Skip to content

Bump the nuget-minor-patch group with 9 updates#43

Merged
andregoepel merged 2 commits into
mainfrom
dependabot/nuget/nuget-minor-patch-939a2505bf
Jul 17, 2026
Merged

Bump the nuget-minor-patch group with 9 updates#43
andregoepel merged 2 commits into
mainfrom
dependabot/nuget/nuget-minor-patch-939a2505bf

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 17, 2026

Copy link
Copy Markdown
Contributor

Updated Marten from 9.14.1 to 9.15.4.

Release notes

Sourced from Marten's releases.

9.15.4

What's Changed

New Contributors

Full Changelog: JasperFx/marten@v9.15.3...v9.15.4

9.15.3

This addresses a potential vulnerability from SQL injection via non-string constant in a LINQ Select projection

Not a common usage, but still.

What's Changed

Full Changelog: JasperFx/marten@9.15.2...v9.15.3

9.15.2

Marten 9.15.2

A patch release. Both fixes come out of the same 512-tenant-database production deployment, reported by @​erdtsieck, and both turned out to be worse than the reports described.

Bulk event insert ran a full schema apply on every batch

#​4946fixed in #​4949

The batch BulkInsertEventsAsync overloads opened with Storage.ApplyAllConfiguredChangesToDatabaseAsync() on every call.

That is not a cheap check. It calls Tenancy.BuildDatabases() and runs a full schema delta — partition introspection plus information_schema sweeps — across every database in the store. So a sharded store paid one apply per database, per batch. On the reporting deployment, each ~1,000-event batch was triggering 512 schema applies.

The measured effect: import throughput collapsed to ~17 events/s, against >3,000/s for the streaming overload. A 686k-event tenant projected to roughly 11 hours. The connection pool filled with ~370 backends whose last statement was Weasel's partition-introspection query, which fed directly into the server-wide connection pressure that deployment was already fighting.

That the streaming overload BulkInsertEventStreamAsync has no such call and is fine is the tell: the schema apply was never part of the contract. It was a leftover.

The apply is now:

  • skipped entirely when the effective AutoCreate is None — it is a no-op there by contract, so all that remained was the introspection cost; and
  • otherwise run at most once per database the import actually touches, memoized on IMartenDatabase.Identifier.

One subtlety worth recording, because it is the kind of thing that bites later: the memoized apply deliberately does not take a caller's CancellationToken. The first caller to arrive owns the single in-flight task that every concurrent caller for that database awaits — so binding that shared task to one caller's token would let a single cancelled batch fail sibling batches that were never cancelled. Each caller applies its own token at the await site instead. A schema apply is short and idempotent, so letting it run to completion is the cheaper trade.

Under AutoCreate.None, the event storage must already exist before import. That is the documented contract and it matches the streaming overload — but if you were previously relying on the per-call apply to create it for you under a non-None store, note the change.

The document bulk-insert path (BulkInsertAsync / BulkInsertDocumentsAsync) is unaffected. It routes through the ordinary per-feature EnsureStorageExistsAsync that Weasel already memoizes, not a full-store delta.

Tenant provisioning silently under-provisioned partitions

#​4944fixed in #​4950

AddPartitionToAllTables, and the tenant-provisioning paths built on it, walked the calling store's StoreOptions to decide which tables needed a list partition for a new tenant.

So any tool or host that provisions tenants from a store which doesn't register every document type silently under-provisioned. Document types unknown to the caller never got their partitions — and the tenant then failed with a Postgres 23514 check-constraint violation on first write to the missing partition. Nothing failed at provisioning time; the damage surfaced later, somewhere else.

The workaround was "the provisioning tool must register all document types," which re-creates schema knowledge in a second place and drifts as document types are added.

The sweep is now database-driven: it enumerates tenant list-partitioned tables from the Postgres catalog, so a partially-registered store still provisions every partitioned table it finds.

Scoping is enforced inside the catalog query rather than filtered in memory afterward:

  • Schema — the store's own AllSchemaNames() only. Foreign partitioned tables in a shared database are never touched.
  • Partition shape — LIST strategy, exactly one key column, and that column named tenant_id. This is the filter that matters most, and it is what keeps the sweep off Marten's own non-tenant list partitioning: UseArchivedStreamPartitioning keys mt_events on is_archived, and ByList() keys on its own field. Without it, a "helpful" sweep would start adding tenant partitions to tables partitioned on something else entirely.
  • External management — tables marked ByExternallyManagedListPartitions() are subtracted.

Opt out with SweepPartitionedTablesFromDatabase (default on). No Weasel change was required.

Known limitation, and it is a real one: a document type registered into a schema the calling store has never heard of stays invisible to the schema filter — a store cannot own a schema it does not know exists. Single-schema stores (the default, and the reporting deployment's shape) are fully covered. Closing this properly would need a persisted table list alongside mt_tenant_partitions.


... (truncated)

9.15.1

Patch release for a silent data-correctness regression. If you use ForTenant() on an identity-mapped or dirty-tracked session, upgrade.

Fixed

  • #​4947ForTenant() on an identity session stopped returning tenancy-neutral documents (reported by @​dervagabund, with a repro — thank you). A ForTenant() view of an identity- or dirty-tracked session no longer saw global (tenancy-neutral) documents tracked by the parent session. Since a global document has exactly one row per id for the whole database, LoadAsync through the ForTenant view missed the identity map, went to the database, and returned null for a document that is there. A silent wrong answer, not an error.

