Skip to content

[PM-28727] Upgrade to .NET 10#7171

Open
dereknance wants to merge 59 commits intomainfrom
pm-28727-dotnet-10
Open

[PM-28727] Upgrade to .NET 10#7171
dereknance wants to merge 59 commits intomainfrom
pm-28727-dotnet-10

Conversation

@dereknance
Copy link
Copy Markdown
Contributor

@dereknance dereknance commented Mar 7, 2026
edited
Loading

🎟️ Tracking

PM-28727

📔 Objective

This PR upgrades from .NET 8 to 10.

I left most dependencies at their current versions so they can go through the usual Renovate process.

Notable Changes

  • [PM-33499] Permissive base64 decoder #7207 With .NET 9, Base64.IsValid enforces canonical padding.
  • Update to IHostBuilder style #6843 WebHostBuilder is obsolete
  • X509Certificate2 constructors are obsolete
    • ❗ The now-obsolete constructors allowed X.509, PKCS7, or PKCS12/PFX certs to be passed in. I now attempt to detect PKCS12 or X.509 and call the appropriate loader. I would appreciate a close eye on those changes.
  • NuGetAuditLevel defaults to low with .NET 10, resulting in any dependency with a known vulnerability to block when running dotnet restore. I elected to set it to critical to only block builds for vulns at that severity, and let the existing Renovate process take care of the rest. ❗ I can be convinced to disable this entirely.
  • System.Text.Json 8.0.5 pin removed because package pruning emits NU1510
  • Microsoft.Extensions.Caching.Memory 8.0.1 pin removed as Microsoft.Data.SqlClient requires >=9 and was resulting in a package downgrade
  • Microsoft.AspNetCore.HttpOverrides.IPNetwork and KnownNetworks have been marked as obsolete
  • .NET 10's configuration binder now preserves null values instead of coercing them to empty strings, causing NullReferenceException in .Trim() calls. Added null-conditional operators in property setters in GlobalSettings.cs
  • Upgraded SignalR packages, notably MessagePack from 2.x to 3.x. The wire format appears compatible for our use case
  • New lints required, mostly whitespace

justindbaur and others added 21 commits January 13, 2026 20:34
@justindbaur
Add some integration tests for the Server project
fd67255
@justindbaur
Not sure why this project got removed?
c7942d2
@justindbaur
Merge branch 'main' into add-server-integration-tests
6f2c3d6
@justindbaur
Format
6c844ea
@justindbaur
capture debug output
1c9ff89
@justindbaur
Update tests to work with the now legacy WebHostBuilder
2ecdc13 
- I accidentally had the updated Program locally and that was why tests were working for me locally
@justindbaur
Formatting...again
a5f1b3f
@justindbaur
Update to IHostBuilder style
753c702
@justindbaur
Formatting
00cc684
@justindbaur
Merge branch 'main' into update-server-program
3967984
@justindbaur
Merge branch 'main' into update-server-program
877363e
@dereknance
make integration test work on existing databases
cddcfd2
@dereknance
mimekit .net10 support and security patch
39af40e
@dereknance
updated csproj files
932b81a
@dereknance
x509 api upgrade
f53c099
@dereknance
Merge branch 'update-server-program' into dotnet-10
2a100c7
@dereknance
missed an x509 upgrade
43d2afa
@dereknance
nullable fixups
943e15d
@dereknance
fix bugged test
820d5a0
@dereknance
dockerfiles
12dfdcb
@dereknance
pre-net9 b64 decoding support
1471118
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Mar 7, 2026
edited
Loading

Logo
Checkmarx One – Scan Summary & Details07da2400-b526-4103-b3e9-5fa672b2f106

Fixed Issues (1) Great job! The following issues were fixed in this Pull Request
Severity Issue Source File / Package
MEDIUM CSRF src/Api/Vault/Controllers/CiphersController.cs: 287

dereknance
dereknance commented Apr 22, 2026
View reviewed changes
Comment thread test/Api.Test/SecretsManager/Controllers/AccessPoliciesControllerTests.cs
Copy link
Copy Markdown
Contributor Author

@dereknance dereknance Apr 22, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The changed tests in this file fix a bug where id (the Org ID) was AssertPropertyEqual'd at the second parameter of GetManyByOrganizationIdWriteAccessAsync which is actually the user ID.

I haven't yet exactly nailed down why this bug presents itself with .NET 10.

@dereknance
update seeder dockerfile to net10
cde3fda 
a slim debian variant is no longer available

also had to avoid clobbering /etc/environment
@sonarqubecloud
Copy link
Copy Markdown

sonarqubecloud Bot commented Apr 22, 2026

Quality Gate Passed Quality Gate passed

Issues
3 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@dereknance dereknance added the ai-review Request a Claude code review label Apr 22, 2026
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Apr 22, 2026
edited
Loading

🤖 Bitwarden Claude Code Review

Overall Assessment: APPROVE

Reviewed the .NET 8 → .NET 10 framework upgrade across all projects, including target framework bumps, obsolete API migrations (X509Certificate2 constructors → X509CertificateLoader, Microsoft.AspNetCore.HttpOverrides.IPNetworkSystem.Net.IPNetwork), SignalR/MessagePack major version bump, pinned transitive dependency cleanup, NuGetAuditLevel set to critical, and behavioral test fixes for .NET 10 changes (null preservation in configuration binder, stricter Base64.IsValid, new JSON error message formats). The PR description and existing inline threads already address the most notable concerns (X509 loader behavior, EF Core ReadOnlySpan query change, IDataProtector.Unprotect Base64URL requirement, AssertPropertyEqual list-capacity differences, AccessPoliciesControllerTests latent bug). One consistency question remains on the SeederApi Dockerfile.

Code Review Details
  • ❓ : SeederApi Dockerfile app stage still uses aspnet:8.0 while the build stage was bumped to sdk:10.0; every other Dockerfile updates both stages.
    • util/SeederApi/Dockerfile:92

Dependency Changes

Package Change Ecosystem
Microsoft.AspNetCore.SignalR.Protocols.MessagePack 8.0.8 → 10.0.3 (major) NuGet
Microsoft.AspNetCore.SignalR.StackExchangeRedis 8.0.8 → 10.0.3 (major) NuGet
MessagePack 2.5.192 → 3.1.4 (major) NuGet
Microsoft.AspNetCore.Mvc.Testing 8.0.10 → 10.0.3 (major) NuGet
System.Text.Json 8.0.5 → Removed (pin; pruned per NU1510) NuGet
Microsoft.Extensions.Caching.Memory 8.0.1 → Removed (pin; superseded by transitive ≥9) NuGet
Microsoft.AspNetCore.Http (Sso.csproj) 2.2.2 → Removed (legacy transitive pin) NuGet
Microsoft.Build.Sql (global.json) 1.0.0 → 2.1.0 (major) msbuild SDK
.NET SDK (global.json) 8.0.100 → 10.0.103 (major) .NET SDK
TargetFramework (all projects) net8.0 → net10.0 (major) .NET TFM

@dereknance dereknance marked this pull request as ready for review April 22, 2026 23:34
@dereknance dereknance requested review from a team as code owners April 22, 2026 23:34
claude[bot]
claude Bot reviewed Apr 22, 2026
View reviewed changes
Comment thread util/SeederApi/Dockerfile
djsmith85
djsmith85 reviewed Apr 23, 2026
View reviewed changes
Comment thread bitwarden_license/test/Sso.IntegrationTest/Sso.IntegrationTest.csproj Outdated

<PropertyGroup>
<TargetFramework>net8.0</TargetFramework>
<TargetFramework>net10.0</TargetFramework>
Copy link
Copy Markdown
Contributor

@djsmith85 djsmith85 Apr 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎨 Non-blocking:
Probably just an oversight when these projects got created. Any file that has the TargetFramework updated, should probably be changed to delete the TargetFramework line, so the framework can be picked up via the Directory.BuildProps

Copy link
Copy Markdown
Contributor Author

@dereknance dereknance Apr 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good call. Maybe that helps reduce the reviewers required for the .NET 12 upgrade 😆

Copy link
Copy Markdown
Contributor Author

@dereknance dereknance Apr 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed! 1e030bf

mimartin12
mimartin12 reviewed Apr 23, 2026
View reviewed changes
Comment thread bitwarden_license/src/Scim/Dockerfile Outdated
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@djsmith85 djsmith85 djsmith85 left review comments

@mimartin12 mimartin12 mimartin12 left review comments

@claude claude[bot] claude[bot] left review comments

@amorask-bitwarden amorask-bitwarden amorask-bitwarden left review comments

@coroiu coroiu Awaiting requested review from coroiu coroiu is a code owner automatically assigned from bitwarden/team-platform-dev

@cyprain-okeke cyprain-okeke Awaiting requested review from cyprain-okeke cyprain-okeke is a code owner automatically assigned from bitwarden/team-billing-dev

@BTreston BTreston Awaiting requested review from BTreston BTreston is a code owner automatically assigned from bitwarden/team-admin-console-dev

@enmande enmande Awaiting requested review from enmande enmande is a code owner automatically assigned from bitwarden/team-auth-dev

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

ai-review Request a Claude code review

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@dereknance @djsmith85 @mimartin12 @amorask-bitwarden @justindbaur