Guidelines for updating dependencies
We use Dependabot to notify the team of any updates to dependencies. Once a week, the robot will scan our dependencies and raise a pull-request if a new version is found. If an existing open pull-request is found for a dependency, it will be closed and replaced with a new pull-request.
Internal dependencies
The following dependencies don't change the public API surface and are typically safe to merge. We could potentially configure Mergify to automatically merge them if CI passes:
- BenchmarkDotNet
- FluentAssertions
- NUnit3TestAdapter
- NUnit.Runners
- Microsoft.AppCenter
- Microsoft.SourceLink.GitHub
- Microsoft.NET.Test.Sdk
- MSTest.TestAdapter
- MSTest.TestFramework
- Moq
The following dependencies require manual adjustments before merging:
- docfx.console
- Microsoft.CodeAnalysis.*. Those dependencies need to be aligned with the source generation task package, for which the dependency cannot be explicitly provided.
- Xamarin.GooglePlayServices.*. Those dependencies are added per TargetFramework (Android SDK version), not updated.
Public dependencies
Updating public dependencies will require consumers to upgrade their dependencies; as such, consideration on a case-by-case basis is required before merging.
Additional care required
The following dependencies require care and human testing:
- Microsoft.CodeAnalysis.* child packages need to be aligned with the other Microsoft.CodeAnalysis packages.
- Microsoft.Build.* child packages need to be aligned with the other Microsoft.Build packages.
- Microsoft.Extensions.Logging.* child packages need to be aligned with the other Microsoft.Extensions.Logging packages. Currently can't be upgraded because the most recent versions are using threads, which are not supported on Wasm.
- Microsoft.UI.Xaml: This dependency needs to be aligned with the currently supported API set found in Uno.
- Microsoft.Extensions.Logging.Console: Compatibility of this dependency should be confirmed against WebAssembly.
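The alignment rule above can be checked mechanically before a Dependabot pull-request is merged. The following is an added example, not part of the project's tooling: it assumes SDK-style project files (no XML namespace), and the sample project content and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Package families this page says must stay version-aligned.
FAMILIES = ("Microsoft.CodeAnalysis", "Microsoft.Build", "Microsoft.Extensions.Logging")

# Constructed sample project file (not taken from the repository).
SAMPLE_CSPROJ = """
<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Microsoft.CodeAnalysis.CSharp" Version="4.0.1" />
    <PackageReference Include="Microsoft.CodeAnalysis.Workspaces.Common" Version="4.1.0" />
    <PackageReference Include="Microsoft.Build.Framework" Version="16.11.0" />
    <PackageReference Include="Microsoft.Build.Utilities.Core" Version="16.11.0" />
    <PackageReference Include="Microsoft.Extensions.Logging">
      <Version>5.0.0</Version>
    </PackageReference>
    <PackageReference Include="Microsoft.Extensions.Logging.Console" Version="5.0.0" />
    <PackageReference Include="Moq" Version="4.16.1" />
  </ItemGroup>
</Project>
"""

def family_of(package_id):
    """Return the aligned family a package belongs to, or None."""
    for family in FAMILIES:
        # Match the family package itself or a dotted child, not a lookalike prefix.
        if package_id == family or package_id.startswith(family + "."):
            return family
    return None

def find_misaligned(csproj_text):
    """Return {family: {version: [packages]}} for families pinned to more than one version."""
    root = ET.fromstring(csproj_text)
    versions = defaultdict(lambda: defaultdict(list))
    for ref in root.iter("PackageReference"):
        package_id = ref.get("Include") or ref.get("Update") or ""
        family = family_of(package_id)
        if family is None:
            continue
        # Version may be an attribute or a child element.
        version = ref.get("Version") or (ref.findtext("Version") or "").strip()
        if not version:
            continue  # version managed elsewhere; nothing to compare here
        versions[family][version].append(package_id)
    return {f: {v: sorted(p) for v, p in by_v.items()}
            for f, by_v in versions.items() if len(by_v) > 1}

if __name__ == "__main__":
    for family, by_version in find_misaligned(SAMPLE_CSPROJ).items():
        print(f"{family}: misaligned versions {by_version}")
```

Run against the head of a Dependabot branch, a non-empty result means the update bumped one package of a family without its siblings and needs manual adjustment before merging.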
ChatOps
You can trigger Dependabot actions by commenting on the pull-request:
- @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
- @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Please do not use any of the rebase|merge|squash and merge chatops commands, as they bypass our merging pull-request guidelines and ready-to-merge workflow.