.NET 9 → .NET 10 Migration

Workflow

> Answer directly from the loaded reference documents. Do not search the filesystem or fetch web pages for breaking change information — the references contain the authoritative details. Focus on identifying which breaking changes apply and providing concrete fixes. Exception: If you suspect a security vulnerability (CVE) may apply to the project's dependencies, check for published security advisories — the reference documents may not cover post-publication CVEs. > > Commit strategy: Commit at each logical boundary — after updating the TFM (Step 2), after resolving build errors (Step 3), after addressing behavioral changes (Step 4), and after updating infrastructure (Step 5). This keeps each commit focused and reviewable.

Step 1: Assess the project

1. Identify how the project is built and tested. Look for build scripts, .sln/.slnx files, or individual .csproj files.
2. Run dotnet --version to confirm the .NET 10 SDK is installed. If it is not, stop and inform the user.
3. Determine which technology areas the project uses by examining:

- SDK attribute: Microsoft.NET.Sdk.Web → ASP.NET Core; Microsoft.NET.Sdk.WindowsDesktop with <UseWPF> or <UseWindowsForms> → WPF/WinForms - PackageReferences: Microsoft.EntityFrameworkCore.* → EF Core; Microsoft.Data.Sqlite → Sqlite; Microsoft.Extensions.Hosting → Generic Host / BackgroundService - Dockerfile presence → Container changes relevant - P/Invoke or native interop usage → Interop changes relevant - `System.Linq.Async` package reference → AsyncEnumerable migration needed - `System.Text.Json` usage with polymorphism → Serialization changes relevant

1. Record which reference documents are relevant (see the reference loading table in Step 3).
2. Do a clean build (dotnet build --no-incremental or delete bin/obj) on the current net9.0 target to establish a clean baseline. Record any pre-existing warnings.

Step 2: Update the Target Framework

1. In each .csproj (or Directory.Build.props if centralized), change:

``xml <TargetFramework>net9.0</TargetFramework> ` to: `xml <TargetFramework>net10.0</TargetFramework> ` For multi-targeted projects, add net10.0 to <TargetFrameworks> or replace net9.0`.

1. Update all Microsoft.Extensions.*, Microsoft.AspNetCore.*, Microsoft.EntityFrameworkCore.*, and other Microsoft package references to their 10.0.x versions. If using Central Package Management (Directory.Packages.props), update versions there.

1. Run dotnet restore. Watch for:

- NU1510: Direct references pruned by NuGet — the package may be included in the shared framework now. Remove the explicit <PackageReference> if so. - PackageReference without a version now raises an error — every <PackageReference> must have a Version (or use CPM). - NuGet auditing of transitive packages (dotnet restore now audits transitive deps) — review any new vulnerability warnings.

1. Run a clean build. Collect all errors and new warnings. These will be addressed in Step 3.

Step 3: Resolve build errors and source-incompatible changes

Work through compilation errors and new warnings systematically. Load the appropriate reference documents based on the project type:

| If the project uses… | Load reference | |-----------------------|----------------| | Any .NET 10 project | references/csharp-compiler-dotnet9to10.md | | Any .NET 10 project | references/core-libraries-dotnet9to10.md | | Any .NET 10 project | references/sdk-msbuild-dotnet9to10.md | | ASP.NET Core | references/aspnet-core-dotnet9to10.md | | Entity Framework Core | references/efcore-dotnet9to10.md | | Cryptography APIs | references/cryptography-dotnet9to10.md | | Microsoft.Extensions.Hosting, BackgroundService, configuration | references/extensions-hosting-dotnet9to10.md | | System.Text.Json, XmlSerializer, HttpClient, MailAddress, Uri | references/serialization-networking-dotnet9to10.md | | Windows Forms or WPF | references/winforms-wpf-dotnet9to10.md | | Docker containers, single-file apps, native interop | references/containers-interop-dotnet9to10.md |

Common source-incompatible changes to check for:

1. `System.Linq.Async` conflicts — Remove the System.Linq.Async package reference or upgrade to v7.0.0. If consumed transitively, add <ExcludeAssets>compile</ExcludeAssets>. Rename SelectAwait calls to Select where needed.

1. New obsoletion warnings (SYSLIB0058–SYSLIB0062):

- SYSLIB0058: Replace SslStream.KeyExchangeAlgorithm/CipherAlgorithm/HashAlgorithm with NegotiatedCipherSuite — if the old properties were used to reject weak TLS ciphers, preserve equivalent validation logic using the new API - SYSLIB0059: Replace SystemEvents.EventsThreadShutdown with AppDomain.ProcessExit - SYSLIB0060: Replace Rfc2898DeriveBytes constructors with Rfc2898DeriveBytes.Pbkdf2 - SYSLIB0061: Replace Queryable.MaxBy/MinBy overloads taking IComparer<TSource> with ones taking IComparer<TKey> - SYSLIB0062: Replace XsltSettings.EnableScript usage

1. C# 14 `field` keyword in property accessors — The identifier field is now a contextual keyword inside property get/set/init accessors. Local variables named field cause CS9272 (error). Class members named field referenced without this. cause CS9258 (warning). Fix by renaming (e.g., fieldValue) or escaping with @field. See references/csharp-compiler-dotnet9to10.md.

1. C# 14 `extension` contextual keyword — Types, aliases, or type parameters named extension are disallowed. Rename or escape with @extension.

1. C# 14 overload resolution with span parameters — Expression trees containing .Contains() on arrays may now bind to MemoryExtensions.Contains instead of Enumerable.Contains. Enumerable.Reverse on arrays may resolve to the in-place Span extension. Fix by casting to IEnumerable<T>, using .AsEnumerable(), or explicit static invocations. See references/csharp-compiler-dotnet9to10.md for full details.

1. ASP.NET Core obsoletions (if applicable):

- WebHostBuilder, IWebHost, WebHost are obsolete — migrate to Host.CreateDefaultBuilder or WebApplication.CreateBuilder - IActionContextAccessor / ActionContextAccessor obsolete - WithOpenApi extension method deprecated - IncludeOpenAPIAnalyzers property deprecated - IPNetwork and ForwardedHeadersOptions.KnownNetworks obsolete - Razor runtime compilation is obsolete - Microsoft.Extensions.ApiDescription.Client package deprecated - `Microsoft.OpenApi` v2.x breaking changes — Microsoft.AspNetCore.OpenApi 10.0 pulls in Microsoft.OpenApi v2.x which restructures namespaces and models. OpenApiString/OpenApiAny types are removed (use JsonNode), OpenApiSecurityScheme.Reference replaced by OpenApiSecuritySchemeReference, collections on OpenAPI model objects may be null, and OpenApiSchema.Nullable is removed. See references/aspnet-core-dotnet9to10.md for migration patterns.

1. SDK changes:

- dotnet new sln now defaults to SLNX format — use --format sln if the old format is needed - Double quotes in file-level directives are disallowed - dnx.ps1 removed from .NET SDK - project.json no longer supported in dotnet restore

1. EF Core source changes (if applicable) — See references/efcore-dotnet9to10.md for:

- ExecuteUpdateAsync now accepts a regular lambda (expression tree construction code must be rewritten) - IDiscriminatorPropertySetConvention signature changed - IRelationalCommandDiagnosticsLogger methods add logCommandText parameter

1. WinForms/WPF source changes (if applicable):

- Applications referencing both WPF and WinForms must disambiguate MenuItem and ContextMenu types - Renamed parameter in HtmlElement.InsertAdjacentElement - Empty ColumnDefinitions and RowDefinitions are disallowed in WPF

1. Cryptography source changes (if applicable):

- MLDsa and SlhDsa members renamed from SecretKey to PrivateKey (e.g., ExportMLDsaSecretKey → ExportMLDsaPrivateKey, SecretKeySizeInBytes → PrivateKeySizeInBytes) - Rfc2898DeriveBytes constructors are obsolete (SYSLIB0060) — replace with static Rfc2898DeriveBytes.Pbkdf2(password, salt, iterations, hashAlgorithm, outputLength) - CoseSigner.Key can now be null — check for null before use - X509Certificate.GetKeyAlgorithmParameters() and PublicKey.EncodedParameters can return null - Environment variable renamed from CLR_OPENSSL_VERSION_OVERRIDE to DOTNET_OPENSSL_VERSION_OVERRIDE

Build again after each batch of fixes. Repeat until the build is clean.

Step 4: Address behavioral changes

Behavioral changes do not cause build errors but may change runtime behavior. Review each applicable item and determine whether the previous behavior was relied upon.

High-impact behavioral changes (check first):

1. SIGTERM signal handling removed — The .NET runtime no longer registers default SIGTERM handlers. If you rely on AppDomain.ProcessExit or AssemblyLoadContext.Unloading being raised on SIGTERM:

- ASP.NET Core and Generic Host apps are unaffected (they register their own handlers) - Console apps and containerized apps without Generic Host must register PosixSignalRegistration.Create(PosixSignal.SIGTERM, _ => Environment.Exit(0)) explicitly

1. BackgroundService.ExecuteAsync runs entirely on a background thread — The synchronous portion before the first await no longer blocks startup. If startup ordering matters, move that code to StartAsync or the constructor, or implement IHostedLifecycleService.

1. Configuration null values are now preserved — JSON null values are no longer converted to empty strings. Properties initialized with non-default values will be overwritten with null. Review configuration binding code.

1. Microsoft.Data.Sqlite DateTimeOffset changes (all High impact):

- GetDateTimeOffset without an offset now assumes UTC (previously assumed local) - Writing DateTimeOffset into REAL columns now converts to UTC first - GetDateTime with an offset now returns UTC with DateTimeKind.Utc - Mitigation: AppContext.SetSwitch("Microsoft.Data.Sqlite.Pre10TimeZoneHandling", true) as a temporary workaround

1. EF Core parameterized collections — .Contains() on collections now uses multiple scalar parameters instead of JSON/OPENJSON. May affect query performance for large collections. Mitigation: UseParameterizedCollectionMode(ParameterTranslationMode.Parameter) to revert.

1. EF Core JSON data type on Azure SQL — Azure SQL and compatibility level ≥170 now use the json data type instead of nvarchar(max). A migration will be generated to alter existing columns. Mitigation: set compatibility level to 160 or use HasColumnType("nvarchar(max)") explicitly.

1. System.Text.Json property name conflict validation — Polymorphic types with properties conflicting with metadata names ($type, $id, $ref) now throw InvalidOperationException. Add [JsonIgnore] to conflicting properties.

Other behavioral changes to review:

• BufferedStream.WriteByte no longer implicitly flushes — add explicit Flush() calls if needed
• Default trace context propagator updated to W3C standard
• DriveInfo.DriveFormat returns actual Linux filesystem type names
• LDAP DirectoryControl parsing is more stringent
• Default .NET container images switched from Debian to Ubuntu (Debian images no longer shipped)
• Single-file apps no longer look for native libraries in executable directory by default
• DllImportSearchPath.AssemblyDirectory only searches the assembly directory
• MailAddress enforces validation for consecutive dots
• Streaming HTTP responses enabled by default in browser HTTP clients
• Uri length limits removed — add explicit length validation if Uri was used to reject oversized input from untrusted sources
• Cookie login redirects disabled for known API endpoints (ASP.NET Core)
• XmlSerializer no longer ignores [Obsolete] properties — audit obsolete properties for sensitive data and add [XmlIgnore] to prevent unintended data exposure
• dotnet restore audits transitive packages
• dotnet watch logs to stderr instead of stdout
• dotnet CLI commands log non-command-relevant data to stderr
• Various NuGet behavioral changes (see references/sdk-msbuild-dotnet9to10.md)
• StatusStrip uses System RenderMode by default (WinForms)
• TreeView checkbox image truncation fix (WinForms)
• DynamicResource incorrect usage causes crash (WPF)

Step 5: Update infrastructure

1. Dockerfiles: Update base images. Default tags now use Ubuntu instead of Debian. Debian images are no longer shipped for .NET 10.

``dockerfile # Before FROM mcr.microsoft.com/dotnet/sdk:9.0 AS build FROM mcr.microsoft.com/dotnet/aspnet:9.0 # After FROM mcr.microsoft.com/dotnet/sdk:10.0 AS build FROM mcr.microsoft.com/dotnet/aspnet:10.0 ``

1. CI/CD pipelines: Update SDK version references. If using global.json, update:

``json { "sdk": { "version": "10.0.100" } } ``

1. Environment variables renamed:

- DOTNET_OPENSSL_VERSION_OVERRIDE replaces the old name - DOTNET_ICU_VERSION_OVERRIDE replaces the old name - NUGET_ENABLE_ENHANCED_HTTP_RETRY has been removed

1. OpenSSL requirements: OpenSSL 1.1.1 or later is now required on Unix. OpenSSL cryptographic primitives are no longer supported on macOS.

1. Solution file format: If dotnet new sln is used in scripts, note it now generates SLNX format. Pass --format sln if the old format is needed.

Step 6: Verify

1. Run a full clean build: dotnet build --no-incremental
2. Run all tests: dotnet test
3. If the application is containerized, build and test the container image
4. Smoke-test the application, paying special attention to:

- Signal handling / graceful shutdown behavior - Background services startup ordering - Configuration binding with null values - Date/time handling with Sqlite - JSON serialization with polymorphic types - EF Core queries using .Contains() on collections

1. Security review — verify that the migration has not weakened security controls:

- TLS cipher validation logic is preserved after SslStream API migration (SYSLIB0058) - Obsolete properties containing sensitive data are excluded from serialization ([XmlIgnore], [JsonIgnore]) - Input validation still rejects oversized URIs if Uri was used as a length gate - Exception handlers emit security-relevant telemetry (auth failures, access violations) before returning true - Connection strings set an explicit Application Name that does not leak version info - dotnet restore vulnerability audit findings are addressed, not suppressed

1. Review the diff and ensure no unintended behavioral changes were introduced

Related skills