange.Redis 2.13.17, MudBlazor 9.5.0, Cronos 0.13.0, SourceLink 10.0.300, and the Microsoft.Extensions/System.* set → 10.0.8.
  • Test tooling: coverlet.collector 8.0.1 → 10.0.1 (2-major), MSTest 4.2.3, Test.Sdk 18.6.0, Retry 2.2.3, bunit 2.7.2, Playwright 1.60.0, TestHost(net10) 10.0.8.
  • Version 0.9.36 → 0.9.37.

Deliberately held back

  • FluentAssertions stays at 6.12.2 (last MIT-licensed release).
  • Microsoft.AspNetCore.TestHost net8 target stays on the 8.0.x line (only the net10 target bumped).

Local verification

  • dotnet restore (full solution): zero NU19xx warnings.
  • dotnet build DotNetWorkQueueNoTests.sln -c Release -p:CI=true: 0 warnings / 0 errors under TreatWarningsAsErrors — confirms SQLite builds clean without the NU1902 suppression.
  • DotNetWorkQueue.Tests: 905 passed / 0 failed.

Reviewer attention

  • MudBlazor 9.3.0 → 9.5.0 — Dashboard UI; covered by bUnit + Playwright stages.
  • Playwright 1.54.0 → 1.60.0 — the E2E agent may need playwright install for updated browser binaries.
  • Cronos 0.12.0 → 0.13.0 — core cron parsing; leans on the JobScheduler integration stage.

Test plan

  • Jenkins: 14 integration stages green (full transport matrix incl. JobScheduler, Dashboard UI E2E)
  • CodeRabbit review
  • After green: push v0.9.37 tag to trigger publish.yml

🤖 Generated with Claude Code

Summary by CodeRabbit

Release 0.9.37

  • Chores
    • Version updated to 0.9.37
    • Security patch applied to OpenTelemetry (1.15.2 → 1.15.3) addressing CVE-2026-40894
    • Refreshed dependencies across core libraries, tooling, and test infrastructure
    • Removed obsolete build configuration suppression
    • No API surface changes

…(0.9.37)

Bump OpenTelemetry 1.15.2 -> 1.15.3 to clear the transitive OpenTelemetry.Api
advisory (CVE-2026-40894 / GHSA-g94r-2vxg-569j, NU1902 moderate: excessive
memory allocation parsing propagation headers), then remove the now-dead
<WarningsNotAsErrors>NU1902</WarningsNotAsErrors> from Transport.SQLite.csproj.

Broader dependency refresh across Directory.Packages.props: Microsoft.Data.SqlClient
7.0.1, Npgsql 10.0.3, SimpleInjector 5.5.2, StackExchange.Redis 2.13.17, MudBlazor
9.5.0, CronExpressionDescriptor 2.48.0, Cronos 0.13.0, SourceLink 10.0.300, the
Microsoft.Extensions/System.* set -> 10.0.8; test tooling coverlet 10.0.1, MSTest
4.2.3, Test.Sdk 18.6.0, Retry 2.2.3, bunit 2.7.2, Playwright 1.60.0, TestHost(net10)
10.0.8.

FluentAssertions held at 6.12.2 (last MIT release); Microsoft.AspNetCore.TestHost
net8 target held on the 8.0.x line. Bump version 0.9.36 -> 0.9.37 + CHANGELOG.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
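A defender-side CI check for the pattern this PR describes (a transitive NuGet advisory temporarily downgraded with WarningsNotAsErrors, then cleared by a package bump), written as an added example that is not part of the PR or of the DotNetWorkQueue project: it flags NU19xx codes a project file suppresses and fails on advisories reported by `dotnet list package --vulnerable --include-transitive --format json`. The csproj fragment and the audit JSON are constructed; the JSON field names (`topLevelPackages`, `transitivePackages`, `vulnerabilities`, `severity`, `advisoryurl`) are assumed from the SDK's JSON output rather than taken from the page, and `NoWarn` is checked alongside `WarningsNotAsErrors` because it silences the same codes.

```python
"""Added example (not project code): gate a .NET build on NuGet audit results.
Checks (1) that no project file suppresses NU19xx audit warnings and (2) that
`dotnet list package --vulnerable --include-transitive --format json` reports
no advisory at or above a threshold. JSON field names are an assumption."""
import json
import re

SEVERITY_RANK = {"low": 1, "moderate": 2, "high": 3, "critical": 4}
NU_SUPPRESSION = re.compile(r"<(WarningsNotAsErrors|NoWarn)>([^<]*)</\1>")

# Constructed csproj fragment in the 0.9.36 (pre-fix) state.
CSPROJ_BEFORE = """<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|AnyCPU'">
  <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
  <WarningsNotAsErrors>NU1902</WarningsNotAsErrors>
</PropertyGroup>"""
CSPROJ_AFTER = CSPROJ_BEFORE.replace("  <WarningsNotAsErrors>NU1902</WarningsNotAsErrors>\n", "")

# Constructed audit output: the transitive OpenTelemetry.Api hit this PR clears.
AUDIT_JSON = json.dumps({"version": 1, "projects": [{"path": "Transport.SQLite.csproj",
    "frameworks": [{"framework": "net8.0",
        "topLevelPackages": [{"id": "OpenTelemetry", "resolvedVersion": "1.15.2", "vulnerabilities": []}],
        "transitivePackages": [{"id": "OpenTelemetry.Api", "resolvedVersion": "1.15.2",
            "vulnerabilities": [{"severity": "Moderate",
                "advisoryurl": "https://github.com/advisories/GHSA-g94r-2vxg-569j"}]}]}]}]})

def suppressed_audit_codes(project_xml):
    """NU19xx codes the project file keeps from failing the build."""
    codes = set()
    for _tag, body in NU_SUPPRESSION.findall(project_xml):
        codes.update(c for c in re.split(r"[;,\s]+", body) if re.fullmatch(r"NU19\d\d", c))
    return codes

def advisories_at_or_above(audit_json, threshold="moderate"):
    """(package, version, advisory URL) for every hit >= threshold, transitive ones included."""
    hits = []
    for project in json.loads(audit_json)["projects"]:
        for fw in project.get("frameworks", []):
            for pkg in fw.get("topLevelPackages", []) + fw.get("transitivePackages", []):
                for vuln in pkg.get("vulnerabilities", []):
                    if SEVERITY_RANK.get(vuln["severity"].lower(), 0) >= SEVERITY_RANK[threshold]:
                        hits.append((pkg["id"], pkg["resolvedVersion"], vuln["advisoryurl"]))
    return hits

def gate(project_xml, audit_json, threshold="moderate"):
    """Pass only when nothing is suppressed and nothing at or above threshold is reported."""
    return not suppressed_audit_codes(project_xml) and not advisories_at_or_above(audit_json, threshold)

if __name__ == "__main__":
    print("advisories:", advisories_at_or_above(AUDIT_JSON))   # one OpenTelemetry.Api hit
    print("gate passes:", gate(CSPROJ_BEFORE, AUDIT_JSON))     # False
```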

coderabbitai Bot commented May 28, 2026

Walkthrough

DotNetWorkQueue is released as version 0.9.37 with updated dependencies, a critical OpenTelemetry security patch (CVE-2026-40894), removal of an obsolete build warning suppression, and refreshed test/tooling packages. No API surface changes.

Changes

Version 0.9.37 Release

Layer / File(s) Summary
Version bump and NuGet dependency updates
Source/Directory.Build.props, Source/Directory.Packages.props
Project version incremented to 0.9.37; OpenTelemetry patched to 1.15.3 (CVE-2026-40894), and core, dashboard, transport, and test-infrastructure dependencies refreshed. Microsoft.AspNetCore.TestHost updated for net10.0 target.
Build configuration cleanup
Source/DotNetWorkQueue.Transport.SQLite/DotNetWorkQueue.Transport.SQLite.csproj
NU1902 NuGet warning suppression removed from both Release property groups (net8.0|AnyCPU and AnyCPU) as the underlying dependency issue is now resolved.
Release documentation
CHANGELOG.md
Version 0.9.37 release entry documents OpenTelemetry CVE fix, NU1902 suppression removal, dependency refreshes, and confirms no API surface changes.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 A patch hops through, security's sealed tight,
OpenTelemetry shines with CVE in flight,
Warnings dismissed, dependencies refreshed with care,
Version point-three-seven floats through the air!

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately summarizes the primary changes: a security fix for OpenTelemetry CVE-2026-40894 and a broad dependency refresh, with the version bump included for clarity.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.



coderabbitai Bot commented May 28, 2026

Actionable comments posted: 0


codecov Bot commented May 28, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 87.35%. Comparing base (33b19c6) to head (9353e02).
⚠️ Report is 3 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master     #154      +/-   ##
==========================================
- Coverage   89.80%   87.35%   -2.45%     
==========================================
  Files        1002     1005       +3     
  Lines       29703    32779    +3076     
  Branches     2405     2764     +359     
==========================================
+ Hits        26674    28635    +1961     
- Misses       2367     3295     +928     
- Partials      662      849     +187     


@blehnen blehnen merged commit 7bdc7e8 into master May 28, 2026
4 of 5 checks passed
@blehnen blehnen deleted the dependency-refresh-0.9.37 branch May 28, 2026 17:15