Skip to content

Bump xunit from 2.9.2 to 2.9.3#6

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/nuget/tests/PostQuantum.KeyManagement.Tests/xunit-2.9.3
Open

Bump xunit from 2.9.2 to 2.9.3#6
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/nuget/tests/PostQuantum.KeyManagement.Tests/xunit-2.9.3

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github May 31, 2026

Copy link
Copy Markdown

Updated xunit from 2.9.2 to 2.9.3.

Release notes

Sourced from xunit's releases.

No release notes found for this version range.

Commits viewable in compare view.

@dependabot dependabot Bot added .NET Pull requests that update .NET code dependencies Pull requests that update a dependency file labels May 31, 2026
systemslibrarian added a commit that referenced this pull request May 31, 2026
Lands recommendation items #2 (samples) and #3 (deployment guide) from the
adoption analysis in chat.md, and captures the operational blueprint for items
#1, #4, #5, #6 (Azure KMS, AWS KMS, external review, 1.0 cut) in future.md
rather than scaffolding cloud crypto code that cannot be honestly tested in a
single session.

samples/WorkerService.Sample
- LivenessWorker mints a content key every 10 seconds, encrypts a probe
  payload, then unwraps and decrypts it. Logs round-trip latency + the active
  KEK id so an ops dashboard can scrape both. A failure here is the early
  warning that something is wrong with the provider, the keyring, or the
  host's entropy.
- RotationWorker rotates the active KEK on a configurable interval and
  persists the multi-KEK ring through the registered IKeyringStore on every
  rotation. Default 2 minutes; Development environment overrides to 30
  seconds so the demo is visible at human speed.
- README explains the production adaptation points (real secret-manager
  passphrase source, cadence, health-check integration, keyring backup).

samples/EfCore.Sample
- SQLite + EF Core console app showing per-row envelope encryption. A
  SecureNote entity carries Ciphertext + Nonce + Tag + WrappedKey (encoded
  via WrappedContentKey.Encode) as separate columns; SecureNotesRepository
  does the async wrap/unwrap at the persistence boundary.
- Demo run: insert encrypted, read back through the repo, dump the raw row
  to prove only ciphertext is on disk, rotate the KEK, re-read the same row
  to prove the row's wrapped key still references the original KEK and
  decrypts without re-encryption.
- README documents why explicit columns + async repository beats EF Core
  ValueConverter (async support + lazy migration without re-encrypting every
  row on rotation).

docs/deployment.md
- Production operational guide. Opens with "the four things you absolutely
  must get right": passphrase only in your secret manager, keyring backups,
  automated rotation, tested restore procedure.
- Covers: passphrase storage (and where NOT to store it); keyring metadata
  durability + the realities of a single-file FileKeyringStore vs. cloud
  object stores; Argon2id preset selection by frequency-of-derivation rather
  than "how secure each preset feels"; what to log (KEK ids, rotation
  timestamps, liveness duration) and what to NEVER log (passphrases, DEK
  bytes); multi-instance deployments (shared keyring vs. dedicated rotator,
  and what does NOT work — shared passphrase without shared salt, two
  hosts both rotating); container + Kubernetes notes; the disaster-recovery
  matrix down to the irrecoverable "lost keyring AND passphrases" case.

future.md
- Concrete blueprint for items #1, #4, #5, #6:
  - Azure Key Vault provider: az provisioning script (RG, RBAC vault,
    RSA-3072 KEK, role assignment, purge protection), provider skeleton
    pinned to versioned key URIs, integration-test project layout using
    Xunit.SkippableFact so missing env vars skip rather than fail, and a
    GitHub Actions OIDC workflow.
  - AWS KMS provider: same shape with AWSSDK.KeyManagementService,
    aws kms create-key + alias, aws-actions/configure-aws-credentials OIDC,
    note that KMS Encrypt/Decrypt is already authenticated so Ciphertext
    just holds the AWS blob as-is.
  - External cryptographic review: two realistic engagement paths (named
    consultant at $15-50k for ~2-4 weeks vs. community/academic, slower but
    cheaper), exactly what to hand the reviewer (commit hash, threat model,
    KNOWN-GAPS, scope letter), and what to do with the report (publish it).
  - Cutting 1.0: explicit checklist (cloud providers shipped + in real use,
    audit done, formats stable for 2+ minors, named production deployment),
    and what 1.0 obligates the maintainer to (no breaking changes without a
    2.0, backport policy, deprecation cycles).
- Closes with sequencing: don't reorder; each step's value depends on the
  previous one being done.

Plumbing
- PostQuantum.KeyManagement.slnx references the two new sample projects.
- README links to docs/deployment.md and future.md from the security section
  and the samples table now lists all three samples + what each demonstrates.
- CHANGELOG updated under 0.3.0-preview.1.

Build: full solution 0 warnings, 0 errors on net8/9/10. 42 core tests + 11 DI
tests = 53 tests, all green. Both new samples build clean; EfCore.Sample was
smoke-tested end-to-end including a rotation.

To God be the glory - 1 Corinthians 10:31

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@dependabot
dependabot Bot force-pushed the dependabot/nuget/tests/PostQuantum.KeyManagement.Tests/xunit-2.9.3 branch from 99f48f4 to 07b011d Compare May 31, 2026 23:20
---
updated-dependencies:
- dependency-name: xunit
  dependency-version: 2.9.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot
dependabot Bot force-pushed the dependabot/nuget/tests/PostQuantum.KeyManagement.Tests/xunit-2.9.3 branch from 07b011d to a9d105d Compare June 1, 2026 01:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file .NET Pull requests that update .NET code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants