good first issuetarget/2026
Repository metrics
- Stars
- (43 stars)
- PR merge metrics
- (PR metrics pending)
説明
Why
Part of the enterprise-grade supply-chain story. Manual NuGet dependency tracking is a non-starter for a project with ~30 direct deps + hundreds of transitives, and the recent CVE-2026-33116 / Scriban incident showed vulnerable deps land on develop and sit until someone notices.
Scope
- Decide: Dependabot vs Renovate. Dependabot is simpler and GitHub-native; Renovate is more powerful (grouping, schedule, custom managers) but needs an app install. Default: Dependabot for speed-to-value; revisit Renovate if grouping/scheduling becomes a problem.
- Configure for: nuget (
Directory.Packages.props), github-actions (.github/workflows/*.yml), and the dotnet SDK version (global.json). - Schedule: weekly bundled PRs by ecosystem; daily for security advisories.
- Auto-merge: not initially. Triage manually until the CI release pipeline is trustworthy.
Done when
-
.github/dependabot.yml(orrenovate.json) committed - First batch of update PRs landed
- Decision documented in CLAUDE.md / docs
Related: enterprise CI/CD positioning.