Keeping your .NET SDK version up to date is crucial for maintaining secure and efficient applications. And now that Dependabot can update .NET SDK versions in global.json
, it is easier than ever to make sure you’re always running the latest security patches and improvements.
Regular SDK updates are essential because they include:
- Security patches for known vulnerabilities (CVEs)
- Bug fixes and performance improvements
- Latest development tools and features
Using global.json
to Manage SDK Versions
To manage your .NET SDK version, you typically use a global.json
file in your project. This file specifies which version of the SDK your project should use. Here’s an example of a simple global.json
file:
{
"sdk": {
"version": "9.0.100"
}
}
If you’re using GitHub Actions, and the dotnet/setup-dotnet
action, this file will ensure that the correct SDK version is used in your CI/CD pipeline.
Configuring Dependabot for .NET SDK Updates
Add a dependabot.yml
file to your repository at .github/dependabot.yml
in the default branch. If you always want to receive the latest updates, a minimal configuration will look like this:
version: 2
updates:
- package-ecosystem: "dotnet-sdk"
directory: "/"
But .NET SDK updates are mostly released on “patch Tuesday” (the second Tuesday of each month), so you might want to adjust the update schedule to check for updates only once a week. You can do that by adding a schedule
section:
version: 2
updates:
- package-ecosystem: "dotnet-sdk"
directory: "/"
schedule:
interval: "weekly"
day: "wednesday"
Additionally, you can ignore major and minor version updates if you want to focus only on security patches. This can be done by adding an ignore
section:
version: 2
updates:
- package-ecosystem: "dotnet-sdk"
directory: "/"
schedule:
interval: "weekly"
day: "wednesday"
ignore:
- dependency-name: "*"
update-types:
- "version-update:semver-major"
- "version-update:semver-minor"
Dependabot will also respect the allowPrerelease
setting in your global.json
file. So if you want to include pre-release versions in your updates, make sure to set that option accordingly.
Check out the Dependabot documentation for more details on all the configuration options available.
Dependabot NuGet Package Updates
In addition to .NET SDK updates, you can also configure Dependabot to manage your NuGet package dependencies. We significantly improved the NuGet support in Dependabot last year to manage more complex scenarios, so you can easily keep your packages up to date as well.
Feedback
You can share feedback with us by opening an issue in the Dependabot repository. You can also leave comments on this post if you have any questions or suggestions.
Does this apply only to github?
if so could it be more stated in the title or top of the article?
Please make it work for FSharp.Core : https://github.com/dependabot/dependabot-core/issues/10883
Is there a way to do the same thing in Azure devops?
Yes you can use this Extension in Azure DevOps to run Dependabot, we are using it successfully across a multitude of repositories https://github.com/tinglesoftware/dependabot-azure-devops
Hi there! Via GitHub Advanced Security for Azure DevOps, we are planning on bringing Dependabot to Azure DevOps. Dependabot is currently on our roadmap, and we do not have an estimated delivery date for this feature but we are actively working to this initiative.
What about if you don’t use either of those platforms? Can it be run locally, or installed on a non-Microsoft CI system?
(General rant, sorry) – It’s frustrating that so many of the features advertised as “git tooling support” in new versions of VS are actually “github and Azure DevOps tooling support” and useless if you use a different git host or are working with a purely local git repo.