deps(api): Bump the safe-dependencies group with 15 updates

[dependabot]

Updated Autofac from 9.0.0 to 9.1.0.

Release notes

Sourced from Autofac's releases.

9.1.0

This is a pretty big release for Autofac with some major new functionality!

AnyKey Support

First, Autofac now natively supports the concept of AnyKey. It behaves the same way AnyKey works in Microsoft.Extensions.DependencyInjection, but it is native to Autofac directly. The unit tests here show some very detailed examples of usage, but on a high level:

var builder = new ContainerBuilder();
builder.RegisterType<Service>().Keyed<IService>(KeyedService.AnyKey);

var container = builder.Build();

// Registering as AnyKey allows it to respond to... any key!
var service = container.ResolveKeyed<IService>("service1");

Inject Service Key Into Constructors

The new [ServiceKey] attribute allows you to inject the service key provided during resolution. This is handy in conjunction with AnyKey. Again, this is similar to the construct in Microsoft.Extensions.DependencyInjection, but with native Autofac.

First, mark up your class to take the constructor parameter.

public class Service : IService
{
  private readonly string _id;
  public Service([ServiceKey] string id) => _id = id;
}

Then when you resolve the class, the service key will automatically be injected.

You can also make use of this in a lambda registration.

var builder = new ContainerBuilder();
builder.Register<Service>((ctx, p) => {
  var key = p.TryGetKeyedServiceKey(out string value) ? value : null;
  return new Service(key);
}).Keyed<Service>(KeyedService.AnyKey);

Metrics

Some metrics have been introduced that can allow you to capture counters on how long middleware is taking, how often lock contention occurs, and so on.

Set the AUTOFAC_METRICS environment variable in your process to true or 1 to enable this feature. You can see the set of counters that will become available here.

⚠️ This is NOT FREE. Collecting counters and metrics will incur a performance hit, so it's not something you want to leave on in production.

... (truncated)

Commits viewable in compare view.

Updated Dapper from 2.1.66 to 2.1.72.

Release notes

Sourced from Dapper's releases.

2.1.72

What's Changed

• TFM packaging for .NET 10 by @​mgravell in TFM packaging for .NET 10 DapperLib/Dapper#2195
• Fix and clarify OrWhere caveats in SqlBuilder docs by @​jnoordsij in Fix and clarify OrWhere caveats in SqlBuilder docs DapperLib/Dapper#2149
• OutputExpression wasn't working for methods that use QueryRowAsync by @​ri-rgb in OutputExpression wasn't working for methods that use QueryRowAsync DapperLib/Dapper#2156
• CI: use preinstalled sdk by @​kbth in CI: use preinstalled sdk DapperLib/Dapper#2160
• CI: serialize DB-dependent tests by @​kbth in CI: serialize DB-dependent tests DapperLib/Dapper#2163

New Contributors

• @​jnoordsij made their first contribution in Fix and clarify OrWhere caveats in SqlBuilder docs DapperLib/Dapper#2149
• @​ri-rgb made their first contribution in OutputExpression wasn't working for methods that use QueryRowAsync DapperLib/Dapper#2156
• @​kbth made their first contribution in CI: use preinstalled sdk DapperLib/Dapper#2160

Full Changelog: DapperLib/Dapper@2.1.66...2.1.72

Commits viewable in compare view.

Updated Fastenshtein from 1.0.11 to 1.0.12.

Release notes

Sourced from Fastenshtein's releases.

1.0.12

What's Changed

• Adding new static Distance method for Spans for net8.0 or greater.
• direct support for .Net 10
• Updatiing Nuget's
• Updating GitHub actions

Full Changelog: DanHarltey/Fastenshtein@1.0.11...1.0.12

Commits viewable in compare view.

Updated Google.Cloud.Firestore from 4.1.0 to 4.2.0.

Release notes

Sourced from Google.Cloud.Firestore's releases.

4.2.0

New features

• Expose the variable definition in the Cloud Firestore API

Commits viewable in compare view.

Updated Microsoft.AspNetCore.Http from 2.3.0 to 2.3.9.

Release notes

Sourced from Microsoft.AspNetCore.Http's releases.

No release notes found for this version range.

Commits viewable in compare view.

Updated Microsoft.AspNetCore.OpenApi from 10.0.2 to 10.0.5.

Release notes

Sourced from Microsoft.AspNetCore.OpenApi's releases.

No release notes found for this version range.

Commits viewable in compare view.

Updated Microsoft.Extensions.Caching.StackExchangeRedis from 10.0.2 to 10.0.5.

Release notes

Sourced from Microsoft.Extensions.Caching.StackExchangeRedis's releases.

No release notes found for this version range.

Commits viewable in compare view.

Updated Microsoft.Extensions.Http.Polly from 10.0.2 to 10.0.5.

Release notes

Sourced from Microsoft.Extensions.Http.Polly's releases.

No release notes found for this version range.

Commits viewable in compare view.

Updated Microsoft.NET.Test.Sdk from 18.0.1 to 18.3.0.

Release notes

Sourced from Microsoft.NET.Test.Sdk's releases.

18.3.0

What's Changed

• Fix answer file splitting by @​nohwnd in Fix answer file splitting microsoft/vstest#15306

Internal fixes and updates

• Bump branding to 18.1 by @​nohwnd in Bump branding to 18.1 microsoft/vstest#15286
• Remove stale copy of S.ComponentModel.Composition from testplatform packages by @​ViktorHofer in Remove stale copy of S.ComponentModel.Composition from testplatform packages microsoft/vstest#15287
• Update codeflow metadata to fix backflow by @​premun in Update codeflow metadata to fix backflow microsoft/vstest#15291
• [main] Update dependencies from devdiv/DevDiv/vs-code-coverage by @​dotnet-maestro[bot] in [main] Update dependencies from devdiv/DevDiv/vs-code-coverage microsoft/vstest#15283
• Update Microsoft.Build.Utilities.Core by @​Youssef1313 in Update Microsoft.Build.Utilities.Core microsoft/vstest#15300
• Disable DynamicNative instrumentation by default by @​nohwnd in Disable DynamicNative instrumentation by default microsoft/vstest#15299
• [main] Source code updates from dotnet/dotnet by @​dotnet-maestro[bot] in [main] Source code updates from dotnet/dotnet microsoft/vstest#15293
• [main] Source code updates from dotnet/dotnet by @​dotnet-maestro[bot] in [main] Source code updates from dotnet/dotnet microsoft/vstest#15302
• [main] Source code updates from dotnet/dotnet by @​dotnet-maestro[bot] in [main] Source code updates from dotnet/dotnet microsoft/vstest#15314
• Delete sha1 custom implementation we are not using for a long time by @​nohwnd in Delete sha1 custom implementation we are not using for a long time microsoft/vstest#15313
• [main] Source code updates from dotnet/dotnet by @​dotnet-maestro[bot] in [main] Source code updates from dotnet/dotnet microsoft/vstest#15315
• Update branding to 18.3.0 by @​nohwnd in Update branding to 18.3.0 microsoft/vstest#15321
• [main] Update dependencies from devdiv/DevDiv/vs-code-coverage by @​dotnet-maestro[bot] in [main] Update dependencies from devdiv/DevDiv/vs-code-coverage microsoft/vstest#15325
• [main] Update dependencies from dotnet/arcade by @​dotnet-maestro[bot] in [main] Update dependencies from dotnet/arcade microsoft/vstest#15264
• Revert adding dotnet_host_path workaround by @​nohwnd in Revert adding dotnet_host_path workaround microsoft/vstest#15328
• [main] Update dependencies from dotnet/arcade by @​dotnet-maestro[bot] in [main] Update dependencies from dotnet/arcade microsoft/vstest#15338
• [main] Source code updates from dotnet/dotnet by @​dotnet-maestro[bot] in [main] Source code updates from dotnet/dotnet microsoft/vstest#15322
• [main] Update dependencies from dotnet/arcade by @​dotnet-maestro[bot] in [main] Update dependencies from dotnet/arcade microsoft/vstest#15343
• Change PreReleaseVersionLabel from 'preview' to 'release' by @​nohwnd in Change PreReleaseVersionLabel from 'preview' to 'release' microsoft/vstest#15352
• [rel/18.3] Update dependencies from devdiv/DevDiv/vs-code-coverage by @​dotnet-maestro[bot] in [rel/18.3] Update dependencies from devdiv/DevDiv/vs-code-coverage microsoft/vstest#15354
• [rel/18.3] Update dependencies from dotnet/arcade by @​dotnet-maestro[bot] in [rel/18.3] Update dependencies from dotnet/arcade microsoft/vstest#15389
• [rel/18.3] Update dependencies from dotnet/arcade by @​dotnet-maestro[bot] in [rel/18.3] Update dependencies from dotnet/arcade microsoft/vstest#15400
• Update build tools to 17.11.48 to be source buildable by @​nohwnd in Update build tools to 17.11.48 to be source buildable microsoft/vstest#15310
• Disable publishing on RTM by @​nohwnd in Disable publishing on RTM microsoft/vstest#15296
• Don't access nuget.org for package feeds by @​nohwnd in Don't access nuget.org for package feeds microsoft/vstest#15316
• No nuget access fix tests by @​nohwnd in No nuget access fix tests microsoft/vstest#15317
• Disable Dependabot updates in dependabot.yml by @​mmitche in Disable Dependabot updates in dependabot.yml microsoft/vstest#15324

New Contributors

• @​premun made their first contribution in Update codeflow metadata to fix backflow microsoft/vstest#15291

Commits viewable in compare view.

Updated Npgsql.NetTopologySuite from 10.0.1 to 10.0.2.

Release notes

Sourced from Npgsql.NetTopologySuite's releases.

10.0.2

v10.0.2 contains several minor bug fixes.

Milestone issues

Full Changelog: npgsql/npgsql@v10.0.1...v10.0.2

Commits viewable in compare view.

Updated NUnit from 4.4.0 to 4.5.1.

Release notes

Sourced from NUnit's releases.

4.5.1

See release notes for details.

4.5.0

See release notes for details.

Commits viewable in compare view.

Updated StackExchange.Redis from 2.10.1 to 2.12.1.

Release notes

Sourced from StackExchange.Redis's releases.

No release notes found for this version range.

Commits viewable in compare view.

Updated System.Text.Json from 9.0.12 to 9.0.14.

Release notes

Sourced from System.Text.Json's releases.

No release notes found for this version range.

Commits viewable in compare view.

Updated System.Text.Json from 10.0.2 to 10.0.5.

Release notes

Sourced from System.Text.Json's releases.

No release notes found for this version range.

Commits viewable in compare view.

Updated ZiggyCreatures.FusionCache from 2.5.0 to 2.6.0.

Release notes

Sourced from ZiggyCreatures.FusionCache's releases.

2.6.0

🏷️ Configurable cleanup behavior for RemoveByTag()

Normally, when calling RemoveByTag("my-tag"), the entries with such a tag will be gradually expired on a subsequent access.

Community member @​charlesvigneault asked for the ability to instead properly remove them.

So I added a new option to allow configuring this behavior:

services.AddFusionCache()
	.WithOptions(options =>
	{
		options.RemoveByTagBehavior = RemoveByTagBehavior.Remove;
	});

See here for the original issue.

Ⓜ️ Add support for RemoveByTag("*") in HybridCache adapter

After the initial release of HybridCache in 2025, the team added support for a special case: using RemoveByTag("*") to clear the entire cache.

I didn't notice untile recently, and thanks to community user @​vrbyjimmy I did that.
Or, to better say it, he did that!
He acted so quickly that a PR immediately landed with the implementation, so thanks Jakub for that!

What happens underneath is that a RemoveByTag("*") call on the adapter is detected and re-routed to a Clear() call on the underlying FusionCache instance: very simple and elegant, and I like that a lot.

See here for the original issue.

🔒 Better Distributed Locker + Eager Refresh

Community user @​jgshowpad noticed that when using the new distributed stampede protection introduced in v2.5.0 with Eager Refresh some errors were being logged.

That was caused by the Redis-based distributed locker not handling correctly a timeout of zero (which btw is a pretty common approach to basically check for a lock already being acquired by someone else, without having to wait).

This has now been fixed.

See here for the original issue.

⚡ Perf boost for GenerateOperationId()

Community user @​Inok contributed with a nice set of low-level perf optimizations for the GenerateOperationId() internal method, which may be called quite a lot when doing observability (logging, OTEL, etc).

That's a very nice and welcome contribution, thanks Pavel!

See here for the original issue.
... (truncated)

Commits viewable in compare view.

Updated ZiggyCreatures.FusionCache.Serialization.SystemTextJson from 2.5.0 to 2.6.0.

Release notes

Sourced from ZiggyCreatures.FusionCache.Serialization.SystemTextJson's releases.

2.6.0

🏷️ Configurable cleanup behavior for RemoveByTag()

Normally, when calling RemoveByTag("my-tag"), the entries with such a tag will be gradually expired on a subsequent access.

Community member @​charlesvigneault asked for the ability to instead properly remove them.

So I added a new option to allow configuring this behavior:

services.AddFusionCache()
	.WithOptions(options =>
	{
		options.RemoveByTagBehavior = RemoveByTagBehavior.Remove;
	});

See here for the original issue.

Ⓜ️ Add support for RemoveByTag("*") in HybridCache adapter

After the initial release of HybridCache in 2025, the team added support for a special case: using RemoveByTag("*") to clear the entire cache.

I didn't notice untile recently, and thanks to community user @​vrbyjimmy I did that.
Or, to better say it, he did that!
He acted so quickly that a PR immediately landed with the implementation, so thanks Jakub for that!

What happens underneath is that a RemoveByTag("*") call on the adapter is detected and re-routed to a Clear() call on the underlying FusionCache instance: very simple and elegant, and I like that a lot.

See here for the original issue.

🔒 Better Distributed Locker + Eager Refresh

Community user @​jgshowpad noticed that when using the new distributed stampede protection introduced in v2.5.0 with Eager Refresh some errors were being logged.

That was caused by the Redis-based distributed locker not handling correctly a timeout of zero (which btw is a pretty common approach to basically check for a lock already being acquired by someone else, without having to wait).

This has now been fixed.

See here for the original issue.

⚡ Perf boost for GenerateOperationId()

Community user @​Inok contributed with a nice set of low-level perf optimizations for the GenerateOperationId() internal method, which may be called quite a lot when doing observability (logging, OTEL, etc).

That's a very nice and welcome contribution, thanks Pavel!

See here for the original issue.
... (truncated)

Commits viewable in compare view.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions