Guidelines for updating dependencies

We use Dependabot to notify the team of any updates to dependencies. Once a week, the robot will scan our dependencies and raise a pull-request if a new version is found. If an existing open pull-request is found for a dependency, it will be closed and replaced with a new pull-request.

Internal dependencies

The following dependencies don't change the public API surface and are typically safe to merge. We could potentially configure Mergify to merge them automatically if CI passes:

The following dependencies require manual adjustments before merging:

  • docfx.console
  • Microsoft.CodeAnalysis.*. Those dependencies need to be aligned with the source generation task package, for which the dependency cannot be explicitly provided.
  • Xamarin.GooglePlayServices.*. Those dependencies are added per TargetFramework (Android SDK version), not updated.

Public dependencies

Updating public dependencies will require consumers to upgrade their dependencies, so each update needs consideration on a case-by-case basis before merging.

Additional care required

The following dependencies require care and human testing:

  • Microsoft.CodeAnalysis.* child packages need to be aligned with the other Microsoft.CodeAnalysis packages.
  • Microsoft.Build.* child packages need to be aligned with the other Microsoft.Build packages.
  • Microsoft.Extensions.Logging.* child packages need to be aligned with the other Microsoft.Extensions.Logging packages. They currently can't be upgraded because the most recent versions use threads, which are not supported on Wasm.
  • Microsoft.UI.Xaml: This dependency needs to be aligned with the currently supported API set found in Uno.
  • Microsoft.Extensions.Logging.Console: Compatibility of this dependency should be confirmed against WebAssembly.
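
Because Dependabot raises one pull-request per package, a bump to a single member of one of these families can leave the family misaligned. The following check is an added example, not part of the project's own tooling: it scans PackageReference entries in project files and reports any family referenced with more than one version. It assumes that "aligned" means an identical version string and that versions are declared in the project files themselves; the function names and sample files are hypothetical.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Families the guidelines above say must stay aligned.
FAMILIES = ("Microsoft.CodeAnalysis", "Microsoft.Build", "Microsoft.Extensions.Logging")

def family_of(package_id):
    """Return the family prefix a package id belongs to, or None."""
    for fam in FAMILIES:
        if package_id == fam or package_id.startswith(fam + "."):
            return fam
    return None

def local(tag):
    """Element name without the XML namespace old-style csproj files declare."""
    return tag.rsplit("}", 1)[-1]

def misaligned(project_files):
    """Map {path: csproj text} -> {family: {version: [(path, package id)]}},
    keeping only families referenced with more than one version."""
    seen = defaultdict(lambda: defaultdict(list))
    for path, text in project_files.items():
        for el in ET.fromstring(text).iter():
            if local(el.tag) != "PackageReference":
                continue
            pkg = el.get("Include") or el.get("Update") or ""
            version = el.get("Version")
            if version is None:  # <Version> may be a child element instead
                version = next((c.text for c in el if local(c.tag) == "Version"), None)
            fam = family_of(pkg)
            if fam and version:
                seen[fam][version.strip()].append((path, pkg))
    return {fam: dict(v) for fam, v in seen.items() if len(v) > 1}

# Constructed sample input; paths and version numbers are made up.
SAMPLE = {
    "Generators.csproj": """<Project Sdk="Microsoft.NET.Sdk"><ItemGroup>
  <PackageReference Include="Microsoft.CodeAnalysis.CSharp" Version="1.0.0" />
  <PackageReference Include="Microsoft.Build.Framework" Version="2.0.0" />
</ItemGroup></Project>""",
    "Tasks.csproj": """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003"><ItemGroup>
  <PackageReference Include="Microsoft.CodeAnalysis.Common"><Version>1.1.0</Version></PackageReference>
  <PackageReference Include="Microsoft.Build.Utilities.Core" Version="2.0.0" />
  <PackageReference Include="Microsoft.BuildTools.Example" Version="9.9.9" />
</ItemGroup></Project>""",
}

if __name__ == "__main__":
    for fam, versions in misaligned(SAMPLE).items():
        print(f"{fam}: {sorted(versions)}")
```

Run against the checked-out branch of a Dependabot pull-request, a non-empty result means the bump needs the manual alignment described above before merging.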

ChatOps

You can trigger Dependabot actions by commenting on the pull-request:

  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Please do not use any of the rebase|merge|squash and merge chatops commands as they bypass our merging pull-request guidelines and ready-to-merge workflow.