Closes D-AZ795-1 production dependency carry-over. Co-authored-by: Cursor <cursoragent@cursor.com>
Bump FluentValidation 12.0.0 → 12.1.1
Task: AZ-1132_fluentvalidation_bump
Name: Bump FluentValidation 12.0.0 → 12.1.1
Description: Coordinated patch bump of FluentValidation and FluentValidation.DependencyInjectionExtensions from 12.0.0 to 12.1.1 in SatelliteProvider.Api. Closes security finding D-AZ795-1 — sole remaining Low production dependency carry-over from cycle 13.
Complexity: 1 point
Dependencies: AZ-795 (shared validation infra — already shipped)
Component: SatelliteProvider.Api — dependency upgrade only
Tracker: AZ-1132
Epic: AZ-795
Problem
Cycle-13 dependency scan (_docs/05_security/dependency_scan_cycle13.md) carries D-AZ795-1 (Low): production FluentValidation packages remain pinned at 12.0.0 while 12.1.1 is available. The finding is the last open Low-severity production dependency item from the AZ-795 validation-hardening epic footprint.
Leaving the pin stale keeps cumulative security posture at PASS_WITH_WARNINGS and defers a one-line manifest fix that should ride with the validation stack the epic introduced.
Outcome
- Both `FluentValidation` and `FluentValidation.DependencyInjectionExtensions` resolve to 12.1.1 (or the latest 12.1.x patch at implementation time if higher).
- All existing validator unit tests and validation integration tests pass unchanged.
- `dotnet list SatelliteProvider.sln package --vulnerable` reports no production FluentValidation finding.
- D-AZ795-1 marked Resolved in the cycle-15 security artifacts.
Scope
Included
- Edit `SatelliteProvider.Api/SatelliteProvider.Api.csproj`:
  - `FluentValidation` 12.0.0 → 12.1.1
  - `FluentValidation.DependencyInjectionExtensions` 12.0.0 → 12.1.1
- Run full test suite (`./scripts/run-tests.sh`) — all green required.
- Update cycle-15 security scan/report artifacts: mark D-AZ795-1 Resolved.
- Update `_docs/02_document/modules/api_program.md` and `_docs/02_document/modules/tests_unit.md` version pins if they reference 12.0.0.
Excluded
- Bumping unrelated packages (D2-cy4 JWT test packages, ImageSharp, etc.).
- Any validator rule, contract, or API behavior change.
- `error-shape.md` contract version bump — no wire-format change.
Acceptance Criteria
AC-1: Both FluentValidation packages pinned to 12.1.1
Given the post-task SatelliteProvider.Api.csproj
When package versions are inspected
Then both FluentValidation and FluentValidation.DependencyInjectionExtensions resolve to Version="12.1.1" (or latest 12.1.x if 12.1.1 is superseded).
AC-2: Validator unit tests pass
Given the bumped repository
When the validator unit test classes under SatelliteProvider.Tests/Validators/ run
Then all tests pass with no changes to expected error keys or messages.
AC-3: Validation integration tests pass
Given the bumped repository
When validation-focused integration tests run (inventory, region, route, upload, latlon)
Then all pass with no new failures vs. the pre-bump baseline.
AC-4: Vulnerable package scan clean for production FluentValidation
Given the bumped repository
When `dotnet list SatelliteProvider.sln package --vulnerable` is run
Then no production-project finding references FluentValidation 12.0.0.
AC-5: Security finding D-AZ795-1 resolved
Given the post-task _docs/05_security/ cycle-15 artifacts
When dependency scan and security report are read
Then D-AZ795-1 status is Resolved with a reference to this task's tracker ID.
Non-Functional Requirements
Compatibility
- Patch-level bump within FluentValidation 12.x — no public API contract changes expected.
Reliability
- Full test suite is the regression gate; smoke-only is insufficient for a validation-stack dependency.
Unit Tests
| AC Ref | What to Test | Required Outcome |
|---|---|---|
| AC-2 | All SatelliteProvider.Tests/Validators/* classes | PASS unchanged |
Blackbox Tests
| AC Ref | Initial Data/Conditions | What to Test | Expected Behavior | NFR References |
|---|---|---|---|---|
| AC-3 | Existing validation integration fixtures | Inventory, region, route, upload, latlon validation suites | HTTP 400 shapes unchanged for known bad payloads | Compatibility |
Constraints
- Both FluentValidation packages must bump in lockstep (same version line).
- No production code changes unless required by a breaking change in 12.1.1 (unlikely for patch).
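As an added example, not code from this task or the SatelliteProvider repository: a small Python gate that reads a csproj and enforces the lockstep and 12.1.1 floor from AC-1 and the constraints above, tolerating both the attribute and child-element `Version` forms and the legacy namespaced csproj layout. The package names and target version come from the task; the embedded csproj content and `Other.Package` are constructed for the demo.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample csproj for this demo (not the project's real file): still on 12.0.0.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="FluentValidation" Version="12.0.0" />
    <PackageReference Include="FluentValidation.DependencyInjectionExtensions" Version="12.0.0" />
    <PackageReference Include="Other.Package" Version="1.2.3" />
  </ItemGroup>
</Project>"""

LOCKSTEP = ("FluentValidation", "FluentValidation.DependencyInjectionExtensions")
MINIMUM = "12.1.1"  # task target; any later 12.1.x also passes

def local_name(tag):
    # Strip the legacy MSBuild namespace so old-style csproj files parse the same way.
    return tag.rsplit("}", 1)[-1]

def parse_version(text):
    # "12.1.1" -> (12, 1, 1); an unparseable pin (e.g. an MSBuild property) yields () and fails the floor check.
    m = re.match(r"\d+(?:\.\d+)*", text or "")
    return tuple(int(p) for p in m.group(0).split(".")) if m else ()

def package_pins(csproj_xml):
    # Map PackageReference Include -> Version, accepting the attribute and child-element forms.
    pins = {}
    for el in ET.fromstring(csproj_xml).iter():
        if local_name(el.tag) != "PackageReference":
            continue
        version = el.get("Version") or next(
            ((c.text or "").strip() for c in el if local_name(c.tag) == "Version"), None)
        if el.get("Include") and version:
            pins[el.get("Include")] = version
    return pins

def check_lockstep(csproj_xml, packages=LOCKSTEP, minimum=MINIMUM):
    # Return the list of violated constraints; an empty list means the pins satisfy AC-1.
    pins = package_pins(csproj_xml)
    problems = [f"missing pin: {p}" for p in packages if p not in pins]
    present = {p: pins[p] for p in packages if p in pins}
    if len(set(present.values())) > 1:
        problems.append("not in lockstep: " + ", ".join(f"{p}={v}" for p, v in present.items()))
    problems += [f"{p} {v} is below {minimum}" for p, v in present.items()
                 if parse_version(v) < parse_version(minimum)]
    return problems
```

Wiring `check_lockstep` over the real csproj into `./scripts/run-tests.sh` makes the lockstep rule a CI failure rather than a review reminder.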
Risks & Mitigation
Risk 1: Patch changes validator behavior
- Risk: FluentValidation 12.1.x alters rule evaluation or error message formatting.
- Mitigation: Full validator unit + integration test run; revert pin if unexpected diffs appear.
Risk 2: Transitive version conflict
- Risk: Another package pins FluentValidation to 12.0.0.
- Mitigation: Inspect `dotnet list package --include-transitive` after bump; align any direct pins.