fix: use 0.0.0-scrubbed sentinel version in snapshot scrubber to avoid false Dependabot alerts

[thomhurst]

Summary

• The template snapshot test scrubber was replacing package versions with 1.0.0, which triggered Dependabot security alerts (CVE-2024-32028) for OpenTelemetry.Instrumentation.Http and OpenTelemetry.Instrumentation.AspNetCore — even though the actual template uses patched 1.15.x versions
• Changed the scrubbed version to 0.0.0-scrubbed — a pre-release label that is structurally below all real releases, so Dependabot will never match it against any CVE
• Updated all 13 verified snapshot files to match

Test plan

• All 8 template instantiation tests pass

[claude]

Review: fix: scrub snapshot versions to 99.99.99 to avoid false Dependabot alerts

The change is pragmatic and solves the immediate problem cleanly. Here are my observations:

What this PR does well

The root cause is correctly identified: the snapshot scrubber was emitting 1.0.0, which happens to be a real (vulnerable) version of some OpenTelemetry packages, causing Dependabot to raise false CVE alerts against snapshot files that are never actually restored or executed. The fix is minimal and surgical — one line changed in the scrubbing logic, and all 13 affected verified snapshots updated consistently.

Design considerations worth discussing

1. Why 99.99.99 rather than a clearly-invalid sentinel?

99.99.99 is a valid SemVer string. While it is currently above any published vulnerable version, that is an accidental property — not an invariant the code enforces. If any package were ever published at 99.99.99 (or if Dependabot lowers its threshold logic), the same false-alert problem could resurface.

A more robust sentinel would be one that is structurally outside the NuGet version space Dependabot actually scans, or that is obviously non-real. Some options:

• 0.0.0-scrubbed — a pre-release label makes clear this is intentionally synthetic, is still valid SemVer, and is below every published release, so Dependabot would have nothing to match against.
• SCRUBBED — NuGet tolerates non-standard version strings in <PackageReference> for snapshot/template files; this makes the intent unmistakable in the file itself.

The advantage of 0.0.0-scrubbed specifically is that it also doubles as documentation: anyone reading the snapshot file immediately understands the version field is not meaningful.

2. Constant extraction

The magic string "99.99.99" appears only once in TemplateTestBase.cs, but extracting it to a private const string ScrubbedVersion = "99.99.99" (or similar) would make the intent explicit and make future changes (e.g., if the sentinel ever needs updating again) a one-line edit with no snapshot churn.

private const string ScrubbedVersion = "99.99.99"; // Sentinel: avoids Dependabot false alerts

private static void ScrubVersions(StringBuilder sb)
{
    var original = sb.ToString();
    var matches = VersionRegex().Matches(original);

    foreach (var match in matches.Where(m => m.Success))
    {
        var line = match.Groups[0].Value.Replace(match.Groups[1].Value, ScrubbedVersion);
        sb.Replace(match.Value, line);
    }
}

3. Scrubber applies to <Sdk Name="..." Version="..."> too

Looking at the diff, Aspire.AppHost.Sdk (an <Sdk> element, not a <PackageReference>) is also scrubbed. The regex Version="([^"]*)" is intentionally broad enough to catch both cases, which is fine — but worth making explicit in a comment, since SDK version attributes are a less obvious target.

Summary

The fix is correct and the PR is good to merge as-is. The suggestions above are minor quality improvements rather than blockers:

Suggestion	Severity
Prefer 0.0.0-scrubbed or similar structurally-invalid sentinel over 99.99.99	Low / Nice-to-have
Extract magic string to a named constant	Low / Nice-to-have
Add a comment noting the scrubber also targets <Sdk> attributes	Informational

None of these are required before merging, but the constant extraction in particular would make the code more maintainable if the sentinel ever needs updating again.

[codacy-production]

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

_{TIP This summary will be updated as you push new changes. Give us feedback}

[claude]

Follow-up review

The PR has been updated since the previous review — the sentinel has been changed from 99.99.99 to 0.0.0-scrubbed, directly addressing the earlier recommendation.

Previous feedback addressed

Suggestion	Status
Prefer a structurally-invalid / self-documenting sentinel over 99.99.99	✅ Addressed — 0.0.0-scrubbed is now used
Constant extraction	Not done (still a single inline string) — acceptable given it only appears once

Assessment of current state

The choice of 0.0.0-scrubbed is well-reasoned:

• It is below every published package release, so Dependabot has nothing real to match against.
• The -scrubbed pre-release label makes the intent self-documenting in the snapshot files themselves.
• All 13 snapshot files are consistently updated to match.

The scrubber logic in TemplateTestBase.cs:44 is clean and there are no other concerns. This is ready to merge.

[claude]

Follow-up review (3rd pass)

All previously raised feedback has now been fully addressed. This is a clean, well-executed fix.

All previous feedback addressed

Suggestion	Status
Prefer 0.0.0-scrubbed over 99.99.99 as sentinel	✅ Done
Extract sentinel to a named constant	✅ Done — private const string ScrubbedVersion = "0.0.0-scrubbed"

Additional improvement in this revision

The scrubber loop was also tidied up:

• matches.Where(m => m.Success) → VersionRegex().Matches(original).Cast<Match>()
  The .Where(m => m.Success) guard was redundant: Regex.Matches only ever returns successful Match objects. Removing it (and the intermediate variable) is a small but correct simplification.

• match.Groups[0].Value → match.Value
  These are equivalent (Groups[0] is always the full match), but match.Value is the idiomatic spelling and reads more clearly.

Overall assessment

The fix is correct and the implementation is clean. The sentinel 0.0.0-scrubbed is structurally below all published releases (so Dependabot has nothing real to match against), self-documenting in the snapshot files, and now backed by a named constant that makes future changes trivial. No concerns — ready to merge.