SteeltoeOSS · bart-vmware · May 1, 2026 · Apr 30, 2026 · Apr 30, 2026 · Apr 30, 2026
diff --git a/.github/workflows/package.yml b/.github/workflows/package.yml
@@ -31,17 +31,19 @@ jobs:
 
     steps:
     - name: Setup .NET
-      uses: actions/setup-dotnet@v4
+      uses: actions/setup-dotnet@v5
       with:
         dotnet-version: |
-          6.0.*
           8.0.*
+          10.0.*
 
     - name: Git checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@v6
+      with:
+        persist-credentials: false
 
     - name: Restore packages
-      run: dotnet restore ${{ env.SOLUTION_FILE }} --verbosity minimal
+      run: dotnet restore ${{ env.SOLUTION_FILE }} /p:Configuration=Release /p:NuGetAudit=false --verbosity minimal
 
     - name: Calculate package version (for release)
       if: ${{ github.event_name == 'release' }}
@@ -108,7 +110,7 @@ jobs:
       run: dotnet pack ${{ env.SOLUTION_FILE }} --no-build --configuration Release --output ${{ github.workspace }}/packages /p:VersionSuffix=${{ env.PACKAGE_VERSION_SUFFIX }}
 
     - name: Upload unsigned packages
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@v7
       with:
         if-no-files-found: error
         name: unsigned-packages
@@ -126,21 +128,21 @@ jobs:
 
     steps:
     - name: Download unsigned packages
-      uses: actions/download-artifact@v4
+      uses: actions/download-artifact@v8
       with:
         name: unsigned-packages
         path: packages
 
     - name: Setup .NET
-      uses: actions/setup-dotnet@v4
+      uses: actions/setup-dotnet@v5
       with:
         dotnet-version: 8.0.*
 
     - name: Install code signing tool
       run: dotnet tool install --global sign --prerelease
 
     - name: Azure login
-      uses: azure/login@v2
+      uses: azure/login@v3
       with:
         client-id: ${{ secrets.AZURE_CLIENT_ID }}
         tenant-id: ${{ secrets.AZURE_TENANT_ID }}
@@ -159,7 +161,7 @@ jobs:
         --description-url 'https://steeltoe.io/'
 
     - name: Upload signed packages
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@v7
       with:
         if-no-files-found: error
         name: signed-packages
@@ -179,22 +181,22 @@ jobs:
 
     steps:
     - name: Azure login
-      uses: azure/login@v2
+      uses: azure/login@v3
       with:
         client-id: ${{ secrets.AZURE_CLIENT_ID }}
         tenant-id: ${{ secrets.AZURE_TENANT_ID }}
         subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
     - name: Download signed packages
-      uses: actions/download-artifact@v4
+      uses: actions/download-artifact@v8
       with:
         name: signed-packages
         path: packages
 
     - name: Setup .NET
-      uses: actions/setup-dotnet@v4
+      uses: actions/setup-dotnet@v5
       with:
-        dotnet-version: 8.0.x
+        dotnet-version: 8.0.*
         source-url: ${{ vars.AZURE_ARTIFACTS_FEED_URL }}
       env:
         NUGET_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -223,12 +225,12 @@ jobs:
 
     steps:
     - name: Setup .NET
-      uses: actions/setup-dotnet@v4
+      uses: actions/setup-dotnet@v5
       with:
-        dotnet-version: 8.0.x
+        dotnet-version: 8.0.*
 
     - name: Download signed packages
-      uses: actions/download-artifact@v4
+      uses: actions/download-artifact@v8
       with:
         name: signed-packages
         path: packages
@@ -248,7 +250,9 @@ jobs:
 
     steps:
     - name: Git checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@v6
+      with:
+        persist-credentials: true
 
     - name: Calculate next package version
       shell: pwsh

diff --git a/.github/workflows/scan-vulnerable-dependencies.yml b/.github/workflows/scan-vulnerable-dependencies.yml
@@ -27,14 +27,31 @@ jobs:
 
     steps:
     - name: Setup .NET
-      uses: actions/setup-dotnet@v4
+      uses: actions/setup-dotnet@v5
       with:
         dotnet-version: |
-          6.0.*
           8.0.*
+          10.0.*
 
     - name: Git checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@v6
+      with:
+        persist-credentials: false
 
     - name: Report vulnerable dependencies
-      run: dotnet restore ${{ env.SOLUTION_FILE }} --verbosity minimal /p:NuGetAudit=true /p:NuGetAuditMode=all /p:NuGetAuditLevel=low /p:TreatWarningsAsErrors=True
+      shell: pwsh
+      run: |
+        $ErrorActionPreference = 'Stop'
+        $PSNativeCommandUseErrorActionPreference = $true
+
+        $output = dotnet list ${{ env.SOLUTION_FILE }} package --vulnerable --include-transitive --format json --output-version 1 2>&1
+        $text = ($output | Out-String).TrimEnd()
+        $json = $text | ConvertFrom-Json
+
+        foreach ($project in $json.projects) {
+          if ($project.frameworks) {
+            Write-Host 'Vulnerable package references were found.'
+            dotnet list ${{ env.SOLUTION_FILE }} package --vulnerable --include-transitive
+            exit 1
+          }
+        }
diff --git a/Directory.Build.props b/Directory.Build.props
@@ -0,0 +1,5 @@
+<Project>
+  <PropertyGroup>
+    <EnableUnsafeBinaryFormatterSerialization>true</EnableUnsafeBinaryFormatterSerialization>
+  </PropertyGroup>
+</Project>
diff --git a/azure-pipelines.yml b/azure-pipelines.yml
@@ -33,14 +33,14 @@ jobs:
   pool:
     vmImage: $(imageName)
   steps:
-  - task: UseDotNet@2
-    displayName: Install .NET 6
-    inputs:
-      version: 6.0.x
   - task: UseDotNet@2
     displayName: Install .NET 8
     inputs:
       version: 8.0.x
+  - task: UseDotNet@2
+    displayName: Install .NET 10
+    inputs:
+      version: 10.0.x
   - pwsh: |
       # https://github.com/dotnet/core/issues/4749#issuecomment-2329706172
       wget http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl1.1_1.1.1f-1ubuntu2.24_amd64.deb
@@ -87,13 +87,6 @@ jobs:
       projects: '**/*.csproj'
       arguments: '--blame-hang-timeout 3m -f net8.0 --no-build -c $(buildConfiguration) -maxcpucount:1 $(skipFilter) --collect "XPlat Code Coverage" --settings coverlet.runsettings --logger trx --results-directory $(Build.SourcesDirectory)'
       publishTestResults: false
-  - task: DotNetCoreCLI@2
-    displayName: dotnet test 6.0
-    inputs:
-      command: test
-      projects: '**/*.csproj'
-      arguments: '--blame-hang-timeout 3m -f net6.0 --no-build -c $(buildConfiguration) -maxcpucount:1 $(skipFilter) --collect "XPlat Code Coverage" --settings coverlet.runsettings --logger trx --results-directory $(Build.SourcesDirectory)'
-      publishTestResults: false
   - task: CopyFiles@2
     condition: failed()
     inputs:

diff --git a/build/templates/component-build.yaml b/build/templates/component-build.yaml
@@ -16,14 +16,14 @@
   pool:
     vmImage: ${{parameters.OS}}-latest
   steps:
-  - task: UseDotNet@2
-    displayName: Install .NET 6
-    inputs:
-      version: 6.0.x
   - task: UseDotNet@2
     displayName: Install .NET 8
     inputs:
       version: 8.0.x
+  - task: UseDotNet@2
+    displayName: Install .NET 10
+    inputs:
+      version: 10.0.x
   - task: DotNetCoreCLI@2
     displayName: dotnet restore
     inputs:
@@ -50,15 +50,8 @@
    inputs:
      command: test
       projects: $(SolutionFile)
       arguments: -f net8.0 ${{parameters.skipFilter}} $(CommonTestArgs)
       publishTestResults: false
-  - task: DotNetCoreCLI@2
-    displayName: dotnet test 6.0
-    inputs:
-      command: test
-      projects: $(SolutionFile)
-      arguments: -f net6.0 ${{parameters.skipFilter}} $(CommonTestArgs)
-      publishTestResults: false
   - task: CopyFiles@2
     condition: failed()
     inputs:

diff --git a/sharedproject.props b/sharedproject.props
@@ -57,9 +57,4 @@
   <ItemGroup>
     <None Include="..\..\..\..\build\icon.png" Pack="true" PackagePath="\"/>
   </ItemGroup>
-
-  <ItemGroup>
-    <!-- All versions of Microsoft.Rest.ClientRuntime are vulnerable, but all higher versions of KubernetesClient without breaking changes depend on it. -->
-    <NuGetAuditSuppress Include="https://github.com/advisories/GHSA-whph-446h-6m9v" />
-  </ItemGroup>
 </Project>
diff --git a/sharedtest.props b/sharedtest.props
@@ -37,9 +37,4 @@
       <IncludeAssets>runtime; build; native; contentfiles; analyzers</IncludeAssets>
     </PackageReference>
   </ItemGroup>
-
-  <ItemGroup>
-    <!-- All versions of Microsoft.Rest.ClientRuntime are vulnerable, but all higher versions of KubernetesClient without breaking changes depend on it. -->
-    <NuGetAuditSuppress Include="https://github.com/advisories/GHSA-whph-446h-6m9v" />
-  </ItemGroup>
 </Project>
diff --git a/src/Bootstrap/src/Autoconfig/Steeltoe.Bootstrap.Autoconfig.csproj b/src/Bootstrap/src/Autoconfig/Steeltoe.Bootstrap.Autoconfig.csproj
@@ -1,6 +1,6 @@
 <Project Sdk="Microsoft.NET.Sdk">
   <PropertyGroup>
-    <TargetFrameworks>net8.0;net6.0</TargetFrameworks>
+    <TargetFrameworks>net8.0</TargetFrameworks>
     <RootNamespace>Steeltoe.Bootstrap.Autoconfig</RootNamespace>
     <Description>Package for automatically configuring Steeltoe packages that have separately been added to a project.</Description>
     <PackageTags>Autoconfiguration;automatic configuration;application bootstrapping</PackageTags>

diff --git a/src/Bootstrap/test/Autoconfig.Test/HostBuilderExtensionsTest.cs b/src/Bootstrap/test/Autoconfig.Test/HostBuilderExtensionsTest.cs
@@ -302,7 +302,7 @@ public void TracingBase_IsAutowired()
         Assert.NotNull(host.Services.GetService<IDynamicMessageProcessor>());
 
         // confirm instrumentation(s) were added as expected
-        var instrumentations = tracerProvider.GetType().GetField("instrumentations", BindingFlags.NonPublic | BindingFlags.Instance).GetValue(tracerProvider) as List<object>;
+        var instrumentations = OpenTelemetrySdkReflection.GetTracerProviderInstrumentations(tracerProvider);
         Assert.NotNull(instrumentations);
         Assert.Single(instrumentations);
         Assert.Contains(instrumentations, obj => obj.GetType().Name.Contains("Http"));
@@ -325,7 +325,7 @@ public void TracingCore_IsAutowired()
         Assert.NotNull(host.Services.GetService<IDynamicMessageProcessor>());
 
         // confirm instrumentation(s) were added as expected
-        var instrumentations = tracerProvider.GetType().GetField("instrumentations", BindingFlags.NonPublic | BindingFlags.Instance).GetValue(tracerProvider) as List<object>;
+        var instrumentations = OpenTelemetrySdkReflection.GetTracerProviderInstrumentations(tracerProvider);
         Assert.NotNull(instrumentations);
         Assert.Equal(2, instrumentations.Count);
         Assert.Contains(instrumentations, obj => obj.GetType().Name.Contains("Http"));

diff --git a/src/Bootstrap/test/Autoconfig.Test/OpenTelemetrySdkReflection.cs b/src/Bootstrap/test/Autoconfig.Test/OpenTelemetrySdkReflection.cs
@@ -0,0 +1,24 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the Apache 2.0 License.
+// See the LICENSE file in the project root for more information.
+
+using OpenTelemetry.Trace;
+using System.Collections.Generic;
+using System.Reflection;
+
+namespace Steeltoe.Bootstrap.Autoconfig.Test;
+
+/// <summary>
+/// Reflection helpers for OpenTelemetry SDK internals used by tests.
+/// </summary>
+public static class OpenTelemetrySdkReflection
+{
+    public static List<object> GetTracerProviderInstrumentations(TracerProvider tracerProvider)
+    {
+        var property = tracerProvider?.GetType().GetProperty(
+            "Instrumentations",
+            BindingFlags.Public | BindingFlags.NonPublic | BindingFlags.Instance);
+
+        return property?.GetValue(tracerProvider) as List<object>;
+    }
+}
diff --git a/src/Bootstrap/test/Autoconfig.Test/Steeltoe.Bootstrap.Autoconfig.Test.csproj b/src/Bootstrap/test/Autoconfig.Test/Steeltoe.Bootstrap.Autoconfig.Test.csproj
@@ -1,6 +1,6 @@
 <Project Sdk="Microsoft.NET.Sdk">
   <PropertyGroup>
-    <TargetFrameworks>net8.0;net6.0</TargetFrameworks>
+    <TargetFrameworks>net8.0</TargetFrameworks>
   </PropertyGroup>
 
   <Import Project="..\..\..\..\versions.props" />

diff --git a/src/Bootstrap/test/Autoconfig.Test/WebApplicationBuilderExtensionsTest.cs b/src/Bootstrap/test/Autoconfig.Test/WebApplicationBuilderExtensionsTest.cs
@@ -40,11 +40,7 @@ namespace Steeltoe.Bootstrap.Autoconfig.Test
 {
     public class WebApplicationBuilderExtensionsTest
     {
-#if NET8_0_OR_GREATER
         private const int ConfigurationProviderCountDelta = 2;
-#else
-        private const int ConfigurationProviderCountDelta = 0;
-#endif
 
         [Fact]
         public void ConfigServerConfiguration_IsAutowired()
@@ -230,7 +226,7 @@ public void TracingBase_IsAutowired()
             Assert.NotNull(host.Services.GetService<IDynamicMessageProcessor>());
 
             // confirm instrumentation(s) were added as expected
-            var instrumentations = tracerProvider.GetType().GetField("instrumentations", BindingFlags.NonPublic | BindingFlags.Instance).GetValue(tracerProvider) as List<object>;
+            var instrumentations = OpenTelemetrySdkReflection.GetTracerProviderInstrumentations(tracerProvider);
             Assert.NotNull(instrumentations);
             Assert.Single(instrumentations);
             Assert.Contains(instrumentations, obj => obj.GetType().Name.Contains("Http"));
@@ -249,7 +245,7 @@ public void TracingCore_IsAutowired()
             Assert.NotNull(host.Services.GetService<IDynamicMessageProcessor>());
 
             // confirm instrumentation(s) were added as expected
-            var instrumentations = tracerProvider.GetType().GetField("instrumentations", BindingFlags.NonPublic | BindingFlags.Instance).GetValue(tracerProvider) as List<object>;
+            var instrumentations = OpenTelemetrySdkReflection.GetTracerProviderInstrumentations(tracerProvider);
             Assert.NotNull(instrumentations);
             Assert.Equal(2, instrumentations.Count);
             Assert.Contains(instrumentations, obj => obj.GetType().Name.Contains("Http"));

diff --git a/src/Bootstrap/test/Autoconfig.Test/WebHostBuilderExtensionsTest.cs b/src/Bootstrap/test/Autoconfig.Test/WebHostBuilderExtensionsTest.cs
@@ -308,7 +308,7 @@ public void TracingBase_IsAutowired()
         Assert.NotNull(host.Services.GetService<IDynamicMessageProcessor>());
 
         // confirm instrumentation(s) were added as expected
-        var instrumentations = tracerProvider.GetType().GetField("instrumentations", BindingFlags.NonPublic | BindingFlags.Instance).GetValue(tracerProvider) as List<object>;
+        var instrumentations = OpenTelemetrySdkReflection.GetTracerProviderInstrumentations(tracerProvider);
         Assert.NotNull(instrumentations);
         Assert.Single(instrumentations);
         Assert.Contains(instrumentations, obj => obj.GetType().Name.Contains("Http"));
@@ -331,7 +331,7 @@ public void TracingCore_IsAutowired()
         Assert.NotNull(host.Services.GetService<IDynamicMessageProcessor>());
 
         // confirm instrumentation(s) were added as expected
-        var instrumentations = tracerProvider.GetType().GetField("instrumentations", BindingFlags.NonPublic | BindingFlags.Instance).GetValue(tracerProvider) as List<object>;
+        var instrumentations = OpenTelemetrySdkReflection.GetTracerProviderInstrumentations(tracerProvider);
         Assert.NotNull(instrumentations);
         Assert.Equal(2, instrumentations.Count);
         Assert.Contains(instrumentations, obj => obj.GetType().Name.Contains("Http"));

diff --git a/src/CircuitBreaker/src/Abstractions/Steeltoe.CircuitBreaker.Abstractions.csproj b/src/CircuitBreaker/src/Abstractions/Steeltoe.CircuitBreaker.Abstractions.csproj
@@ -1,6 +1,6 @@
 <Project Sdk="Microsoft.NET.Sdk">
   <PropertyGroup>
-    <TargetFrameworks>netstandard2.0</TargetFrameworks>
+    <TargetFrameworks>net8.0;netstandard2.0</TargetFrameworks>
     <RootNamespace>Steeltoe.CircuitBreaker</RootNamespace>
     <Description>Circuit breaker abstractions</Description>
     <PackageTags></PackageTags>

diff --git a/...er/src/Hystrix.MetricsEventsCore/Steeltoe.CircuitBreaker.Hystrix.MetricsEventsCore.csproj b/...er/src/Hystrix.MetricsEventsCore/Steeltoe.CircuitBreaker.Hystrix.MetricsEventsCore.csproj
@@ -1,7 +1,7 @@
 <Project Sdk="Microsoft.NET.Sdk">
   <PropertyGroup>
     <Description>Steeltoe Netflix Hystrix Metrics Event Stream ASP.NET Core</Description>
-    <TargetFrameworks>net8.0;net6.0</TargetFrameworks>
+    <TargetFrameworks>net8.0</TargetFrameworks>
     <PackageTags>aspnetcore;Circuit Breaker;Spring;Spring Cloud;Spring Cloud Hystrix;Hystrix</PackageTags>
   </PropertyGroup>
 

diff --git a/...er/src/Hystrix.MetricsStreamCore/Steeltoe.CircuitBreaker.Hystrix.MetricsStreamCore.csproj b/...er/src/Hystrix.MetricsStreamCore/Steeltoe.CircuitBreaker.Hystrix.MetricsStreamCore.csproj
@@ -1,6 +1,6 @@
 <Project Sdk="Microsoft.NET.Sdk">
   <PropertyGroup>
-    <TargetFrameworks>net8.0;net6.0</TargetFrameworks>
+    <TargetFrameworks>net8.0</TargetFrameworks>
     <Description>Netflix Hystrix metrics event stream for ASP.NET Core over RabbitMQ</Description>
     <PackageTags>aspnetcore;Circuit Breaker;Spring;Spring Cloud;Spring Cloud Hystrix;Hystrix;turbine;cloudfoundry</PackageTags>
   </PropertyGroup>

diff --git a/src/CircuitBreaker/src/HystrixBase/Exceptions/HystrixRuntimeException.cs b/src/CircuitBreaker/src/HystrixBase/Exceptions/HystrixRuntimeException.cs
@@ -52,7 +52,9 @@ protected HystrixRuntimeException(SerializationInfo info, StreamingContext conte
 
     public Type ImplementingClass { get; }
 
+#pragma warning disable CS0672 // Member overrides obsolete member
     public override void GetObjectData(SerializationInfo info, StreamingContext context)
+#pragma warning restore CS0672 // Member overrides obsolete member
     {
         base.GetObjectData(info, context);
     }