Update project dependencies (#11503)

[ysmoradi]

closes #11503

Summary by CodeRabbit

• Chores
  • Upgraded build tool versions (esbuild 0.25.10 → 0.25.11)
  • Updated GitHub Actions artifact upload workflows to latest version
  • Bumped dependencies including Riok.Mapperly (4.2.1 → 4.3.0), Microsoft.Extensions.AI packages, and ModelContextProtocol
  • Restructured deployment workflows to handle separate web and API server configurations

[coderabbitai]

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Walkthrough

This PR updates project dependencies and GitHub Actions workflows. It bumps esbuild in multiple package.json files, upgrades NuGet packages including Riok.Mapperly and Microsoft.Extensions.AI across .csproj files, and upgrades GitHub Actions artifact upload action from v4 to v5 across CI/CD workflows. Additionally, admin-sample.cd.yml refactors to use separate SERVER_WEB_ADDRESS and SERVER_API_ADDRESS.

Changes

Cohort / File(s)	Summary
GitHub Actions artifact upload upgrades (v4 → v5) .github/workflows/bit.full.ci.yml, .github/workflows/blazorui.demo.cd.yml, .github/workflows/nuget.org.yml, .github/workflows/platform.website.cd.yml, .github/workflows/prerelease.nuget.org.yml, .github/workflows/sales-module-demo.cd.yml, .github/workflows/sales.website.cd.yml, .github/workflows/todo-sample.cd.yml, src/Templates/Boilerplate/Bit.Boilerplate/.github/workflows/cd-template.yml	Upgrade actions/upload-artifact from v4 to v5 across multiple jobs and steps; no behavioral changes to inputs or control flow.
Admin sample CD workflow refactoring .github/workflows/admin-sample.cd.yml	Replaces single SERVER_ADDRESS with distinct SERVER_WEB_ADDRESS and SERVER_API_ADDRESS across environment, build, and deployment steps; updates bit-bp template invocation, appsettings substitution, and artifact naming to reflect server-web and server-api components.
Boilerplate CI workflow enhancement src/Templates/Boilerplate/Bit.Boilerplate/.github/workflows/ci.yml	Upgrades actions/upload-artifact from v4.4.1 to v5; adds path: ./src/Tests/TestResults and retention-days: 14 parameters to artifact upload.
esbuild devDependency updates (0.25.10 → 0.25.11) src/BlazorUI/Bit.BlazorUI.Extras/package.json, src/BlazorUI/Bit.BlazorUI/package.json, src/BlazorUI/Demo/Client/Bit.BlazorUI.Demo.Client.Core/package.json, src/Bswup/Bit.Bswup/package.json, src/Butil/Bit.Butil/package.json, src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/package.json, src/Websites/Careers/src/Bit.Websites.Careers.Client/package.json, src/Websites/Platform/src/Bit.Websites.Platform.Client/package.json, src/Websites/Sales/src/Bit.Websites.Sales.Client/package.json	Bump esbuild from 0.25.10 to 0.25.11; no other dependency or configuration changes.
Riok.Mapperly updates (4.2.1 → 4.3.0) src/BlazorUI/Demo/Bit.BlazorUI.Demo.Shared/Bit.BlazorUI.Demo.Shared.csproj, src/Websites/Careers/src/Bit.Websites.Careers.Server/Bit.Websites.Careers.Server.csproj, src/Websites/Careers/src/Bit.Websites.Careers.Shared/Bit.Websites.Careers.Shared.csproj, src/Websites/Platform/src/Bit.Websites.Platform.Shared/Bit.Websites.Platform.Shared.csproj, src/Websites/Sales/src/Bit.Websites.Sales.Server/Bit.Websites.Sales.Server.csproj, src/Websites/Sales/src/Bit.Websites.Sales.Shared/Bit.Websites.Sales.Shared.csproj	Update Riok.Mapperly from 4.2.1 to 4.3.0; all other attributes preserved.
BlazorUI demo server package updates src/BlazorUI/Demo/Bit.BlazorUI.Demo.Server/Bit.BlazorUI.Demo.Server.csproj	Bump Microsoft.AspNetCore.OData (9.4.0 → 9.4.1), Microsoft.Extensions.AI.OpenAI (9.10.0-preview.1.25513.3 → 9.10.1-preview.1.25521.4), Riok.Mapperly (4.2.1 → 4.3.0), Microsoft.Extensions.AI (9.10.0 → 9.10.1), ModelContextProtocol (0.4.0-preview.2 → 0.4.0-preview.3).
Platform website package updates src/Websites/Platform/src/Bit.Websites.Platform.Server/Bit.Websites.Platform.Server.csproj	Bump Microsoft.Extensions.AI.OpenAI (9.10.0-preview.1.25513.3 → 9.10.1-preview.1.25521.4), Microsoft.Extensions.AI (9.10.0 → 9.10.1), ModelContextProtocol (0.4.0-preview.2 → 0.4.0-preview.3), Riok.Mapperly (4.2.1 → 4.3.0).
ResxTranslator package updates src/ResxTranslator/Bit.ResxTranslator/Bit.ResxTranslator.csproj	Update Microsoft.Extensions.AI (9.10.0 → 9.10.1) and Microsoft.Extensions.AI.OpenAI (9.10.0-preview.1.25513.3 → 9.10.1-preview.1.25521.4).
Boilerplate central package updates src/Templates/Boilerplate/Bit.Boilerplate/src/Directory.Packages.props	Version updates to central package management entries (specific versions not detailed in summary).

Sequence Diagram(s)

sequenceDiagram
    participant Workflow as CD Workflow
    participant Build as Build Step
    participant Deploy as Deploy Step

    Workflow->>Build: Use SERVER_WEB_ADDRESS + SERVER_API_ADDRESS
    Build->>Build: Build server-web & server-api separately
    Build->>Deploy: Upload server-web-bundle & server-api-bundle
    Deploy->>Deploy: Deploy using respective addresses

    Note over Workflow,Deploy: Old: Single SERVER_ADDRESS across all steps

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~15 minutes

• Focus areas during review:
  • .github/workflows/admin-sample.cd.yml: Verify that splitting SERVER_ADDRESS into SERVER_WEB_ADDRESS and SERVER_API_ADDRESS is correctly referenced in all build, deployment, and artifact steps; check that bit-bp template invocation properly uses both addresses and that artifact naming aligns with new structure.
  • Dependency versions: Confirm that esbuild (0.25.10 → 0.25.11), Riok.Mapperly (4.2.1 → 4.3.0), and Microsoft.Extensions.AI packages are compatible with existing codebase; no breaking changes in minor/patch updates.
  • GitHub Actions upgrade: Verify actions/upload-artifact@v5 behavior is compatible with existing artifact paths and naming conventions across all workflows.

Poem

🐰 A Hop Through Updates

Versions bumped with care and grace,
Dependencies find their place,
esbuild hops from ten to eleven,
Mapperly maps us straight to heaven,
Workflows flow with v5 delight! 🚀✨

Pre-merge checks and finishing touches

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Out of Scope Changes Check	⚠️ Warning	The file .github/workflows/admin-sample.cd.yml contains significant structural changes that are unrelated to updating dependencies. These changes include splitting the single SERVER_ADDRESS into distinct SERVER_WEB_ADDRESS and SERVER_API_ADDRESS environment variables, refactoring deployment workflows into separate Server Web and Server API components, and updating artifact handling accordingly. These architectural and workflow changes are not related to the dependency update objective stated in linked issue #11503 ("Project dependencies are outdated") and appear to represent scope creep or misalignment with the PR's stated purpose.	The structural changes in .github/workflows/admin-sample.cd.yml should be either removed from this PR and addressed in a separate issue, or the PR scope should be clarified and documented to explain why these workflow refactoring changes are necessary as part of the dependency update effort. If these changes are intentional and necessary, consider creating a new linked issue to track them separately and update the PR description to explain their relationship to the dependency updates.
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check	✅ Passed	The title "Update project dependencies" clearly and specifically summarizes the primary change in the pull request. The vast majority of modifications across the changeset involve updating dependencies: GitHub Actions workflow artifacts are upgraded from v4 to v5, npm packages (esbuild) are bumped to 0.25.11, and numerous NuGet packages are updated to newer versions across multiple projects. The title directly reflects this main objective and aligns with the linked issue #11503 about outdated dependencies. While there are some structural workflow changes in admin-sample.cd.yml, the predominant focus of the PR remains dependency updates.
Linked Issues Check	✅ Passed	The pull request addresses the primary objective of linked issue #11503: "Project dependencies are outdated." The PR updates dependencies across multiple categories including GitHub Actions workflows (upload-artifact v4→v5), npm packages (esbuild 0.25.10→0.25.11), and NuGet packages (Riok.Mapperly 4.2.1→4.3.0, Microsoft.Extensions.AI 9.10.0→9.10.1, Microsoft.AspNetCore.OData 9.4.0→9.4.1, and ModelContextProtocol 0.4.0-preview.2→0.4.0-preview.3) across numerous projects. These changes directly fulfill the requirement to update outdated dependencies as stated in the linked issue.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.github/workflows/admin-sample.cd.yml (1)

149-181: Critical: Missing server-api-bundle retrieval and deployment logic.

The deploy_api_blazor job only retrieves the server-web-bundle artifact (line 162) but does not retrieve or deploy the server-api-bundle artifact that was built and uploaded in the build_api_blazor job (lines 93-98). This appears to be incomplete:

• The build job publishes and uploads both server-web and server-api artifacts
• The deploy job only deploys the web artifact
• There is no deployment step for the API bundle

Either the API deployment is handled elsewhere (e.g., a separate job or manual process), or this is missing logic. Clarify the intended deployment architecture.

Suggested fix: Add a step to retrieve the server-api-bundle and deploy it to a separate API service:

 steps:

   - name: Retrieve server bundle
     uses: actions/download-artifact@v5
     with:
       name: server-web-bundle
+
+  - name: Retrieve server API bundle
+    uses: actions/download-artifact@v5
+    with:
+      name: server-api-bundle

   - name: Retrieve AppleAuthKey.p8
     run: echo "${{ secrets.APPSTORE_API_KEY_PRIVATE_KEY_ADMIN }}" > AppleAuthKey.p8

   - name: Deploy to Azure Web App
     id: deploy-to-webapp
     uses: azure/webapps-deploy@v3
     with:
       app-name: ${{ env.APP_SERVICE_NAME }}
       slot-name: 'production'
       publish-profile: ${{ secrets.ADMINPANEL_AZURE_APP_SERVICE_PUBLISH_PROFILE }}
       package: .
+
+  - name: Deploy API to Azure Web App
+    uses: azure/webapps-deploy@v3
+    with:
+      app-name: '<API_SERVICE_NAME>'
+      slot-name: 'production'
+      publish-profile: ${{ secrets.ADMINPANEL_API_AZURE_APP_SERVICE_PUBLISH_PROFILE }}
+      package: server-api

(Replace <API_SERVICE_NAME> and ADMINPANEL_API_AZURE_APP_SERVICE_PUBLISH_PROFILE with appropriate values.)

🧹 Nitpick comments (2)

src/Templates/Boilerplate/Bit.Boilerplate/src/Directory.Packages.props (1)

37-44: Verify OpenTelemetry package version consistency across pre-release stages.

OpenTelemetry packages are pinned to mixed pre-release versions: some at 1.13.0-beta.1, others at 1.13.0 (stable), and some at 1.14.0-rc.1. This inconsistency raises compatibility concerns:

• Lines 37-40, 42-44: 1.13.0-beta.1 (beta)
• Line 41: 1.13.0 (stable)
• Lines 67-68: 1.14.0-rc.1 (release candidate)
• Lines 69-71: 1.13.0 (stable)

Mixing beta, stable, and RC versions of the same package family can introduce subtle compatibility issues or runtime failures. Ensure these versions are compatible and that your test suite validates the OpenTelemetry instrumentation chain end-to-end.

Consider standardizing to a single pre-release track (e.g., all stable 1.13.0 or all RC 1.14.0-rc.1) unless there is a specific reason for the mix. If intentional, document the rationale in a comment or ADR.

Also applies to: 67-71

.github/workflows/admin-sample.cd.yml (1)

45-45: Template invocation updates look correct, but verify --api Standalone flag.

The template invocation now correctly passes ${{ env.SERVER_API_ADDRESS }} and ${{ env.SERVER_WEB_ADDRESS }} separately. Line 45 introduces a new --api Standalone flag in the build_api_blazor job; ensure this flag exists and is correctly configured in the Boilerplate template.

Also applies to: 119-119, 205-205, 259-259, 342-342

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between f568119 and 7795ae0.

⛔ Files ignored due to path filters (9)

• src/BlazorUI/Bit.BlazorUI.Extras/package-lock.json is excluded by !**/package-lock.json
• src/BlazorUI/Bit.BlazorUI/package-lock.json is excluded by !**/package-lock.json
• src/BlazorUI/Demo/Client/Bit.BlazorUI.Demo.Client.Core/package-lock.json is excluded by !**/package-lock.json
• src/Bswup/Bit.Bswup/package-lock.json is excluded by !**/package-lock.json
• src/Butil/Bit.Butil/package-lock.json is excluded by !**/package-lock.json
• src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/package-lock.json is excluded by !**/package-lock.json
• src/Websites/Careers/src/Bit.Websites.Careers.Client/package-lock.json is excluded by !**/package-lock.json
• src/Websites/Platform/src/Bit.Websites.Platform.Client/package-lock.json is excluded by !**/package-lock.json
• src/Websites/Sales/src/Bit.Websites.Sales.Client/package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (30)

• .github/workflows/admin-sample.cd.yml (15 hunks)
• .github/workflows/bit.full.ci.yml (2 hunks)
• .github/workflows/blazorui.demo.cd.yml (4 hunks)
• .github/workflows/nuget.org.yml (1 hunks)
• .github/workflows/platform.website.cd.yml (1 hunks)
• .github/workflows/prerelease.nuget.org.yml (1 hunks)
• .github/workflows/sales-module-demo.cd.yml (2 hunks)
• .github/workflows/sales.website.cd.yml (1 hunks)
• .github/workflows/todo-sample.cd.yml (4 hunks)
• src/BlazorUI/Bit.BlazorUI.Extras/package.json (1 hunks)
• src/BlazorUI/Bit.BlazorUI/package.json (1 hunks)
• src/BlazorUI/Demo/Bit.BlazorUI.Demo.Server/Bit.BlazorUI.Demo.Server.csproj (1 hunks)
• src/BlazorUI/Demo/Bit.BlazorUI.Demo.Shared/Bit.BlazorUI.Demo.Shared.csproj (1 hunks)
• src/BlazorUI/Demo/Client/Bit.BlazorUI.Demo.Client.Core/package.json (1 hunks)
• src/Bswup/Bit.Bswup/package.json (1 hunks)
• src/Butil/Bit.Butil/package.json (1 hunks)
• src/ResxTranslator/Bit.ResxTranslator/Bit.ResxTranslator.csproj (1 hunks)
• src/Templates/Boilerplate/Bit.Boilerplate/.github/workflows/cd-template.yml (4 hunks)
• src/Templates/Boilerplate/Bit.Boilerplate/.github/workflows/ci.yml (1 hunks)
• src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/package.json (1 hunks)
• src/Templates/Boilerplate/Bit.Boilerplate/src/Directory.Packages.props (4 hunks)
• src/Websites/Careers/src/Bit.Websites.Careers.Client/package.json (1 hunks)
• src/Websites/Careers/src/Bit.Websites.Careers.Server/Bit.Websites.Careers.Server.csproj (1 hunks)
• src/Websites/Careers/src/Bit.Websites.Careers.Shared/Bit.Websites.Careers.Shared.csproj (1 hunks)
• src/Websites/Platform/src/Bit.Websites.Platform.Client/package.json (1 hunks)
• src/Websites/Platform/src/Bit.Websites.Platform.Server/Bit.Websites.Platform.Server.csproj (2 hunks)
• src/Websites/Platform/src/Bit.Websites.Platform.Shared/Bit.Websites.Platform.Shared.csproj (1 hunks)
• src/Websites/Sales/src/Bit.Websites.Sales.Client/package.json (1 hunks)
• src/Websites/Sales/src/Bit.Websites.Sales.Server/Bit.Websites.Sales.Server.csproj (1 hunks)
• src/Websites/Sales/src/Bit.Websites.Sales.Shared/Bit.Websites.Sales.Shared.csproj (1 hunks)

🔇 Additional comments (36)

src/Templates/Boilerplate/Bit.Boilerplate/src/Directory.Packages.props (2)

85-86: Verify Microsoft.Extensions.AI version alignment.

Line 85 pins Microsoft.Extensions.AI to 9.10.1 (stable) while line 86 pins the OpenAI connector to 9.10.1-preview.1.25521.4 (preview). Confirm this mixed versioning is intentional and tested, especially for runtime API compatibility between the stable and preview packages.

---

96-96: Verify PostgreSQL provider compatibility with EntityFramework RC.

Line 96 pins Npgsql.EntityFrameworkCore.PostgreSQL to 10.0.0-rc.2, which is a release candidate. Ensure this RC version is compatible with the EF Core RC (10.0.0-rc.2.25502.107 used elsewhere) and has been validated in your test environments.

src/BlazorUI/Demo/Client/Bit.BlazorUI.Demo.Client.Core/package.json (1)

3-3: Approve esbuild patch upgrade.

Consistent patch-level bump matching other files in the PR. No concerns.

src/Websites/Careers/src/Bit.Websites.Careers.Client/package.json (1)

3-3: Approve esbuild patch upgrade.

Consistent patch-level bump. No concerns.

.github/workflows/sales-module-demo.cd.yml (1)

81-81: Approve GitHub Actions artifact upload upgrades.

Both artifact upload steps (lines 81 and 173) are consistently upgraded to actions/upload-artifact@v5. Artifact names and paths remain unchanged, ensuring compatibility with download and deployment steps.

Also applies to: 173-173

src/Websites/Platform/src/Bit.Websites.Platform.Client/package.json (1)

3-3: Approve esbuild patch upgrade.

Consistent patch-level bump. No concerns.

src/Butil/Bit.Butil/package.json (1)

3-3: Approve esbuild patch upgrade.

Consistent patch-level bump across the repository. No concerns.

src/BlazorUI/Bit.BlazorUI.Extras/package.json (1)

3-3: Esbuild 0.25.11 patch upgrade is safe to proceed.

No known unpatched security vulnerabilities exist for esbuild v0.25.11, and v0.25.0+ (including 0.25.11) patches the GHSA-67mh-4wv8-2f99 CORS/dev-server issue that affected versions ≤0.24.2. Snyk reports no direct vulnerabilities for esbuild@0.25.11. The patch-level bump maintains backward compatibility and poses no risk.

src/Websites/Sales/src/Bit.Websites.Sales.Server/Bit.Websites.Sales.Server.csproj (1)

31-31: Approve Riok.Mapperly minor version upgrade.

Riok.Mapperly v4.3.0 has no new breaking changes; all breaking changes were introduced in the v4.0 series. The bump from 4.2.1 to 4.3.0 is safe and requires no code modifications.

src/BlazorUI/Bit.BlazorUI/package.json (1)

3-3: Consistent patch version bump across all packages.

esbuild 0.25.11 update aligns with other client projects in the PR. Assuming the patch release is verified as safe (bug fixes only), this change is approved.

.github/workflows/sales.website.cd.yml (1)

40-40: Verify actions/upload-artifact v5 support for include-hidden-files parameter.

The production deployment relies on include-hidden-files: true to preserve the .well-known folder. Confirm that v5 maintains support for this parameter and handles hidden files identically to v4.

src/Bswup/Bit.Bswup/package.json (1)

3-3: Consistent esbuild patch update aligned with other packages.

This matches the esbuild 0.25.11 update applied across the repository. Once esbuild v0.25.11 is verified as safe, this change is approved.

.github/workflows/bit.full.ci.yml (1)

67-67: Verify actions/upload-artifact v5 support for retention-days parameter.

Both test artifact uploads use the retention-days: 14 parameter. Confirm that v5 maintains full support for this parameter and that the retention behavior remains unchanged from v4.

Also applies to: 89-89

src/Websites/Sales/src/Bit.Websites.Sales.Client/package.json (1)

3-3: esbuild 0.25.11 patch update is safe—approved.

The 0.25.11 release adds support for import with { type: 'bytes' } and improves CSS media-query range syntax handling for older browsers. Both changes are non-breaking and pose no risk to existing TypeScript or module resolution behavior.

src/ResxTranslator/Bit.ResxTranslator/Bit.ResxTranslator.csproj (1)

17-19: No changes needed—AzureAIInference is already at the latest available version.

Microsoft.Extensions.AI.AzureAIInference's latest available release is 9.10.0-preview.1.25513.3, which matches the version currently specified in the codebase (line 19). The version mismatch between the 9.10.1 packages and the 9.10.0 preview is not a configuration error—it reflects Microsoft's current release schedule, where AzureAIInference has not yet been released for the 9.10.1 line.

Likely an incorrect or invalid review comment.

src/Websites/Careers/src/Bit.Websites.Careers.Server/Bit.Websites.Careers.Server.csproj (1)

31-31: Riok.Mapperly 4.3.0 upgrade verified.

No breaking changes in this version. The Careers project and related website projects (Sales, Platform, BlazorUI Demo) are consistently updated to 4.3.0 across both Server and Shared configurations.

src/Websites/Sales/src/Bit.Websites.Sales.Shared/Bit.Websites.Sales.Shared.csproj (1)

20-20: Riok.Mapperly minor version bump is consistent across the PR.

The update to Riok.Mapperly 4.3.0 is aligned with parallel updates in other projects. Verify that generated mapping code (if any) in this project compiles correctly post-upgrade.

.github/workflows/nuget.org.yml (1)

152-152: Artifact upload action upgrade consistent with other workflows.

No issues identified; this aligns with the PR-wide upgrade to actions/upload-artifact@v5.

src/Websites/Careers/src/Bit.Websites.Careers.Shared/Bit.Websites.Careers.Shared.csproj (1)

20-20: Riok.Mapperly upgrade consistent with repository-wide update.

src/Websites/Platform/src/Bit.Websites.Platform.Shared/Bit.Websites.Platform.Shared.csproj (1)

20-20: Riok.Mapperly upgrade consistent with repository-wide update.

.github/workflows/todo-sample.cd.yml (1)

83-83: Artifact upload action upgrade consistent with other workflows.

Also applies to: 320-320, 415-415, 511-511

.github/workflows/admin-sample.cd.yml (4)

6-7: Environment variable split improves configuration modularity.

Separating SERVER_ADDRESS into SERVER_WEB_ADDRESS and SERVER_API_ADDRESS allows independent scaling/deployment of API and web tiers. However, verify that all downstream consuming jobs properly reference both variables.

---

80-98: Split publish and artifact upload structure is clear.

The refactoring cleanly separates Server Web and Server API into distinct output directories and artifacts (server-web-bundle and server-api-bundle). This improves deployment flexibility.

---

235-235: Artifact upload action upgrades are consistent across jobs.

Also applies to: 310-310, 386-386

---

1-389: Scope concern: Architectural refactoring beyond dependency management.

The PR title indicates "Update project dependencies," but this file contains extensive architectural refactoring (splitting web and API deployment). While the refactoring appears beneficial, confirm this scope is intentional and documented in the PR description or related issue #11503.

src/Websites/Platform/src/Bit.Websites.Platform.Server/Bit.Websites.Platform.Server.csproj (2)

28-28: Riok.Mapperly 4.3.0 has no documented breaking changes; dependency upgrades are safe to proceed.

Riok.Mapperly v4.3.0 release notes list features and bug fixes only with no breaking changes documented. The patch bumps for Microsoft.Extensions.AI (9.10.0 → 9.10.1) and the preview patch bump for ModelContextProtocol (0.4.0-preview.2 → 0.4.0-preview.3) carry minimal risk. No source regeneration is required for Riok.Mapperly with this update.

---

13-13: Verify pre-release package versions are production-ready.

Microsoft.Extensions.AI.OpenAI 9.10.1-preview.1.25521.4 is published as a prerelease on NuGet, while the base package Microsoft.Extensions.AI has a 9.10.1 stable release. The pre-release variant is used in only 3 projects across the codebase, suggesting intentional but selective adoption. Confirm with the team that using the preview OpenAI provider package is appropriate for your deployment strategy and that no stable alternative meets your requirements.

.github/workflows/blazorui.demo.cd.yml (1)

55-55: Artifact upload action upgrade is verified safe.

The upgrade from actions/upload-artifact@v4 to @v5 is safe for this workflow. v5 maintains the include-hidden-files parameter, and line 59 confirms it's already configured with include-hidden-files: true to preserve the wwwroot/.well-known folder. No action needed.

src/Templates/Boilerplate/Bit.Boilerplate/.github/workflows/cd-template.yml (4)

62-67: Artifact upload action upgraded safely to v5.

The breaking change designation for v5 is only due to Node v24.x support, not functional behavior changes. The include-hidden-files: true on line 67 correctly preserves the .well-known folder.

---

142-146: Windows EXE artifact upload: v4 to v5 upgrade approved.

Standard upgrade with no functional impact.

---

199-203: Android AAB artifact upload: v4 to v5 upgrade approved.

No hidden-file concerns for signed binary artifacts.

---

265-269: iOS IPA artifact upload: v4 to v5 upgrade approved.

No hidden-file concerns for signed binary artifacts.

src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/package.json (1)

1-7: esbuild patch bump is safe and recommended.

The upgrade from 0.25.10 to 0.25.11 is a patch release with bug fixes and no breaking changes.

src/Templates/Boilerplate/Bit.Boilerplate/.github/workflows/ci.yml (1)

45-51: Artifact upload v4 to v5 upgrade with test results capture approved.

The version bump is safe, and the added test artifact upload (14-day retention) is a useful addition for CI troubleshooting.

src/BlazorUI/Demo/Bit.BlazorUI.Demo.Server/Bit.BlazorUI.Demo.Server.csproj (1)

23-35: All NuGet package upgrades are safe and routine.

• Riok.Mapperly 4.3.0 includes features like unsafe accessors in generic classes and roslyn 4.14 support.
• OData, Extensions.AI, and ModelContextProtocol patch/preview increments are low-risk.
• Ensure the build regenerates mapper source code.

src/BlazorUI/Demo/Bit.BlazorUI.Demo.Shared/Bit.BlazorUI.Demo.Shared.csproj (1)

20-22: Riok.Mapperly 4.3.0 upgrade consistent with other projects.

Version bump aligns with Demo.Server and maintains proper build-time-only metadata.