Merge branch 'master' into dependabot/github_actions/actions/checkout-6

Author: nanotaboada

.github/copilot-instructions.md

@@ -118,4 +118,5 @@ Example: `feat(api): add player search endpoint (#123)`
 feat(scope): description (#issue)
 
 Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
+Co-authored-by: Claude <noreply@anthropic.com>
 ```

.github/dependabot.yml

@@ -9,10 +9,6 @@ updates:
     commit-message:
       include: scope
       prefix: "chore(deps): "
-    # Pin AutoMapper to 14.x line to avoid commercial v15.x upgrades
-    ignore:
-      - dependency-name: "AutoMapper"
-        update-types: ["version-update:semver-major"]
     groups:
       serilog:
         patterns:
@@ -34,10 +30,6 @@ updates:
     commit-message:
       include: scope
       prefix: "chore(deps): "
-    # Pin AutoMapper to 14.x line to avoid commercial v15.x upgrades
-    ignore:
-      - dependency-name: "AutoMapper"
-        update-types: ["version-update:semver-major"]
     groups:
       xunit:
         patterns:

.github/workflows/dotnet-cd.yml

@@ -136,7 +136,7 @@ jobs:
           } >> $GITHUB_OUTPUT
 
       - name: Create GitHub Release
-        uses: softprops/action-gh-release@v2.5.0
+        uses: softprops/action-gh-release@v2.6.0
         with:
           name: "v${{ steps.version.outputs.semver }} - ${{ steps.version.outputs.stadium }} 🏟️"
           tag_name: ${{ steps.version.outputs.tag_name }}

CHANGELOG.md

@@ -46,6 +46,7 @@ This project uses famous football stadiums (A-Z) that hosted FIFA World Cup matc
 
 ### Changed
 
+- Upgrade AutoMapper from 14.x to 16.1.1 to resolve high-severity security vulnerability GHSA-rvv3-g6hj-g44x (#414)
 - Rename test methods to follow Microsoft .NET naming standard (#396)
 
 ### Deprecated

README.md

@@ -44,7 +44,7 @@ Proof of Concept for a RESTful API built with .NET 10 (LTS) and ASP.NET Core. Ma
 ## Tech Stack
 
 | Category | Technology |
-|----------|------------|
+| -------- | ---------- |
 | **Framework** | [.NET 10](https://github.com/dotnet/core) (LTS) |
 | **Web Framework** | [ASP.NET Core 10.0](https://github.com/dotnet/aspnetcore) |
 | **API Documentation** | [Swashbuckle](https://github.com/domaindrivendev/Swashbuckle.AspNetCore) (OpenAPI 3.0) |
@@ -95,7 +95,7 @@ test/Dotnet.Samples.AspNetCore.WebApi.Tests/
 
 ## Architecture
 
-Dependencies flow from data layer through repositories and services to controllers. External dependencies (AutoMapper, FluentValidation, Serilog, Swashbuckle) integrate at their respective layers.
+Layered architecture with dependency injection via constructors and interface-based contracts.
 
 ```mermaid
 
@@ -112,11 +112,19 @@ Dependencies flow from data layer through repositories and services to controlle
 
 graph RL
 
-    Models[Models]
+    Tests[Tests]
 
-    subgraph Layer4[" "]
-        Data[Data]
-        Repositories[Repositories]
+    subgraph Layer1[" "]
+        Program[Program]
+        Serilog[Serilog]
+        Swashbuckle[Swashbuckle]
+    end
+
+    subgraph Layer2[" "]
+        Controllers[Controllers]
+        Validators[Validators]
+        FluentValidation[FluentValidation]
+        AspNetCore[ASP.NET Core]
     end
 
     subgraph Layer3[" "]
@@ -126,44 +134,43 @@ graph RL
         MemoryCache[MemoryCache]
     end
 
-    subgraph Layer2[" "]
-        Controllers[Controllers]
-        Validators[Validators]
-        FluentValidation[FluentValidation]
-        Swashbuckle[Swashbuckle]
+    subgraph Layer4[" "]
+        Repositories[Repositories]
+        Data[Data]
+        EFCore[EF Core]
     end
 
-    subgraph Layer1[" "]
-        Program[Program]
-        Configurations[Configurations]
-        Serilog[Serilog]
-    end
+    Models[Models]
 
-    Tests[Tests]
+    %% Strong dependencies
 
-    %% Application flow
-    Data --> Models
-    Models --> Repositories
-    Repositories --> Services
-    Services --> Controllers
+    %% Layer 1
     Controllers --> Program
+    Serilog --> Program
+    Swashbuckle --> Program
 
-    %% Layer connections
-    Models --> Mappings
+    %% Layer 2
+    Services --> Controllers
     Validators --> Controllers
-    Mappings --> Services
-
-    %% External Dependencies connections
-    AutoMapper --> Mappings
     FluentValidation --> Validators
-    Serilog --> Program
-    Swashbuckle --> Controllers
+    AspNetCore --> Controllers
 
-    %% Supporting Features connections
-    Configurations --> Program
+    %% Layer 3
+    Repositories --> Services
     MemoryCache --> Services
+    Mappings --> Services
+    AutoMapper --> Mappings
+    Models --> Mappings
+
+    %% Layer 4
+    Models --> Repositories
+    Models --> Data
+    Data --> Repositories
+    EFCore --> Data
+    EFCore -.-> Repositories
+
+    %% Soft dependencies
 
-    %% Tests connections
     Services -.-> Tests
     Controllers -.-> Tests
 
@@ -176,10 +183,30 @@ graph RL
     class Data,Models,Repositories,Services,Controllers,Program,Validators,Mappings core;
     class AutoMapper,FluentValidation,Serilog,Swashbuckle deps;
     class Tests test;
-    class Configurations,MemoryCache feat;
+    class AspNetCore,EFCore,MemoryCache feat;
 ```
 
-*Layered architecture: Core application flow (blue), supporting features (yellow), external dependencies (red), and test coverage (green). Not all dependencies are shown.*
+### Arrow Semantics
+
+Arrows point from a dependency toward its consumer. Solid arrows (`-->`) denote **strong (functional) dependencies**: the consumer actively invokes behavior — registering types with the IoC container, executing queries, applying mappings, or handling HTTP requests. Dotted arrows (`-.->`) denote **soft (structural) dependencies**: the consumer only references types or interfaces without invoking runtime behavior. This distinction follows UML's `«use»` dependency notation and classical coupling theory (Myers, 1978): strong arrows approximate *control or stamp coupling*, while soft arrows approximate *data coupling*, where only shared data structures cross the boundary.
+
+### Composition Root Pattern
+
+The `Program` module acts as the composition root — it is the sole site where dependencies are registered with the IoC container, wired via interfaces, and resolved at runtime by the ASP.NET Core host. Rather than explicit object construction, .NET relies on built-in dependency injection: `Program` registers services, repositories, DbContext, mappers, validators, and middleware, and the framework instantiates them on demand. This pattern enables dependency injection, improves testability, and ensures no other module bears responsibility for type registration or lifecycle management.
+
+### Layered Architecture
+
+The codebase is organized into four conceptual layers: Initialization (`Program`), HTTP (`Controllers`, `Validators`), Business (`Services`, `Mappings`), and Data (`Repositories`, `Data`).
+
+Framework packages and third-party dependencies are co-resident within the layer that consumes them: `Serilog` and `Swashbuckle` inside Initialization, `ASP.NET Core` and `FluentValidation` inside HTTP, `AutoMapper` inside Business, and `EF Core` inside Data. `ASP.NET Core`, `EF Core`, and `MemoryCache` are Microsoft platform packages (yellow); `AutoMapper`, `FluentValidation`, `Serilog`, and `Swashbuckle` are third-party packages (red).
+
+The `Models` package is a **cross-cutting type concern** — it defines shared entities and DTOs consumed across multiple layers via strong dependencies, without containing logic or behavior of its own. Dependencies always flow from consumers toward their lower-level types: each layer depends on (consumes) the layers below it, and no layer invokes behavior in a layer above it.
+
+### Color Coding
+
+Core packages (blue) implement the application logic, supporting features (yellow) are Microsoft platform packages, third-party dependencies (red) are community packages, and tests (green) ensure code quality.
+
+*Simplified, conceptual view — not all components or dependencies are shown.*
 
 ## API Reference
 
@@ -387,7 +414,7 @@ STORAGE_PATH=/storage/players-sqlite3.db
 ## Command Summary
 
 | Command | Description |
-|---------|-------------|
+| ------- | ----------- |
 | `dotnet watch run --project src/...` | Start development server with hot reload |
 | `dotnet build` | Build the solution |
 | `dotnet test` | Run all tests |

src/Dotnet.Samples.AspNetCore.WebApi/Dotnet.Samples.AspNetCore.WebApi.csproj

@@ -15,7 +15,7 @@
   <ItemGroup Label="Runtime dependencies">
     <PackageReference Include="Microsoft.AspNetCore.OpenApi" Version="10.0.5" />
     <PackageReference Include="Microsoft.EntityFrameworkCore.Sqlite" Version="10.0.5" />
-    <PackageReference Include="AutoMapper" Version="[14.0.0,15.0.0)" />
+    <PackageReference Include="AutoMapper" Version="[16.1.1,17.0.0)" />
     <PackageReference Include="FluentValidation" Version="12.1.1" />
     <PackageReference Include="FluentValidation.DependencyInjectionExtensions" Version="12.1.1" />
     <PackageReference Include="Serilog.AspNetCore" Version="10.0.0" />

src/Dotnet.Samples.AspNetCore.WebApi/Extensions/ServiceCollectionExtensions.cs

@@ -138,7 +138,7 @@ public static IServiceCollection RegisterPlayerService(this IServiceCollection s
     /// <returns>The IServiceCollection for method chaining.</returns>
     public static IServiceCollection AddMappings(this IServiceCollection services)
     {
-        services.AddAutoMapper(typeof(PlayerMappingProfile));
+        services.AddAutoMapper(config => config.AddProfile<PlayerMappingProfile>());
         return services;
     }
 

src/Dotnet.Samples.AspNetCore.WebApi/packages.lock.json

@@ -4,9 +4,12 @@
     "net10.0": {
       "AutoMapper": {
         "type": "Direct",
-        "requested": "[14.0.0, 15.0.0)",
-        "resolved": "14.0.0",
-        "contentHash": "OC+1neAPM4oCCqQj3g2GJ2shziNNhOkxmNB9cVS8jtx4JbgmRzLcUOxB9Tsz6cVPHugdkHgCaCrTjjSI0Z5sCQ=="
+        "requested": "[16.1.1, 17.0.0)",
+        "resolved": "16.1.1",
+        "contentHash": "VNEky8JA15ci+oIDRGHITOGOpV4dILsf8pnn24QhDl2urtqgJ2IXiS/V2EtGU17P/+f6OeFQPJETaZXV9QOIZg==",
+        "dependencies": {
+          "Microsoft.IdentityModel.JsonWebTokens": "8.14.0"
+        }
       },
       "FluentValidation": {
         "type": "Direct",
@@ -815,6 +818,35 @@
         "resolved": "10.0.5",
         "contentHash": "xA4kkL+QS6KCAOKz/O0oquHs44Ob8J7zpBCNt3wjkBWDg5aCqfwG8rWWLsg5V86AM0sB849g9JjPjIdksTCIKg=="
       },
+      "Microsoft.IdentityModel.Abstractions": {
+        "type": "Transitive",
+        "resolved": "8.14.0",
+        "contentHash": "iwbCpSjD3ehfTwBhtSNEtKPK0ICun6ov7Ibx6ISNA9bfwIyzI2Siwyi9eJFCJBwxowK9xcA1mj+jBWiigeqgcQ=="
+      },
+      "Microsoft.IdentityModel.JsonWebTokens": {
+        "type": "Transitive",
+        "resolved": "8.14.0",
+        "contentHash": "4jOpiA4THdtpLyMdAb24dtj7+6GmvhOhxf5XHLYWmPKF8ApEnApal1UnJsKO4HxUWRXDA6C4WQVfYyqsRhpNpQ==",
+        "dependencies": {
+          "Microsoft.IdentityModel.Tokens": "8.14.0"
+        }
+      },
+      "Microsoft.IdentityModel.Logging": {
+        "type": "Transitive",
+        "resolved": "8.14.0",
+        "contentHash": "eqqnemdW38CKZEHS6diA50BV94QICozDZEvSrsvN3SJXUFwVB9gy+/oz76gldP7nZliA16IglXjXTCTdmU/Ejg==",
+        "dependencies": {
+          "Microsoft.IdentityModel.Abstractions": "8.14.0"
+        }
+      },
+      "Microsoft.IdentityModel.Tokens": {
+        "type": "Transitive",
+        "resolved": "8.14.0",
+        "contentHash": "lKIZiBiGd36k02TCdMHp1KlNWisyIvQxcYJvIkz7P4gSQ9zi8dgh6S5Grj8NNG7HWYIPfQymGyoZ6JB5d1Lo1g==",
+        "dependencies": {
+          "Microsoft.IdentityModel.Logging": "8.14.0"
+        }
+      },
       "Microsoft.NET.StringTools": {
         "type": "Transitive",
         "resolved": "17.11.48",