Skip to content

Bump Microsoft.IdentityModel.Tokens and System.IdentityModel.Tokens.Jwt#44

Closed
dependabot[bot] wants to merge 58 commits into
masterfrom
dependabot/nuget/multi-439a0118a5
Closed

Bump Microsoft.IdentityModel.Tokens and System.IdentityModel.Tokens.Jwt#44
dependabot[bot] wants to merge 58 commits into
masterfrom
dependabot/nuget/multi-439a0118a5

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Apr 27, 2026

Copy link
Copy Markdown
Contributor

Pinned Microsoft.IdentityModel.Tokens at 8.17.0.

Release notes

Sourced from Microsoft.IdentityModel.Tokens's releases.

8.17.0

Dependencies

  • Downgrade MicrosoftExtensionsLoggingAbstractionsVersion to 8.0.0 on .NET 10. See PR #​3435.

8.16.0

New Features

  • Add telemetry around signature validation. See PR #​3415 for details.

Fundamentals

  • Fix FileVersion format to use two-digit year and day of year. See PR #​3389 for details.

8.15.0

New Features

  • Add ECDsa support in X509SecurityKey and JsonWebKeyConverter.ConvertFromX509SecurityKey
    Extended X509SecurityKey and JsonWebKeyConverter.ConvertFromX509SecurityKey to support ECDSA keys.
    See PR #​2377 for details.

Bug Fixes

  • Sanitize logs to avoid leaking sensitive data
    Updated logging to sanitize sensitive values, reducing the risk of inadvertently exposing secrets or PII in logs.
    See PR #​3316 for details.
  • Optimize log sanitization with SearchValues
    Improved the performance of the log sanitization logic introduced earlier by using SearchValues, making sanitization more efficient in high-throughput scenarios.
    See PR #​3341 for details.
  • Update test for IDX10400
    Adjusted the IDX10400 test to align with the current behavior and error messaging.
    See PR #​3314 for details.

Fundamentals

  • Add supported algorithm tests
    Added new tests to validate the set of supported cryptographic algorithms, increasing confidence in algorithm coverage and compatibility.
    See PR #​3296 for details.
  • Migrate repository agent rules from .clinerules to agents.md
    Moved repository agent/AI-assist rules into markdown documentation to make them more visible and easier to maintain.
    See PR #​3313 for details.
  • Migrate Microsoft.IdentityModel.TestExtensions from Newtonsoft.Json to System.Text.Json
    Updated Microsoft.IdentityModel.TestExtensions to use System.Text.Json instead of Newtonsoft.Json, aligning tests with the runtime serialization stack.
    See PR #​3356 for details.
  • Disable code coverage comments
    Turned off automated code coverage comments on PRs to reduce noise while retaining coverage data elsewhere.
    See PR #​3349 for details.
  • Fix CodeQL alerts
    Addressed CodeQL-reported issues to improve security posture and static analysis cleanliness.
    See PR #​3364 for details.

.NET 10 / SDK and tooling updates

  • Building with .NET 10 preview / RC 1
    Updated the repository to build and test against .NET 10.0 preview/RC1, ensuring early compatibility with the upcoming runtime.
    See PRs #​3287, #​3357, and #​3358 for details.
  • Fix .NET 10 test execution consistency
    Ensured consistent use of the TargetNetNext parameter across build, test, and pack phases so .NET 10.0 tests execute reliably.
    See PR #​3337 for details.
  • Update project files and workflows for .NET 10.0 compatibility
    Adjusted project files and CI workflows to correctly target and run on .NET 10.0, including test and pack scenarios.
    See PR #​3363 for details.
  • Update .NET version to meet CG compliance
    Updated the .NET version references to be compliant with corporate governance (CG) requirements.
    See PR #​3353 for details.
  • Update Coverlet collector and test SDK
    • Bumped CoverletCollectorVersion to 6.0.4.
      See PR #​3333 for details.
    • Upgraded Microsoft.NET.Test.Sdk to a newer version for improved test reliability and tooling support.
      ... (truncated)

8.14.0

8.14.0

Bug Fixes

  • Switch back to use ValidationResult instead of OperationResult when validating a token in a new experimental validation flow. Additionally removed the dependency on Microsoft.IdentityModel.Abstractions. See #​3299 for details.

8.13.1

8.13.1

Dependencies

Microsoft.IdentityModel now depends on Microsoft.Identity.Abstractions 9.3.0

Bug Fixes

  • Fixed a decompression failure happening for large JWE payloads. See #​3286 for details.

Work related to redesign of IdentityModel's token validation logic #​2711

  • Update the validation methods to return Microsoft.Identity.Abstractions.OperationResult. See #​3284 for details.

8.13.0

8.13.0

8.13.0

Fundamentals

  • CaseSensitiveClaimsIdentity.SecurityToken setter is now protected internal (was internal). See PR #​3278 for details.
  • Update .NET SDK version to 9.0.108 used when building or running the code. See PR #​3274 for details.
  • Update RsaSecurityKey.cs to replace the Pkcs1 padding by Pss from HasPrivateKey check. See #​3280 for details.

What's Changed

New Contributors

Full Changelog: AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet@8.12.1...8.13.0

8.12.1

8.12.1

Fundamentals

  • Update .NET SDK version to 9.0.107 used when building or running the code. See #​3263 for details.
  • To keep our experimental code separate from production code, all files associated with experimental features have been moved to the Experimental folders. See PR #​3261 for details.
  • Experimental code leaked into TokenValidationResult from early prototypes. See PR #​3259 for details.

What's Changed

Full Changelog: AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet@8.12.0...8.12.1

8.12.0

8.12.0

New Features

  • Enhance ConfigurationManager with event handling
    Added event handling capabilities to the ConfigurationManager, enabling consumers to subscribe to configuration change events. This enhancement improves extensibility and allows more responsive applications. For details see #​3253

Bug Fixes

  • Add expected Base64UrlEncoder.Decode overload for NET6 and 8
    Introduced the expected overload of Base64UrlEncoder.Decode for .NET 6 and 8, ensuring compatibility and preventing missing method issues on these frameworks.
    For details see #​3249

Fundamentals

  • Add AI assist rules
    Incorporated AI assist rules to enhance AI agents effectiveness.
    For details see #​3255
  • Update PublicApiAnalyzers and BannedApiAnalyzers to 4.14.0
    Upgraded analyzer packages for improved diagnostics and code consistency (in particular delegates are added).
    For details see #​3256
  • Move suppression of RS006 to csproj
    Centralized suppression of RS006 warnings in project files for easier management.
    For details see #​3230

What's Changed

Full Changelog: AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet@8.11.0...8.12.0

8.11.0

8.11.0

New Features:

  • Microsoft.IdentityModel now exposes the AadIssuerValidator factory method publicly to enable caching functionality for AadIssuerValidator instances. See issue #​3245 for details.
  • Added a new public async API: JsonWebTokenHandler.DecryptTokenWithConfigurationAsync, which decrypts a JWE token using keys from either TokenValidationParameters or, if not present, from configuration (such as via a ConfigurationManager). This enhancement improves developer experience by enabling asynchronous, cancellation-aware JWE decryption scenarios, aligning with modern .NET async patterns and making integration with external key/configuration sources more robust and observable. See PR #​3243 for details.

What's Changed

Full Changelog: AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet@8.10.0...8.11.0

8.10.0

8.10.0

Bug Fixes

  • Corrected casing of the Type attribute in SubjectConfirmationData. See #​3206.
  • Removed Microsoft.Bcl.Memory dependency for pre-.NET 9.0 targets. See #​3220.
  • Aligned Microsoft.Extensions.Logging.Abstractions version to 8.0.0 for .NET 9 to match other targets. See #​3226.

Fundamentals

8.9.0

8.9.0

Bug Fixes

New Features

Fundamentals

8.8.0

8.8.0

New Features

  • Adds the ability for the metadata refresh to be done as a blocking call, as per 8.0.1 behavior. This is done through the Switch.Microsoft.IdentityModel.UpdateConfigAsBlocking switch. If set, configuration calls will be blocking when metadata is updated, otherwise, if token arrive with a new signing keys, validation errors will be returned to the caller. See PR #​3193 for details.
  • Identity.Model updates some log and error messages (IDX10214, IDX10215). If the information is needed for debugging purposes, it can be reverted via the Switch.Microsoft.IdentityModel.DoNotScrubExceptions AppContextSwitch. See PR #​3195 and https://aka.ms/identitymodel/app-context-switches for details.
  • Change all plain object locks to System.Thread.Lock objects for .NET 9 or greater. See PRs #​3185 and #​3189 for details.

8.7.0

Bug Fixes

  • Add back internal methods IsRecoverableException and IsRecoverableExceptionType whose signatures were changed in the previous version. See #​3181.

New Features

  • Make Cnf class public and move it to Microsoft.IdentityModel.Tokens package. See #​3165.

What's Changed

New Contributors

Full Changelog: AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet@8.6.1...8.7.0

8.6.1

8.6.1

Bug fix

  • Microsoft.IdentityModel now triggers a configuration refresh if token decryption fails. See issue #​3148 for details.
  • Fix a bug in JsonWebTokenHandler where JwtTokenDecryptionParameters's Alg and Enc were not set during token decryption, causing IDX10611 and IDX10619 errors to show null values in the messages. See issue #​3003 for details.

Fundamentals

  • For development, IdentityModel now has a global.json file to specify the .NET SDK version. See issue #​2995 for details.

What's Changed

New Contributors

Full Changelog: AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet@8.6.0...8.6.1

8.6.0

8.6.0

New Features

  • TokenValidationParameters has a new boolean property TryAllDecryptionKeys that let you choose whether to try all decrypt keys when no key matches the token decrypt key IDs. By default it's set to true (legacy behavior) but you can set it to false to avoid tyring all keys which is more performant. See #​3128
  • Promote KeyInfo.MatchesKey from internal to protected internal virtual to enable SAML extensibility (for CoreWcf). See #​3140

Fundamentals

  • Update dependency on Microsoft.Extensions.Logging.Abstractions from 9.0.0 to 8.0.2 to avoid package downgrade in apps on .NET 9 using a netstandard2.0 library referencing logging.abstractions. See 3143
  • Add more tests for encrypted tokens. See #​3139

What's Changed

Full Changelog: AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet@8.5.0...8.6.0

8.5.0

8.5.0

Reverting previous breaking change

  • The Configuration Manager has been reverted to version 8.3.1. The changes made in 8.4.0 assume the configuration manager is used as a singleton, which is similar to marking the type as disposable. We have since learned that adding IDisposable is a breaking change, so we are following semver guidance and reverting and releasing a minor version (8.5.0).
  • Cherry-picked Changes: Included changes from PR #​3022 and #​3104.

What's Changed

Full Changelog: AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet@8.4.0...8.5.0

8.4.0

8.4.0

New Features

  • App context switch allows blocking or non-blocking calls for configuration. See PR #​3106 for details and issue #​3082 for details. If you are not using the ConfigurationManager as a singleton and not using the blocking option, you may need to call ShutdownBackgroundTask() to stop the background task to avoid leaking Tasks.
  • IdentityModel now enables symmetric and asymmetric keys to be created publicly with JWK. See #​3094 for details.
  • IdentityModel now allows specifying the HTTP protocol version and version policy. See #​2808 for details.

Repair items

  • Add request count and duration telemetry for configuration requests. See #​3022 for details.
  • KeyID should be present in exception messages and is no longer PII. See #​3104 for details.

Fundamentals

  • Fix spelling issues in xml comments. See #​3117 for details.
  • Fix comment coverage in PR builds. See #​3079 for details.

Work related to redesign of IdentityModel's token validation logic #​2711

8.3.1

8.3.1

Bug Fixes

  • Respect TVP.RequireAudience when set to false. See #​3055
  • For net4.6.2 select RSACng for PSS support. See #​3097
  • Fix package downgrade in consuming libraries. See#​3062
  • Fix integer overflow in AuthenticationEncryptionProvider.cs. See #​3063

Fundamentals

  • Removed unused property on JsonWebToken ClaimsIdentity. See #​3071 for details.
  • Upgrade to C# 13. See #​2998
  • Use new Base64Url API. See #​22817
  • Add warning quality check. See #​3067
  • Update dotnet actions. see #​3074
  • Fix warnings. See #​3081
  • Test updates in JsonWebToken. See #​3080.

Work related to redesign of IdentityModel's token validation logic #​2711

What's Changed

New Contributors

... (truncated)

8.3.0

New features

Work related to redesign of IdentityModel's token validation logic #​2711

Bug fixes

Fundamentals

New Contributors

Full Changelog: AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet@8.2.1...8.3.0

8.2.1

8.2.1

New features

  • Update to use .NET 9 GA. See 2990.

