Use Central Package Management (cpm), move TargetFramework to BuildProps

[JW-CH]

Summary by CodeRabbit

• Chores
  • Standardized all projects to .NET 8.0 as the build target.
  • Added centralized package version management to unify dependency versions across the solution.
  • Converted many explicit package pins to use the central manifest (reducing per-project version declarations).
  • Simplified project configuration files to rely on the new central settings.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

Centralized NuGet package version management via a new Directory.Packages.props, removed per-project PackageReference Version pins, and standardized the build target by replacing AvaloniaVersion with TargetFramework set to net8.0 in Directory.Build.props.

Changes

Cohort / File(s)	Summary
Build configuration Directory.Build.props	Removed AvaloniaVersion property and added TargetFramework = net8.0.
Central package management Directory.Packages.props	Added new central package versions file with ManagePackageVersionsCentrally=true, CentralPackageTransitivePinningEnabled=false, and multiple <PackageVersion> entries.
Core project ImmichFrame.Core/ImmichFrame.Core.csproj	Removed explicit TargetFramework/Nullable; removed Version attributes from PackageReference entries (packages such as NSwag, Newtonsoft.Json, Microsoft.Extensions.*, OpenWeatherMap.API, ThumbHash) while preserving PrivateAssets/IncludeAssets and OpenApiReference.
Core tests project ImmichFrame.Core.Tests/ImmichFrame.Core.Tests.csproj	Removed explicit TargetFramework/Nullable; stripped Version attributes from test-related PackageReference entries and removed an explicit assembly Reference.
WebApi project ImmichFrame.WebApi/ImmichFrame.WebApi.csproj	Removed explicit TargetFramework/Nullable; removed Version attributes from Swashbuckle.AspNetCore, Microsoft.AspNetCore.SpaProxy, and YamlDotNet references.
WebApi tests project ImmichFrame.WebApi.Tests/ImmichFrame.WebApi.Tests.csproj	Removed explicit TargetFramework/Nullable; removed Version attributes from test-related PackageReference entries (AwesomeAssertions, Microsoft.AspNetCore.Mvc.Testing, Microsoft.NET.Test.Sdk, Moq, NUnit, etc.).

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

• Check Directory.Packages.props for completeness and correct version strings.
• Verify all projects now resolve versions centrally (no unintended missing versions).
• Confirm TargetFramework inheritance and that no project relied on the removed AvaloniaVersion.
• Review PrivateAssets/IncludeAssets retention and OpenApiReference correctness.

Possibly related PRs

• Chore: Update NuGet dependencies #486: Modifies per-project package version declarations; directly related to centralizing or updating package versions.

Poem

🐰
Versions scattered, I hopped and I found,
A single patch where they all gather 'round.
Net eight as our meadow, packages neat,
Builds hum like carrots—steady and sweet.
Tiny paws, happy changes, a tidy retreat.

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the two main changes: introducing Central Package Management and moving TargetFramework to Directory.Build.props.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch cpm

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 51af077 and 2b1db38.

📒 Files selected for processing (1)

• ImmichFrame.Core.Tests/ImmichFrame.Core.Tests.csproj (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Analyze (csharp)

🔇 Additional comments (2)

ImmichFrame.Core.Tests/ImmichFrame.Core.Tests.csproj (2)

14-21: Metadata preservation for analyzer and collector packages is correct.

The PrivateAssets and IncludeAssets attributes are properly retained on NUnit.Analyzers and coverlet.collector (lines 14-21), ensuring that build-time dependencies remain scoped to development contexts. This follows best practices for CPM when managing analyzer and collector packages.

---

10-22: CPM migration is properly configured and complete.

The removal of explicit Version attributes from PackageReferences is correctly backed by centralized package management:

• Directory.Packages.props defines all 7 packages with pinned versions (Microsoft.Extensions.Logging.Console 8.0.1, Microsoft.NET.Test.Sdk 17.14.1, NUnit 4.4.0, NUnit3TestAdapter 5.2.0, NUnit.Analyzers 4.10.0, coverlet.collector 6.0.4, Moq 4.20.72)
• Directory.Build.props centrally sets <TargetFramework>net8.0</TargetFramework> and <Nullable>enable</Nullable>
• Preserved metadata on NUnit.Analyzers and coverlet.collector (PrivateAssets/IncludeAssets) correctly marks dev-only dependencies

The removed explicit Microsoft.Extensions.Logging reference is satisfied transitively by Microsoft.Extensions.Logging.Console 8.0.1. No breaking changes detected.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

ImmichFrame.Core.Tests/ImmichFrame.Core.Tests.csproj (1)

30-32: Remove unnecessary hardcoded assembly reference.

Microsoft.Extensions.Logging is already available transitively through the Microsoft.Extensions.Logging.Console PackageReference (line 10). The hardcoded Reference with its absolute path to a specific .NET version (lines 30-32) is redundant and should be deleted. This will ensure the dependency is managed properly through NuGet rather than relying on a fragile environment-specific file path.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f6680f2 and 51af077.

📒 Files selected for processing (6)

• Directory.Build.props (1 hunks)
• Directory.Packages.props (1 hunks)
• ImmichFrame.Core.Tests/ImmichFrame.Core.Tests.csproj (1 hunks)
• ImmichFrame.Core/ImmichFrame.Core.csproj (2 hunks)
• ImmichFrame.WebApi.Tests/ImmichFrame.WebApi.Tests.csproj (1 hunks)
• ImmichFrame.WebApi/ImmichFrame.WebApi.csproj (1 hunks)

🧰 Additional context used

🧠 Learnings (1)

📚 Learning: 2025-10-09T16:12:49.488Z

Learnt from: JoeRu
Repo: immichFrame/ImmichFrame PR: 481
File: ImmichFrame.Core.Tests/Logic/Pool/ChronologicalAssetsPoolWrapperTests.cs:306-306
Timestamp: 2025-10-09T16:12:49.488Z
Learning: When testing the ChronologicalAssetsPoolWrapper in ImmichFrame.Core.Tests, use `Is.SupersetOf` rather than `Is.EquivalentTo` or `Is.EqualTo` assertions because the wrapper uses Fisher-Yates shuffle to randomize set order, making output non-deterministic between runs. The wrapper also uses a 10x fetch multiplier (capped at 1000) that may return more assets than requested, which is legitimate behavior.

Applied to files:

• ImmichFrame.Core.Tests/ImmichFrame.Core.Tests.csproj

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Analyze (csharp)

🔇 Additional comments (7)

ImmichFrame.WebApi/ImmichFrame.WebApi.csproj (1)

12-14: LGTM! CPM migration correctly implemented.

The package references correctly omit Version attributes, deferring to Directory.Packages.props for centralized version management.

Directory.Build.props (1)

4-4: LGTM! Centralized target framework configuration.

Setting TargetFramework globally ensures consistency across all projects in the solution.

ImmichFrame.Core.Tests/ImmichFrame.Core.Tests.csproj (1)

10-22: LGTM! CPM migration correctly implemented for test packages.

All package references correctly omit Version attributes, with central version management handled by Directory.Packages.props. PrivateAssets and IncludeAssets metadata is properly retained.

Directory.Packages.props (2)

3-4: LGTM! CPM configuration is correct.

The ManagePackageVersionsCentrally setting enables central package management, and disabling CentralPackageTransitivePinningEnabled allows NuGet to resolve transitive dependencies more flexibly.

---

14-14: Remove this review comment — no issue exists.

Microsoft.Extensions.Caching.Memory 9.0.5 is designed for and compatible with .NET 8.0 (targets .NET 8.0 and higher). The version difference between this package (9.0.5) and other Microsoft.Extensions packages (8.0.x) is normal and expected—different packages follow independent version lifecycles and do not cause assembly conflicts. This configuration is correct.

ImmichFrame.WebApi.Tests/ImmichFrame.WebApi.Tests.csproj (1)

10-23: LGTM! CPM migration correctly implemented for WebApi tests.

All package references correctly omit Version attributes, with PrivateAssets and IncludeAssets metadata properly retained for analyzers and collectors.

ImmichFrame.Core/ImmichFrame.Core.csproj (1)

14-28: LGTM! CPM migration correctly implemented for Core library.

All package references correctly omit Version attributes, deferring to Directory.Packages.props. PrivateAssets and IncludeAssets metadata is properly preserved for build-time tools.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

Swashbuckle.AspNetCore 8.1.4 security vulnerabilities CVE

💡 Result:

Short answer: There is no known CVE that directly affects Swashbuckle.AspNetCore v8.1.4 itself. However:

• A transitive dependency risk exists: Newtonsoft.Json versions < 13.0.1 are affected by CVE-2024-21907 (DoS via deeply nested JSON); if your project (or any dependency in the chain used by Swashbuckle) pulls an affected Newtonsoft.Json, you are exposed. [1][3]

• Old swagger-ui packages had SSRF/click‑hijack issues (e.g. CVE-2021-46708) but that affects Swagger UI packages prior to their fixed releases (upgrade to fixed versions); it does not apply to Swashbuckle.AspNetCore.SwaggerUI >= 6.3. Confirm your installed swagger-ui subpackage version. [2]

Recommendation: verify your effective dependency tree (dotnet list package --include-transitive or a SCA tool) for Newtonsoft.Json < 13.0.1 or for swashbuckle.aspnetcore.swaggerui versions < 6.3 and upgrade those packages if present. [3][1][2]

Sources:

• NVD — CVE-2024-21907 (Newtonsoft.Json). [1]
• Snyk advisory — CVE-2021-46708 / swagger-ui SSRF. [2]
• Swashbuckle.AspNetCore 8.1.4 NuGet page (package metadata). [3]

---

🌐 Web query:

Newtonsoft.Json 13.0.4 security vulnerabilities known issues

💡 Result:

Short answer

• No publicly disclosed CVE affects Newtonsoft.Json 13.0.4 itself — the known high‑severity CVE (CVE‑2024‑21907) affects versions before 13.0.1 and was fixed in 13.0.1. [1][4]

Known non‑security issues reported for 13.0.4

• Users have reported regressions/behavior changes (SerializerSettings not respected) after upgrading to 13.0.4. [2]
• Runtime issues when mixing assemblies (apps built against 13.0.4 loading 13.0.3 from GAC) have been reported. These are runtime/compatibility bugs, not CVEs. [3]

Recommendations

• 13.0.4 includes the security fix for CVE‑2024‑21907; if you need protection against that DoS issue, ensure you are on >=13.0.1 (13.0.4 is fine). [1][4]
• Before upgrading to 13.0.4 in production, test for the reported regressions (SerializerSettings and GAC/assembly-binding scenarios) and apply binding redirects or avoid mixed GAC installs if necessary. [2][3]

Sources

• GitHub Advisory / CVE details (CVE‑2024‑21907) — fix in 13.0.1. [1]
• GitHub issues reporting 13.0.4 regressions (#3080). [2]
• GitHub issue reporting runtime/GAC compatibility (#3084). [3]
• Rapid7 / vulnerability databases summary of CVE‑2024‑21907. [4]

---

🌐 Web query:

Microsoft.AspNetCore.Mvc.Testing 8.0.20 security vulnerabilities

💡 Result:

Short answer: Yes — Microsoft.AspNetCore.Mvc.Testing 8.0.20 (and ASP.NET Core 8.0.20 and earlier) is covered by a critical ASP.NET Core HTTP request‑smuggling vulnerability tracked as CVE‑2025‑55315. Microsoft patched it in ASP.NET Core 8.0.21; you should update to 8.0.21 or later. [1][2]

Sources

• Microsoft / dotnet security advisory (CVE‑2025‑55315) — affected: ASP.NET Core 8.0.20 and earlier; guidance to update to patched releases. [1]
• NuGet package page showing Microsoft.AspNetCore.Mvc.Testing 8.0.20 (package/version referenced). Update to 8.0.21+ is recommended. [2]

Would you like exact upgrade steps for your project (csproj/central package management/Docker)?

---

🌐 Web query:

NUnit latest stable version December 2025

💡 Result:

Latest stable NUnit version (as of December 4, 2025) is 4.4.0. [1][2]

Sources:

• NuGet package profile for NUnit (latest version 4.4.0, last updated Aug 10, 2025). [1]
• NUnit GitHub repository (NUnit 4 framework). [2]

---

🌐 Web query:

Microsoft.NET.Test.Sdk latest version 2025

💡 Result:

The latest Microsoft.NET.Test.Sdk release is version 18.0.1, published November 11, 2025. [1]

Sources:
[1] NuGet — Microsoft.NET.Test.Sdk package page (version list). [2] NuGet — Microsoft.NET.Test.SDK (package) (same listing).

---

Update Microsoft.AspNetCore.Mvc.Testing to 8.0.21 or later—CVE-2025-55315 critical HTTP request-smuggling vulnerability.

Additionally:

• Microsoft.NET.Test.Sdk 17.14.1 is outdated. Update to 18.0.1 (latest as of November 2025).
• Newtonsoft.Json 13.0.4 has reported regressions (SerializerSettings not respected in some scenarios). Test thoroughly before production deployment, or consider downgrading to 13.0.3 if issues occur.
• Verify the effective dependency tree (e.g., dotnet list package --include-transitive) for any transitive Newtonsoft.Json < 13.0.1 pulled by Swashbuckle or other dependencies, and confirm swagger-ui subpackage version is ≥ 6.3.

🤖 Prompt for AI Agents

In Directory.Packages.props around lines 7 to 27, update vulnerable/outdated
package versions: bump Microsoft.AspNetCore.Mvc.Testing from 8.0.20 to 8.0.21 or
later to address CVE-2025-55315, update Microsoft.NET.Test.Sdk from 17.14.1 to
18.0.1, and evaluate Newtonsoft.Json 13.0.4 for regressions—either test
thoroughly or pin to 13.0.3 if issues arise; after changes run a full transitive
check (dotnet list package --include-transitive) to ensure no transitive
Newtonsoft.Json < 13.0.1 is pulled and confirm any swagger-ui subpackage is >=
6.3, then update Directory.Packages.props accordingly and re-run tests.

[JW-CH]

Will resolve this in another PR.

[coderabbitai]

@JW-CH, understood! Would you like me to create a follow-up issue to track the package updates (including the critical CVE-2025-55315 fix for Microsoft.AspNetCore.Mvc.Testing)?

[3rob3]

LOL, how was this still in there 😄

[3rob3]

Nice, much cleaner