Skip to content

Bump Refit from 10.1.6 to 13.0.0#1139

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/nuget/Refit-13.0.0
Open

Bump Refit from 10.1.6 to 13.0.0#1139
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/nuget/Refit-13.0.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 1, 2026

Copy link
Copy Markdown
Contributor

Updated Refit from 10.1.6 to 13.0.0.

Release notes

Sourced from Refit's releases.

13.0.0

🗞️ What's Changed

Refit 13 is a major release focused on security hardening and a brand-new testing package.

  • Security hardening (#​2181) — closes issues found in a security audit. XML deserialization is now protected against XXE (external entity) attacks, the Newtonsoft.Json integration no longer honours unsafe TypeNameHandling by default (blocking type-confusion/deserialization attacks), and sensitive values (auth headers, tokens) are now redacted from exception and log output. This is the main reason for the major version bump: if you relied on permissive Newtonsoft type handling you may need to opt back in explicitly.
  • New Refit.Testing package (#​2184) — a first-party way to stub and verify Refit clients in tests without spinning up a real HttpClient. Supply canned responses for interface calls and assert which requests your code made, instead of hand-rolling HttpMessageHandler fakes.
  • R3 bridge analyzer fix (#​2186) — corrects the removal target for the R3 bridge analyzer.
  • CI and documentation tidy-ups for SonarCloud on fork pull requests.

✨ Features

  • reactiveui/refit@​cc24382535a48c24e15100a3f58914a6e4fe8dcc feat: security hardening from audit (XXE, Newtonsoft type handling, redaction) (#​2181) @​glennawatson
  • reactiveui/refit@​339cb8d39e16d05770217902ad9794f0fe289869 feat: add Refit.Testing package for stubbing and verifying clients (#​2184) @​glennawatson

🧹 General Changes

  • reactiveui/refit@​5d272c8dc2d691d8c793abe64f1b9e430fdbec4f ci: run SonarCloud on fork pull requests @​glennawatson

📝 Documentation

  • reactiveui/refit@​533bbbe525a51eed6397c0d522e5e9cdc281c50b docs: slim fork-PR SonarCloud wrapper comments @​glennawatson

📌 Other

  • reactiveui/refit@​c0bbb5a857691bb7cd39c19d573a3f21faaaf607 [codex] Fix R3 bridge analyzer removal target (#​2186) @​ChrisPulman

🔗 Full Changelog: reactiveui/refit@v12.1.0...v13.0.0

🙌 Contributions

💖 Thanks to all the contributors: @​ChrisPulman, @​glennawatson

12.1.0

🗞️ What's Changed

✨ Features

  • reactiveui/refit@​89f17aec24691e38a9b9f87238276e6b754ef981 feat: AOT-safe generated-only client DI registration and case-insensitive problem+json detection (#​2172) @​glennawatson
  • reactiveui/refit@​b31e9fe53f6d64c6e5597efd367cbddb123022a4 feat: read sent request body and synchronously inspect the error body on ApiException (#​2175) @​glennawatson

🐛 Fixes

  • reactiveui/refit@​e3ec13ffa2a8867ce93245b892bfe731d2acc96a fix: correctly annotate error out parameters for nullable flow (#​2177) @​HulinCedric

📝 Documentation

  • reactiveui/refit@​db3305331c7c81c663d233043a3ff5c53d3e65e9 docs: document v12 breaking changes and update package versions (#​2180) @​ChrisPulman

📦 Dependencies

  • reactiveui/refit@​459aec45f0705e9ed3237bab7c230ce9e521b7fe chore(deps): update dependency verify.diffplex to 3.3.0 (#​2178) @​renovate[bot]

🔗 Full Changelog: reactiveui/refit@v12.0.0...12.1.0

🙌 Contributions

💖 Thanks to all the contributors: @​ChrisPulman, @​glennawatson, @​HulinCedric

🤖 Automated services that contributed: @​renovate[bot]

12.0.0

Overview

Refit 12.0 is a large release centred on a near-complete rewrite of how requests are built. The source generator now constructs HTTP requests inline at compile time instead of going through the reflection pipeline, making generated clients faster and friendly to trimming and Native AOT. On top of that foundation it adds response streaming, JSON Lines, naming-convention presets, and a batch of long-standing fixes. Two small, well-scoped breaking changes are called out below.

This release also removed netstandard2.0 and netstandard2.1 support. You should to use net462/net8 as your base lines, and use multiple targets if you need to target both.

Highlights

  • Reflection-free, AOT-ready source generation. Eligible interface methods now have their request (URI, headers, body, request properties) built directly in generated code, with the reflection request-builder kept only as a fallback for shapes that cannot be generated inline. Form bodies flatten through compiled, source-generated field descriptors. The generator itself was modernised and optimised, and ships analyzer diagnostics and code fixes. There is also a generated-only client-creation mode and a build-time switch for generated request building.
  • IAsyncEnumerable<T> response streaming. Stream large responses, auto-detecting a JSON array vs JSON Lines from the content type, generated inline on the hot path.
  • JSON Lines request bodies. [Body(BodySerializationMethod.JsonLines)] plus a streaming JsonLinesContent (application/x-ndjson), wired through both the reflection and source-gen paths.
  • Naming-convention presets. RefitSettings.CamelCase() / SnakeCase() / KebabCase() configure query keys, form-url-encoded keys, and JSON body property names consistently, plus snake/kebab URL key formatters. Opt-in, so existing behaviour is unchanged.
  • Response ergonomics. EnsureSuccessStatusCodeAsync() / EnsureSuccessfulAsync() are now available directly on IApiResponse<T>; a new IsSuccessfulWithContent (and HasContent) gives a single, mock-safe success-with-content check; nullable annotations on IApiResponse<T> were corrected to be sound.
  • URL and route control. Opt-in RFC 3986 / HttpClient-style URL resolution via RefitSettings.UrlResolution, and RefitSettings.AllowUnmatchedRouteParameters to leave an unmatched {token} for a DelegatingHandler to rewrite.
  • Faster JSON. A fast-path serialization option (SystemTextJsonContentSerializer.GetFastPathJsonSerializerOptions()) and buffered/streamed request-body modes that run through it.
  • Smaller additions. [Query(SerializeNull = true)] to send a null property as key= instead of omitting it, and a public UniqueName.ForType<T>() to resolve the generated IHttpClientFactory client name.
  • Fixes. Multipart Guid/DateTime/DateTimeOffset/TimeSpan (and DateOnly/TimeOnly) are sent as plain text (#​2016); property-level [Query(delimiter, prefix)] is honoured when flattening complex objects (#​1334); [Query(Format = "")] serializes a complex value via ToString() (#​1281); and IApiResponse<T> no longer shadows base members (#​1933).

Breaking changes and migration

  • IApiResponse<T> no longer shadows base members. The new-shadowed Error, ContentHeaders, IsSuccessStatusCode, and IsSuccessful members are removed from the generic interface. Source that reads these still compiles (they bind to the inherited base members), but code compiled against v8-v11 that bound to the generic-interface slots needs a recompile. If you relied on IsSuccessful to narrow Content to non-null on an IApiResponse<T>-typed value, switch to HasContent / IsSuccessfulWithContent.
  • The default System.Text.Json serializer now reads numbers from JSON strings (NumberHandling = AllowReadingFromString). Opt back out with NumberHandling = JsonNumberHandling.Strict on your JsonSerializerOptions.

🗞️ What's Changed

💥 Breaking Changes

  • reactiveui/refit@​8b70ca1c072ac17741615e38918dfe50b970dc8b break: request-building fixes, JSON Lines, and response ergonomics (#​2155) @​glennawatson
  • reactiveui/refit@​3881cc67286012268521a58740752556ed500bcf break: add IAsyncEnumerable streaming and opt-in URL, route and JSON serialization modes (#​2157) @​glennawatson

✨ Features

  • reactiveui/refit@​6f2e43dadafdf965e6764b07220b30239990b860 feat: respect naming conventions across query, form and JSON body (#​2154) @​glennawatson
  • reactiveui/refit@​196cd4966dee21f89cc982970171e174f3249427 feat: add IsSuccessfulWithContent and correct IApiResponse nullable annotations (#​2159) @​glennawatson
  • reactiveui/refit@​e28a38438ebd16e94b41de860cc609820377170c feat: generate request construction to avoid reflection pipeline (#​2150) @​glennawatson
  • reactiveui/refit@​98982b48d27a94e0d3caac0d692ccc927db00d2c feat: reflection-free generated form serialization, opt-in null values, and public UniqueName (#​2164) @​glennawatson
  • reactiveui/refit@​bf488d6a0849184eb1d1b72368fb0d7b5c5b019f feat: improve generated clients for AOT (#​2151) @​glennawatson

♻️ Refactoring

  • reactiveui/refit@​3fd4ce6f0d76405c69c5681cc4a660ab3a708d9f refactor: replace System.Reactive with ReactiveUI.Primitives and integrate observable test helpers (#​2152) @​glennawatson
  • reactiveui/refit@​c7c14b43f9ff954cf5249a6c25e526b5bdf75eb6 refactor: align Refit with rxui coding standards and modernize (#​2149) @​glennawatson

⚡ Performance

  • reactiveui/refit@​3717256d32f6dac0503e66aad68795fe1929a2f7 perf: modernize and optimize the Refit source generator (#​2148) @​glennawatson

🧹 General Changes

  • reactiveui/refit@​0aae034524fef8a3b56074e56edc21d15f771bb7 build: update StyleSharp.Analyzers to 3.13.4 and align editorconfig (#​2163) @​glennawatson

🔗 Full Changelog: reactiveui/refit@v11.2.0...v12.0.0

... (truncated)

11.2.0

🗞️ What's Changed

🐛 Fixes

  • reactiveui/refit@​13882dacbfe0466a6fb432b22f0aac224e8ce36a fix: honor parameter-level CollectionFormat for inner collections (#​2144) @​glennawatson
  • reactiveui/refit@​54a8e62f263e3867a2f6ad5de4a915d7eb266717 fix: ValidationApiException propagates ContentHeaders and uses configured serializer (#​2146) @​glennawatson
  • reactiveui/refit@​d694baf1c6297e37c483068270f8758bb54140dc fix: populate ApiException.Content when deserialization fails (#​2145) @​glennawatson

🔗 Full Changelog: reactiveui/refit@v11.1.0...v11.2.0

🙌 Contributions

💖 Thanks to all the contributors: @​glennawatson

11.1.0

🗞️ What's Changed

🐛 Fixes

  • reactiveui/refit@​be087067732c838d320c98654bf8dc6368cb7884 Fix: serialize body by runtime type for interface/abstract parameters (#​2118) (#​2119) @​HulinCedric
  • reactiveui/refit@​d58ce5a3a5d815ec93fac22cd38e2b1ba15dc246 fix: keep only baseline analyzer on legacy toolchains (#​2136) @​glennawatson
  • reactiveui/refit@​10ab2ce39ddd40f52eb0b5cb427f4caa969e96e9 fix: handle empty responses and edge cases in JSON serialization (#​2138) @​ChrisPulman @​glennawatson
  • reactiveui/refit@​f9a24abf09056d12d238d8cf15a3b123f1bc1aec fix: clearer error when a response has no request message (#​2141) @​glennawatson
  • reactiveui/refit@​98868fa8d893090b81cb4c2ba7c67c114505b4ce fix: detect nullable CancellationToken parameters (#​2139) @​glennawatson
  • reactiveui/refit@​7a3489ef3772047858104e88ab13c6ba9c2d4c93 fix: correct URL and query string building edge cases (#​2137) @​glennawatson
  • reactiveui/refit@​8f9b4606f932f5ef65911aa0c4b5aaf64c4e4411 fix: request building edge cases for headers, query and enum params (#​2140) @​glennawatson

🧹 General Changes

  • reactiveui/refit@​988d17ab40281b22d017d0226eede0ccc4b54613 build: adopt central package management and modernize MSBuild (#​2142) @​glennawatson

📝 Documentation

  • reactiveui/refit@​2989a5e7044804231cb7072342a67aaa0cf71760 docs: Fix Refit 10 typo that should be Refit 11 (#​2143) @​PressXtoChris

📦 Dependencies

  • reactiveui/refit@​b71c90c70e19d1ad366455a56d4782938cc8d258 Update dotnet monorepo (#​2123) @​renovate[bot]
  • reactiveui/refit@​b2e3c17c9a614260da21c910da991cc18705a141 Update ASP.NET Core (#​2122) @​renovate[bot]
  • reactiveui/refit@​5f67752c26dc07851a77f2f42084fceca05ef106 chore(deps): update dotnet monorepo to v8 (#​2130) @​renovate[bot]
  • reactiveui/refit@​780979c8bda4bc96f13e84e07060db83317b2de8 Update Microsoft.Testing to 18.8.0 (#​2126) @​renovate[bot]

🔗 Full Changelog: reactiveui/refit@v11.0.1...v11.1.0

🙌 Contributions

🌱 New contributors since the last release: @​HulinCedric
💖 Thanks to all the contributors: @​ChrisPulman, @​glennawatson, @​HulinCedric, @​PressXtoChris

🤖 Automated services that contributed: @​renovate[bot]

11.0.1

🗞️ What's Changed

🧹 General Changes

  • reactiveui/refit@​484edf6e67310493766b9e4010793bdeaacfb1d7 build: default examples to IsPackable=false @​glennawatson

📌 Other

  • reactiveui/refit@​8652c5e7ac8189dc85aa3748dca1808b3c3c825d Proposal to fix 2115 (#​2116) @​xIceFox

🔗 Full Changelog: reactiveui/refit@v11.0.0...11.0.1

🙌 Contributions

🌱 New contributors since the last release: @​xIceFox
💖 Thanks to all the contributors: @​glennawatson, @​xIceFox

11.0.0

⚠️ This is a breaking release (major: 10.x → 11.0.0)

11.0.0 reworks Refit's error/exception model and tightens interface validation. Most apps will compile, but code that inspects ApiResponse.Error, reads StatusCode, or catches transport exceptions around Refit calls will need changes. These are the same breaking changes that briefly shipped in the now‑delisted 10.1.7 and were reported by the community in #​2114.

💡 Need a drop‑in, non‑breaking replacement for 10.1.6? Use 10.2.0 — it is 10.1.6 re‑signed with a valid certificate (the 10.1.6 cert was revoked, see #​2114). Move to 11.0.0 when you're ready to adopt the changes below.

💥 What changed & how to migrate

1. ApiResponse<T>.Error is now ApiExceptionBase? (was ApiException?) (#​2052)
A new abstract base ApiExceptionBase now sits under both ApiException and the new ApiRequestException. ApiExceptionBase does not expose Content / HasContent — those still live on ApiException.

// before
string? body = response.Error?.Content;

// after — narrow to ApiException first
if (response.Error is ApiException apiEx)
{
    string? body = apiEx.Content;   // Content/HasContent are on ApiException
}

2. New ApiRequestException wraps transport/connection failures (#​2052)
Exceptions thrown by HttpClient.SendAsync before a response arrives — HttpRequestException (DNS/host unreachable), TaskCanceledException (timeouts), etc. — are now wrapped in ApiRequestException : ApiExceptionBase, carrying the full request context. For ApiResponse<T> return types these are now surfaced via .Error instead of only being thrown, so you no longer need a separate try/catch and IsSuccessful check.

// catching transport errors: catch the base (or ApiRequestException) now
catch (ApiExceptionBase ex) { /* covers ApiException + ApiRequestException */ }

3. ApiResponse<T>.StatusCode is now nullable (HttpStatusCode?) (#​2052)
When the request never reached the server there is no status code. Code that assumed a non‑null value must handle null:

int code = (int)response.StatusCode;          // ❌ won't compile / may throw
int? code = (int?)response.StatusCode;         // ✅ handle the no-response case

4. Stricter interface validation + enum name handling (#​2068)
Synchronous return types are now only permitted for generated/non‑public interface members (RestMethodInfo enforces the rule), and the System.Text.Json enum converter now maps serialized names both ways (including JsonStringEnumMemberName on .NET 9+). Interfaces that previously relied on unsupported sync members may now fail generation.


🗞️ What's Changed

✨ Features & Enhancements

  • Create ApiRequestException for wrapping SendAsync exceptions (new error model) by @​PressXtoChris in #​2052
  • Support sync interface members & enum names by @​ChrisPulman in #​2068
  • Add AddRefitClient overloads and tests by @​ChrisPulman in #​2084

... (truncated)

10.2.0

NOTE

This is a re-release of v10.1.6 which had a certificate revoked.

🗞️ What's Changed

🐛 Fixes

  • reactiveui/refit@​cfe6862f468ce793fd5d5557ff47554de800a198 Fixes examples, issues 2058, 1761, 1889, and 2056 (#​2061) @​ChrisPulman
  • reactiveui/refit@​71e7a32b8c0fd428ae29949b45bf13f4d17bc2b7 Fix is packable (#​2063) @​ChrisPulman

🧹 General Changes

  • reactiveui/refit@​c945712afe664c07babcb1193e9f68ec20e48eb4 Update AoT, Add Roslyn 5.0, Update serialisation (#​2062) @​ChrisPulman

📦 Dependencies

  • reactiveui/refit@​d3b9f6eb2242728b1577489781d9b1ac9e41ceaf chore(deps): update .net test stack (#​2054) @​ChrisPulman @​renovate[bot]
  • reactiveui/refit@​804eb41f61b200c02765c7a0b63f4ddfe9164528 chore(deps): update .net test stack to v8 (#​2057) @​renovate[bot]

📌 Other

  • reactiveui/refit@​14811e0b27178a9b3da3b5d4bdda1e9cd8ea33fd Enhance release workflow with new jobs and permissions @​ChrisPulman
  • reactiveui/refit@​49858e348e9444b82735068c15919c3f31942bf4 Bump version from 10.0 to 10.1 @​ChrisPulman
  • reactiveui/refit@​2f43b67c0a78b76c048931dede5f671625b807a0 Remove productNamespacePrefix from release workflow @​ChrisPulman

🔗 Full Changelog: reactiveui/refit@10.0.1...10.1.6

🙌 Contributions

💖 Thanks to all the contributors: @​ChrisPulman

🤖 Automated services that contributed: @​renovate[bot]

Commits viewable in compare view.

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

---
updated-dependencies:
- dependency-name: Refit
  dependency-version: 13.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added .NET Pull requests that update .net code dependencies Pull requests that update a dependency file labels Jul 1, 2026
Copilot AI review requested due to automatic review settings July 1, 2026 09:20
@dependabot dependabot Bot requested a review from a team as a code owner July 1, 2026 09:20
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file .NET Pull requests that update .net code labels Jul 1, 2026

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot can't review bot-authored pull requests automatically. A user with Copilot access can request a review manually.

@codecov

codecov Bot commented Jul 1, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 99.33%. Comparing base (55eb924) to head (1ad3443).

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #1139   +/-   ##
=======================================
  Coverage   99.33%   99.33%           
=======================================
  Files          15       15           
  Lines         896      896           
  Branches      205      205           
=======================================
  Hits          890      890           
  Misses          4        4           
  Partials        2        2           
Flag Coverage Δ
linux 99.33% <ø> (ø)
macos 99.33% <ø> (ø)
windows 99.33% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file .NET Pull requests that update .net code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant