Skip to content

chore(deps): dependency refresh + OpenTelemetry CVE-2026-40894 fix (0.9.37)#154

Merged
blehnen merged 1 commit into
masterfrom
dependency-refresh-0.9.37
May 28, 2026
Merged

chore(deps): dependency refresh + OpenTelemetry CVE-2026-40894 fix (0.9.37)#154
blehnen merged 1 commit into
masterfrom
dependency-refresh-0.9.37

Conversation

@blehnen
Copy link
Copy Markdown
Owner

@blehnen blehnen commented May 28, 2026
edited
Loading

Summary

  • Security fix: OpenTelemetry 1.15.2 → 1.15.3 clears the transitive OpenTelemetry.Api advisory CVE-2026-40894 / GHSA-g94r-2vxg-569j (NU1902, moderate — excessive memory allocation parsing OpenTelemetry propagation headers). With the advisory gone, the <WarningsNotAsErrors>NU1902</WarningsNotAsErrors> workaround added in 0.9.36 (ISSUE-032) is removed from Transport.SQLite.csproj.
  • Dependency refresh across Directory.Packages.props — see CHANGELOG for the full list. Shipping highlights: SqlClient 7.0.1, Npgsql 10.0.3, SimpleInjector 5.5.2, StackExchange.Redis 2.13.17, MudBlazor 9.5.0, Cronos 0.13.0, SourceLink 10.0.300, and the Microsoft.Extensions/System.* set → 10.0.8.
  • Test tooling: coverlet.collector 8.0.1 → 10.0.1 (2-major), MSTest 4.2.3, Test.Sdk 18.6.0, Retry 2.2.3, bunit 2.7.2, Playwright 1.60.0, TestHost(net10) 10.0.8.
  • Version 0.9.36 → 0.9.37.

Deliberately held back

  • FluentAssertions stays at 6.12.2 (last MIT-licensed release).
  • Microsoft.AspNetCore.TestHost net8 target stays on the 8.0.x line (only the net10 target bumped).

Local verification

  • dotnet restore (full solution): zero NU19xx warnings.
  • dotnet build DotNetWorkQueueNoTests.sln -c Release -p:CI=true: 0 warnings / 0 errors under TreatWarningsAsErrors — confirms SQLite builds clean without the NU1902 suppression.
  • DotNetWorkQueue.Tests: 905 passed / 0 failed.

Reviewer attention

  • MudBlazor 9.3.0 → 9.5.0 — Dashboard UI; covered by bUnit + Playwright stages.
  • Playwright 1.54.0 → 1.60.0 — the E2E agent may need playwright install for updated browser binaries.
  • Cronos 0.12.0 → 0.13.0 — core cron parsing; leans on the JobScheduler integration stage.

Test plan

  • Jenkins: 14 integration stages green (full transport matrix incl. JobScheduler, Dashboard UI E2E)
  • CodeRabbit review
  • After green: push v0.9.37 tag to trigger publish.yml

🤖 Generated with Claude Code

Summary by CodeRabbit

Release 0.9.37

  • Chores
    • Version updated to 0.9.37
    • Security patch applied to OpenTelemetry (1.15.2 → 1.15.3) addressing CVE-2026-40894
    • Refreshed dependencies across core libraries, tooling, and test infrastructure
    • Removed obsolete build configuration suppression
    • No API surface changes

Review Change Stack

@blehnen @claude
chore(deps): refresh dependencies + fix OpenTelemetry CVE-2026-40894
9353e02 
…(0.9.37)

Bump OpenTelemetry 1.15.2 -> 1.15.3 to clear the transitive OpenTelemetry.Api
advisory (CVE-2026-40894 / GHSA-g94r-2vxg-569j, NU1902 moderate: excessive
memory allocation parsing propagation headers), then remove the now-dead
<WarningsNotAsErrors>NU1902</WarningsNotAsErrors> from Transport.SQLite.csproj.

Broader dependency refresh across Directory.Packages.props: Microsoft.Data.SqlClient
7.0.1, Npgsql 10.0.3, SimpleInjector 5.5.2, StackExchange.Redis 2.13.17, MudBlazor
9.5.0, CronExpressionDescriptor 2.48.0, Cronos 0.13.0, SourceLink 10.0.300, the
Microsoft.Extensions/System.* set -> 10.0.8; test tooling coverlet 10.0.1, MSTest
4.2.3, Test.Sdk 18.6.0, Retry 2.2.3, bunit 2.7.2, Playwright 1.60.0, TestHost(net10)
10.0.8.

FluentAssertions held at 6.12.2 (last MIT release); Microsoft.AspNetCore.TestHost
net8 target held on the 8.0.x line. Bump version 0.9.36 -> 0.9.37 + CHANGELOG.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@coderabbitai
Copy link
Copy Markdown

coderabbitai Bot commented May 28, 2026
edited
Loading

📝 Walkthrough

Walkthrough

DotNetWorkQueue is released as version 0.9.37 with updated dependencies, a critical OpenTelemetry security patch (CVE-2026-40894), removal of an obsolete build warning suppression, and refreshed test/tooling packages. No API surface changes.

Changes

Version 0.9.37 Release

Layer / File(s) Summary
Version bump and NuGet dependency updates
Source/Directory.Build.props, Source/Directory.Packages.props		 Project version incremented to 0.9.37; OpenTelemetry patched to 1.15.3 (CVE-2026-40894), and core, dashboard, transport, and test-infrastructure dependencies refreshed. Microsoft.AspNetCore.TestHost updated for net10.0 target.
Build configuration cleanup
Source/DotNetWorkQueue.Transport.SQLite/DotNetWorkQueue.Transport.SQLite.csproj		 NU1902 NuGet warning suppression removed from both Release property groups (net8.0|AnyCPU and AnyCPU) as the underlying dependency issue is now resolved.
Release documentation
CHANGELOG.md		 Version 0.9.37 release entry documents OpenTelemetry CVE fix, NU1902 suppression removal, dependency refreshes, and confirms no API surface changes.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 A patch hops through, security's sealed tight,
OpenTelemetry shines with CVE in flight,
Warnings dismissed, dependencies refreshed with care,
Version point-three-seven floats through the air!

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately summarizes the primary changes: a security fix for OpenTelemetry CVE-2026-40894 and a broad dependency refresh, with the version bump included for clarity.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@coderabbitai
Copy link
Copy Markdown

coderabbitai Bot commented May 28, 2026

Actionable comments posted: 0

@codecov
Copy link
Copy Markdown

codecov Bot commented May 28, 2026
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 87.35%. Comparing base (33b19c6) to head (9353e02).
⚠️ Report is 3 commits behind head on master.

Additional details and impacted files 
@@            Coverage Diff             @@
##           master     #154      +/-   ##
==========================================
- Coverage   89.80%   87.35%   -2.45%     
==========================================
  Files        1002     1005       +3     
  Lines       29703    32779    +3076     
  Branches     2405     2764     +359     
==========================================
+ Hits        26674    28635    +1961     
- Misses       2367     3295     +928     
- Partials      662      849     +187

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@blehnen blehnen merged commit 7bdc7e8 into master May 28, 2026
4 of 5 checks passed
@blehnen blehnen deleted the dependency-refresh-0.9.37 branch May 28, 2026 17:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@blehnen