    Affected: 9.13.0, 9.14.x, 9.15.0. Introduced by the fix for #​4801, which tenant-scoped the identity map and version tracker for ForTenant sessions. That was correct for conjoined documents — where the same id means a different document per tenant — but it was applied per session rather than per document type, so it also isolated document types that are tenancy-neutral and must be shared.

    Sharing is now decided per document type. A nested ForTenant session shares the parent's identity-map and version-tracker entry for a type only when the storage is identity-mapped, the type is not Conjoined, and the nested session's database is the same instance as the parent's (under database-per-tenant, the same id in another tenant's database is a different document even for a tenancy-neutral type). The isolation introduced by #​4801 is preserved exactly — the Bug_4801 suite still passes, and the new tests include guard rails asserting conjoined documents stay isolated.

Full changelog: JasperFx/marten@9.15.0...9.15.1

9.15.0

Closed issues

  • #​4942 — sharded tenancy: auto-assign never repaired half-provisioned tenants (PR #​4945). findOrAssignTenantDatabaseAsync returned early on an existing assignment row, skipping createPartitionsForTenant + per-tenant event-sequence provisioning — so a tenant whose provisioning was interrupted (assignment committed, partitions missing) failed every write with 23514 forever. Both early-return paths (including a second race-window hole under the advisory lock) now run the same idempotent repair the explicit AddTenantToShardAsync(tenantId, databaseId) overload always ran, guarded to once per process per tenant via the resolution cache.
  • #​4941 — two-day silent projection outage (closed with full mapping). Root cause was #​4942; the invisibility was JasperFx/jasperfx#​506/#​507, fixed in JasperFx 2.27.0 which this release consumes.

Also in this release

  • Bundles the fixed JasperFx.Events.SourceGenerator analyzer (JasperFx/jasperfx#​505) — CS1061 compile break for no-parameterless-ctor aggregates with instance Apply returning the aggregate.
  • Follow-up enhancement filed as #​4944 (database-driven partition sweep via pg_inherits) for the #​4943 provisioning-tool scenario.

Verified against Wolverine (full solution + CoreTests/MartenTests/distribution/Http suites, zero failures) and CritterWatch before publishing. Thanks to @​erdtsieck for the dump-verified root-cause analysis.

Commits viewable in compare view.

Updated Microsoft.AspNetCore.DataProtection.Abstractions from 10.0.9 to 10.0.10.

Release notes

Sourced from Microsoft.AspNetCore.DataProtection.Abstractions's releases.

No release notes found for this version range.

Commits viewable in compare view.

Updated Microsoft.Extensions.DependencyInjection.Abstractions from 10.0.9 to 10.0.10.

Release notes

Sourced from Microsoft.Extensions.DependencyInjection.Abstractions's releases.

No release notes found for this version range.

Commits viewable in compare view.

Updated Microsoft.Extensions.Http from 10.0.9 to 10.0.10.

Release notes

Sourced from Microsoft.Extensions.Http's releases.

No release notes found for this version range.

Commits viewable in compare view.

Updated Microsoft.Extensions.Http.Resilience from 10.7.0 to 10.8.0.

Release notes

Sourced from Microsoft.Extensions.Http.Resilience's releases.

10.8.0

This release adds new experimental APIs to Microsoft.Extensions.AI.Abstractions and updates the OpenAI dependency to 2.12.0, alongside documentation, test, and repository maintenance.

Experimental API Changes

New Experimental APIs

  • New experimental API: AIFunctionNameAttribute and AIParameterNameAttribute #​7610 by @​jozkee (co-authored by @​jeffhandley @​Copilot)
  • New experimental API: ToolApprovalRequestContent.RequiresConfirmation (MEAI001) #​7549 by @​javiercn (co-authored by @​Copilot)

What's Changed

AI

  • Upgrade OpenAI dependency to 2.12.0 #​7608 by @​jozkee (co-authored by @​Copilot)
  • Auto-detect audio format in OpenAISpeechToTextClient #​7575 by @​jozkee (co-authored by @​Copilot)
  • Fix ImageGeneratingChatClient duplicating preceding content and dropping following content #​7624 by @​jozkee (co-authored by @​Copilot)

Vector Data

  • Make all test methods virtual in VectorData.ConformanceTests #​7606 by @​adamsitnik (co-authored by @​Copilot)

Documentation Updates

  • Remove links to ai-samples repo #​7574 by @​gewarren
  • Fix up docs with Copilot (MEVD) #​7597 by @​gewarren
  • Fix up docs with Copilot (M.E.ServiceDiscovery) #​7598 by @​gewarren (co-authored by @​Copilot)
  • Fix up docs with Copilot (MEAI) #​7600 by @​gewarren
  • Fix up docs with Copilot #​7601 by @​gewarren

Test Improvements

  • Fix flaky StampedeTests and harden related test waits #​7572 by @​jeffhandley (co-authored by @​Copilot)
  • Fix SQLitePCLRaw.lib.e_sqlite3 vulnerability by replacing SemanticKernel connectors with CommunityToolkit #​7579 by @​adamsitnik (co-authored by @​Copilot)
  • Removing SemanticKernel Connectors dependency and replacing it #​7584 by @​adamsitnik (co-authored by @​Copilot)
  • Migrate to xUnit v3 #​7607 by @​adamsitnik (co-authored by @​shyamnamboodiripad @​Copilot)

