December 5th, 2024

Using Dependabot to Manage .NET SDK Updates

Jamie Magee
Senior Software Engineer

Keeping your .NET SDK version up to date is crucial for maintaining secure and efficient applications. And now that Dependabot can update .NET SDK versions in global.json, it is easier than ever to make sure you’re always running the latest security patches and improvements.

Regular SDK updates are essential because they include:

  • Security patches for known vulnerabilities (CVEs)
  • Bug fixes and performance improvements
  • Latest development tools and features

Using global.json to Manage SDK Versions

To manage your .NET SDK version, you typically use a global.json file in your project. This file specifies which version of the SDK your project should use. Here’s an example of a simple global.json file:

{
  "sdk": {
    "version": "9.0.100"
  }
}

If you’re using GitHub Actions with the dotnet/setup-dotnet action, this file ensures that the same SDK version is used in your CI/CD pipeline.

Configuring Dependabot for .NET SDK Updates

Add a dependabot.yml file to your repository at .github/dependabot.yml in the default branch. If you always want to receive the latest updates, a minimal configuration will look like this:

version: 2
updates:
  - package-ecosystem: "dotnet-sdk"
    directory: "/"

But .NET SDK updates are mostly released on “patch Tuesday” (the second Tuesday of each month), so you might want to adjust the update schedule to check for updates only once a week. You can do that by adding a schedule section:

version: 2
updates:
  - package-ecosystem: "dotnet-sdk"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "wednesday"

Additionally, you can ignore major and minor version updates if you want to focus only on security patches. This can be done by adding an ignore section:

version: 2
updates:
  - package-ecosystem: "dotnet-sdk"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "wednesday"
    ignore:
      - dependency-name: "*"
        update-types:
          - "version-update:semver-major"
          - "version-update:semver-minor"

Dependabot will also respect the allowPrerelease setting in your global.json file. So if you want to include pre-release versions in your updates, make sure to set that option accordingly.
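As an added example (not from this post and not Dependabot’s own code), here is a small Python dry-run that applies the ignore rules above and the global.json allowPrerelease flag to a constructed list of candidate SDK versions. It assumes the three update-types map onto the major, minor and patch components of the version, treats a missing allowPrerelease as false (the script’s own choice, not the SDK resolver’s), and hard-codes the ignore list instead of reading dependabot.yml.

```python
import json
import re

# Constructed sample inputs standing in for global.json and the ignore section
# of .github/dependabot.yml (hard-coded here so no YAML library is needed).
GLOBAL_JSON = '{"sdk": {"version": "9.0.100", "allowPrerelease": false}}'
IGNORED_UPDATE_TYPES = {"version-update:semver-major", "version-update:semver-minor"}
CANDIDATES = [  # constructed candidate SDK versions a feed might offer
    "9.0.101", "9.0.200", "9.1.100",
    "10.0.100-preview.1.25000.1", "8.0.404", "9.0.101-rc.1.24500.1",
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$")


def parse_version(text):
    """Split '9.0.101' or '9.0.200-rc.1.24000.1' into (major, minor, patch, prerelease)."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"not a .NET SDK version: {text!r}")
    major, minor, patch, pre = m.groups()
    return int(major), int(minor), int(patch), pre


def update_type(current, candidate):
    """Name the jump from current to candidate using the update-types from the
    ignore rules; assumes major/minor/patch map straight onto the three components
    (so a feature-band bump such as 9.0.100 -> 9.0.200 counts as a patch here)."""
    cur, cand = parse_version(current), parse_version(candidate)
    if cand[:3] <= cur[:3]:
        return None  # same or older numeric version: not an upgrade
    if cand[0] != cur[0]:
        return "version-update:semver-major"
    if cand[1] != cur[1]:
        return "version-update:semver-minor"
    return "version-update:semver-patch"


def allowed_updates(global_json_text, candidates, ignored_types):
    """Return the candidates that survive the ignore rules and allowPrerelease."""
    sdk = json.loads(global_json_text)["sdk"]
    current = sdk["version"]
    allow_pre = sdk.get("allowPrerelease", False)  # assumption: absent means false
    out = []
    for candidate in candidates:
        kind = update_type(current, candidate)
        if kind is None or kind in ignored_types:
            continue
        if parse_version(candidate)[3] is not None and not allow_pre:
            continue  # pre-release build, but global.json does not allow them
        out.append(candidate)
    return out


if __name__ == "__main__":
    print(allowed_updates(GLOBAL_JSON, CANDIDATES, IGNORED_UPDATE_TYPES))
```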

Check out the Dependabot documentation for more details on all the configuration options available.

Dependabot NuGet Package Updates

In addition to .NET SDK updates, you can also configure Dependabot to manage your NuGet package dependencies. We significantly improved the NuGet support in Dependabot last year to manage more complex scenarios, so you can easily keep your packages up to date as well.

Feedback

You can share feedback with us by opening an issue in the Dependabot repository. You can also leave comments on this post if you have any questions or suggestions.


6 comments

  • Stian Fagereng

    Does this apply only to GitHub?

    If so, could that be stated in the title or at the top of the article?

  • Recep SELLİ

    Is there a way to do the same thing in Azure devops?

    • Laura Jiang (Microsoft employee)

      Hi there! Via GitHub Advanced Security for Azure DevOps, we are planning on bringing Dependabot to Azure DevOps. Dependabot is currently on our roadmap, and we do not have an estimated delivery date for this feature, but we are actively working on this initiative.

      • Stuart Ballard

        What about if you don’t use either of those platforms? Can it be run locally, or installed on a non-Microsoft CI system?

        (General rant, sorry) – It’s frustrating that so many of the features advertised as “git tooling support” in new versions of VS are actually “github and Azure DevOps tooling support” and useless if you use a different git host or are working with a purely local git repo.