build: Bump dependencies

[DrBarnabus]

• Bump JetBrains.Annoations to v2025.2.2
• Bump Microsoft.CodeAnalysis.ResxSourceGenerator to v5.0.0-1.25277.114
• Bump JunitXml.TestLogger to v7.0.2
• Bump Microsoft.NET.Test.Sdk to v18.0.1
• Bump xunit.runner.visualstudio to v3.1.5
• Bump DotNet.ReproducibleBuilds to v1.2.39

Summary by CodeRabbit

• Chores
  • Updated internal dependencies and build tooling across multiple projects to maintain compatibility and stability.

[coderabbitai]

Warning

Rate limit exceeded

@DrBarnabus has exceeded the limit for the number of commits or files that can be reviewed per hour. Please wait 22 minutes and 44 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between dad3404 and 15354c7.

📒 Files selected for processing (9)

• src/CompositeKey.Analyzers.Common.UnitTests/packages.lock.json (12 hunks)
• src/CompositeKey.Analyzers.Common/packages.lock.json (2 hunks)
• src/CompositeKey.Analyzers.UnitTests/packages.lock.json (15 hunks)
• src/CompositeKey.Analyzers/packages.lock.json (2 hunks)
• src/CompositeKey.SourceGeneration.FunctionalTests/packages.lock.json (12 hunks)
• src/CompositeKey.SourceGeneration.UnitTests/packages.lock.json (12 hunks)
• src/CompositeKey.SourceGeneration/packages.lock.json (2 hunks)
• src/CompositeKey/packages.lock.json (1 hunks)
• src/Directory.Packages.props (1 hunks)

Walkthrough

This pull request updates NuGet package versions across the solution's package lock files and central package versions configuration. Updates include dependency version bumps (DotNet.ReproducibleBuilds, JetBrains.Annotations, Microsoft.NET.Test.Sdk, test tooling, and CodeAnalysis packages) and regenerated lock files to reflect resolved dependencies and content hashes.

Changes

Cohort / File(s)	Summary
Test Project Lockfiles src/CompositeKey.Analyzers.Common.UnitTests/packages.lock.json, src/CompositeKey.Analyzers.UnitTests/packages.lock.json, src/CompositeKey.SourceGeneration.UnitTests/packages.lock.json	Updated Microsoft.NET.Test.Sdk from 17.14.1 to 18.0.1, JunitXml.TestLogger from 6.1.0 to 7.0.2, xunit.runner.visualstudio from 3.1.4 to 3.1.5, and DotNet.ReproducibleBuilds from 1.2.25 to 1.2.39. Removed obsolete transitive System.\* dependencies and updated Microsoft.CodeAnalysis-related packages.
Core Project Lockfiles src/CompositeKey.Analyzers/packages.lock.json, src/CompositeKey.SourceGeneration/packages.lock.json, src/CompositeKey/packages.lock.json	Updated DotNet.ReproducibleBuilds from 1.2.25 to 1.2.39 and JetBrains.Annotations from 2025.2.1 to 2025.2.2 across .NETStandard 2.0 and net8.0 target frameworks.
Analyzer Common Lockfile src/CompositeKey.Analyzers.Common/packages.lock.json	Updated DotNet.ReproducibleBuilds to 1.2.39, JetBrains.Annotations to 2025.2.2, and Microsoft.CodeAnalysis.ResxSourceGenerator to 5.0.0-1.25277.114.
Central Package Configuration src/Directory.Packages.props	Centralised version updates for six packages: DotNet.ReproducibleBuilds (1.2.25 → 1.2.39), JetBrains.Annotations (2025.2.1 → 2025.2.2), Microsoft.CodeAnalysis.ResxSourceGenerator (3.12.0-beta1.25218.8 → 5.0.0-1.25277.114), JunitXml.TestLogger (6.1.0 → 7.0.2), Microsoft.NET.Test.Sdk (17.14.1 → 18.0.1), and xunit.runner.visualstudio (3.1.4 → 3.1.5).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

• Repetitive nature: The same dependency version bumps are applied consistently across multiple lock files with minimal variation.
• Homogeneous changes: Lock file regenerations follow the same pattern throughout, reducing cognitive load per file.
• Files requiring attention:
  • src/Directory.Packages.props — Verify all six version bumps are intentional and compatible with the project's minimum supported frameworks.
  • Test project lock files — Confirm that test infrastructure upgrades (Microsoft.NET.Test.Sdk 18.0.1, JunitXml.TestLogger 7.0.2) are compatible with existing test suites.

Possibly related PRs

• build: Bump dependencies #32: Continues the same dependency-bump work, also updating JetBrains.Annotations and xunit.runner.visualstudio in Directory.Packages.props and lock files to newer versions.
• ci: Add codecov test results #24: Modifies test-related package references (JunitXml.TestLogger and Microsoft.NET.Test.Sdk versions) in Directory.Packages.props and packages.lock.json.

Poem

🐰 Hop, hop—dependencies upgraded with care,
Lock files renewed throughout everywhere,
From versions old to shiny and new,
Test tools and builders, all refreshed too!
The ecosystem hops on, ever so bright! ✨

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The pull request title 'build: Bump dependencies' accurately describes the main change: updating multiple NuGet package dependencies to newer versions across the project.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 91.67%. Comparing base (ff99926) to head (15354c7).
⚠️ Report is 1 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files

@@           Coverage Diff           @@
##             main      #35   +/-   ##
=======================================
  Coverage   91.67%   91.67%           
=======================================
  Files          34       34           
  Lines        1525     1525           
  Branches      249      249           
=======================================
  Hits         1398     1398           
  Misses         60       60           
  Partials       67       67           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ff99926 and dad3404.

📒 Files selected for processing (8)

• src/CompositeKey.Analyzers.Common.UnitTests/packages.lock.json (15 hunks)
• src/CompositeKey.Analyzers.Common/packages.lock.json (2 hunks)
• src/CompositeKey.Analyzers.UnitTests/packages.lock.json (24 hunks)
• src/CompositeKey.Analyzers/packages.lock.json (2 hunks)
• src/CompositeKey.SourceGeneration.UnitTests/packages.lock.json (15 hunks)
• src/CompositeKey.SourceGeneration/packages.lock.json (2 hunks)
• src/CompositeKey/packages.lock.json (1 hunks)
• src/Directory.Packages.props (1 hunks)

🧰 Additional context used

🧠 Learnings (4)

📚 Learning: 2025-08-28T19:57:32.588Z

Learnt from: DrBarnabus
Repo: DrBarnabus/CompositeKey PR: 30
File: src/CompositeKey.Analyzers.Common.UnitTests/Validation/TemplateValidationTests.cs:11-42
Timestamp: 2025-08-28T19:57:32.588Z
Learning: In CompositeKey projects, test files use global usings configuration (likely through ImplicitUsings or similar mechanisms) for common imports like xUnit and Shouldly, eliminating the need for explicit using directives in individual test files.

Applied to files:

• src/CompositeKey.Analyzers.Common.UnitTests/packages.lock.json
• src/CompositeKey.Analyzers.UnitTests/packages.lock.json
• src/CompositeKey.SourceGeneration.UnitTests/packages.lock.json

📚 Learning: 2025-08-28T19:57:32.588Z

Learnt from: DrBarnabus
Repo: DrBarnabus/CompositeKey PR: 30
File: src/CompositeKey.Analyzers.Common.UnitTests/Validation/TemplateValidationTests.cs:11-42
Timestamp: 2025-08-28T19:57:32.588Z
Learning: In CompositeKey projects, test files use global usings (typically in GlobalUsings.cs files) for common imports like xUnit and Shouldly, so individual test files don't need explicit using directives for these frameworks.

Applied to files:

• src/CompositeKey.Analyzers.Common.UnitTests/packages.lock.json
• src/CompositeKey.Analyzers.UnitTests/packages.lock.json
• src/CompositeKey.SourceGeneration.UnitTests/packages.lock.json

📚 Learning: 2025-08-28T19:57:32.588Z

Learnt from: DrBarnabus
Repo: DrBarnabus/CompositeKey PR: 30
File: src/CompositeKey.Analyzers.Common.UnitTests/Validation/TemplateValidationTests.cs:11-42
Timestamp: 2025-08-28T19:57:32.588Z
Learning: In CompositeKey projects, test files use global usings (typically in GlobalUsings.cs files or via ImplicitUsings in project files) for common imports like xUnit and Shouldly, so individual test files don't need explicit using directives for these frameworks.

Applied to files:

• src/CompositeKey.Analyzers.Common.UnitTests/packages.lock.json
• src/CompositeKey.Analyzers.UnitTests/packages.lock.json
• src/CompositeKey.SourceGeneration.UnitTests/packages.lock.json

📚 Learning: 2025-08-28T19:57:32.588Z

Learnt from: DrBarnabus
Repo: DrBarnabus/CompositeKey PR: 30
File: src/CompositeKey.Analyzers.Common.UnitTests/Validation/TemplateValidationTests.cs:11-42
Timestamp: 2025-08-28T19:57:32.588Z
Learning: CompositeKey test projects use MSBuild's <Using Include="..." /> elements in .csproj files combined with <ImplicitUsings>enable</ImplicitUsings> in Directory.Build.props to automatically include Xunit and Shouldly namespaces, eliminating the need for explicit using statements in test files.

Applied to files:

• src/CompositeKey.Analyzers.UnitTests/packages.lock.json
• src/CompositeKey.SourceGeneration.UnitTests/packages.lock.json

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Build

🔇 Additional comments (7)

src/CompositeKey/packages.lock.json (1)

7-9: LGTM! Lockfile updated correctly.

The DotNet.ReproducibleBuilds package has been updated to version 1.2.39 with the corresponding contentHash. This is a generated lockfile change that aligns with the central package version update.

src/CompositeKey.SourceGeneration/packages.lock.json (1)

7-15: LGTM! Lockfile regenerated correctly.

Both DotNet.ReproducibleBuilds and JetBrains.Annotations have been updated consistently across .NETStandard 2.0 and net8.0 target frameworks with proper contentHash values.

Also applies to: 235-243

src/CompositeKey.Analyzers/packages.lock.json (1)

7-15: LGTM! Analyzer lockfile updated correctly.

Package versions and contentHashes are consistent across target frameworks.

Also applies to: 235-243

src/CompositeKey.Analyzers.Common.UnitTests/packages.lock.json (1)

13-21: LGTM! Test infrastructure updated consistently.

All test-related packages have been updated across net8.0, net9.0, and net10.0 target frameworks with proper transitive dependency resolution. The Microsoft.NET.Test.Sdk 18.0.1 update includes corresponding updates to Microsoft.CodeCoverage and Microsoft.TestPlatform.* packages.

Also applies to: 35-40, 66-68, 297-305, 319-324, 350-352, 587-595, 609-614, 640-642

src/CompositeKey.Analyzers.UnitTests/packages.lock.json (1)

13-21: LGTM! Test infrastructure lockfile updated correctly.

Package versions are consistent across all target frameworks with proper transitive dependency resolution.

Also applies to: 45-50, 76-78, 429-437, 461-466, 492-494, 860-868, 892-897, 923-925

src/CompositeKey.SourceGeneration.UnitTests/packages.lock.json (1)

13-21: LGTM! Final test lockfile updated correctly.

All package versions and contentHashes are consistent across target frameworks, completing the dependency update across the solution.

Also applies to: 35-40, 66-68, 297-305, 319-324, 350-352, 587-595, 609-614, 640-642

src/Directory.Packages.props (1)

9-9: All package versions are valid and compatible with the codebase.

Verification confirms:

• All three packages (Microsoft.NET.Test.Sdk 18.0.1, JunitXml.TestLogger 7.0.2, xunit.runner.visualstudio 3.1.5) exist on NuGet
• No security vulnerabilities detected
• The breaking change in Microsoft.NET.Test.Sdk 18.0.x (which requires net8.0 minimum) is not a concern—all projects in the codebase already target net8.0 or higher (including test projects targeting net10.0, net9.0, and net8.0)

The dependency updates are safe to proceed with.