Repository Infrastructure Updates

  • Update OTel GenAI conventions skill for standalone semconv-genai repo #​7519 by @​jeffhandley (co-authored by @​Copilot)
  • Bump dotnet-coverage from 18.7.0 to 18.8.0 #​7552
  • [main] Update dependencies from dotnet/arcade #​7559
  • Fix transitive MessagePack vulnerability in AI template AppHost projects #​7561 by @​adamsitnik (co-authored by @​Copilot)
  • Bump esbuild, @​vitejs/plugin-react and vite in /src/Libraries/Microsoft.Extensions.AI.Evaluation.Reporting/TypeScript #​7564
  • Bump tmp from 0.2.6 to 0.2.7 in /src/Libraries/Microsoft.Extensions.AI.Evaluation.Reporting/TypeScript #​7569
  • Bump js-yaml from 4.1.1 to 4.2.0 in /src/Libraries/Microsoft.Extensions.AI.Evaluation.Reporting/TypeScript #​7570
  • Bump PowerShell from 7.6.2 to 7.6.3 #​7576
  • Remove duplicate 'WebAPI' classification from template #​7577 by @​danroth27
  • [main] Update dependencies from dotnet/arcade #​7590
  • Eliminate redundant Correctness CI stage by merging into Build #​7594 by @​adamsitnik (co-authored by @​Copilot)
  • Update Agent Framework to 1.13.0 #​7613 by @​jeffhandley (co-authored by @​Copilot)
    ... (truncated)

Commits viewable in compare view.

Updated Microsoft.NET.Test.Sdk from 18.7.0 to 18.8.1.

Release notes

Sourced from Microsoft.NET.Test.Sdk's releases.

18.8.1

What's Changed

Full Changelog: microsoft/vstest@v18.8.0...v18.8.1

18.8.0

What's Changed

Full Changelog: microsoft/vstest@v18.7.0...v18.8.0

Commits viewable in compare view.

Updated Microsoft.Playwright from 1.49.0 to 1.61.0.

Release notes

Sourced from Microsoft.Playwright's releases.

1.61.0

🔑 WebAuthn passkeys

New Credentials virtual authenticator, available via BrowserContext.Credentials, lets tests register passkeys and answer navigator.credentials.create() / navigator.credentials.get() ceremonies in the page — no real hardware key required, works in all browsers:

var context = await browser.NewContextAsync();

// Seed a passkey your backend provisioned for a test user.
await context.Credentials.CreateAsync("example.com", new()
{
    Id = credentialId,
    UserHandle = userHandle,
    PrivateKey = privateKey,
    PublicKey = publicKey,
});
await context.Credentials.InstallAsync();

var page = await context.NewPageAsync();
await page.GotoAsync("https://example.com/login");
// The page's navigator.credentials.get() is answered with the seeded passkey.

You can also let the app register a passkey once in a setup test, read it back with Credentials.GetAsync(), and seed it into later tests — see Credentials for details.

🗃️ Web Storage

New WebStorage API, available via Page.LocalStorage and Page.SessionStorage, reads and writes the page's storage for the current origin:

await page.LocalStorage.SetItemAsync("token", "abc");
var token = await page.LocalStorage.GetItemAsync("token");
var items = await page.SessionStorage.ItemsAsync();

New APIs

🛠️ Other improvements

  • Playwright now supports Ubuntu 26.04.
  • HAR and trace recordings now include WebSocket requests.

Browser Versions

  • Chromium 149.0.7827.55
  • Mozilla Firefox 151.0
  • WebKit 26.5

This version was also tested against the following stable channels:
... (truncated)

1.60.0

💬 Custom assertion messages

Expect() overloads now accept a custom message that is prepended to any failure, giving extra context in test reports:

await Expect(page.Locator("#status"), "Should be logged in").ToBeVisibleAsync();

When the assertion fails, the message is prefixed:

Should be logged in
Locator expected to be visible

🌐 HAR recording on Tracing

Tracing.StartHarAsync() / Tracing.StopHarAsync() expose HAR recording as a first-class tracing API, with the same Content, Mode and UrlFilter options as RecordHar:

await context.Tracing.StartHarAsync("trace.har");
var page = await context.NewPageAsync();
await page.GotoAsync("https://playwright.dev");
await context.Tracing.StopHarAsync();

🪝 Drop API

New Locator.DropAsync() simulates an external drag-and-drop of files or clipboard-like data onto an element. Playwright dispatches dragenter, dragover, and drop with a synthetic [DataTransfer] in the page context — works cross-browser and is great for testing upload zones:

await page.Locator("#dropzone").DropAsync(new() {
    Files = new FilePayload() {
        Name = "note.txt",
        MimeType = "text/plain",
        Buffer = Encoding.UTF8.GetBytes("hello"),
    },
});

await page.Locator("#dropzone").DropAsync(new() {
    Data = new Dictionary<string, string> {
        ["text/plain"] = "hello world",
        ["text/uri-list"] = "https://example.com",
    },
});

🎯 Aria snapshots

1.59.0

🎬 Screencast

New Page.Screencast API provides a unified interface for capturing page content with:

  • Screencast recordings
  • Action annotations
  • Visual overlays
  • Real-time frame capture
  • Agentic video receipts
Demo

Screencast recording — record video with precise start/stop control, as an alternative to the recordVideoDir option:

await page.Screencast.StartAsync(new() { Path = "video.webm" });
// ... perform actions ...
await page.Screencast.StopAsync();

Action annotations — enable built-in visual annotations that highlight interacted elements and display action titles during recording:

await page.Screencast.ShowActionsAsync(new() { Position = "top-right" });

ShowActionsAsync accepts Position ("top-left", "top", "top-right", "bottom-left", "bottom", "bottom-right"), Duration (ms per annotation), and FontSize (px). Returns a disposable to stop showing actions.

Visual overlays — add chapter titles and custom HTML overlays on top of the page for richer narration:

await page.Screencast.ShowChapterAsync("Adding TODOs", new() {
    Description = "Type and press enter for each TODO",
    Duration = 1000,
});

await page.Screencast.ShowOverlayAsync("<div style=\"color: red\">Recording</div>");

Real-time frame capture — stream JPEG-encoded frames for custom processing like thumbnails, live previews, AI vision, and more:

await page.Screencast.StartAsync(new() {
    OnFrame = frame => SendToVisionModel(frame.Data),
});

... (truncated)

1.58.0

Trace Viewer Improvements

  • New 'system' theme option follows your OS dark/light mode preference
  • Search functionality (Cmd/Ctrl+F) is now available in code editors
  • Network details panel has been reorganized for better usability
  • JSON responses are now automatically formatted for readability

Thanks to @​cpAdm for contributing these improvements!

Miscellaneous

BrowserType.ConnectOverCDPAsync() now accepts an IsLocal option. When set to true, it tells Playwright that it runs on the same host as the CDP server, enabling file system optimizations.

Breaking Changes ⚠️

  • Removed _react and _vue selectors. See locators guide for alternatives.
  • Removed :light selector engine suffix. Use standard CSS selectors instead.
  • Option Devtools from BrowserType.LaunchAsync() has been removed. Use Args = new[] { "--auto-open-devtools-for-tabs" } instead.
  • Removed macOS 13 support for WebKit.

Browser Versions

  • Chromium 145.0.7632.6
  • Mozilla Firefox 146.0.1
  • WebKit 26.0

1.57.0

Chrome for Testing

Starting with this release, Playwright switches from Chromium, to using Chrome for Testing builds. Both headed and headless browsers are subject to this. Your tests should still be passing after upgrading to Playwright 1.57.

We're expecting no functional changes to come from this switch. The biggest change is the new icon and title in your toolbar.

new and old logo

If you still see an unexpected behaviour change, please file an issue.

On Arm64 Linux, Playwright continues to use Chromium.

Breaking Change

After 3 years of being deprecated, we removed Page.Accessibility from our API. Please use other libraries such as Axe if you need to test page accessibility. See our Node.js guide for integration with Axe.

New APIs

Browser Versions

  • Chromium 143.0.7499.4
  • Mozilla Firefox 144.0.2
  • WebKit 26.0

1.56.0

New APIs

Breaking Changes

Miscellaneous

  • Aria snapshots render and compare input placeholder

Browser Versions

  • Chromium 141.0.7390.37
  • Mozilla Firefox 142.0.1
  • WebKit 26.0

1.55.0

Codegen

  • Automatic ToBeVisibleAsync() assertions: Codegen can now generate automatic ToBeVisibleAsync() assertions for common UI interactions. This feature can be enabled in the Codegen settings UI.

Breaking Changes

  • ⚠️ Dropped support for Chromium extension manifest v2.

Miscellaneous

Browser Versions

  • Chromium 140.0.7339.16
  • Mozilla Firefox 141.0
  • WebKit 26.0

This version was also tested against the following stable channels:

  • Google Chrome 139
  • Microsoft Edge 139

1.54.0

Highlights

  • New cookie property PartitionKey in browserContext.cookies() and browserContext.addCookies(). This property allows to save and restore partitioned cookies. See CHIPS MDN article for more information. Note that browsers have different support and defaults for cookie partitioning.

  • New option --user-data-dir in multiple commands. You can specify the same user data dir to reuse browsing state, like authentication, between sessions.

    pwsh bin/Debug/netX/playwright.ps1 codegen --user-data-dir=./user-data
  • pwsh bin/Debug/netX/playwright.ps1 open does not open the test recorder anymore. Use pwsh bin/Debug/netX/playwright.ps1 codegen instead.

Browser Versions

  • Chromium 139.0.7258.5
  • Mozilla Firefox 140.0.2
  • WebKit 26.0

This version was also tested against the following stable channels:

  • Google Chrome 140
  • Microsoft Edge 140

1.53.0

Miscellaneous

  • New Steps in Trace Viewer:
    New Trace Viewer Steps

  • New method Locator.Describe() to describe a locator. Used for trace viewer.

    var button = Page.GetByTestId("btn-sub").Describe("Subscribe button");
    await button.ClickAsync();
  • pwsh bin/Debug/netX/playwright.ps1 install --list will now list all installed browsers, versions and locations.

