# Bump FluentValidation 12.0.0 → 12.1.1

**Task**: AZ-1132_fluentvalidation_bump
**Name**: Bump FluentValidation 12.0.0 → 12.1.1
**Description**: Coordinated patch bump of `FluentValidation` and `FluentValidation.DependencyInjectionExtensions` from 12.0.0 to 12.1.1 in `SatelliteProvider.Api`. Closes security finding D-AZ795-1 — sole remaining Low production dependency carry-over from cycle 13.
**Complexity**: 1 point
**Dependencies**: AZ-795 (shared validation infra — already shipped)
**Component**: SatelliteProvider.Api — dependency upgrade only
**Tracker**: AZ-1132
**Epic**: AZ-795

## Problem

Cycle-13 dependency scan (`_docs/05_security/dependency_scan_cycle13.md`) carries **D-AZ795-1** (Low): production `FluentValidation` packages remain pinned at 12.0.0 while 12.1.1 is available. The finding is the last open Low-severity production dependency item from the AZ-795 validation-hardening epic footprint. Leaving the pin stale keeps cumulative security posture at **PASS_WITH_WARNINGS** and defers a one-line manifest fix that should ride with the validation stack the epic introduced.

## Outcome

- Both `FluentValidation` and `FluentValidation.DependencyInjectionExtensions` resolve to 12.1.1 (or latest 12.1.x patch at implementation time if higher).
- All existing validator unit tests and validation integration tests pass unchanged.
- `dotnet list SatelliteProvider.sln package --vulnerable` reports no production FluentValidation finding.
- D-AZ795-1 marked Resolved in the cycle-15 security artifacts.

## Scope

### Included

- Edit `SatelliteProvider.Api/SatelliteProvider.Api.csproj`:
  - `FluentValidation` 12.0.0 → 12.1.1
  - `FluentValidation.DependencyInjectionExtensions` 12.0.0 → 12.1.1
- Run full test suite (`./scripts/run-tests.sh`) — all green required.
- Update cycle-15 security scan/report artifacts: mark D-AZ795-1 Resolved.
- Update `_docs/02_document/modules/api_program.md` and `_docs/02_document/modules/tests_unit.md` version pins if they reference 12.0.0.

### Excluded

- Bumping unrelated packages (D2-cy4 JWT test packages, ImageSharp, etc.).
- Any validator rule, contract, or API behavior change.
- `error-shape.md` contract version bump — no wire-format change.

## Acceptance Criteria

**AC-1: Both FluentValidation packages pinned to 12.1.1**
Given the post-task `SatelliteProvider.Api.csproj`
When package versions are inspected
Then both `FluentValidation` and `FluentValidation.DependencyInjectionExtensions` resolve to `Version="12.1.1"` (or latest 12.1.x if 12.1.1 is superseded).

**AC-2: Validator unit tests pass**
Given the bumped repository
When the validator unit test classes under `SatelliteProvider.Tests/Validators/` run
Then all tests pass with no changes to expected error keys or messages.

**AC-3: Validation integration tests pass**
Given the bumped repository
When validation-focused integration tests run (inventory, region, route, upload, latlon)
Then all pass with no new failures vs. the pre-bump baseline.

**AC-4: Vulnerable package scan clean for production FluentValidation**
Given the bumped repository
When `dotnet list SatelliteProvider.sln package --vulnerable` is run
Then no production-project finding references FluentValidation 12.0.0.

**AC-5: Security finding D-AZ795-1 resolved**
Given the post-task `_docs/05_security/` cycle-15 artifacts
When dependency scan and security report are read
Then D-AZ795-1 status is Resolved with a reference to this task's tracker ID.

## Non-Functional Requirements

**Compatibility**

- Patch-level bump within FluentValidation 12.x — no public API contract changes expected.

**Reliability**

- Full test suite is the regression gate; smoke-only is insufficient for a validation-stack dependency.

## Unit Tests

| AC Ref | What to Test | Required Outcome |
|--------|-------------|-----------------|
| AC-2 | All `SatelliteProvider.Tests/Validators/*` classes | PASS unchanged |

## Blackbox Tests

| AC Ref | Initial Data/Conditions | What to Test | Expected Behavior | NFR References |
|--------|------------------------|-------------|-------------------|----------------|
| AC-3 | Existing validation integration fixtures | Inventory, region, route, upload, latlon validation suites | HTTP 400 shapes unchanged for known bad payloads | Compatibility |

## Constraints

- Both FluentValidation packages must bump in lockstep (same version line).
- No production code changes unless required by a breaking change in 12.1.1 (unlikely for patch).

## Risks & Mitigation

**Risk 1: Patch changes validator behavior**

- *Risk*: FluentValidation 12.1.x alters rule evaluation or error message formatting.
- *Mitigation*: Full validator unit + integration test run; revert pin if unexpected diffs appear.

**Risk 2: Transitive version conflict**

- *Risk*: Another package pins FluentValidation to 12.0.0.
- *Mitigation*: Inspect `dotnet list package --include-transitive` after bump; align any direct pins.
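
A check for AC-1 and the lockstep constraint, added here as an example and not part of the project's own tooling: it parses a csproj and reports any FluentValidation pin that is missing, outside 12.1.x, or out of step with its sibling. The function names and the sample manifest are constructed for illustration, and the check assumes versions are declared in the csproj itself rather than in a central props file.

```python
import re
import xml.etree.ElementTree as ET

PACKAGES = ("FluentValidation", "FluentValidation.DependencyInjectionExtensions")
MINIMUM = (12, 1, 1)  # target from AC-1; a later 12.1.x patch is also accepted
# Constructed sample manifest, not the project's real csproj.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="FluentValidation" Version="12.1.1" />
    <PackageReference Include="FluentValidation.DependencyInjectionExtensions" Version="12.1.1" />
  </ItemGroup>
</Project>"""

def _local(elem):
    return elem.tag.split("}")[-1]  # strip a legacy xmlns prefix if present

def pinned_versions(csproj_text):
    """Map package id -> pinned version string for every PackageReference."""
    pins = {}
    for elem in ET.fromstring(csproj_text).iter():
        if _local(elem) != "PackageReference":
            continue
        version = elem.get("Version")  # attribute form
        if version is None:  # child-element form: <Version>x.y.z</Version>
            child = next((c for c in elem if _local(c) == "Version"), None)
            version = (child.text or "").strip() if child is not None else None
        if elem.get("Include"):
            pins[elem.get("Include")] = version
    return pins

def check_pins(csproj_text):
    """Return a list of problems; an empty list means AC-1 and lockstep hold."""
    pins = pinned_versions(csproj_text)
    problems = []
    for pkg in PACKAGES:
        version = pins.get(pkg)
        if not version:
            problems.append(f"{pkg}: no pinned version found")
        elif not re.fullmatch(r"\d+\.\d+\.\d+", version):
            problems.append(f"{pkg}: {version!r} is not a plain x.y.z version")
        else:
            parsed = tuple(int(p) for p in version.split("."))
            if parsed[:2] != MINIMUM[:2] or parsed < MINIMUM:
                problems.append(f"{pkg}: {version} is outside 12.1.x >= 12.1.1")
    if len({pins.get(p) for p in PACKAGES}) > 1:
        problems.append("not in lockstep: " + ", ".join(f"{p}={pins.get(p)}" for p in PACKAGES))
    return problems

if __name__ == "__main__":
    print(check_pins(SAMPLE_CSPROJ) or "OK")
```

This covers direct pins only; the transitive case in Risk 2 still needs the `dotnet list package --include-transitive` inspection.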