[AZ-1132] Bump FluentValidation 12.0.0 to 12.1.1

Closes D-AZ795-1 production dependency carry-over.

Co-authored-by: Cursor <cursoragent@cursor.com>
This commit is contained in:
Oleksandr Bezdieniezhnykh
2026-06-26 16:35:47 +03:00
parent 6a948321d3
commit b3e5a66799
11 changed files with 271 additions and 10 deletions
@@ -0,0 +1,102 @@
# Bump FluentValidation 12.0.0 → 12.1.1
**Task**: AZ-1132_fluentvalidation_bump
**Name**: Bump FluentValidation 12.0.0 → 12.1.1
**Description**: Coordinated patch bump of `FluentValidation` and `FluentValidation.DependencyInjectionExtensions` from 12.0.0 to 12.1.1 in `SatelliteProvider.Api`. Closes security finding D-AZ795-1 — sole remaining Low production dependency carry-over from cycle 13.
**Complexity**: 1 point
**Dependencies**: AZ-795 (shared validation infra — already shipped)
**Component**: SatelliteProvider.Api — dependency upgrade only
**Tracker**: AZ-1132
**Epic**: AZ-795
## Problem
Cycle-13 dependency scan (`_docs/05_security/dependency_scan_cycle13.md`) carries **D-AZ795-1** (Low): production `FluentValidation` packages remain pinned at 12.0.0 while 12.1.1 is available. The finding is the last open Low-severity production dependency item from the AZ-795 validation-hardening epic footprint.
Leaving the pin stale keeps cumulative security posture at **PASS_WITH_WARNINGS** and defers a one-line manifest fix that should ride with the validation stack the epic introduced.
## Outcome
- Both `FluentValidation` and `FluentValidation.DependencyInjectionExtensions` resolve to 12.1.1 (or latest 12.1.x patch at implementation time if higher).
- All existing validator unit tests and validation integration tests pass unchanged.
- `dotnet list SatelliteProvider.sln package --vulnerable` reports no production FluentValidation finding.
- D-AZ795-1 marked Resolved in the cycle-15 security artifacts.
## Scope
### Included
- Edit `SatelliteProvider.Api/SatelliteProvider.Api.csproj`:
- `FluentValidation` 12.0.0 → 12.1.1
- `FluentValidation.DependencyInjectionExtensions` 12.0.0 → 12.1.1
- Run full test suite (`./scripts/run-tests.sh`) — all green required.
- Update cycle-15 security scan/report artifacts: mark D-AZ795-1 Resolved.
- Update `_docs/02_document/modules/api_program.md` and `_docs/02_document/modules/tests_unit.md` version pins if they reference 12.0.0.
### Excluded
- Bumping unrelated packages (D2-cy4 JWT test packages, ImageSharp, etc.).
- Any validator rule, contract, or API behavior change.
- `error-shape.md` contract version bump — no wire-format change.
## Acceptance Criteria
**AC-1: Both FluentValidation packages pinned to 12.1.1**
Given the post-task `SatelliteProvider.Api.csproj`
When package versions are inspected
Then both `FluentValidation` and `FluentValidation.DependencyInjectionExtensions` resolve to `Version="12.1.1"` (or latest 12.1.x if 12.1.1 is superseded).
**AC-2: Validator unit tests pass**
Given the bumped repository
When the validator unit test classes under `SatelliteProvider.Tests/Validators/` run
Then all tests pass with no changes to expected error keys or messages.
**AC-3: Validation integration tests pass**
Given the bumped repository
When validation-focused integration tests run (inventory, region, route, upload, latlon)
Then all pass with no new failures vs. the pre-bump baseline.
**AC-4: Vulnerable package scan clean for production FluentValidation**
Given the bumped repository
When `dotnet list SatelliteProvider.sln package --vulnerable` is run
Then no production-project finding references FluentValidation 12.0.0.
**AC-5: Security finding D-AZ795-1 resolved**
Given the post-task `_docs/05_security/` cycle-15 artifacts
When dependency scan and security report are read
Then D-AZ795-1 status is Resolved with a reference to this task's tracker ID.
## Non-Functional Requirements
**Compatibility**
- Patch-level bump within FluentValidation 12.x — no public API contract changes expected.
**Reliability**
- Full test suite is the regression gate; smoke-only is insufficient for a validation-stack dependency.
## Unit Tests
| AC Ref | What to Test | Required Outcome |
|--------|-------------|-----------------|
| AC-2 | All `SatelliteProvider.Tests/Validators/*` classes | PASS unchanged |
## Blackbox Tests
| AC Ref | Initial Data/Conditions | What to Test | Expected Behavior | NFR References |
|--------|------------------------|-------------|-------------------|----------------|
| AC-3 | Existing validation integration fixtures | Inventory, region, route, upload, latlon validation suites | HTTP 400 shapes unchanged for known bad payloads | Compatibility |
## Constraints
- Both FluentValidation packages must bump in lockstep (same version line).
- No production code changes unless required by a breaking change in 12.1.1 (unlikely for patch).
## Risks & Mitigation
**Risk 1: Patch changes validator behavior**
- *Risk*: FluentValidation 12.1.x alters rule evaluation or error message formatting.
- *Mitigation*: Full validator unit + integration test run; revert pin if unexpected diffs appear.
**Risk 2: Transitive version conflict**
- *Risk*: Another package pins FluentValidation to 12.0.0.
- *Mitigation*: Inspect `dotnet list package --include-transitive` after bump; align any direct pins.
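Review bot: AC-4 does not actually prove the bump landed. `dotnet list SatelliteProvider.sln package --vulnerable` only prints packages that match a known advisory, so "no finding references FluentValidation 12.0.0" is satisfied just as well by an untouched 12.0.0 pin when no advisory exists for it; the finding D-AZ795-1 is a stale-version item, not an advisory. Make the gate assert the resolved version directly, e.g. `dotnet list SatelliteProvider.sln package --include-transitive` showing `12.1.1` for both `FluentValidation` and `FluentValidation.DependencyInjectionExtensions`, which also turns the Risk 2 mitigation into a checked criterion instead of a manual inspection. Related: the title and AC-1 say 12.1.1, while the Outcome section allows "latest 12.1.x if higher"; pick one so the commit, AC-1 and the cycle-15 security artifacts record the same version.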