Browser Versions

  • Chromium 138.0.7204.4
  • Mozilla Firefox 139.0
  • WebKit 18.5

This version was also tested against the following stable channels:

  • Google Chrome 137
  • Microsoft Edge 137

1.52.0

Highlights

  • New method Expect(locator).ToContainClassAsync() to ergonomically assert individual class names on the element.

      await Expect(Page.GetByRole(AriaRole.Listitem, new() { Name = "Ship v1.52" })).ToContainClassAsync("done");
  • Aria Snapshots got two new properties: /children for strict matching and /url for links.

    await Expect(locator).ToMatchAriaSnapshotAsync(@"
      - list
        - /children: equal
        - listitem: Feature A
        - listitem:
          - link ""Feature B"":
            - /url: ""https://playwright.dev""
    ");

Miscellaneous

Breaking Changes

  • Method route.ContinueAsync() does not allow to override the Cookie header anymore. If a Cookie header is provided, it will be ignored, and the cookie will be loaded from the browser's cookie store. To set custom cookies, use browserContext.AddCookiesAsync().
  • macOS 13 is now deprecated and will no longer receive WebKit updates. Please upgrade to a more recent macOS version to continue benefiting from the latest WebKit improvements.

Browser Versions

  • Chromium 136.0.7103.25
  • Mozilla Firefox 137.0
  • WebKit 18.4

This version was also tested against the following stable channels:

  • Google Chrome 135
  • Microsoft Edge 135

1.51.0

Highlights

  • New option IndexedDB for BrowserContext.StorageStateAsync() allows to save and restore IndexedDB contents. Useful when your application uses IndexedDB API to store authentication tokens, like Firebase Authentication.

    Here is an example following the authentication guide:

    // Save storage state into the file. Make sure to include IndexedDB.
    await context.StorageStateAsync(new()
    {
        Path = "../../../playwright/.auth/state.json",
        IndexedDB = true
    });
    
    // Create a new context with the saved storage state.
    var context = await browser.NewContextAsync(new()
    {
        StorageStatePath = "../../../playwright/.auth/state.json"
    });
  • New option Visible for locator.filter() allows matching only visible elements.

    // Ignore invisible todo items.
    var todoItems = Page.GetByTestId("todo-item").Filter(new() { Visible = true });
    // Check there are exactly 3 visible ones.
    await Expect(todoItems).ToHaveCountAsync(3);
  • New option Contrast for methods page.emulateMedia() and Browser.NewContextAsync() allows to emulate the prefers-contrast media feature.

  • New option FailOnStatusCode makes all fetch requests made through the APIRequestContext throw on response codes other than 2xx and 3xx.

Browser Versions

  • Chromium 134.0.6998.35
  • Mozilla Firefox 135.0
  • WebKit 18.4

This version was also tested against the following stable channels:

  • Google Chrome 133
  • Microsoft Edge 133

1.50.0

Support for Xunit

Miscellaneous

UI updates

  • New button in Codegen for picking elements to produce aria snapshots.
  • Additional details (such as keys pressed) are now displayed alongside action API calls in traces.
  • Display of canvas content in traces is error-prone. Display is now disabled by default, and can be enabled via the Display canvas content UI setting.
  • Call and Network panels now display additional time information.

Breaking

Browser Versions

  • Chromium 133.0.6943.16
  • Mozilla Firefox 134.0
  • WebKit 18.2

This version was also tested against the following stable channels:

  • Google Chrome 132
  • Microsoft Edge 132

Commits viewable in compare view.

Updated Radzen.Blazor from 11.1.3 to 11.1.5.

Release notes

Sourced from Radzen.Blazor's releases.

11.1.5

11.1.5 - 2026-07-15

Improvements

  • RadzenScheduler view titles - new TitleFormat and TitleFormatter parameters on the scheduler views give full control over each view's title: a format string, or a formatter function for complete customization.

Fixes

  • RadzenSpreadsheet - reading an XLSX file with more than 100 rows or columns no longer throws "Row index is out of range". Each sheet is now sized from its actual used range instead of a fixed 100x100 grid.
  • RadzenColorPicker - no longer stuck in color-picking mode when a native browser drag interrupts dragging. Fixes #​2610.
  • JS interop - component create functions now return a no-op disposable instead of null when the element reference has already been released (component disposed, or navigation before OnAfterRenderAsync interop completes), avoiding "Cannot create a JSObjectReference from the value 'null'".

11.1.4

11.1.4 - 2026-07-13

Improvements

  • RadzenPivotDataGrid group limits — new MaxGroups and OthersLabel properties on RadzenPivotRow and RadzenPivotColumn limit the number of row or column groups displayed at each level. The most significant groups (ranked by the sorted aggregate or the first aggregate) are kept and the remaining items are combined into a single localizable "Others" group. Fixes #​2470.
  • RadzenChartRangeNavigator and RadzenRangeNavigator handle label formatting — new HandleLabelFormatter property accepts a formatter function (receiving a DateTime for date ranges or a double for numeric ranges) for full control over the handle labels, taking precedence over HandleLabelFormatString. Fixes #​2617.
  • RadzenDropDown, RadzenListBox and RadzenDropDownDataGrid loading stateIsLoading and LoadingTemplate are now available on DropDown and ListBox, and DropDownDataGrid forwards its LoadingTemplate to the inner DataGrid. Thanks to @​artnim!

Fixes

  • RadzenChart: fixed an infinite loop in the chart tooltip disposal that could permanently pin a CPU core when a chart tooltip was opened during prerendering (e.g. a sparkline with a data point near the top-left corner of the plot). Chart tooltips now open only in response to actual mouse interaction over the chart.
  • RadzenSplitter: the collapse and expand buttons no longer start a drag resize on pointer down. Fixes #​2616.

Commits viewable in compare view.

Updated WolverineFx.Marten from 6.17.1 to 6.19.0.

Release notes

Sourced from WolverineFx.Marten's releases.

6.19.0

CosmosDB

  • Add optimistic concurrency (ETag compare-and-swap) to saga persistence (GH-3414) @​mysticmind
  • CosmosDbConfiguration.PartitionSagasById(): opt-in, saga id becomes the document partition key (GH-3415) @​mysticmind
  • Refuse a CosmosClient whose serializer would drop a saga's id at host start; document the camelCase requirement (GH-3416) @​mysticmind

HTTP / OpenAPI

  • Describe the whole route table on a pre-start ApiExplorer read; minimal API and MVC endpoints were silently omitted (GH-3421) @​mysticmind
  • Type a Marten/Polecat aggregate-id route parameter as uuid instead of falling back to string (GH-3420) @​mysticmind

Durability / persistence

  • Dead letter recovered envelopes whose transport can't be resolved, instead of losing the rest of the batch and rethrowing forever (GH-3413) @​mysticmind
  • Measure and surface per-server database connection budgets: OTel gauges + IWolverineObserver.ConnectionBudget (GH-3397) @​jeremydmiller

Test infrastructure only

  • Stop IntegrationContext from disposing a class fixture it doesn't own; pin ApplicationAssembly in the CoreTests harness (GH-3423) @​jeremydmiller
  • Give the modular monolith fixture its own message storage schema (GH-3413) @​mysticmind
  • Stop using_dynamic_multi_tenancy from poisoning its own next run @​mysticmind

Milestone: https://github.com/JasperFx/wolverine/issues?q=is%3Aissue%20state%3Aclosed%20milestone%3A6.19.0
Full Changelog: JasperFx/wolverine@V6.18.0...V6.19.0

6.18.0

Wolverine 6.18.0

A security-relevant serialization fix, a startup-fatal codegen fix, a silently-dead-listener fix in RabbitMQ, the first F# saga codegen support of any persistence provider, and the CI split that makes "merge when green" mean something again.

If you use MassTransit interop over a durable listener, take this release. See the first section.

⚠️ Security-relevant: reserved envelope headers could be spoofed through the durable inbox

#​3408fixed in #​3411

EnvelopeSerializer wrote the typed envelope properties to the wire format and then appended every Envelope.Headers entry verbatim, with no reserved-key filter — and the appended entries came last. Because the reader parses reserved keys straight back into typed properties, a Headers entry under a reserved key silently overwrote the real property on the next read.

A value in envelope.Headers["tenant-id"] is inert while the envelope is in memory. It stops being inert the moment the envelope crosses the serializer — any durable listener, the inbox/outbox, or the scheduled-message store:

  1. Something puts tenant-id into envelope.Headers.
  2. The durable inbox persists the envelope; the header is appended after the (null) typed property.
  3. On read back, env.TenantId is set from it.

saga-id reaches another saga's state, and id rewrites Envelope.Id — the inbox's dedupe identity.

This was live, not theoretical. MassTransitEnvelope.TransferData already copies every incoming MassTransit header into envelope.Headers unfiltered (and by assignment, not TryAdd). Any Wolverine app doing MassTransit interop over a durable listener has had this path open. If that describes you, this release is the one to take.

The fix filters reserved keys on the write side, so the typed property stays authoritative and a reserved key sitting in Headers becomes a no-op. causation-id is deliberately not filtered — DeliveryOptions intentionally carries it as a loose header for Wolverine.Marten's OutboxedSessionFactory, and it is never promoted by the reader.

Startup-fatal codegen fix

#​3399fixed in #​3406 — invalid generated class name for batched (array) message types. This one prevents the application from starting.

Fixes

  • #​3388 (#​3400) — refuse a competing Marten daemon under Wolverine-managed event subscription distribution. A DaemonMode.Solo/HotCold daemon alongside managed distribution is now an actionable startup exception instead of two schedulers quietly fighting over the same shards.
  • CritterWatch #​698 (#​3396) — IAgentRuntime.ApplyRestrictionsAsync persisted the restriction and then never dispatched the commands it computed, so pausing an agent had no immediate effect. Reported by @​erdtsieck against a live cluster.
  • #​3385 (#​3403) — a header-identified saga invoked over a gRPC hop failed with an opaque Internal status. It now returns an actionable diagnostic telling you to put the saga identity on the request DTO.
  • #​3398 (#​3404) — [AsParameters] now rejects unparseable values in collection query parameters, closing the gap left by the scalar fix in #​3372.
  • #​3365 (#​3412) — the Polecat primary IEventStore bridge registered twice, so GetServices<IEventStore>() returned the same store instance two times and anything iterating it double-counted. Polecat's own AddPolecat() had started registering IEventStore and Wolverine was still bridging it as well.
  • #​3391 (#​3419) — RabbitMQ: a successful eager channel restart never re-consumed. A callback-exception restart could leave an open channel with zero consumers while reporting State = Connected — a silently dead listener. The listener now defers to ReconnectedAsync(), which re-declares and re-consumes. Also pins the ConnectionMonitor tracking invariant that #​3370 fixed but nothing guarded.

