π― Repository Quality Improvement Report β Dependency Health
Analysis Date: 2026-06-12 Focus Area: Dependencies (Standard)
Executive Summary
The repository uses Central Package Management (CPM) well β Directory.Packages.props centralises 54 packages across 107 .csproj files, Darc/Maestro handles Microsoft infra, and Dependabot runs daily. However, System.CommandLine 2.0.0-beta4.22272.1 is a beta from September 2022 (~4 years old). Sample projects deliberately opt out of CPM, leaving hardcoded versions of WinUI packages silently drifting. The CtrfPlayground sample bypasses CPM with an undocumented raw VersionOverride. Two prerelease build-tool dependencies lack explanatory comments.
Full Analysis Report
Current State
| Metric |
Value |
Status |
PackageVersion entries in central registry |
54 |
β
|
| Prerelease/beta packages in central registry |
4 |
β οΈ |
System.CommandLine version age |
~4 years (Sep 2022) |
β |
Microsoft.WindowsAppSDK distinct versions across repo |
3 |
β οΈ |
Undocumented VersionOverride usages |
2 |
β οΈ |
| Dependabot entries |
2 (root / + .NET SDK) |
β οΈ |
| Samples opting out of CPM |
samples/public/ subtree |
β οΈ |
Prerelease packages in Directory.Packages.props:
| Package |
Version |
Risk |
StyleCop.Analyzers |
1.2.0-beta.556 |
Low β no stable 1.2 release |
Microsoft.Extensions.AI.OpenAI |
9.10.0-preview.1.25513.3 |
Low β AI preview expected |
Microsoft.TestPlatform.Filter.Source |
18.8.0-preview-26276-01 |
Low β VSTest preview expected |
System.CommandLine |
2.0.0-beta4.22272.1 |
High β Sep 2022 beta |
Undocumented VersionOverride usages bypassing CPM:
samples/CtrfPlayground/XunitMtp/XunitMtp.csproj β xunit.v3.mtp-v2 VersionOverride="3.2.2"samples/public/MTPOTel/MTPOTel.csproj β OpenTelemetry.Exporter.Console VersionOverride="1.13.1"
WinUI version inconsistency:
- Root CPM:
Microsoft.WindowsAppSDK 1.8.251003001
samples/public/mstest-runner/MSTestRunnerWinUI: hardcoded 1.8.251106002 (newer patch, bypasses CPM)samples/public/BlankWinUINet9App: hardcoded 1.6.241114003 (different major, intentional)
Strengths:
- CPM rationale is documented (
CentralPackageTransitivePinningEnabled=false comment)
- Security vulnerabilities explicitly addressed (Nerdbank.MessagePack, System.Diagnostics.DiagnosticSource)
- Moq exclusion from Dependabot documented with SponsorLink rationale
- Three CodeAnalysis version properties (prod/source-gen/tests) follow deliberate compatibility strategy
π€ Suggested Improvement Tasks
Task 1: Upgrade System.CommandLine from the 2022 beta
Priority: High | Effort: Small
System.CommandLine 2.0.0-beta4.22272.1 in Directory.Packages.props dates from September 2022 and is only used in test/Performance/MSTest.Performance.Runner/MSTest.Performance.Runner.csproj. Upgrade to the latest available version or replace with simple args[] parsing given that this is internal performance tooling with minimal CLI needs.
Task 2: Sync Microsoft.WindowsAppSDK between root CPM and MSTestRunnerWinUI sample
Priority: Medium | Effort: Small
Directory.Packages.props has Microsoft.WindowsAppSDK 1.8.251003001, but samples/public/mstest-runner/MSTestRunnerWinUI/MSTestRunnerWinUI/MSTestRunnerWinUI.csproj hardcodes 1.8.251106002 (newer patch) and Microsoft.Windows.SDK.BuildTools 10.0.26100.7175 (not in root CPM at all). Update the root CPM to the versions the sample actually requires and remove the hardcoded versions from the .csproj, or add a comment explaining why the sample must override.
Task 3: Add Dependabot entry for samples/public/
Priority: Medium | Effort: Small
samples/public/Directory.Packages.props disables CPM (ManagePackageVersionsCentrally=false). Hardcoded versions in sample .csproj files (e.g., Microsoft.VisualStudio.Azure.Containers.Tools.Targets 1.19.6, Aspire.Hosting.Testing 13.2.1) are invisible to the existing Dependabot entry. Add a second package-ecosystem: nuget entry in .github/dependabot.yml:
- package-ecosystem: nuget
directory: "/samples/public"
schedule:
interval: weekly
open-pull-requests-limit: 5
commit-message:
prefix: '[main] '
Task 4: Register orphaned VersionOverride packages in Directory.Packages.props
Priority: Low | Effort: Small
Two VersionOverrides in the main CPM subtree bypass central management without documentation:
samples/CtrfPlayground/XunitMtp/XunitMtp.csproj: xunit.v3.mtp-v2 VersionOverride="3.2.2" β add a <PackageVersion Include="xunit.v3.mtp-v2" Version="3.2.2" /> entry following the existing "Declared by MSTest.Sdk but not used directly" pattern.samples/public/MTPOTel/MTPOTel.csproj: OpenTelemetry.Exporter.Console VersionOverride="1.13.1" β add alongside the existing OpenTelemetry 1.15.3 entry.
Task 5: Add explanatory comments for prerelease build-tool pins
Priority: Low | Effort: Small
Add inline <!-- --> comments (following the existing Microsoft.ApplicationInsights and Nerdbank.MessagePack comment style) before:
MicrosoftCodeAnalysisPublicApiAnalyzersVersion = 5.5.0-2.26224.1 β explain the daily-build format and what feature/fix it tracksMicrosoftTestingInternalFrameworkVersion = 1.5.0-preview.24577.4 β explain why the stable release is not used and when this can be promoted
π Historical Context
Previous Focus Areas (last 9 runs)
| Date |
Focus Area |
Type |
| 2026-05-22 |
test-framework-api-ergonomics |
Custom |
| 2026-05-25 |
agentic-workflow-maintainability |
Custom |
| 2026-05-26 |
workflow-ecosystem-health |
Custom |
| 2026-05-27 |
test-diagnostic-experience |
Custom |
| 2026-06-08 |
todo-comment-policy-compliance |
Custom |
| 2026-06-09 |
mstest-diagnostic-id-governance |
Custom |
| 2026-06-10 |
analyzer-code-fix-coverage-gap |
Custom |
| 2026-06-11 |
public-api-xml-documentation |
Standard |
| 2026-06-12 |
dependency-health |
Standard |
Statistics: 9 runs Β· 77.8% custom Β· 9 unique areas
π― Recommendations
This Week: Upgrade System.CommandLine (Task 1 β High priority, small effort)
This Month: Sync WinUI versions (Task 2), Add Dependabot for samples/public/ (Task 3), Register orphaned VersionOverrides (Task 4), Document prerelease pins (Task 5)
Next analysis: 2026-06-13 β Focus area selected via diversity algorithm (current: 77.8% custom, target ~60%)
π€ Automated content by GitHub Copilot. Posted via a maintainer's GitHub token, so it appears under their account β the account owner did not write or approve this content personally. Generated by the Repository Quality Improver workflow. Β· 541.1 AIC Β· β 25.8 AIC Β· [β·]( Β· β·)
Add this agentic workflows to your repo
To install this agentic workflow, run
gh aw add githubnext/agentics/workflows/repository-quality-improver.md@main
π― Repository Quality Improvement Report β Dependency Health
Analysis Date: 2026-06-12 Focus Area: Dependencies (Standard)
Executive Summary
The repository uses Central Package Management (CPM) well β
Directory.Packages.propscentralises 54 packages across 107.csprojfiles, Darc/Maestro handles Microsoft infra, and Dependabot runs daily. However,System.CommandLine 2.0.0-beta4.22272.1is a beta from September 2022 (~4 years old). Sample projects deliberately opt out of CPM, leaving hardcoded versions of WinUI packages silently drifting. TheCtrfPlaygroundsample bypasses CPM with an undocumented rawVersionOverride. Two prerelease build-tool dependencies lack explanatory comments.Full Analysis Report
Current State
PackageVersionentries in central registrySystem.CommandLineversion ageMicrosoft.WindowsAppSDKdistinct versions across repoVersionOverrideusages/+ .NET SDK)samples/public/subtreePrerelease packages in
Directory.Packages.props:StyleCop.Analyzers1.2.0-beta.556Microsoft.Extensions.AI.OpenAI9.10.0-preview.1.25513.3Microsoft.TestPlatform.Filter.Source18.8.0-preview-26276-01System.CommandLine2.0.0-beta4.22272.1Undocumented
VersionOverrideusages bypassing CPM:samples/CtrfPlayground/XunitMtp/XunitMtp.csprojβxunit.v3.mtp-v2 VersionOverride="3.2.2"samples/public/MTPOTel/MTPOTel.csprojβOpenTelemetry.Exporter.Console VersionOverride="1.13.1"WinUI version inconsistency:
Microsoft.WindowsAppSDK 1.8.251003001samples/public/mstest-runner/MSTestRunnerWinUI: hardcoded1.8.251106002(newer patch, bypasses CPM)samples/public/BlankWinUINet9App: hardcoded1.6.241114003(different major, intentional)Strengths:
CentralPackageTransitivePinningEnabled=falsecomment)π€ Suggested Improvement Tasks
Task 1: Upgrade
System.CommandLinefrom the 2022 betaPriority: High | Effort: Small
System.CommandLine 2.0.0-beta4.22272.1inDirectory.Packages.propsdates from September 2022 and is only used intest/Performance/MSTest.Performance.Runner/MSTest.Performance.Runner.csproj. Upgrade to the latest available version or replace with simpleargs[]parsing given that this is internal performance tooling with minimal CLI needs.Task 2: Sync
Microsoft.WindowsAppSDKbetween root CPM andMSTestRunnerWinUIsamplePriority: Medium | Effort: Small
Directory.Packages.propshasMicrosoft.WindowsAppSDK 1.8.251003001, butsamples/public/mstest-runner/MSTestRunnerWinUI/MSTestRunnerWinUI/MSTestRunnerWinUI.csprojhardcodes1.8.251106002(newer patch) andMicrosoft.Windows.SDK.BuildTools 10.0.26100.7175(not in root CPM at all). Update the root CPM to the versions the sample actually requires and remove the hardcoded versions from the.csproj, or add a comment explaining why the sample must override.Task 3: Add Dependabot entry for
samples/public/Priority: Medium | Effort: Small
samples/public/Directory.Packages.propsdisables CPM (ManagePackageVersionsCentrally=false). Hardcoded versions in sample.csprojfiles (e.g.,Microsoft.VisualStudio.Azure.Containers.Tools.Targets 1.19.6,Aspire.Hosting.Testing 13.2.1) are invisible to the existing Dependabot entry. Add a secondpackage-ecosystem: nugetentry in.github/dependabot.yml:Task 4: Register orphaned
VersionOverridepackages inDirectory.Packages.propsPriority: Low | Effort: Small
Two VersionOverrides in the main CPM subtree bypass central management without documentation:
samples/CtrfPlayground/XunitMtp/XunitMtp.csproj:xunit.v3.mtp-v2 VersionOverride="3.2.2"β add a<PackageVersion Include="xunit.v3.mtp-v2" Version="3.2.2" />entry following the existing "Declared by MSTest.Sdk but not used directly" pattern.samples/public/MTPOTel/MTPOTel.csproj:OpenTelemetry.Exporter.Console VersionOverride="1.13.1"β add alongside the existingOpenTelemetry 1.15.3entry.Task 5: Add explanatory comments for prerelease build-tool pins
Priority: Low | Effort: Small
Add inline
<!-- -->comments (following the existingMicrosoft.ApplicationInsightsandNerdbank.MessagePackcomment style) before:MicrosoftCodeAnalysisPublicApiAnalyzersVersion = 5.5.0-2.26224.1β explain the daily-build format and what feature/fix it tracksMicrosoftTestingInternalFrameworkVersion = 1.5.0-preview.24577.4β explain why the stable release is not used and when this can be promotedπ Historical Context
Previous Focus Areas (last 9 runs)
Statistics: 9 runs Β· 77.8% custom Β· 9 unique areas
π― Recommendations
This Week: Upgrade
System.CommandLine(Task 1 β High priority, small effort)This Month: Sync WinUI versions (Task 2), Add Dependabot for
samples/public/(Task 3), Register orphaned VersionOverrides (Task 4), Document prerelease pins (Task 5)Next analysis: 2026-06-13 β Focus area selected via diversity algorithm (current: 77.8% custom, target ~60%)
Add this agentic workflows to your repo
To install this agentic workflow, run