Guidelines for updating dependencies
We use Dependabot to notify the team of any updates to dependencies. Once a week the robot will scan our dependencies and raise a pull-request if a new version is found. If an existing open pull-request is found for a dependency it will be closed and replaced with a new pull-request. The behavior of the robot is controlled by this configuration file.
These dependencies don't change the public API surface and are typically safe to merge and we could potentially configure mergify to automatically merge them if CI passes:
These dependencies require manual adjustments before merging:
Microsoft.CodeAnalysis.*. Those dependencies need to be aligned with the source generation task package, for which the dependency cannot be be explicitly provided.
Xamarin.GooglePlayServices.*. Those dependencies are added per TargetFramework (Android SDK version), not updated.
Updating these dependencies will require consumers to upgrade their dependencies and as such need consideration on a case by case basis is required before merging:
- System.Reactive. Currently only used in the
WpfHostwhich eventually will be deprecated.
- Microsoft.TypeScript.* child packages needs to be aligned with the other
additional care required
These dependencies require care and human testing:
- CommonServiceLocator. This specific dependency needs to be removed from Uno.
cef.redist.x86needs to be kept in alignment with
- CefSharp.Wpf needs to be kept in alignment with
- Microsoft.CodeAnalysis.* children packages needs to be aligned with the other
- Microsoft.Build.* children packages needs to be aligned with the other
Microsoft.Buildpackages, and need to be aligned with
- Microsoft.Extensions.Logging.* child packages needs to be aligned with the other
Microsoft.Extensions.Loggingpackages. Currently can't be upgraded because most recent versions are using thread, which are not supported on Wasm.
- Microsoft.UI.Xaml: This dependency is needs to be aligned with the currently supported API set found in Uno.
These dependencies require care and human testing to confirm compatibility with WebAssembly:
These dependencies are updated manually as part of the release process:
You can trigger Dependabot actions by commenting on the pull-request:
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself) @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Please do not use any of the
rebase|merge|squash and merge chatops commands as they bypass our merging pull-request guidelines and