OpenAPI

#​3380 (#​3418) — OpenAPI parameters are now derived from the full binding chain rather than the handler signature alone. Two real defects closed:

  • Query/header values bound only by an After/Finally postprocessor were omitted from the operation entirely.
  • Route parameter types were read off resolved binding variables, so they degraded to the route constraint (or string) whenever the description was assembled before those frames resolved — which is exactly the build-time OpenAPI / openapi CLI path, because ASP.NET caches the first ApiExplorer read.

More importantly, this ships the OpenAPI shape-test harness that was missing. Adding a shape assertion is now one endpoint plus one [Fact], which is why this class of omission kept shipping unnoticed.

New: Azure Service Bus emulator support

#​3366 (#​3409) — the docs told you to call UseAzureServiceBusTesting(), which only ever existed in Wolverine's own test suite. It is now a real, shipping API:

... (truncated)

6.17.3

Bug-fix and scale release, following the 6.17.2 community sweep. Every item below came from a community report or a review finding — thank you all.

Closed issues

  • #​3375 — durability metrics polling pinned a connection per database per node (PR #​3384 by @​erdtsieck). Each durability agent ran its own in-phase PeriodicTimer, so at high database counts the metrics polling itself became significant connection pressure. Agents now register their store with a node-wide sequential sweeper that walks the node's databases one at a time across the UpdateMetricsPeriod window — at most one metrics connection in flight per node, regardless of database count. The registration set is re-read every pass, so databases join and leave the sweep as agents start and stop without a restart.
  • #​3332 — CIAWS was disabled by a broken SNS per-tenant LocalStack setup (PR #​3364 by @​Steve-XYZ). Test-only; re-enables the AWS CI job. Partially addresses #​3350 (the CIPolecat half remains open).
  • RabbitMQ listeners ghosted after a broker restart on a channel callback exception (PR #​3370 by @​kconfesor). The agent stayed latched after a channel-only shutdown and was never rebuilt, so a listener came back "connected" but dead. Reviewed specifically against the #​3171/#​3187 channel-only-shutdown work to confirm it does not reintroduce the latched-Disconnected state that #​3187 fixed. Two follow-ups are tracked in #​3391.
  • ProductSupport#​33 — CritterWatch telemetry was caught by tracked-session waits (PR #​3390, reported by @​uniquelau). A monitored host publishes telemetry that a TrackedSession would pick up and then sit waiting on messages the test never sent. The default ignore rule now covers all of INotToBeRouted (agent commands and framework telemetry), with a deliberate carve-out for Acknowledgement / FailureAcknowledgement, which the session's own acknowledgement APIs depend on. If you are on an older version, IgnoreMessagesMatchingType(t => t.CanBeCastTo<INotToBeRouted>()) is the workaround.

Fixes from review

  • Metrics sweeper: unregistration race and a hot-spin guard (PR #​3393, follow-ups from the #​3384 post-merge review). The sweeper removed a registration by URI alone, so when an agent for a database stopped after a replacement agent for the same database had registered — exactly what agent redistribution does — the stopping agent evicted the live registration, and that database silently stopped being polled until the node restarted. Unregistration now removes only the exact registration instance it created. Separately, UpdateMetricsPeriod = TimeSpan.Zero would hot-spin the sweep loop (the pre-#​3384 PeriodicTimer threw); it is now rejected at configuration time, with DurabilityMetricsEnabled = false as the way to turn polling off.

Marten test-helper: PauseThenCatchUpOnMartenDaemonActivity

  • #​3388 — cold first catch-up appeared to stall (PR #​3394, reported by @​uniquelau). Investigated in depth. The reported mechanism — that coordinator.ResumeAsync() does not start never-started shards — does not hold: under Wolverine-managed distribution the coordinator is WolverineProjectionCoordinator, whose ResumeAsync builds the daemon lazily and starts every shard, bypassing agent assignment entirely. The cold path works, and there are now four tests proving it (including with a second subscription-agent consumer sharing the agent family).

    The real defect was a timeout mismatch, and it explains the reported symptom exactly. The stage runs inside a child TrackedSession whose token cancels at TrackedSession.Timeout5 seconds by default — while the catch-up ignored that token and waited on an internal 60-second budget. The session gave up first and left the catch-up envelope started-but-never-finished, which reads as a hang. This is a genuine 6.16 → 6.17 behavior change: the old active ForceAll finished inside 5 seconds; resume-and-wait on a cold daemon or a busy machine does not. The catch-up now honors the session's token and raises an actionable TimeoutException naming the store and pointing at TrackActivity().Timeout(...).

    If you hit this on 6.17.0–6.17.2, raising the tracked-session timeout is the fix.

Docs

  • New page: gRPC + Sagas (PR #​3389, following @​erikshafer's coverage in PR #​3386). gRPC services can start and continue sagas with no gRPC-specific code — the saga identity must be on the message body, because a gRPC method is a thin shim in front of IMessageBus.InvokeAsync<T> and the chain that runs is the handler's. The header-identified gap is tracked as #​3385, with a clear diagnostic planned.
  • Testing guide (PR #​3395): tracked sessions ignore framework telemetry by default as of this release, and — the trap behind #​3388 — Timeout() bounds the whole session including its stages, so a slow stage like PauseThenCatchUpOnMartenDaemonActivity() is capped by the session's 5-second default, not by any budget internal to the stage.

Full changelog: JasperFx/wolverine@V6.17.2...V6.17.3

6.17.2

Community-issue sweep release. Every fix below shipped same-day from issues filed by the community — thank you all.

Closed issues

  • #​3371 — any ApiExplorer read before server start permanently emptied every OpenAPI document (PR #​3373 by @​uniquelau). WolverineApiDescriptionProvider now enumerates the HttpGraph (complete when MapWolverineEndpoints() returns) instead of the start-time EndpointDataSource, so ASP.NET's version-keyed cache can never freeze an empty first read. If you monitor Wolverine hosts with CritterWatch and expose OpenAPI, upgrade to this release (see JasperFx/CritterWatch#​689).
  • #​3374 — [AsParameters] + compound-handler LoadAsync binding the same route variable generated uncompilable code (CS0136/CS0841, host failed at startup) (PR #​3381). Binding frames are now emitted once per chain and re-homed so any second consumer reuses them; both the [FromRoute] and [AsParameters]-parameter variants are covered. The related OpenAPI gap (route params bound only by LoadAsync missing from the operation) is tracked as #​3380.
  • #​3372 — [AsParameters] query binder silently ignored unparseable values (PR #​3379). New opt-in WolverineHttpOptions.RejectUnparseableQueryValues: a present-but-unparseable query value short-circuits with a 400 ProblemDetails naming the parameter, matching ASP.NET minimal APIs; missing values keep their initializer in both modes. The default flips to strict in Wolverine 7.0.
  • #​3368 — gRPC server-side tenant-id detection (PRs #​3369 by @​erikshafer + #​3382). The server now reads back what the client interceptor stamps: envelope propagation onto the scoped IMessageContext, plus a full ITenantDetectionPolicies-style mirror (opts.TenantId.IsRequestHeaderValue(...), IsClaimTypeNamed(...), DetectWith<T>()) that sets the codegen tenant variable Marten/Polecat session frames consume — with a zero-config default when the client stamps tenant-id. New docs page: gRPC multi-tenancy.
  • #​3375 (docs half) — documented DurabilityMetricsEnabled = false and raising UpdateMetricsPeriod as mitigations for metrics-polling connection load at high tenant-database counts (PR #​3378). The per-node sweeper implementation is in progress on the issue.

Dependency bumps

  • Marten 9.15.0 (sharded-tenancy provisioning repair, marten#​4942) and JasperFx 2.27.0 (daemon block observability, jasperfx#​506/#​507) — the fixes from the marten#​4941 silent-outage incident (PR #​3383).

Commits viewable in compare view.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps Marten from 9.14.1 to 9.15.4
Bumps Microsoft.AspNetCore.DataProtection.Abstractions from 10.0.9 to 10.0.10
Bumps Microsoft.Extensions.DependencyInjection.Abstractions from 10.0.9 to 10.0.10
Bumps Microsoft.Extensions.Http from 10.0.9 to 10.0.10
Bumps Microsoft.Extensions.Http.Resilience from 10.7.0 to 10.8.0
Bumps Microsoft.NET.Test.Sdk from 18.7.0 to 18.8.1
Bumps Microsoft.Playwright from 1.49.0 to 1.61.0
Bumps Radzen.Blazor from 11.1.3 to 11.1.5
Bumps WolverineFx.Marten from 6.17.1 to 6.19.0

---
updated-dependencies:
- dependency-name: Marten
  dependency-version: 9.15.4
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: nuget-minor-patch
- dependency-name: Microsoft.AspNetCore.DataProtection.Abstractions
  dependency-version: 10.0.10
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: nuget-minor-patch
- dependency-name: Microsoft.Extensions.DependencyInjection.Abstractions
  dependency-version: 10.0.10
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: nuget-minor-patch
- dependency-name: Microsoft.Extensions.Http
  dependency-version: 10.0.10
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: nuget-minor-patch
- dependency-name: Microsoft.Extensions.Http.Resilience
  dependency-version: 10.8.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: nuget-minor-patch
- dependency-name: Microsoft.NET.Test.Sdk
  dependency-version: 18.8.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: nuget-minor-patch
- dependency-name: Microsoft.Playwright
  dependency-version: 1.61.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: nuget-minor-patch
- dependency-name: Radzen.Blazor
  dependency-version: 11.1.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: nuget-minor-patch
- dependency-name: WolverineFx.Marten
  dependency-version: 6.19.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: nuget-minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added .NET Pull requests that update .NET code dependencies Pull requests that update a dependency file labels Jul 17, 2026
@andregoepel
andregoepel merged commit 0f7809b into main Jul 17, 2026
4 checks passed
@dependabot
dependabot Bot deleted the dependabot/nuget/nuget-minor-patch-939a2505bf branch July 17, 2026 15:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file .NET Pull requests that update .NET code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant