chore(deps): update nuget packages #1159

Open
renovate[bot] wants to merge 1 commit into main from renovate/nuget

Conversation

renovate[bot] (Contributor) commented Feb 17, 2026

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package | Change
AMQPNetLite.Core | 2.5.1 → 2.5.2
AWSSDK.Core | 3.7.500.80 → 3.7.501
AWSSDK.S3 | 3.7.510.6 → 3.7.511.7
AWSSDK.SQS | 3.7.502.39 → 3.7.502.56
AWSSDK.SecurityToken | 3.7.504.32 → 3.7.504.49
Destructurama.Attributed | 5.2.0 → 5.3.0
Google.Cloud.PubSub.V1 | 3.32.0 → 3.34.0
Grpc.AspNetCore.Web | 2.76.0 → 2.80.0
Grpc.Core.Api | 2.76.0 → 2.80.0
Grpc.HealthCheck | 2.76.0 → 2.80.0
Grpc.Net.Client | 2.76.0 → 2.80.0
Grpc.Net.Common | 2.76.0 → 2.80.0
Microsoft.AspNetCore.TestHost | 8.0.24 → 8.0.27
Microsoft.Bcl.AsyncInterfaces | 10.0.3 → 10.0.8
Microsoft.Extensions.Caching.Memory | 10.0.3 → 10.0.8
Microsoft.Extensions.Configuration | 10.0.3 → 10.0.8
Microsoft.Extensions.Configuration.Binder | 10.0.3 → 10.0.8
Microsoft.Extensions.Configuration.CommandLine | 10.0.3 → 10.0.8
Microsoft.Extensions.Configuration.EnvironmentVariables | 10.0.3 → 10.0.8
Microsoft.Extensions.Configuration.Json | 10.0.3 → 10.0.8
Microsoft.Extensions.DependencyInjection | 10.0.3 → 10.0.8
Microsoft.Extensions.DependencyInjection.Abstractions | 10.0.3 → 10.0.8
Microsoft.Extensions.Diagnostics.HealthChecks | 8.0.24 → 8.0.27
Microsoft.Extensions.Logging.Abstractions | 10.0.3 → 10.0.8
Microsoft.NET.Test.Sdk | 18.0.1 → 18.5.1
NATS.Client.JetStream | 2.7.2 → 2.8.0
NATS.Net | 2.7.2 → 2.8.0
NUnit | 4.4.0 → 4.6.0
NUnit.Analyzers | 4.11.2 → 4.13.0
NUnit3TestAdapter | 6.1.0 → 6.2.0
StackExchange.Redis | 2.11.0 → 2.13.1
coverlet.collector | 8.0.0 → 8.0.1

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

Azure/amqpnetlite (AMQPNetLite.Core)

v2.5.2: Release 2.5.2

Fixes and improvements:

  • [#​630] Add OnLinkStateProperties callback for flow link-state properties
  • [#634] Handle ObjectDisposedException in WebSocket close

aws/aws-sdk-net (AWSSDK.S3)

v3.7.511

destructurama/attributed (Destructurama.Attributed)

v5.3.0

New features

  • Add UsingAttributes overload used by serilog-settings-configuration by @​sungam3r in #​230

Changes for CI and tests

Full Changelog: destructurama/attributed@5.2.0...5.3.0

googleapis/google-cloud-dotnet (Google.Cloud.PubSub.V1)

v3.34.0: Google.Cloud.PubSub.V1 version 3.34.0

Bug fixes
  • Increase streaming pull timeout
Documentation improvements
  • Fix documentation URL AIInference MessageTransform service_account_email field

v3.33.0: Google.Cloud.PubSub.V1 version 3.33.0

New features
  • Add BigtableConfig type

grpc/grpc-dotnet (Grpc.AspNetCore.Web)

v2.80.0

What's Changed
New Contributors

Full Changelog: grpc/grpc-dotnet@v2.76.0...v2.80.0

dotnet/dotnet (Microsoft.Bcl.AsyncInterfaces)

v10.0.8

v10.0.7

v10.0.6

v10.0.5

v10.0.4

microsoft/vstest (Microsoft.NET.Test.Sdk)

v18.5.1

What's Changed

Full Changelog: microsoft/vstest@v18.5.0...v18.5.1

v18.5.0

⚠️ Unlisted on Nuget, because of #​15718

What's Changed

Full Changelog: microsoft/vstest@v18.4.0...v18.5.0

v18.4.0

What's Changed
New Contributors

Full Changelog: microsoft/vstest@v18.3.0...v18.4.0

v18.3.0

What's Changed
Internal fixes and updates
New Contributors

nats-io/nats.net (NATS.Client.JetStream)

v2.8.0: NATS .NET v2.8.0

NuGet

Happy to announce the NATS .NET 2.8.0 stable release of the 2.8 line. It picks up the NATS Server v2.14 client surface (consumer reset, $JS.FC.* flow-control replies, Consumer field on stream source/mirror, AllowBatchPublish on stream config), ships two breaking changes that landed in the preview cycle, and fixes in-flight message loss on consumer/connection dispose behind an opt-in drain.

A big thank you to all NATS contributors and community members who helped make this release possible. <3

NATS Server v2.14 Features

  • ResetConsumerAsync on INatsJSContext and INatsJSConsumer (ADR-60), to reset a pinned consumer's state (#​1126).
  • $JS.FC.* flow-control replies are parsed by the JS metadata layer, for streams that publish with the js_ack_fc_v2 flag (#​1127).
  • Consumer field on StreamSource and stream mirror config, for pre-created mirror/source consumers (#​1128).
  • AllowBatchPublish on StreamConfig (JSON allow_batched), required by streams that opt into fast-ingest batch publishing per ADR-50 (#​1120). The fast-ingest publisher itself lives in orbit.net alongside the existing atomic batch publisher.

Breaking Changes

Subject Validation On By Default (#​1093)

Subjects containing whitespace (space, tab, CR, LF) now throw NatsException. This closes a class of CRLF injection issues from malformed subjects.

Opt out if you rely on legacy subjects that contain whitespace:

var opts = NatsOpts.Default with { SkipSubjectValidation = true };

NKeyPair Removed From NATS.Client.Core (#1101)

NATS.Client.Core.NKeys and NKeyPair are removed. Signing now goes through the NATS.NKeys package, which lets the nkey/Ed25519 code be versioned independently of the client.

For typical users this is transparent: keep using NatsAuthOpts.NKeyFile, CredsFile, Jwt + Seed, or AuthCredCallback and the client wires up the new signer automatically.

Only direct callers of NATS.Client.Core.NKeyPair need to switch:

// Before
using NATS.Client.Core;
var kp = NKeyPair.FromSeed(seed);
var sig = kp.Sign(nonce);

// After
using NATS.NKeys;
var kp = KeyPair.FromSeed(seed);
var sig = kp.Sign(nonce);

Other Notable Changes

  • Server error event (#​745): a new event on NatsConnection surfaces server-side errors to client code.
  • Message loss on consumer dispose (#​1085): opt-in drain keeps in-flight messages from being dropped when a consumer or connection is disposed. Enable with:
    var opts = NatsOpts.Default with
    {
        DrainSubscriptionsOnDispose = true,
        ConsumerDrainOnDisposeTimeout = TimeSpan.FromSeconds(10),
    };
  • Auth signs the server nonce regardless of auth_required advertisement (#​1109), so NKey/credential clients respond to the challenge even when the server doesn't advertise auth_required.
  • Connection state resets cleanly on credential loading failure (#​1107).
  • Duplicate status headers no longer leak an incorrect Pin ID (#​1116); other Pin ID handling improvements (#​1099).
  • KV watcher cancellation behavior fix (#​1084).
  • Protocol size checks: 64MB incoming payload cap, matching nats.js (#​1095).
  • Range attribute fix on MaxBytes (#​1096).
  • ArrayPool buffers are cleared before return to pool (#​1097).

What's Changed

Since 2.8.0-preview.3:

  • Add server error event (#​745)
  • Add Client and Orbit section to README (#​1133)
  • Add Example Docs (#​1119)
  • Migrate solution to slnx format (#​1131)

2.8.0-preview.3:

  • Fix message loss on consumer dispose (#​1085)
  • Add consumer reset API (#​1126) [server 2.14]
  • Add consumer field on stream source/mirror (#​1128) [server 2.14]
  • Add $JS.FC support to JS metadata parser (#​1127) [server 2.14]

2.8.0-preview.2:

  • Add AllowBatchPublish stream config field (#​1120) [server 2.14]
  • Bump OpenTelemetry and OpenTelemetry.Exporter.OpenTelemetryProtocol (#​1121)
  • Fix setting wrong pin id from status header (#​1116) (thanks @​colprog)
  • Fix slow-consumer test first-ping RTT flap (#​1115)
  • Fix net481 TLS test flakes (#​1111)
  • Rewrite README intro (#​1114)

2.8.0-preview.1:

Full Changelog: nats-io/nats.net@v2.7.3...v2.8.0

Download from NuGet at https://www.nuget.org/packages/NATS.Net/2.8.0

v2.7.3: NATS .NET v2.7.3

Announcing a new version of NATS .NET client library covering various fixes and a security update on one dependency for NETStandard targets (#​1089) even though the vulnerable API is not used by our library.

A big thank you to all NATS contributors and community members who helped make this release possible ❤️

Breaking Changes
NakAsync Signature Change (#​1081)

The TimeSpan delay parameter has been removed from INatsJSMsg<T>.NakAsync(). The delay must now be passed via AckOpts.NakDelay.

Before (v2.7.2):

await msg.NakAsync(delay: TimeSpan.FromSeconds(5));
await msg.NakAsync(opts, TimeSpan.FromSeconds(5));

After (v2.7.3):

// Option 1: Use the new extension method
await msg.NakAsync(TimeSpan.FromSeconds(5));

// Option 2: Use AckOpts with NakDelay
await msg.NakAsync(new AckOpts { NakDelay = TimeSpan.FromSeconds(5) });

Note: because we also have an extension method, recompiling your project is enough.

AckTerminateAsync TermWithReason (#​1048, #​1081)

AckTerminateAsync now supports an optional termination reason. A new overload and a new TerminateReason property on AckOpts have been added to INatsJSMsg<T>. Implementors of this interface must add the new method.

// New overload
await msg.AckTerminateAsync("processing failed permanently");

// Or via AckOpts
await msg.AckTerminateAsync(new AckOpts { TerminateReason = "processing failed permanently" });

// Extension method shorthand
await msg.AckTerminateAsync("reason", cancellationToken);

Requires NATS Server 2.10.4+.

PinnedClient Validation (#​1063)

Calling NextAsync(), FetchAsync(), or FetchNoWaitAsync() on a consumer with PriorityPolicy.PinnedClient now throws NatsJSException. Use ConsumeAsync() instead.

// This now throws NatsJSException:
var msg = await consumer.NextAsync<string>();

// Use ConsumeAsync instead:
await foreach (var msg in consumer.ConsumeAsync<string>())
{
    // process message
}

Consumer Cancellation Handling (#1068)

Consumer methods (ConsumeAsync, FetchAsync, NextAsync) now call cancellationToken.ThrowIfCancellationRequested() immediately at method entry. Previously cancelled tokens were checked later in the async pipeline.

var cts = new CancellationTokenSource();
cts.Cancel();

// v2.7.2: exception thrown sometime during async operation
// v2.7.3: OperationCanceledException thrown immediately
await consumer.FetchAsync<string>(cancellationToken: cts.Token);

StreamSnapshotRequest ChunkSize Type Change (#1088)

StreamSnapshotRequest.ChunkSize changed from long to int? with a narrower validation range (1KB–1MB). WindowSize (int?) was added as a new optional property.

// Before (v2.7.2)
var req = new StreamSnapshotRequest { ChunkSize = 1024L };

// After (v2.7.3)
var req = new StreamSnapshotRequest
{
    ChunkSize = 1024,          // int? now, valid range: 1024–1048576
    WindowSize = 8388608,      // new optional, valid range: 1024–33554432
};

WindowSize requires NATS Server 2.12.5+.

OpenTelemetry Tag Change (#​1078)

The telemetry tag network.protocol.version (value: protocol version number) has been replaced with network.transport (value: "tcp") to align with OpenTelemetry semantic conventions. Update any dashboards or alerting rules that filter on the old tag name.

Default Parameter Values Changed from default to null (#​1081)

All optional parameters on INatsJSMsg<T> methods (AckAsync, NakAsync, AckProgressAsync, AckTerminateAsync, ReplyAsync) changed from = default to = null. This is source-compatible but binary-breaking — existing compiled assemblies must be recompiled against v2.7.3.

What's Changed

Full Changelog: nats-io/nats.net@v2.7.2...v2.7.3

CVE Update

Microsoft.Bcl.Memory is a transitive dependency for netstandard2.0 targets, so any app pulling in NATS.Client.Core gets it. Even though this library doesn't call the vulnerable Base64Url.Decode API, the consuming application (or another dependency in its graph) might. A CVSSv3 7.5 DoS from a malformed network input is not something you want sitting in your dependency tree. (Microsoft CVE)

If you are not upgrading to this new version of NATS .NET and you are targeting NETStandard2.0, your application should add an explicit package reference to force the patched version:

  <PackageReference Include="Microsoft.Bcl.Memory" Version="9.0.14" />

You don't need to upgrade NATS.NET itself to get the fix if you need time. NuGet will happily resolve the newer patch version of Microsoft.Bcl.Memory since it's within the same major.minor range.

Here is a report generated by AI:

NATS .NET library implementation is not affected by the same bug. Different vulnerability, different code.

The CVE is about an out-of-bounds read in System.Buffers.Text.Base64Url's decode path when processing malformed
input — that's a SIMD-optimized native implementation with pointer arithmetic that can overrun its buffer.

Your custom Base64UrlEncoder (borrowed from Azure AD IdentityModel):

  • Decode path: Converts Base64Url chars back to standard Base64 chars (- → +, _ → /), pads with =, then delegates to
    Convert.FromBase64String(). The actual decoding is done by the framework's well-tested Convert.FromBase64String,
    which will throw FormatException on malformed input rather than reading out of bounds.
  • Validates input length: Rejects length % 4 == 1 upfront (line 164), which is always invalid.
  • Bounded loops: The unsafe code in UnsafeDecode only iterates up to str.Length and decodedLength (which is at most
    str.Length + 3), and the output string is allocated to exactly decodedLength.

The implementation is sound. It's not pretty (mutating "immutable" strings via fixed pointers is a hack), but it's
not vulnerable to the same class of bug.

Download from NuGet at https://www.nuget.org/packages/NATS.Net/2.7.3

nunit/nunit (NUnit)

v4.6.0: NUnit 4.6.0

See release notes for details.

v4.5.1: V 4.5.1

See release notes for details.

v4.5.0: V 4.5.0

See release notes for details.

nunit/nunit.analyzers (NUnit.Analyzers)

v4.13.0: NUnit Analyzers 4.13 - May 2, 2026

This release of the NUnit Analyzers updates analyzer handling for the NUnit 4.6 API change that replaces
ActualValueDelegate<> with Func<> - see nunit/nunit#4824 for more information.
Analyzers now also consider the return type of Func<> in assertions. The release also includes one bug fix and
some dependency updates.

The release contains contributions from the following users (in alphabetical order):

Issues Resolved

Features and Enhancements

  • #​982 Recognized Func<T> return values

Bugs

  • #​968 Whitespace issue in Does.Contain fixer when assert spans multiple lines

Tooling, Process, and Documentation

  • #​985 chore: Bump year to 2026 in copyrights
  • #​978 Bump cake.tool from 6.0.0 to 6.1.0
  • #​976 chore: Correct documentation
  • #​975 chore: bump version
  • #​956 Bump cake.tool from 4.0.0 to 6.0.0

v4.12.0: NUnit Analyzers 4.12 - March 3, 2026

This release of the NUnit Analyzers improves NUnit1029 to account for TestCaseSource
support for params and optional arguments. It also introduces a new analyzer for incorrect
usage of Is.Not.Null.Or.Empty, fixes regressions in NUnit2005 and NUnit2055, and updates
NUnit package dependencies.

The release contains contributions from the following users (in alphabetical order):

Issues Resolved

Features and Enhancements

  • #​957 Relax NUnit1029 for TestCaseSource where method accepts a single "params" array
  • #​189 Warning when Is.Not.Null.Or.Empty used

Bugs

  • #​953 Code fix for NUnit2055 can generate invalid code for classic asserts
  • #​952 Code fix for NUnit2005 tries to use Is.Empty constraint on incompatible types.

Tooling, Process, and Documentation

  • #​973 chore: Bump NUnit version
  • #​970 chore: Bump NUnit to version 4.5.0
  • #​967 Fix note about works with Unity Test Framework
  • #937 chore: bump version

nunit/nunit3-vs-adapter (NUnit3TestAdapter)

v6.2.0: V 6.2.0

See release notes

StackExchange/StackExchange.Redis (StackExchange.Redis)

v2.13.1

IMPORTANT: This release changes the default protocol from RESP2 to RESP3 for Azure Managed Redis endpoints (only); this
has scalability and feature advantages, but if you are using modules or ad-hoc commands, please see the RESP3 notes, which includes:

  • the purpose of RESP3
  • scenarios where RESP2 vs RESP3 may be visible
  • how to explicitly choose to remain on RESP2
  • notes on additional libraries such as NRedisStack

What's Changed

Full Changelog: StackExchange/StackExchange.Redis@2.12.27...2.13.1

v2.12.14

What's Changed

Impact: "high" if using cluster and high-integrity-mode together (resolves an issue that can mis-report -MOVED responses as integrity failures)

NuGet link

New Contributors

Full Changelog: StackExchange/StackExchange.Redis@2.12.8...2.12.14

v2.12.8

What's Changed

  • Filter out 'temporary place

Note

PR body was truncated to here.


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


This PR was generated by Mend Renovate. View the repository job log.
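The subject-validation change quoted above (whitespace, including CR and LF, now rejected) closes a CRLF injection path in the NATS wire protocol, whose commands are delimited by CRLF. The following is an added example, written in Python rather than the client's C# and not code from nats.net or this repository: it frames a PUB command the way the protocol does, parses the bytes back the way a server would, and shows that a single caller-supplied subject containing CRLF turns into two protocol commands unless the subject is validated first. The parser, the NatsSubjectError type and the injected subject string are constructed for illustration.

```python
"""
Simulates NATS PUB framing to show why whitespace in subjects is rejected:
a subject containing CR/LF lets one publish call become two protocol
commands. Constructed example, not nats.net code.
"""

# Characters the 2.8.0 release note says are rejected: space, tab, CR, LF.
SUBJECT_FORBIDDEN = frozenset(" \t\r\n")


class NatsSubjectError(ValueError):
    """Stands in for the NatsException the client throws on a bad subject."""


def validate_subject(subject: str) -> None:
    """Reject empty subjects and any subject containing whitespace."""
    if not subject or any(ch in SUBJECT_FORBIDDEN for ch in subject):
        raise NatsSubjectError(f"invalid subject: {subject!r}")


def frame_pub(subject: str, payload: bytes, validate: bool = True) -> bytes:
    """Client side: build 'PUB <subject> <#bytes>\\r\\n<payload>\\r\\n'.

    validate=False models a client that trusts caller-supplied subjects
    (the behaviour you get with SkipSubjectValidation = true).
    """
    if validate:
        validate_subject(subject)
    return f"PUB {subject} {len(payload)}\r\n".encode() + payload + b"\r\n"


def parse_pubs(wire: bytes) -> list[tuple[str, bytes]]:
    """Server side: split a byte stream into (subject, payload) PUB commands.

    Minimal parser for PUB control lines only. It delimits commands on CRLF
    exactly like the real protocol, which is what makes injection possible.
    """
    commands = []
    pos = 0
    while pos < len(wire):
        end = wire.index(b"\r\n", pos)
        fields = wire[pos:end].decode().split(" ")
        pos = end + 2
        if fields[0] != "PUB" or len(fields) not in (3, 4):  # optional reply-to
            raise ValueError(f"unexpected control line: {fields!r}")
        size = int(fields[-1])
        payload = wire[pos:pos + size]
        pos += size
        if wire[pos:pos + 2] != b"\r\n":
            raise ValueError("payload not terminated by CRLF")
        pos += 2
        commands.append((fields[1], payload))
    return commands


# Attacker-controlled subject (constructed): it closes the caller's PUB with
# an empty payload, then opens a second PUB to a subject the caller never
# named. The caller's real payload is delivered to that second subject.
INJECTED_SUBJECT = "orders.new 0\r\n\r\nPUB admin.shutdown"


def demo() -> dict:
    """Returns what the server sees with and without subject validation."""
    unvalidated = parse_pubs(frame_pub(INJECTED_SUBJECT, b"go", validate=False))
    try:
        frame_pub(INJECTED_SUBJECT, b"go", validate=True)
        blocked = False
    except NatsSubjectError:
        blocked = True
    return {
        "commands_without_validation": unvalidated,  # two PUBs from one call
        "blocked_with_validation": blocked,          # True
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Without validation the server receives `orders.new` with an empty payload followed by `admin.shutdown` carrying the caller's payload; with validation the client refuses the subject before anything reaches the wire. The same reasoning applies to reply-to subjects and to any other field that is spliced into a CRLF-delimited control line.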

renovate[bot] changed the title from "chore(deps): update dependency awssdk.core to 3.7.500.81" to "chore(deps): update nuget packages" on Feb 17, 2026
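The AI-generated report quoted in the v2.7.3 notes describes the client's base64url decoder as a thin wrapper: translate the URL alphabet back to standard base64, restore the padding, reject a length of 4k+1 up front, and hand the real decoding to the platform decoder so malformed input becomes an exception rather than an out-of-bounds read. Here is that shape written out as an added Python example (not the NATS .NET C# helper, which the page does not reproduce); the malformed sample strings and the rejects_all helper are constructed for illustration.

```python
"""
Base64url decoding by delegation: normalise the input, then let the
platform's standard decoder do the work and fail loudly on malformed input.
Python rendering of the approach described in the release note, not
library code.
"""
import base64
import binascii


def base64url_decode(text: str) -> bytes:
    """Decode unpadded base64url (RFC 4648 section 5) via the standard decoder."""
    # A base64 length of 4k+1 can never be produced by an encoder; reject it
    # before any translation or padding (the same upfront check the note cites).
    if len(text) % 4 == 1:
        raise ValueError(f"invalid base64url length {len(text)}")
    standard = text.replace("-", "+").replace("_", "/")
    standard += "=" * (-len(standard) % 4)  # restore the '=' padding
    try:
        # validate=True makes the standard decoder reject characters outside
        # the alphabet and misplaced padding instead of silently skipping them.
        return base64.b64decode(standard, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"malformed base64url input: {exc}") from None


def base64url_encode(data: bytes) -> str:
    """Inverse operation (standard encoder, padding stripped) for round trips."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def rejects_all(samples) -> bool:
    """True if every sample is refused with ValueError and nothing else escapes."""
    for sample in samples:
        try:
            base64url_decode(sample)
            return False  # decoded something it should have refused
        except ValueError:
            continue
    return True


# Constructed malformed inputs: impossible length, bad character, padding in
# the middle, single character, data after padding.
MALFORMED = ["abcde", "ab!d", "ab=c", "a", "YQ==YQ"]

if __name__ == "__main__":
    print(base64url_decode("aGVsbG8"), base64url_decode("-_8"))
    print("all malformed inputs rejected:", rejects_all(MALFORMED))
```

The point of the structure is that the only code touching raw bytes is the platform decoder; the wrapper's own logic is character substitution and a length check, which is the property the report relies on when it says the helper is not exposed to the Base64Url.Decode bug.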
github-actions[bot] commented Feb 17, 2026

🔍 Vulnerabilities of dockerhubaneo/armonik_core_stream_test_client:0.38.3-renovatenuget.1.sha.3478a052

📦 Image Reference: dockerhubaneo/armonik_core_stream_test_client:0.38.3-renovatenuget.1.sha.3478a052
digest: sha256:457076377a096137d7ff14e98bff9dd6bb07fcdcfbca01d1c4132eb98ae7e172
vulnerabilities: critical: 0 high: 0 medium: 12 low: 3
platform: linux/amd64
size: 337 MB
packages: 1126

📦 Base Image: ubuntu:24.04
also known as:
  • 84bda043709f9066841484e9b8e440aa0d6d04ab49d09e367ef0fb68ace864cf
  • latest
  • noble
  • noble-20260410
digest: sha256:cdb5fd928fced577cfecf12c8966e830fcdf42ee481fb0b91904eeddc2fe5eff
vulnerabilities: critical: 0 high: 0 medium: 9 low: 2

critical: 0 high: 0 medium: 3 low: 0 libc6 2.39-0ubuntu8.7 (deb)

pkg:deb/ubuntu/libc6@2.39-0ubuntu8.7?arch=amd64&distro=ubuntu-24.04&upstream=glibc

# Dockerfile (3:10)
FROM mcr.microsoft.com/dotnet/sdk:10.0 AS base-linux
USER $APP_UID
ENTRYPOINT [ "dotnet" ]

FROM mcr.microsoft.com/dotnet/sdk:10.0-nanoserver-ltsc2022 AS base-windows
ENTRYPOINT ["C:\\Program Files\\dotnet\\dotnet.exe"]

FROM --platform=$BUILDPLATFORM mcr.microsoft.com/dotnet/sdk:10.0 AS build-linux

medium: CVE-2026-4438

Affected range: >=0
Fixed version: Not Fixed
EPSS Score: 0.045%
EPSS Percentile: 14th percentile
Description

Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C library version 2.34 to version 2.43 could result in an invalid DNS hostname being returned to the caller in violation of the DNS specification.

medium: CVE-2026-4437

Affected range: >=0
Fixed version: Not Fixed
EPSS Score: 0.068%
EPSS Percentile: 21st percentile
Description

Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C Library version 2.34 to version 2.43 could, with a crafted response from the configured DNS server, result in a violation of the DNS specification that causes the application to treat a non-answer section of the DNS response as a valid answer.

medium: CVE-2026-4046

Affected range: >=0
Fixed version: Not Fixed
EPSS Score: 0.065%
EPSS Percentile: 20th percentile
Description

The iconv() function in the GNU C Library versions 2.43 and earlier may crash due to an assertion failure when converting inputs from the IBM1390 or IBM1399 character sets, which may be used to remotely crash an application. This vulnerability can be trivially mitigated by removing the IBM1390 and IBM1399 character sets from systems that do not need them.

critical: 0 high: 0 medium: 2 low: 0 tar 1.35+dfsg-3build1 (deb)

pkg:deb/ubuntu/tar@1.35%2Bdfsg-3build1?arch=amd64&distro=ubuntu-24.04

medium 5.5: CVE-2026-5704

Affected range: >=0
Fixed version: Not Fixed
CVSS Score: 5.5
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
EPSS Score: 0.032%
EPSS Percentile: 10th percentile
Description

A flaw was found in tar. A remote attacker could exploit this vulnerability by crafting a malicious archive, leading to hidden file injection with fully attacker-controlled content. This bypasses pre-extraction inspection mechanisms, potentially allowing an attacker to introduce malicious files onto a system without detection.

medium: CVE-2025-45582

Affected range: >=0
Fixed version: Not Fixed
EPSS Score: 0.130%
EPSS Percentile: 32nd percentile
Description

GNU Tar through 1.35 allows file overwrite via directory traversal in crafted TAR archives, with a certain two-step process. First, the victim must extract an archive that contains a ../ symlink to a critical directory. Second, the victim must extract an archive that contains a critical file, specified via a relative pathname that begins with the symlink name and ends with that critical file's name. Here, the extraction follows the symlink and overwrites the critical file. This bypasses the protection mechanism of "Member name contains '..'" that would occur for a single TAR archive that attempted to specify the critical file via a ../ approach. For example, the first archive can contain "x -> ../../../../../home/victim/.ssh" and the second archive can contain x/authorized_keys. This can affect server applications that automatically extract any number of user-supplied TAR archives, and were relying on the blocking of traversal. This can also affect software installation processes in which "tar xf" is run more than once (e.g., when installing a package can automatically install two dependencies that are set up as untrusted tarballs instead of official packages). NOTE: the official GNU Tar manual has an otherwise-empty directory for each "tar xf" in its Security Rules of Thumb; however, third-party advice leads users to run "tar xf" more than once into the same directory.

critical: 0 high: 0 medium: 1 low: 0 libcap2 1:2.66-5ubuntu2.2 (deb)

pkg:deb/ubuntu/libcap2@1%3A2.66-5ubuntu2.2?arch=amd64&distro=ubuntu-24.04

medium 7.0: CVE-2026-4878

Affected range: <1:2.66-5ubuntu2.4
Fixed version: 1:2.66-5ubuntu2.4
CVSS Score: 7
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 0.010%
EPSS Percentile: 1st percentile
Description

A flaw was found in libcap. A local unprivileged user can exploit a Time-of-check-to-time-of-use (TOCTOU) race condition in the cap_set_file() function. This allows an attacker with write access to a parent directory to redirect file capability updates to an attacker-controlled file. By doing so, capabilities can be injected into or stripped from unintended executables, leading to privilege escalation.

critical: 0 high: 0 medium: 1 low: 0 dpkg 1.22.6ubuntu6.5 (deb)

pkg:deb/ubuntu/dpkg@1.22.6ubuntu6.5?arch=amd64&distro=ubuntu-24.04

medium: CVE-2026-2219

Affected range: >=0
Fixed version: Not Fixed
EPSS Score: 0.020%
EPSS Percentile: 5th percentile
Description

It was discovered that dpkg-deb (a component of dpkg, the Debian package management system) does not properly validate the end of the data stream when uncompressing a zstd-compressed .deb archive, which may result in denial of service (infinite loop spinning the CPU).

critical: 0 high: 0 medium: 1 low: 0 util-linux 2.39.3-9ubuntu6.5 (deb)

pkg:deb/ubuntu/util-linux@2.39.3-9ubuntu6.5?arch=amd64&distro=ubuntu-24.04

medium: CVE-2026-27456

Affected range: >=0
Fixed version: Not Fixed
EPSS Score: 0.017%
EPSS Percentile: 4th percentile
Description

util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path with user privileges via fork() + setuid() + realpath(), but subsequently re-canonicalizes and opens it with root privileges (euid=0) without verifying that the path has not been replaced between both operations. Neither O_NOFOLLOW, nor inode comparison, nor post-open fstat() are employed. This allows a local unprivileged user to replace the source file with a symlink pointing to any root-owned file or device during the race window, causing the SUID binary to open and mount it as root. Exploitation requires an /etc/fstab entry with user,loop options whose path points to a directory where the attacker has write permission, and that /usr/bin/mount has the SUID bit set (the default configuration on virtually all Linux distributions). The impact is unauthorized read access to root-protected files and block devices, including backup images, disk volumes, and any file containing a valid filesystem. This issue has been patched in version 2.41.4.

critical: 0 high: 0 medium: 1 low: 0 git 1:2.43.0-1ubuntu7.3 (deb)

pkg:deb/ubuntu/git@1%3A2.43.0-1ubuntu7.3?arch=amd64&distro=ubuntu-24.04

medium 8.8: CVE-2024-52005

Affected range: >=0
Fixed version: Not Fixed
CVSS Score: 8.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score: 0.384%
EPSS Percentile: 60th percentile
Description

Git is a source code management tool. When cloning from a server (or fetching, or pushing), informational or error messages are transported from the remote Git process to the client via the so-called "sideband channel". These messages will be prefixed with "remote:" and printed directly to the standard error output. Typically, this standard error output is connected to a terminal that understands ANSI escape sequences, which Git did not protect against. Most modern terminals support control sequences that can be used by a malicious actor to hide and misrepresent information, or to mislead the user into executing untrusted scripts. As requested on the git-security mailing list, the patches are under discussion on the public mailing list. Users are advised to update as soon as possible. Users unable to upgrade should avoid recursive clones unless they are from trusted sources.

critical: 0 high: 0 medium: 1 low: 0 libexpat1 2.6.1-2ubuntu0.4 (deb)

pkg:deb/ubuntu/libexpat1@2.6.1-2ubuntu0.4?arch=amd64&distro=ubuntu-24.04&upstream=expat

medium 5.5: CVE-2025-66382

Affected range: >=0
Fixed version: Not Fixed
CVSS Score: 5.5
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
EPSS Score: 0.008%
EPSS Percentile: 1st percentile
Description

In libexpat through 2.7.3, a crafted file with an approximate size of 2 MiB can lead to dozens of seconds of processing time.

critical: 0 high: 0 medium: 1 low: 0 wget 1.21.4-1ubuntu4.1 (deb)

pkg:deb/ubuntu/wget@1.21.4-1ubuntu4.1?arch=amd64&distro=ubuntu-24.04

medium 6.1: CVE-2021-31879

Affected range: >=0
Fixed version: Not Fixed
CVSS Score: 6.1
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS Score: 0.154%
EPSS Percentile: 36th percentile
Description

GNU Wget through 1.21.1 does not omit the Authorization header upon a redirect to a different origin, a related issue to CVE-2018-1000007.

critical: 0 high: 0 medium: 1 low: 0 sed 4.9-2build1 (deb)

pkg:deb/ubuntu/sed@4.9-2build1?arch=amd64&distro=ubuntu-24.04

medium: CVE-2026-5958

Affected range: <4.9-2ubuntu0.24.04.1
Fixed version: 4.9-2ubuntu0.24.04.1
EPSS Score: 0.005%
EPSS Percentile: 0th percentile
Description

When sed is invoked with both -i (in-place edit) and --follow-symlinks, the function open_next_file() performs two separate, non-atomic filesystem operations on the same path: 1. resolves symlink to its target and stores the resolved path for determining when output is written, 2. opens the original symlink path (not the resolved one) to read the file. Between these two calls there is a race window. If an attacker atomically replaces the symlink with a different target during that window, sed will: read content from the new (attacker-chosen) symlink target and write the processed result to the path recorded in step 1. This can lead to arbitrary file overwrite with attacker-controlled content in the context of the sed process. This issue was fixed in version 4.10.

critical: 0 high: 0 medium: 0 low: 1 libgcrypt20 1.10.3-2build1 (deb)

pkg:deb/ubuntu/libgcrypt20@1.10.3-2build1?arch=amd64&distro=ubuntu-24.04

low: CVE-2024-2236

Affected range: >=0
Fixed version: Not Fixed
EPSS Score: 0.666%
EPSS Percentile: 71st percentile
Description

A timing-based side-channel flaw was found in libgcrypt's RSA implementation. This issue may allow a remote attacker to initiate a Bleichenbacher-style attack, which can lead to the decryption of RSA ciphertexts.

critical: 0 high: 0 medium: 0 low: 1 libicu74 74.2-1ubuntu3.1 (deb)

pkg:deb/ubuntu/libicu74@74.2-1ubuntu3.1?arch=amd64&distro=ubuntu-24.04&upstream=icu

# Dockerfile (3:10)

low: CVE-2025-5222

Affected range: >=0
Fixed version: Not Fixed
EPSS Score: 0.033%
EPSS Percentile: 10th percentile
Description

A stack buffer overflow was found in International Components for Unicode (ICU). While running the genrb binary, the 'subtag' struct overflowed at the SRBRoot::addTag function. This issue may lead to memory corruption and local arbitrary code execution.

critical: 0 high: 0 medium: 0 low: 1 passwd 1:4.13+dfsg1-4ubuntu3.2 (deb)

pkg:deb/ubuntu/passwd@1%3A4.13%2Bdfsg1-4ubuntu3.2?arch=amd64&distro=ubuntu-24.04&upstream=shadow

# Dockerfile (3:10)

low: CVE-2024-56433

Affected range: >=0
Fixed version: Not Fixed
EPSS Score: 4.509%
EPSS Percentile: 89th percentile
Description

shadow-utils (aka shadow) 4.4 through 4.17.0 establishes a default /etc/subuid behavior (e.g., uid 100000 through 165535 for the first user account) that can realistically conflict with the uids of users defined on locally administered networks, potentially leading to account takeover, e.g., by leveraging newuidmap for access to an NFS home directory (or same-host resources in the case of remote logins by these local network users). NOTE: it may also be argued that system administrators should not have assigned uids, within local networks, that are within the range that can occur in /etc/subuid.

@renovate renovate Bot force-pushed the renovate/nuget branch 9 times, most recently from 8e8cd80 to cee7be5 on February 24, 2026 14:20
@renovate renovate Bot force-pushed the renovate/nuget branch 3 times, most recently from fdf5317 to 07fe229 on March 4, 2026 02:40
@renovate renovate Bot force-pushed the renovate/nuget branch 10 times, most recently from 24e770f to ead2e06 on March 13, 2026 01:19
@renovate renovate Bot force-pushed the renovate/nuget branch 5 times, most recently from 3e693dd to 1b44aee on March 17, 2026 13:23
@renovate renovate Bot force-pushed the renovate/nuget branch 4 times, most recently from 4aa2ee7 to 4e137c0 on March 27, 2026 09:22
@renovate renovate Bot force-pushed the renovate/nuget branch 3 times, most recently from d31bcfb to 270504f on April 8, 2026 20:40
@renovate renovate Bot force-pushed the renovate/nuget branch 4 times, most recently from c97abd1 to 77da2ab on April 16, 2026 10:53
@renovate renovate Bot force-pushed the renovate/nuget branch 8 times, most recently from ca6570c to 1b506eb on April 28, 2026 08:45
@renovate renovate Bot force-pushed the renovate/nuget branch 5 times, most recently from 645cb7f to c401812 on May 5, 2026 01:14
@sonarqubecloud
sonarqubecloud Bot commented May 5, 2026

@renovate renovate Bot force-pushed the renovate/nuget branch 2 times, most recently from 4a03b7e to 0de7511 on May 13, 2026 12:00
@renovate renovate Bot force-pushed the renovate/nuget branch from 0de7511 to 3478a05 on May 14, 2026 21:02
@sonarqubecloud