build: Bump the analyzers group with 4 updates by dependabot[bot] · Pull Request #183 · mcj-coder-org/claude-auto-resume

This is a focused patch release with one mission: squash a false positive that was getting in the way of real-world LINQ-to-Mocks usage. If you've been seeing Moq1302 warnings on perfectly valid code, this one's for you. 🎯

A big thank you to @abatishchev for reporting the issue with a clear, actionable reproduction. Community reports like this make all the difference.

🐛 False Positive Fix for Moq1302

What was happening

If you were using Mock.Of with a comparison expression — something totally normal like this:

Mock.Of<Response>(static r => r.Status == StatusCodes.Status200OK)

…you'd get a warning:

⚠️ Moq1302: Invalid member 'StatusCodes.Status200OK' in LINQ to Mocks expression

But there's nothing wrong with that code. It compiles, it runs, and it's how LINQ-to-Mocks expressions are supposed to work. The right-hand side of the comparison (StatusCodes.Status200OK) is just a constant — it's not a mock setup member. The analyzer shouldn't have been looking at it at all. 😬

The same false positive appeared with enum values, static fields, external locals, and other non-mock expressions on the right-hand side of ==, &&, or || comparisons.

How it was fixed

The fix introduces a lambda parameter guard: before the analyzer flags a member access, it now walks the receiver chain to check whether the operation is actually rooted in the lambda parameter (i.e., the r in r => r.Status == ...).

A new IsRootedInLambdaParameter() extension method traces the receiver chain — through property accesses, method calls, and conversions — all the way back to the lambda parameter. If the chain doesn't terminate in the lambda parameter, the member is silently skipped. Static members, constants, and external references pass right through without a warning.

The guard is applied only to leaf member operations (property references, method calls). Composite operations like && and || still get decomposed normally, so chained comparisons like r.Prop == "a" && r.Other == "b" continue to be fully analyzed. No false negatives.

As a bonus, MoqKnownSymbols is now threaded through the entire analysis chain instead of being recreated mid-analysis, and nested Mock.Of calls are excluded early to prevent false positives from inner mock expressions.

🧪 Comprehensive Test Coverage

This release adds 961 new lines of test code covering the full surface area of the fix (#1020):

✅ Static members and constants on the right-hand side of comparisons
✅ Enum value comparisons
✅ Chained && / || expressions
✅ Nested Mock.Of calls
✅ Deep receiver chain walking edge cases

👥 Contributors

Thank you to everyone who reported bugs and provided reproduction cases:

@abatishchev — Reported #1010 with a clear reproduction

... (truncated)

0.4.1

Moq.Analyzers 0.4.1

This is a patch release addressing critical bugs reported after v0.4.0.

🐛 Bug Fixes

Moq1203 False Positives

#849 - Fixed incorrect Moq1203 flagging after upgrading to v0.4.0. The analyzer now correctly resolves delegate-overload resolution for ReturnsAsync, Callback, and similar chained methods. (#886, #919)
#887 - Fixed Moq1203 false positive when the Setup call is wrapped in parentheses. (#895)

Parenthesized Expression Handling

#896 - Fixed parenthesized expressions breaking syntax chain walking in Moq1100 and Moq1206 analyzers. (#907)

Assembly Loading

#850 - Resolved CS8032 warning caused by System.Collections.Immutable assembly version mismatch. (#888)

🤝 Contributors

Thank you to everyone who reported bugs, provided reproduction cases, and engaged in issue discussions to help make this release possible:

@AgustinSabalza - Reported #849
@lkurzyniec - Reported #850
@DamienCassou - Feedback and upvote on #849
@Thijs153 - Feedback on #849
@basvanharten - Feedback on #849
@bkaidbb - Feedback and upvote on #849
@pavkam - Feedback on #849
@abatishchev - Feedback on #850
@bt-chaz-christie - Feedback on #850
@Philipp1806 - Upvote on #849
@philipmat - Upvote on #849

🔗 Resources

Full Changelog: rjmurillo/moq.analyzers@v0.4.0...v0.4.1
Documentation: https://github.com/rjmurillo/moq.analyzers/tree/main/docs/rules
Issue Tracker: https://github.com/rjmurillo/moq.analyzers/issues

💬 Feedback

If you encounter any issues or have suggestions:

Report bugs: https://github.com/rjmurillo/moq.analyzers/issues/new
Request features: https://github.com/rjmurillo/moq.analyzers/discussions
Ask questions: https://github.com/rjmurillo/moq.analyzers/discussions/categories/q-a

Thank you for using Moq.Analyzers!

0.4.1-alpha

v0.4.1-alpha

Prerelease containing 3 bug fixes since v0.4.0 to rebuild confidence with users.

Bug Fixes

fix: Moq1203 false positives for ReturnsAsync and Callback chaining (#886)
fix: resolve CS8032 assembly version mismatch (#850) (#888)
fix: Moq1203 false positive when Setup call is wrapped in parentheses (#895)

Critical: CS8032 Fix

v0.4.0 shipped DLLs that referenced System.Collections.Immutable versions incompatible with .NET 8 SDK hosts, causing CS8032 warnings on every build. This release downgrades the transitive dependency pins and adds CI load tests to prevent recurrence.

Commits viewable in compare view.

Updated SonarAnalyzer.CSharp from 10.18.0.131500 to 10.22.0.136894.

Release notes

Sourced from SonarAnalyzer.CSharp's releases.

10.22

Hello everyone,
This release brings 4 new rules to help developers transition to C# 14, and a bunch of false positive fixes.

New rules

NET-3361 - New rule S8381: "scoped" should be escaped when used as a type name in lambda parameters
NET-3359 - New rule S8368: "extension" identifiers should be escaped to avoid contextual keyword conflicts
NET-3347 - New rule S8380: Return types named "partial" should be escaped with "@"
NET-3345 - New rule S8367: Identifiers should not conflict with the "field" keyword in C# 14?

False Positive

NET-3443 - Fix S1940 FP: for floating point numbers that can be NaN "!(a <= b)" is not the same as "a > b"
NET-3001 - Fix S3063 FP: Concatenation with identifier
NET-1569 - Fix S5944 FP: AddressOf(MethodName) in Return statement
NET-3445 - Fix T0029 FP: Inside target-typed new
NET-2817 - Fix T0029 FP: Ident for collection expression members
NET-2024 - Fix T0029 FP: Inside array initializer
NET-3341 - Fix T0029 FP: After member access
NET-3462 - Fix T0042 FP: Inside constructors and collection initializers
NET-3426 - Fix T0042: Raw string in collection initializer
NET-2888 - Fix T0042 FP: Returned from method
NET-2874 - Fix T0042 FP: Raw string in ternary

Bugs

NET-3386 - Fix S4583 AD0001: BeginInvoke callback declared in separate file

Other

NET-3385 - S2612: Rule type changed from Security Hotspot to Vulnerability

10.21

### Bug

NET-3376 - Fix S6930 AD0001: Issue on template / code files for blazor
NET-3367 - Fix S4830 AD0001: CertificateValidationCheck Syntax node is not within syntax tree

Feature

NET-3260 - Fix broken links in S6960 RSPEC

False Positive

NET-2886 - Fix T0015 FP: In constructor
NET-1678 - Fix S4275 FP: with property overload

10.20

This release brings 9 precision improvements — 7 false positive fixes and 2 false negative fixes — across rules S1116, S1144, S1210, S1643, S1854, S2365, S3254, S3265, and S127. It also promotes S2068 and S6418 from Security Hotspot to Vulnerability, making them visible directly in the IDE, and removes S3256 from the Sonar Way quality profile.

Changes

NET-3227 - Remove S3256 from "Sonar Way" quality profile
NET-3208 - S6418: Rule type changed from Security Hotspot to Vulnerability
NET-3207 - S2068: Rule type changed from Security Hotspot to Vulnerability
NET-3206 - Remove links to rules.sonarsource.com

False Positive

NET-3215 - Fix FP on S127: Should only raise on stop condition variables
NET-3212 - Fix FP on S3254: Don't raise if the parameter isn't last
NET-3053 - Fix FP on S1210: Implementing comparable operators for private types
NET-2984 - Fix FP on S3265: BCL enums with [Flags] not recognized due to metadata resolution
NET-2976 - Fix FP on S1854: Default value initializations flagged despite exemptions
NET-2966 - Fix FP on S1144: Constructors in MEF-exported types
NET-2956 - Fix FP on S1116: Empty loop body with side effects in condition

False Negative

NET-1261 - Fix FN on S2365: Rule should report on new collection
NET-1259 - Fix FN on S1643: Concatenation for parameters, fields and properties are not detected

Rule specification

NET-3246 - Modify Rule S127: Update Description
NET-3218 - Modify Rule S3265: Add exception for MethodImplAttributes
NET-3086 - Modify Rule S1116: Add loop exception

Maintenance

NET-3047 - Update RSPEC before 10.20 release

10.19

Documentation

NET-3012 - Modify Rule S3903: Update description for C#10

False Positive

NET-3004 - Fix S2696 FP: New extension method format triggers FP when accessing static fields

False Negative

NET-3011 - Fix S4790 FN: Support Using statement

Task

NET-2948 - Update RSPEC before 10.19 release

Bug

NET-1866 - Support future VS versions in NuGet package

Commits viewable in compare view.

Updated xunit.analyzers from 1.26.0 to 1.27.0.

Release notes

Sourced from xunit.analyzers's releases.

No release notes found for this version range.

Commits viewable in compare view.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
@dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
@dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
@dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
@dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps Meziantou.Analyzer from 2.0.276 to 3.0.29 Bumps Moq.Analyzers from 0.4.0 to 0.4.2 Bumps SonarAnalyzer.CSharp from 10.18.0.131500 to 10.22.0.136894 Bumps xunit.analyzers from 1.26.0 to 1.27.0 --- updated-dependencies: - dependency-name: Meziantou.Analyzer dependency-version: 3.0.29 dependency-type: direct:production update-type: version-update:semver-major dependency-group: analyzers - dependency-name: Moq.Analyzers dependency-version: 0.4.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: analyzers - dependency-name: SonarAnalyzer.CSharp dependency-version: 10.22.0.136894 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: analyzers - dependency-name: xunit.analyzers dependency-version: 1.27.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: analyzers ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot · 2026-03-30T06:27:22Z

Labels

The following labels could not be found: dependencies, nuget. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

github-actions · 2026-03-30T06:27:35Z

This Dependabot PR contains a version-update:semver-major update and requires manual review before merging.

github-actions · 2026-03-30T06:27:44Z

	Fails
🚫	PR must have a Summary or Description section.
🚫	PR must have auto-merge enabled. Enable via PR settings → "Enable auto-merge". This ensures PRs are merged automatically once all checks pass.
🚫	PR title subject should start with lowercase. Current: "build: Bump the analyzers group with 4 updates" The subject after the colon should start with a lowercase letter.
🚫	PR body must contain an issue reference. Add one of the following to your PR description: Refs: docs: add dependency injection coding standards and ADR #123 Closes docs: add dependency injection coding standards and ADR #123 Fixes docs: add dependency injection coding standards and ADR #123 This ensures traceability between commits and issues.

Generated by 🚫 dangerJS against 0391fde

dependabot · 2026-04-06T06:18:36Z

Looks like these dependencies are updatable in another way, so this is no longer needed.

dependabot bot requested a review from mcj-coder as a code owner March 30, 2026 06:27

dependabot bot closed this Apr 6, 2026

dependabot bot deleted the dependabot/nuget/analyzers-65ca670cd0 branch April 6, 2026 06:18

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

build: Bump the analyzers group with 4 updates#183

build: Bump the analyzers group with 4 updates#183
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/nuget/analyzers-65ca670cd0

dependabot bot commented on behalf of github Mar 30, 2026 •

edited

Loading

Uh oh!

dependabot bot commented on behalf of github Mar 30, 2026

Uh oh!

github-actions bot commented Mar 30, 2026

Uh oh!

github-actions bot commented Mar 30, 2026 •

edited

Loading

Uh oh!

dependabot bot commented on behalf of github Apr 6, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot bot commented on behalf of github Mar 30, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

3.0.29

What's Changed

3.0.28

What's Changed

3.0.27

What's Changed

3.0.26

What's Changed

3.0.25

3.0.24

3.0.23

What's Changed

3.0.22

What's Changed

3.0.21

What's Changed

3.0.20

What's Changed

3.0.19

What's Changed

3.0.18

What's Changed

3.0.17

What's Changed

3.0.16

What's Changed

3.0.15

What's Changed

3.0.14

What's Changed

3.0.13

What's Changed

3.0.12

What's Changed

3.0.11

What's Changed

3.0.10

What's Changed

3.0.9

What's Changed

3.0.8

What's Changed

3.0.7

What's Changed

3.0.6

What's Changed

3.0.5

What's Changed

3.0.4

What's Changed

3.0.3

What's Changed

3.0.2

What's Changed

3.0.1

What's Changed

2.0.302

2.0.301

What's Changed

New Contributors

2.0.300

What's Changed

2.0.299

What's Changed

2.0.298

What's Changed

2.0.297

What's Changed

2.0.296

What's Changed

2.0.295

What's Changed

2.0.294

2.0.293

What's Changed

2.0.292

What's Changed

dependabot bot commented on behalf of github Mar 30, 2026 •

edited

Loading