Skip to content

Bump the nuget group with 9 updates#4

Closed
dependabot[bot] wants to merge 298 commits into
mainfrom
dependabot/nuget/src/Dispatch.Data/nuget-630781b8b4
Closed

Bump the nuget group with 9 updates#4
dependabot[bot] wants to merge 298 commits into
mainfrom
dependabot/nuget/src/Dispatch.Data/nuget-630781b8b4

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 9, 2026

Copy link
Copy Markdown

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.


Updated AWSSDK.SimpleEmailV2 from 4.0.14.5 to 4.0.100.3.

Release notes

Sourced from AWSSDK.SimpleEmailV2's releases.

No release notes found for this version range.

Commits viewable in compare view.

Updated coverlet.collector from 6.0.4 to 10.0.1.

Release notes

Sourced from coverlet.collector's releases.

10.0.1

Improvements

Fixed

  • Fix inconsistent paths in cobertura reports #​1723
  • Fix when using "is" with "and" in pattern matching, branch coverage is lower than normal #​1313
  • Fix Coverlet flagging a branch for an async functions finally block where none exists #​1337
  • Fix Coverlet Tracker Missing CompilerGeneratedAttribute #​1828

Maintenance

  • Add architecture docs and diagrams for all integrations #​1927
  • Update NuGet packages and .NET SDK versions #​1933

Diff between 10.0.0 and 10.0.1

10.0.0

Improvements

  • Unique Report Filenames (coverlet.MTP and AzDO) #​1866
  • Add --coverlet-file-prefix option for unique report files #​1869
  • Introduce .NET 10 support #​1823

Fixed

  • Fix [BUG] Wrong branch rate on IAsyncEnumerable for generic type #​1836
  • Fix [BUG] Missing Coverage after moving to MTP #​1843
  • Fix [BUG] No coverage reported when targeting .NET Framework with 8.0.1 #​1842
  • Fix [BUG] Behavior changes between MTP and Legacy (msbuild) #​1878
  • Fix [BUG] Coverlet.MTP - Unable to load coverlet.mtp.appsettings.json #​1880
  • Fix [BUG] Coverlet.Collector produces empty report when Mediator.SourceGenerator is referenced #​1718 by https://github.com/yusyd
  • Fix [BUG] Crash during instrumentation (Methods using LibraryImport/DllImport have no body) #​1762

Maintenance

  • Add comprehensive async method tests and documentation for issue #​1864
  • Replace Tmds.ExecFunction Package in coverlet.core.coverage.tests #​1833
  • Add net9.0 and net10.0 targets #​1822

Diff between 8.0.1 and 10.0.0

8.0.1

Fixed

  • Fix [BUG] TypeInitializationException when targeting .NET Framework #​1818
  • Fix [BUG] coverlet.MTP build fails with CS0400 due to developmentDependency=true #​1827

Improvements

  • Additional improvements needed for .NET Framework instrumentation type import #​1825

Diff between 8.0.0 and 8.0.1

8.0.0

Special Thanks: A huge thank you to @​Bertk for driving the majority of the work in this release! 🎉

Fixed

Improvements

  • Coverlet MTP extension feature #​1788
  • Generate SBOM for nuget packages #​1752
  • Use multi targets projects for coverlet.collector, coverlet.msbuild.tasks packages #​1742
  • Use .NET 8.0 target framework for coverlet.core and remove Newtonsoft.Json #​1733
  • Use latest System.CommandLine version #​1660
  • Upgraded minimum required .NET SDK and runtime to .NET 8.0 LTS (Long Term Support) (Breaking Change)
  • Use xunit.v3 for tests and example code

Diff between 6.0.4 and 8.0.0

Commits viewable in compare view.

Updated Microsoft.Data.SqlClient from 7.0.1 to 7.0.2.

Release notes

Sourced from Microsoft.Data.SqlClient's releases.

7.0.2

This update brings the following changes since the 7.0.1 release:

Important — package version alignment: Starting with 7.0.2, the Microsoft.Data.SqlClient driver and its companion packages share a single aligned version. The following packages now ship together as 7.0.2:

  • Microsoft.Data.SqlClient
  • Microsoft.Data.SqlClient.AlwaysEncrypted.AzureKeyVaultProvider
  • Microsoft.Data.SqlClient.Extensions.Azure
  • Microsoft.Data.SqlClient.Extensions.Abstractions
  • Microsoft.Data.SqlClient.Internal.Logging

(Microsoft.SqlServer.Server continues to version independently and remains at 1.0.0.)

Applications must reference the same versions of Microsoft.Data.SqlClient and its extensions for best compatibility. In particular, applications that reference Microsoft.Data.SqlClient.Extensions.Azure must upgrade it to 7.0.2 when upgrading Microsoft.Data.SqlClient to 7.0.2.

Breaking change (.NET Framework only): As part of this alignment, the AssemblyVersion of Microsoft.Data.SqlClient.Extensions.Azure, Microsoft.Data.SqlClient.Extensions.Abstractions, and Microsoft.Data.SqlClient.Internal.Logging changed from 1.0.0.0 to 7.0.0.0 (the Microsoft.Data.SqlClient and Microsoft.Data.SqlClient.AlwaysEncrypted.AzureKeyVaultProvider assembly versions are unchanged). On .NET Framework, AssemblyVersion is part of the strong-name identity, so applications that drop these assemblies into an existing deployment without rebuilding must rebuild against the 7.0.2 packages (or add binding redirects). Applications on .NET / .NET Core are not affected.

Companion package release notes

The following companion packages ship aligned as 7.0.2. See their individual release notes for package-specific changes (including the Microsoft.Data.SqlClient.Extensions.Azure WAM broker support):

Fixed

  • Fixed a NullReferenceException in SqlCommand.Cancel(). The diagnostic message built during cancellation dereferenced the active connection directly; it now uses a null-conditional access so cancellation no longer throws when the connection has already been torn down.
    (#​4372,#​4373)

  • Fixed a NullReferenceException in SqlDataReader when calling GetBytes/GetChars with a null destination buffer. The argument-validation path that constructs the InvalidDestinationBufferIndex exception now guards against the null buffer so the correct ArgumentException is surfaced instead of an NRE.
    (#​4159,#​4206)

  • Fixed Always Encrypted column master key signature verification incorrectly reusing cached results. The SignatureVerificationCache lookup logic was corrected so signature verification outcomes are cached and retrieved against the correct key, preventing stale or mismatched verification results.
    (#​4339,#​4343)

Changed

Hardened TDS token parsing with data-length bounds checks

What Changed:

  • Added bounds checking when parsing TDS token and feature-extension-acknowledgment data lengths. The parser now validates the declared length of incoming token data against the available buffer before reading, rejecting malformed or out-of-range length values instead of reading past the intended boundary.
    (#​4340,#​4358)

Who Benefits:

  • All consumers benefit from improved resilience against malformed or hostile TDS responses. A server (or man-in-the-middle) sending an invalid token length can no longer drive the parser to read beyond the declared payload.

Impact:
... (truncated)

Commits viewable in compare view.

Updated Microsoft.Extensions.Hosting.Systemd from 10.0.0 to 10.0.9.

Release notes

Sourced from Microsoft.Extensions.Hosting.Systemd's releases.

No release notes found for this version range.

Commits viewable in compare view.

Updated Microsoft.Extensions.Hosting.WindowsServices from 10.0.0 to 10.0.9.

Release notes

Sourced from Microsoft.Extensions.Hosting.WindowsServices's releases.

No release notes found for this version range.

Commits viewable in compare view.

Updated Microsoft.NET.Test.Sdk from 17.14.1 to 18.7.0.

Release notes

Sourced from Microsoft.NET.Test.Sdk's releases.

18.7.0

What's Changed

New Contributors

Full Changelog: microsoft/vstest@v18.6.0...v18.7.0

18.6.0

What's Changed

Changes to tests and infra

18.5.1

What's Changed

Full Changelog: microsoft/vstest@v18.5.0...v18.5.1

18.5.0

⚠️ Unlisted on Nuget, because of #​15718

What's Changed

Full Changelog: microsoft/vstest@v18.4.0...v18.5.0

18.4.0

What's Changed

New Contributors

Full Changelog: microsoft/vstest@v18.3.0...v18.4.0

18.3.0

What's Changed

Internal fixes and updates

New Contributors

18.0.1

What's Changed

Fixing an issue with loading covrun64.dll on systems that have .NET 10 SDK installed: https://learn.microsoft.com/en-us/dotnet/core/compatibility/sdk/10.0/code-coverage-dynamic-native-instrumentation

Internal changes

Full Changelog: microsoft/vstest@v18.0.0...v18.0.1

18.0.0

What's Changed

Internal fixes and updates

Commits viewable in compare view.

Updated Serilog.AspNetCore from 9.0.0 to 10.0.0.

Release notes

Sourced from Serilog.AspNetCore's releases.

10.0.0

What's Changed

New Contributors

Full Changelog: serilog/serilog-aspnetcore@v9.0.0...v10.0.0

Commits viewable in compare view.

Updated System.Security.Cryptography.ProtectedData from 9.0.13 to 10.0.9.

Release notes

Sourced from System.Security.Cryptography.ProtectedData's releases.

10.0.0-preview.6.25358.103

You can build .NET 10.0 Preview 6 from the repository by cloning the release tag v10.0.0-preview.6.25358.103 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

10.0.0-preview.5.25277.114

You can build .NET 10.0 Preview 5 from the repository by cloning the release tag v10.0.0-preview.5.25277.114 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

10.0.0-preview.4.25258.110

You can build .NET 10.0 Preview 4 from the repository by cloning the release tag v10.0.0-preview.4.25258.110 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

10.0.0-preview.3.25171.5

You can build .NET 10.0 Preview 3 from the repository by cloning the release tag v10.0.0-preview.3.25171.5 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

10.0.0-preview.2.25163.2

You can build .NET 10.0 Preview 2 from the repository by cloning the release tag v10.0.0-preview.2.25163.2 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

10.0.0-preview.1.25080.5

You can build .NET 10.0 Preview 1 from the repository by cloning the release tag v10.0.0-preview.1.25080.5 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

9.0.118

You can build .NET 9.0 from the repository by cloning the release tag v9.0.118 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached is a PGP signature for the GitHub generated tarball. You can find the public key at https://dot.net/release-key-2023

9.0.117

You can build .NET 9.0 from the repository by cloning the release tag v9.0.117 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

9.0.116

You can build .NET 9.0 from the repository by cloning the release tag v9.0.116 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

9.0.115

You can build .NET 9.0 from the repository by cloning the release tag v9.0.115 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

9.0.114

You can build .NET 9.0 from the repository by cloning the release tag v9.0.114 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached is the PGP signature for the GitHub generated tarball. You can find the public key at https://dot.net/release-key-2023

9.0.113

You can build .NET 9.0 from the repository by cloning the release tag v9.0.113 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

9.0.112

You can build .NET 9.0 from the repository by cloning the release tag v9.0.112 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

9.0.111

You can build .NET 9.0 from the repository by cloning the release tag v9.0.111 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

9.0.110

You can build .NET 9.0 from the repository by cloning the release tag v9.0.110 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

9.0.109

You can build .NET 9.0 from the repository by cloning the release tag v9.0.109 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

9.0.101

You can build .NET 9.0 from the repository by cloning the release tag v9.0.101 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

Commits viewable in compare view.

Updated xunit.runner.visualstudio from 3.1.4 to 3.1.5.

Release notes

Sourced from xunit.runner.visualstudio's releases.

3.1.5

Release notes: https://xunit.net/releases/visualstudio/3.1.5

Commits viewable in compare view.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Chris Muench and others added 30 commits June 13, 2026 08:35
- Build: ubuntu-latest with a mcr.microsoft.com/mssql/server:2022 service container (the Data test
  fixture's 90s readiness wait covers startup); release job on ubuntu-latest too.
- Installers: windows-latest builds the MSI + bundle; ubuntu-latest lints install.sh.
GitHub-hosted runners are free for public repos and always available, unlike the offline self-hosted runner.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…l name for Bal); opt actions into Node 24

- WiX v6 ships the Bal/bundle extension dll as WixToolset.BootstrapperApplications.wixext, so the bundle
  build must reference that name, not WixToolset.Bal.wixext (which failed with WIX0144 'could not be found').
- Set FORCE_JAVASCRIPT_ACTIONS_TO_NODE24 to clear the Node.js 20 deprecation warning on the actions/* @v4.
…orts Ubuntu 24.04; Windows fwlink already 2025)

- Linux install.sh: mssql-server-2025 repo (Ubuntu 24.04 supported), key at /usr/share/keyrings to match
  the 2025 list's signed-by. Reverts the ubuntu-22.04 CI pin back to ubuntu-latest.
- Windows: the SSEI fwlink already resolves to SQL 2025 Express; noted in the bootstrap.
…MTP presets; fix Linux installer spool layout

Providers (spec §8): native Amazon SES (AWS SDK, raw MIME), Postmark/Resend/SMTP2GO (HTTP JSON), SparkPost
(raw MIME via email_rfc822). Enum + RelayProviderSchema + factory wiring + UI fields; SMTP-preset dropdown
in the relay editor fills host/port/TLS for ~10 common providers (SES/Brevo/Gmail/M365/Postmark/Resend/
SendGrid/SMTP2GO/SparkPost/Mailjet) so any of them works via the generic SMTP provider. Factory tests cover
all five new types.

Installer fixes (found via the full-install CI smoke):
- Resolve a relative spool dir against the content root, not the process CWD (Windows services run in
  system32; the systemd unit's CWD was a read-only /etc) — fixes 'Access to ./.dispatch-spool denied'.
- Linux: single data dir (/var/lib/dispatch) holds appsettings + spool (mirrors Windows ProgramData);
  systemd WorkingDirectory + ReadWritePaths updated.

150 tests green; UI builds.
…iness to the service manager

The Windows MSI install failed (1603): the service started but never signalled 'running' to the SCM, so
the MSI's ServiceControl start timed out and rolled back (app log showed 'Hosting environment: Production'
logged repeatedly as SCM retried). .NET hosts must call UseWindowsService() for SCM integration; added
UseSystemd() too and set the unit to Type=notify (also closes the §16.3 drift). Both are no-ops when run
interactively. Linux full-install already passed; this fixes the Windows end-to-end.
…s installer

Signs Dispatch.msi + the DispatchSetup.exe Burn bundle via SignPath Foundation
(free for OSS). Skipped until repo vars SIGNPATH_ORGANIZATION_ID/PROJECT_SLUG/
POLICY_SLUG + secret SIGNPATH_API_TOKEN are set, so the unsigned artifact stands
in the meantime.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Add release.yml: on a v* tag, build the version-stamped Windows installer
(DispatchSetup.exe + Dispatch.msi) and a self-contained linux-x64 tarball, then
publish a GitHub Release with SHA256SUMS and auto-generated notes. Windows
artifacts are Authenticode-signed via Azure Artifact Signing when the repo is
provisioned (AZURE_SIGNING_* vars/secrets); the Burn bundle engine is detached,
signed, reattached, then the bundle is signed. Skipped (unsigned) until then.

- installer wxs: Version is now overridable via -d Version=<tag> (defaults 1.0.0)
- install.sh: --prebuilt <dir> installs the self-contained tarball without the
  .NET SDK/Node; systemd unit resolved next to the script for tarball layout
- installers.yml: drop the dormant SignPath step (CI installer builds stay
  unsigned; signing happens only at release time)
- build.yml: remove the partial tag release job (superseded by release.yml)
- docs/RELEASING.md: how to cut a release + provision Azure signing

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Adds a linux-tarball job that publishes the self-contained linux-x64 build and
uploads it as a downloadable artifact on every push — no tag/release needed to
grab a tarball for testing install.sh --prebuilt.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…DR defaults

Add a multi-stage Dockerfile (multi-arch amd64/arm64) and a docker-compose.yml
that runs Dispatch + Azure SQL Edge together (arm64-native on Apple Silicon):
`docker compose up --build` → dashboard on :8420, API :8421, SMTP :2525.

Fix the seeded source-IP allow-list defaults, which were loopback-only and made
the dashboard unreachable on every real deployment shape (headless servers have
no local browser; containers NAT every request to the bridge gateway):
- webui.allowed_cidrs / api.allowed_cidrs -> empty (allow all); these are gated
  by the dashboard password and API keys, with CIDR as optional hardening
- listener.allowed_cidrs -> loopback + RFC1918 + IPv6 ULA, so same-host/LAN/
  Docker apps can submit mail without shipping an open internet relay

Verified end-to-end on Apple Silicon: /health 200, SQL connected, SMTP intake
250 OK + spooled. Core 55 + Web 53 tests green. Spec §1.1 deltas updated.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…st coverage

The deeper cause of the unreachable-dashboard bug: ListenerOptions/ApiOptions
EffectiveAllowedCidrs silently rewrote an empty list back to loopback-only, so
the seeded allow-all defaults (and any operator who cleared the list) were
overridden — the ingestion API was loopback-only too. Both middlewares already
treat empty as allow-all, so make EffectiveAllowedCidrs a pass-through and
default the ConfigCache keys to empty; the safe baseline now lives solely in the
seeded ConfigDefaults (listener = loopback + private ranges).

Add the test coverage that would have caught this:
- CidrMailboxFilter: private/loopback allowed, public denied, empty = allow-all
- WebAuthMiddleware: outside-list 403, inside allowed, empty-list regression guard
- ConfigDefaults: seed-defaults guard (webui/api allow-all, listener private-only)

Also add a container HEALTHCHECK (curl /health) to the Dockerfile.

Verified in the running container: /health 200, ingestion API 401 (not 403),
HEALTHCHECK healthy. Core 65 + Web 57 tests green.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…kstart

release.yml: add a docker job that builds + pushes a multi-arch (amd64+arm64)
image to ghcr.io/<owner>/dispatch-smtp-relay on a v* tag (semver + latest tags,
buildx + QEMU, GHA layer cache); skipped on dry-run dispatch. Grants packages:write.

README: add a Docker section (docker compose for local testing; docker run from
GHCR with env config) covering the multi-arch image and the container-aware
allow-list defaults.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
- release.yml: version the Windows assets (DispatchSetup-<ver>-x64.exe,
  Dispatch-<ver>-x64.msi) so each release's downloads are distinguishable
- README install docs corrected to match reality:
  - Windows: real bundle behavior (DISPATCHSQL instance, skipped if present),
    DispatchLog DB (was "DispatchQueue"), silent install via /quiet, existing-SQL
    via the MSI + SQLCONN (dropped fabricated --silent/--server/--auth flags)
  - Linux: install from the self-contained tarball with --prebuilt (dropped the
    nonexistent `curl | bash install.sh` asset); note arm64 -> external SQL/Docker
  - Quick Start: default dashboard is http://localhost:8420 (https only with a
    cert), default SMTP port 2525 (not 25/587)
  - appsettings holds connection string + Web UI TLS cert (not "only the
    connection string")
- RELEASING.md: versioned asset names + GHCR image row

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Reconcile remaining drift found by auditing claims against the code:
- Providers: add Amazon SES, Postmark, Resend, SparkPost, SMTP2GO everywhere
  (features, relay table with real required fields, supported-providers, structure)
- Remove the "CSV export" claim (feature was dropped, spec §1.1)
- SMTP listener defaults: ports 2525 (not 25/587), allow-list = loopback+private
  ranges (not 127.0.0.1/32), max message size 0/no-limit (not 25 MB)
- Security: dashboard is HTTPS-when-cert-configured (not "HTTPS-only" with auto
  self-signed); API keys + admin password are bcrypt-hashed, provider/SMTP
  secrets AES-256-GCM (Linux/macOS) or DPAPI (Windows)
- Upgrading: in-place MSI MajorUpgrade + additive migrations + manual drain
  endpoint (the old auto version-detect/drain/rollback flow isn't implemented)
- Requirements: SQL Server 2025 Express bundled; arm64 -> Docker/external SQL
- Project structure: WiX MSI + Burn bundle (not "WiX v5"), Dockerfile added
- Hero line: SMTP default 2525 (25/587 for production)

Verified against code via audit: all referenced files/links exist; routing
rules + /api/routing/simulate and the drain endpoint do exist; provider field
names match RelaySettings schema.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
- Fix the settings location: the UI sections are "Retention" + "Storage
  maintenance" (not "Storage & Retention")
- Don't overstate configurability: the 6-hour purge schedule and the
  retrying/test-message retention are fixed defaults; the rest are editable
- Add the facts the section omitted: 6h schedule, captured (Local) 7-day
  retention, on-demand purge (POST /api/purge/run), size target 9.0 GB, and the
  separate disk-pressure protection (throttle -> 4xx refuse -> recover)

Audited licence-faq.md and CONTRIBUTING.md against the code — both accurate
(MailgunProviderTests / RelayProviderFactory / RelayProviderSchema all exist),
left unchanged.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Inline factual fixes:
- WiX Toolset v5 -> v6 (build pins 6.0.2)
- DispatchQueue -> DispatchLog everywhere except the rename note
- Linux install examples: SQL Server 2025 / Ubuntu 24.04 (were 2022/22.04)
- Solution structure: real test projects (no Dispatch.Integration.Tests)

New §1.1 deltas (authoritative) for structural drift found by auditing §3-18:
- Full provider set (adds Amazon SES, Postmark, Resend, SparkPost, SMTP2GO;
  Appendix A "future" ones are shipped; default relay provider is Unconfigured)
- Windows install is a WiX Burn bundle chain (InstallSqlExpress launcher + MSI),
  not a WinForms wizard; cert generation is Linux-only
- Ingestion API is HTTP-only (no api.tls_* keys); webui TLS keys live in
  appsettings not the config table; no webui.require_auth; config table also has
  listener.server_name + purge.captured_retention_days
- §10.7/§11.5 pseudocode signatures are illustrative (actual signatures differ)
- SMTP source-IP denial occurs at MAIL FROM, not the greeting banner
- Documents two not-yet-implemented items vs spec: SMTP AUTH brute-force lockout
  (§17.10) and instant API-key revocation (§17.4 — honored up to the 30s cache TTL)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…ckout

Close the two gaps the spec audit surfaced (§17.4, §17.10):

- ApiKeyCache.Invalidate(keyId): the DELETE /api/keys/{id} revoke endpoint now
  evicts the key from the verification cache, so it stops working immediately
  instead of lingering for up to the 30s TTL.
- SmtpAuthThrottle: per-source-IP SMTP AUTH lockout (5 failures -> 60s), refusing
  AUTH without hitting the credential store while locked; mirrors LoginThrottle.
  Wired into ConfiguredUserAuthenticator (records success/failure by source IP).

Tests: ApiKeyCache invalidation (evicts only the matching id), SmtpAuthThrottle
(lockout after 5, success resets, per-IP), and ConfiguredUserAuthenticator (a
locked IP is refused without a store call). Core 70 + Web 59 green.

Updates the §1.1 deltas: both are now implemented (were documented as gaps).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
- SECURITY.md: private disclosure via GitHub Security Advisories, what to
  include, scope (open-relay/allow-list bypass, credential/spool exposure, auth
  bypass, etc.), and a map of where security controls live for reviewers.
- RELEASING.md: a one-time "first release" step to flip the GHCR package to
  public (packages are private by default) so anonymous docker pull works.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…g key

Live end-to-end testing showed the single-message status endpoint resolved a
message by spool id for ANY valid key, leaking another key's status/provider/
timing if the (random) id was known. Only the list endpoint was key-scoped.

Now scoped per key (spec §7.4): the spool fast-path checks the .meta's ApiKeyId,
and GetBySpoolIdAsync filters relay_log by api_key_id. A non-owning key gets 404.
A null key id keeps the unscoped lookup for internal callers.

Test: GetBySpoolId_is_scoped_to_the_calling_key (Data, live SQL). Validated live
in the container: owner 200, other key 404. Data 25 + Web 59 green.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Close the coverage gap surfaced by the audit — previously only "the factory
builds them" was tested. Add request-building + error-mapping tests (stubbed
HttpMessageHandler, no live calls):

- Postmark: endpoint + X-Postmark-Server-Token, default MessageStream, and the
  important non-zero-ErrorCode-on-HTTP-200 -> permanent failure path
- Resend: Bearer auth, id parse, 429 transient, 401 permanent
- SparkPost: raw-MIME (email_rfc822) to US/EU endpoints, api-key header, 5xx transient
- SMTP2GO: api_key in body, email_id parse, 5xx transient, missing key permanent
- Amazon SES: required-setting validation (can't wire the AWS SDK client in a unit test)

Shared StubHttpHandler + message helper in ProviderTestSupport. Providers 34 green.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…fety

Edge-case coverage from the adversarial pass:
- Ingestion multipart with TWO attachments (csv + binary png): asserts both are
  preserved in the spooled .eml with filenames + exact bytes intact, alongside
  the text body.
- Malformed 'from' address -> 400 (not 500): pins the handler's parse-exception
  guard so bad envelope input can't 500.
- MessageLog_all_filter_fields_are_injection_safe: complements the existing
  FromDomain [Theory] by exercising ToDomain/RelayName/IngestSource and the
  LIKE-based Subject/Tag filters with DROP/DELETE payloads — literal, no match,
  table intact.

Note: spool crash-recovery (RecoverOrphans) and corrupt-.meta quarantine are
already covered in SpoolWorkerPoolTests, so not duplicated. Web 61 + Data 26 green.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Chris Muench and others added 22 commits July 1, 2026 10:11
When the service restarts to a new version mid-upgrade, the version-
stamped session cookie is invalidated, so polling starts returning 401.
Previously the dashboard sat on "reconnecting..." until a manual refresh.
Add a global 401 handler (registered by AuthGate) so any unauthenticated
API response drops straight to the login screen. Guarded to only fire
while signed in, and auth-flow calls use fetch directly, so no loop.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Root Linux applier (installer/linux/dispatch-update.sh):
- Take the version from the SIGNED manifest, not the unsigned apply.request.
- Constrain stagedDir to strictly under <updates>/staged/ (realpath prefix
  check) so a compromised service account can't aim the root applier
  elsewhere (traversal/symlink escape).
- Validate the version token before it lands in fs paths / rm -rf / T-SQL.
- Read JSON via python ARGV/env instead of interpolating untrusted paths
  into `python3 -c "..."` (removes a root code-injection primitive); also
  for the connection-string parse. Validate the db name token.
- Harden tar extraction (--no-same-owner --no-overwrite-dir).

Downgrade protection (UpdateService.HandleUploadAsync):
- Refuse a package older than the installed version with a friendly
  message (rollback attack / reintroducing fixed vulns). Same version is
  allowed (repair); unparseable pairs pass (signature already vouches).
- Add CompareVersions that normalizes a 3-part release tag ("0.2.1")
  against the 4-part assembly version ("0.2.1.0") so an identical release
  isn't misread as a downgrade. Tests added (downgrade + comparison).

Addresses audit findings #1, #2, #3.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
#4: Pin all third-party GitHub Actions in release.yml (the job that holds
DISPATCH_UPDATE_SIGNING_KEY + Azure OIDC + the release token) to full
commit SHAs with a version comment: azure/trusted-signing-action,
azure/login, softprops/action-gh-release, docker/*. A hijacked mutable
tag can no longer run in the signing/publish job. Add .github/dependabot.yml
(github-actions + npm + nuget, grouped) so pinned SHAs still get bumped.

#5: Verify the appliance's inputs before baking them in (build-appliance.sh):
- Ubuntu cloud image: verify SHA256SUMS's detached GPG signature against
  the pinned Ubuntu Cloud Image signing key, then verify the image hash
  against it. Fail-closed.
- packages-microsoft-prod.deb: pin its SHA256 so a swapped bootstrap .deb
  can't install a rogue repo/key. (Individual packages are already apt
  signature-verified; this closes the bootstrap gap.)

Addresses audit findings #4, #5.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…w change

#6 Decompression bomb: the 2GiB cap was on the compressed upload only.
Add CopyCappedAsync (3GiB ceiling) and use it when extracting the payload
and when unwrapping a GitHub-wrapped .zip, so a gzip/zip bomb can't fill
the disk before the hash check. Reported as a friendly rejection.

#7 Session invalidation on password change: a changed admin password now
bumps a monotonic credential epoch (webui.session_epoch); the auth cookie
carries the epoch it was issued under, and OnValidatePrincipal rejects
cookies with an older epoch (cached, lag-tolerant strict-older check). The
acting admin's own cookie is re-issued so they stay signed in while every
other session is dropped. First-run setup doesn't bump (no prior sessions).

Addresses audit findings #6, #7.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
#10 Windows updater: replace Expand-Archive with a manual extraction that
validates every zip entry resolves strictly under the install dir before
writing (Expand-Archive/older .NET don't reject '..' entries), guarding
the SYSTEM-level apply against a zip-slip in a malicious release archive.

#9 Ingestion API: set the per-request MaxRequestBodySize to
MaxMessageBytes (+ framing overhead) before reading, so an upload without
Content-Length (chunked) is aborted while streaming instead of being
buffered into several in-memory copies; return 413 on BadHttpRequestException.

Addresses audit findings #9, #10.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
- release.yml: fail the build if DISPATCH_UPDATE_SIGNING_KEY is unset
  instead of publishing an unsigned (always-rejected) upgrade package.
- Ingestion: reject a subject containing control chars up front
  (CRLF header-injection defense-in-depth over MimeKit's encoding).
- SecurityHeaders: add Permissions-Policy disabling camera/mic/geo/usb/payment.
- auth.tsx: password placeholder now says min 12 (matches server policy).
- api.ts sendJson: tolerate a non-JSON error body so the HTTP status
  surfaces instead of a parse error.
- install.sh: correct the stale UMask=0177 comment to 0077.

Addresses audit low/info items (M1, F2, placeholder, Permissions-Policy,
robustness, comment drift).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
SQL Server Express install can run 15-20 minutes with a progress bar that
appears frozen, which looks stuck. Give the ExePackage a DisplayName the
bootstrapper shows as the current progress item, reassuring the user it's
normal and to wait.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Step 1 of in-product licensing. Add Dispatch.Core/Licensing: a
LicenseVerifier that authenticates license keys entirely offline (no
call-home), mirroring the FluxDeploy scheme - a 6-byte payload + 64-byte
ECDSA P-256 (SHA-256, IEEE-P1363) signature, Crockford-Base32 encoded as
a typeable XXXXX-XXXXX-... key, verified against an embedded SPKI public
key. Binary licensed/not (no editions); edu is just a free-issued valid
key. Payload: seqId | expiryMonth (0=perpetual) | reserved | flags.
LicenseStatus.Licensed = signature valid AND not expired; fails closed.

The embedded dispatch-license-public.pem is a DEV key; the production
keypair will be generated in the issuer tool and its public half embedded
here (private key never committed). 9 tests.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Verify() now checks the signature over payload||machineId, so a key issued
for one install fails on any other (reinstall gets a fresh GUID; a leaked key
won't verify elsewhere) - all still offline, no call-home. Adds an embedded
seqId revocation list (dispatch-revoked-licenses.txt) shipped with each
release, and a Revoked flag on LicenseStatus (Licensed = valid && !expired &&
!revoked). Embeds the real P-256 license public key (DEV key replaced).
13 tests green.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
- MachineIdentity: mints a stable per-install GUID (SQL config) that keys are
  node-locked to; surfaced for the dashboard.
- LicenseService: evaluates the stored key against this machine + a 30-day
  first-run grace into a LicenseSnapshot (Operational / EnforcementActive);
  validates + stores pasted keys.
- LicenseGate + LicenseWorker: worker re-evaluates on a timer (and on demand)
  and flips the gate; SMTP intake, HTTP ingestion, and the relay worker refuse/
  pause new mail when enforced. Spool + dashboard stay up so a key recovers it.
- Config keys license.{key,machine_id,first_run_utc}; DI in AddDispatchWeb.
- 6 new license-service tests + gate enforcement test; full suite green.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
- GET/POST /api/license: status (machineId, state, expiry, grace, revoked)
  and key entry; POST refreshes the enforcement gate immediately + audits.
- UI: System -> License page (shows Machine ID to send at purchase, license
  state + banner, paste-key box); nav + route wired.
- Messaging: retire the "SMTP relay" tagline for "self-hosted email relay",
  drop "open-source"/"no license check" framing, keep "no call home/offline".
  Homepage GitHub links removed. Docs product-name normalized to "Dispatch".

Note: binding LICENSE file, license.md/contributing/SPEC legal wording, and
the remaining docs GitHub links (downloads/issues/security) are left for a
deliberate licensing + distribution-channel decision - not fabricated here.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Remove the AGPL-3.0 + Commons Clause LICENSE file and licence-faq.md; the
product is proprietary, licensed per install via an offline node-locked key,
so no open-source license applies. Reconcile the references that claimed AGPL
or linked to the removed file: README badge + Licence section, the docs
License page, SPEC.md license lines, and the RELEASING signing note.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…nal PRs)

Delete CONTRIBUTING.md and the docs Contributing page; drop the contribution
rows from SPEC.md and the "more providers welcome" invite from the providers
overview. README's provider-adding steps are kept under a neutral "Adding a
provider" dev note.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Replace the GitHub Releases download links (private repo - not public) with
https://dispatchrelay.app/download across the deployment docs, and route
security reports to security@dispatchrelay.app in the README to match the
docs. No github.com links remain in the docs site.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Remove website/ (Astro landing + Starlight docs) and the GitHub Pages workflow
from this private repo - the docs now live in the public-facing dispatch-docs
repo (docs.dispatchrelay.app) and the marketing landing in dispatch-website
(dispatchrelay.app), both on Cloudflare Pages. Keeping a public site's build
out of the private commercial repo is the point. README doc links repointed to
docs.dispatchrelay.app; repo URLs updated to CinderHillsDev/dispatch-relay.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The previous commit accidentally staged the Astro build cache (website/.gitignore
was removed with the split). Remove it - website/ is fully gone now.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The product repo (relay service + dashboard + appliance + installers) gets a
more descriptive name. GitHub repo + remote renamed; README clone/badge URLs
and clone dir updated. Assemblies/service names (Dispatch.*, dispatch.service)
are unchanged.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Node 22 is now in Maintenance LTS (critical fixes only); 24 is the current
Active LTS. Updates the UI-build Node in all workflows and the Dockerfile.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
- Dashboard: a global LicenseBanner (in the Layout, every page) - amber during
  the first-run grace with a day countdown, red once enforcement is active or
  the key is expired/revoked; hidden when licensed; polls so a pasted key clears
  it without a reload.
- Tests: LicenseWorker (gate open during grace, closes past grace, reopens after
  a valid key) + a CidrMailboxFilter enforcement test (MAIL FROM refused when the
  gate is active). Core 129 / Web 98 green.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Dispatch is now free and open source under the Apache License 2.0. Removed
the entire offline license-key system:

- Delete src/Dispatch.Core/Licensing/ (verifier, service, worker, gate,
  machine-identity, embedded public key + revocation list), the /api/license
  endpoint, the dashboard License page/banner, and the 3 license test files.
- Remove the three runtime enforcement points that paused/refused mail when
  "unlicensed past grace": SMTP intake (CidrMailboxFilter), HTTP API intake
  (ApiMessageHandler), and the relay worker (SpoolWorkerPool).
- Drop DI registrations, the LicenseWorker hosted service, the license.*
  config keys, and the csproj embedded-resource entries.
- Add Apache-2.0 LICENSE; update README, docs/SPEC.md, docs/RELEASING.md.

Build clean, all 312 tests pass.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Bumps AWSSDK.SimpleEmailV2 from 4.0.14.5 to 4.0.100.3
Bumps coverlet.collector from 6.0.4 to 10.0.1
Bumps Microsoft.Data.SqlClient from 7.0.1 to 7.0.2
Bumps Microsoft.Extensions.Hosting.Systemd from 10.0.0 to 10.0.9
Bumps Microsoft.Extensions.Hosting.WindowsServices from 10.0.0 to 10.0.9
Bumps Microsoft.NET.Test.Sdk from 17.14.1 to 18.7.0
Bumps Serilog.AspNetCore from 9.0.0 to 10.0.0
Bumps System.Security.Cryptography.ProtectedData from 9.0.13 to 10.0.9
Bumps xunit.runner.visualstudio from 3.1.4 to 3.1.5

---
updated-dependencies:
- dependency-name: AWSSDK.SimpleEmailV2
  dependency-version: 4.0.100.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: nuget
- dependency-name: coverlet.collector
  dependency-version: 10.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: nuget
- dependency-name: coverlet.collector
  dependency-version: 10.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: nuget
- dependency-name: coverlet.collector
  dependency-version: 10.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: nuget
- dependency-name: coverlet.collector
  dependency-version: 10.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: nuget
- dependency-name: Microsoft.Data.SqlClient
  dependency-version: 7.0.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: nuget
- dependency-name: Microsoft.Data.SqlClient
  dependency-version: 7.0.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: nuget
- dependency-name: Microsoft.Extensions.Hosting.Systemd
  dependency-version: 10.0.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: nuget
- dependency-name: Microsoft.Extensions.Hosting.WindowsServices
  dependency-version: 10.0.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: nuget
- dependency-name: Microsoft.NET.Test.Sdk
  dependency-version: 18.7.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: nuget
- dependency-name: Microsoft.NET.Test.Sdk
  dependency-version: 18.7.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: nuget
- dependency-name: Microsoft.NET.Test.Sdk
  dependency-version: 18.7.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: nuget
- dependency-name: Microsoft.NET.Test.Sdk
  dependency-version: 18.7.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: nuget
- dependency-name: Serilog.AspNetCore
  dependency-version: 10.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: nuget
- dependency-name: System.Security.Cryptography.ProtectedData
  dependency-version: 10.0.9
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: nuget
- dependency-name: xunit.runner.visualstudio
  dependency-version: 3.1.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: nuget
- dependency-name: xunit.runner.visualstudio
  dependency-version: 3.1.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: nuget
- dependency-name: xunit.runner.visualstudio
  dependency-version: 3.1.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: nuget
- dependency-name: xunit.runner.visualstudio
  dependency-version: 3.1.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: nuget
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file .NET Pull requests that update .NET code labels Jul 9, 2026
@dependabot @github

dependabot Bot commented on behalf of github Jul 10, 2026

Copy link
Copy Markdown
Author

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml

@dependabot dependabot Bot deleted the dependabot/nuget/src/Dispatch.Data/nuget-630781b8b4 branch July 10, 2026 03:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file .NET Pull requests that update .NET code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant