chore(deps): consolidated Dependabot updates + MediatR 14 (community license)#36

Merged
flydyk merged 5 commits into main from deps/dependabot-consolidation
Jun 5, 2026

Conversation

@flydyk flydyk commented Jun 4, 2026

Contributor

Consolidates the open Dependabot PRs into one reviewable change, plus the
MediatR 14 upgrade (now that a Lucky Penny community license was obtained).
Each bump was applied, breakages fixed, and the suite verified locally.

Backend (NuGet — Directory.Packages.props)

| Package | From → To | PR |
| --- | --- | --- |
| MediatR | 12.5.0 → 14.1.0 | #33 |
| FluentValidation (+ DI ext) | 11.11 → 12.1.1 | #31 |
| Mapster | 7.4 → 10.0.7 | #32 |
| AwesomeAssertions | 8.0 → 9.4.0 | #28 |
| Microsoft.NET.Test.Sdk | 17.12 → 18.6.0 | #34 |
| xunit.runner.visualstudio | 2.8.2 → 3.1.5 | #35 |
| coverlet.collector | 6.0.2 → 10.0.1 | #29 |
| xunit + Microsoft.* runtime | 2.9.3 / 10.0.8 | #27 |

Fixes: AwesomeAssertions 9 dropped the FluentAssertions namespace → updated GlobalUsings.cs.

Frontend (npm — src/frontend)

| Package | From → To | PR |
| --- | --- | --- |
| vite | 5 → 8.0.16 (rolldown) | #25 |
| vitest | 1 → 4.1.8 | #22 |
| @vitejs/plugin-vue | 5 → 6.0.7 | #23 |
| vue-tsc | 2 → 3.3.3 | #20 |
| typescript | 5.5 → 6.0.3 | #18 |
| vue-router | 4 → 5.1.0 | #21 |
| pinia | 2 → 3.0.4 | #24 |
| @vue/test-utils | 2.4.6 → 2.4.11 | #17 |
| jsdom | 24 → 29.1.1 | #19 |

Fixes: added src/vite-env.d.ts (CSS/SCSS ambient types); OakTree.vue <svg> via stable function ref; Vitest pool pinned to threads; lockfile regenerated under Node 22 so platform-native rolldown bindings (incl. Linux for CI) resolve.

MediatR #33 — upgraded under a community license

v13+ is commercially licensed; a Lucky Penny Software community license was obtained, so MediatR moves to 14.1.0:

  • AddApplication registers AddLogging() (v14's license check resolves ILoggerFactory, needed on bare ServiceCollections in unit tests) and applies the key when supplied.
  • The key is read from config (MediatR:LicenseKey) — set via user-secrets / MediatR__LicenseKey env var, never committed. Without it MediatR still runs (unlicensed warning), so CI needs no secret.
  • Added Microsoft.Extensions.Logging 10.0.8. Docs (runbook, design spec, CLAUDE.md) updated.

CI / config

Verification (local, Node 22.22.3)

  • Backend: dotnet test -c Release → 31 + 5 pass; dotnet list package --vulnerable → none.
  • Frontend: npm run build OK; npm test → 21 files / 132 tests pass; npm audit --audit-level=high → 0 vulnerabilities.

Supersedes / closes

Backend #27 #28 #29 #31 #32 #33 #34 #35 · Frontend #17 #18 #19 #20 #21 #22 #23 #24 #25 · Actions #16

🤖 Generated with Claude Code

flydyk and others added 3 commits June 5, 2026 02:48
Consolidates Dependabot backend PRs:
- FluentValidation + DI ext 11.11 -> 12.1.1 (#31)
- Mapster 7.4 -> 10.0.7 (#32)
- AwesomeAssertions 8.0 -> 9.4.0 (#28) — namespace moved
  FluentAssertions -> AwesomeAssertions; updated GlobalUsings
- Microsoft.NET.Test.Sdk 17.12 -> 18.6.0 (#34)
- xunit.runner.visualstudio 2.8.2 -> 3.1.5 (#35)
- coverlet.collector 6.0.2 -> 10.0.1 (#29)
- xunit 2.9.2 -> 2.9.3, Microsoft.* runtime 10.0.0 -> 10.0.8 (#27)

MediatR deliberately NOT bumped: v13+ is commercially licensed; the
project pins 12.x to stay OSS-free (see dependabot.yml ignore rule).

Verified: dotnet test -c Release -> 31 + 5 pass; no vulnerable packages.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

Consolidates Dependabot frontend PRs:
- vite 5 -> 8.0.16 (#25, now bundles via rolldown)
- vitest 1 -> 4.1.8 (#22)
- @vitejs/plugin-vue 5 -> 6.0.7 (#23)
- vue-tsc 2 -> 3.3.3 (#20)
- typescript 5.5 -> 6.0.3 (#18)
- vue-router 4 -> 5.1.0 (#21)
- pinia 2 -> 3.0.4 (#24)
- @vue/test-utils 2.4.6 -> 2.4.11 (#17)
- jsdom 24 -> 29.1.1 (#19)

Code fixes required by the toolchain majors:
- Add src/vite-env.d.ts (/// <reference types="vite/client" />): vue-tsc 3
  / TS 6 now type-check side-effect CSS/SCSS imports in main.ts.
- OakTree.vue: wire the <svg> through a stable function ref. vue-tsc 3 no
  longer counts a string ref="svgRef" (composable-owned) as a read, and a
  dynamic :ref auto-unwraps to the element; the function form is correct.
- vite.config.ts: pin Vitest's worker pool to 'threads' (its Vitest-1
  default); Vitest 4 changed it to 'forks', which times out spawning many
  child processes.

Lockfile regenerated under Node 22 / npm 10 so platform-native rolldown
bindings (incl. linux-x64-gnu/musl for CI) resolve. MediatR-equivalent
licensing concern N/A here.

Verified on Node 22.22.3: npm run build OK; vitest 21 files / 132 tests
pass; npm audit -> 0 vulnerabilities.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

- codeql.yml: github/codeql-action init+analyze v3 -> v4 (#16)
- dependabot.yml: ignore MediatR semver-major bumps (v13+ is commercially
  licensed); 12.x minor/patch still flow. Closes the loop on #33.
- ci.yml: drop `--omit=dev` from the npm audit gate now that the Vite 8 /
  Vitest 4 upgrade cleared the dev-toolchain advisories (full tree is clean).
- docs/ci-cd/pr-quality-gates.md: document the full-tree audit + MediatR pin.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

A Lucky Penny Software community license was obtained, so MediatR is no
longer held at the OSS 12.x line.

- Directory.Packages.props: MediatR 14.1.0; add Microsoft.Extensions.Logging
  10.0.8 (v14's license check resolves ILoggerFactory).
- AddApplication: register AddLogging() so MediatR's license check works on a
  bare ServiceCollection (unit tests), and apply the license key when supplied.
- Program.cs: pass MediatR:LicenseKey from configuration.
- appsettings.json: document the MediatR:LicenseKey slot (blank; real key via
  user-secrets or MediatR__LicenseKey env var — never committed).
- dependabot.yml: drop the MediatR semver-major ignore (now licensed).
- Docs (runbook, design spec, CLAUDE.md): reflect MediatR 14.x + licensing.

Verified: dotnet test -c Release -> 31 + 5 pass; no vulnerable packages.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

@flydyk flydyk changed the title from "chore(deps): consolidated Dependabot updates (backend + frontend + CI)" to "chore(deps): consolidated Dependabot updates + MediatR 14 (community license)" Jun 5, 2026

Enables `dotnet user-secrets set "MediatR:LicenseKey" "<key>"` so the Lucky
Penny community license key is supplied locally without committing it. The id
is not a secret. (Also tidies the csproj formatting that `user-secrets init`
collapsed.)

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@flydyk flydyk merged commit 807fa8c into main Jun 5, 2026
5 checks passed
@flydyk flydyk deleted the deps/dependabot-consolidation branch June 5, 2026 00:31
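
The PR keeps the `MediatR:LicenseKey` slot in appsettings.json blank and supplies the real key through user-secrets or the `MediatR__LicenseKey` environment variable. A CI guard for that rule, as an added example that is not code from this repository: `committed_license_keys` and its helpers are hypothetical names, and the sample file contents are constructed.

```python
import json
import re

# Config path named in the PR, lower-cased because .NET configuration keys are case-insensitive.
SECRET_PATH = ("mediatr", "licensekey")

def strip_json_comments(text):
    """Remove // and /* */ comments outside string literals (appsettings files may carry them)."""
    pattern = r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/'
    return re.sub(pattern, lambda m: m.group(0) if m.group(0).startswith('"') else "",
                  text, flags=re.S)

def flatten(node, prefix=()):
    """Yield (path, value) leaves; a flat "MediatR:LicenseKey" key equals the nested form."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from flatten(value, prefix + tuple(key.lower().split(":")))
    else:
        yield prefix, node

def committed_license_keys(files):
    """Return the names of config files whose MediatR:LicenseKey slot is not blank."""
    offenders = []
    for name, text in files.items():
        try:
            doc = json.loads(strip_json_comments(text))
        except json.JSONDecodeError:
            offenders.append(name)  # fail closed: an unparseable config cannot be vetted
            continue
        for path, value in flatten(doc):
            if path == SECRET_PATH and isinstance(value, str) and value.strip():
                offenders.append(name)
                break
    return offenders

# Constructed sample files (not taken from the repository).
SAMPLES = {
    "appsettings.json": '{ "MediatR": { "LicenseKey": "" } // blank slot\n}',
    "appsettings.Development.json": '{ "mediatr:licensekey": "CONSTRUCTED-PLACEHOLDER-KEY" }',
    "appsettings.Staging.json": '{ "Note": "see // docs", "MediatR": { "LicenseKey": "  " } }',
}

if __name__ == "__main__":
    print(committed_license_keys(SAMPLES))
```

In a pipeline the `files` mapping would be built from the tracked appsettings*.json files, and a non-empty result would fail the job.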