{"id":54784,"date":"2024-12-05T08:00:00","date_gmt":"2024-12-05T16:00:00","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/dotnet\/?p=54784"},"modified":"2024-12-13T13:58:37","modified_gmt":"2024-12-13T21:58:37","slug":"using-dependabot-to-manage-dotnet-sdk-updates","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/dotnet\/using-dependabot-to-manage-dotnet-sdk-updates\/","title":{"rendered":"Using Dependabot to Manage .NET SDK Updates"},"content":{"rendered":"<p>Keeping your .NET SDK version up to date is crucial for maintaining secure and efficient applications. And now that <a href=\"https:\/\/github.blog\/changelog\/2024-11-19-dependabot-can-now-perform-version-updates-for-the-net-sdk\/\">Dependabot can update .NET SDK versions in <code>global.json<\/code><\/a>, it is easier than ever to make sure you&#8217;re always running the latest security patches and improvements.<\/p>\n<p>Regular SDK updates are essential because they include:<\/p>\n<ul>\n<li>Security patches for known vulnerabilities (CVEs)<\/li>\n<li>Bug fixes and performance improvements<\/li>\n<li>Latest development tools and features<\/li>\n<\/ul>\n<h2>Using <code>global.json<\/code> to Manage SDK Versions<\/h2>\n<p>To manage your .NET SDK version, you typically use a <a href=\"https:\/\/learn.microsoft.com\/dotnet\/core\/tools\/global-json\"><code>global.json<\/code> file<\/a> in your project. This file specifies which version of the SDK your project should use. 
Here\u2019s an example of a simple <code>global.json<\/code> file:<\/p>\n<pre><code class=\"language-json\">{\r\n  \"sdk\": {\r\n    \"version\": \"9.0.100\"\r\n  }\r\n}<\/code><\/pre>\n<p>If you&#8217;re using GitHub Actions and the <a href=\"https:\/\/github.com\/actions\/setup-dotnet\"><code>actions\/setup-dotnet<\/code><\/a> action, this file will ensure that the correct SDK version is used in your CI\/CD pipeline.<\/p>\n<h2>Configuring Dependabot for .NET SDK Updates<\/h2>\n<p>Add a <code>dependabot.yml<\/code> file to your repository at <code>.github\/dependabot.yml<\/code> in the default branch. If you always want to receive the latest updates, a minimal configuration will look like this:<\/p>\n<pre><code class=\"language-yaml\">version: 2\r\nupdates:\r\n  - package-ecosystem: \"dotnet-sdk\"\r\n    directory: \"\/\"<\/code><\/pre>\n<p>But .NET SDK updates are mostly released on &#8220;patch Tuesday&#8221; (the second Tuesday of each month), so you might want to adjust the update schedule to check for updates only once a week. You can do that by adding a <code>schedule<\/code> section:<\/p>\n<pre><code class=\"language-yaml\">version: 2\r\nupdates:\r\n  - package-ecosystem: \"dotnet-sdk\"\r\n    directory: \"\/\"\r\n    schedule:\r\n      interval: \"weekly\"\r\n      day: \"wednesday\"<\/code><\/pre>\n<p>Additionally, you can ignore major and minor version updates if you want to focus only on security patches. 
This can be done by adding an <code>ignore<\/code> section:<\/p>\n<pre><code class=\"language-yaml\">version: 2\r\nupdates:\r\n  - package-ecosystem: \"dotnet-sdk\"\r\n    directory: \"\/\"\r\n    schedule:\r\n      interval: \"weekly\"\r\n      day: \"wednesday\"\r\n    ignore:\r\n      - dependency-name: \"*\"\r\n        update-types: \r\n          - \"version-update:semver-major\"\r\n          - \"version-update:semver-minor\"<\/code><\/pre>\n<p>Dependabot will also respect the <a href=\"https:\/\/learn.microsoft.com\/dotnet\/core\/tools\/global-json#allowprerelease\"><code>allowPrerelease<\/code> setting in your <code>global.json<\/code><\/a> file. So if you want to include pre-release versions in your updates, make sure to set that option accordingly.<\/p>\n<p>Check out the <a href=\"https:\/\/docs.github.com\/en\/code-security\/dependabot\/dependabot-version-updates\/configuration-options-for-the-dependabot.yml-file\">Dependabot documentation<\/a> for more details on all the configuration options available.<\/p>\n<h2>Dependabot NuGet Package Updates<\/h2>\n<p>In addition to .NET SDK updates, you can also configure Dependabot to manage your NuGet package dependencies. <a href=\"https:\/\/github.blog\/changelog\/2023-11-28-improvements-to-nuget-support-for-dependabot\/\">We significantly improved the NuGet support in Dependabot last year<\/a> to manage more complex scenarios, so you can easily keep your packages up to date as well.<\/p>\n<h2>Feedback<\/h2>\n<p>You can share feedback with us by opening an issue in <a href=\"https:\/\/github.com\/dependabot\/dependabot-core\/\">the Dependabot repository<\/a>. 
You can also leave comments on this post if you have any questions or suggestions.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Learn how to use Dependabot to keep your .NET SDK version up to date with the latest security patches and improvements.<\/p>\n","protected":false},"author":176226,"featured_media":54809,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[685],"tags":[4,7797,9],"class_list":["post-54784","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-dotnet","tag-net","tag-dotnet-9","tag-net-core"],"acf":[],"blog_post_summary":"<p>Learn how to use Dependabot to keep your .NET SDK version up to date with the latest security patches and improvements.<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/posts\/54784","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/users\/176226"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/comments?post=54784"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/posts\/54784\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/media\/54809"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/media?parent=54784"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/categories?post=54784"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/tags?post=54784
"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}