Bug fixes

  • Remove dependency on Microsoft.Bcl.TimeProvider for .NET 8+ targets. See 2935.
  • Update cgmanifest to align with the JSON schema. See 2969.

Fundamentals

  • Streamline token creation in SecurityTokenDescriptor. See 2993.
  • Prevent inlining to guarantee stack frames in test. See 2999.

Work related to redesign of IdentityModel's token validation logic #​2711

  • Simplify stack frame caching. See 2976.
  • Implement reading SAML and SAML2 tokens. See 2980.
  • Implement validating SAML signature. See 2950.
  • Add tests for IssuerExtensibility. See 2987.
  • Add validation for SAML and SAML2 issuer signing key. See 2965.
  • Add validation for SAML and SAML2 algorithm. See 2984.

What's Changed

New Contributors

Full Changelog: AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet@8.2.0...8.2.1

8.2.0

8.2.0

Fundamentals

Work related to redesign of IdentityModel's token validation logic #​2711

  • Validates Audience for SAML2TokenHandler with New Model 2863
  • Improvements to AudienceValidation 2902
  • Added properties to ValidationResult 2923
  • Implements Audience and Lifetime validations in SamlSecurityTokenHandler 2925
  • Implements Issuer validation in SamlSecurityTokenHandler 2948

What's Changed

8.1.2

What's Changed

Bug fixes

Fundamentals

Full Changelog: AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet@8.1.1...8.1.2

8.1.1

8.1.1

Bug fixes

  • Fix bug where ConfigurationManager was updating keys too frequently. See 2866 for details.

What's Changed

Full Changelog: AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet@8.1.0...8.1.1

8.1.0

8.1.0

Performance improvements

  • Improves performance during issuer validation by replacing string comparison with span comparison. See PR #​2826.

New features

  • Add optional check to prevent using keys that are shared across multiple clouds. See issue #​2832 for details.

Bug fixes

  • JsonWebTokenHandler would only return unwrapped keys if there was no errors. This change is to align with the behavior in JwtSecurityTokenHandler, that is it returns the keys that were able to be unwrapped, and only throw if no keys were able to be unwrapped. See issue #​2695 for details.

Fundamentals

  • Fix flaky tests. See #​2793 for details.
  • Update XUnit versoin and fix test warnings due to new XUnit analyzers. See PR #​2796 for details.
  • Onhboard to code coverage in ADO. See PR #​2798.
  • Use IsTargetFrameworkCompatible(*) so AOT is forward-compatible with .NET 9 and beyond. See PR #​2790 for details.
  • Fix a merge conflict impacting dev. See PR #​2819.
  • Defining the following attribute in multiple assemblies (.Tokens, .Logging) causes an internal error.
    [DynamicallyAccessedMembers(DynamicallyAccessedMemberTypes.PublicConstructors)]. See PR #​2820.
  • Remove perl dependency. See PR #​2830.

Work related to redesign of IdentityModel's token validation logic #​2711

What's Changed

8.0.2

8.0.2

Security fundamentals

  • Add BannedApiAnalyzers to prevent use of ClaimsIdentity constructors. See PR #​2778 for details.

Bug fixes

  • IdentityModel now allows the JWT payload to be an empty string. See issue #​2656 for details.
  • Cache UseRfcDefinitionOfEpkAndKid switch. See PR #​2747 for details.
  • Method was named DoNotFailOnMissingTid in 7x and DontFailOnMissingTid in 8x, adding the method for back compat. See issue #​2750 for details.
  • Metadata is now updated on a background thread. See #​2780 for details.
  • JsonWebKeySet stores the original string it was created with. See PR #​2755 for details.
  • Restore AOT compatibility. See #​2711.
  • Fix OpenIdConnect parsing bug. See #​2772 for details.
  • Remove the lock on creating a SignatureProvider. See #​2788 for details.

Fundamentals

  • Test clean up #​2742.
  • Use only FxCop in .NET framework targets #​2693.
  • Add rule to add file headers automatically #​2748.
  • Code analysis updates #​2746.
  • Include README packages in NuGet #​2752.
  • Update projects inside WilsonUnix solution #​2768.
  • Code style enforced in build #​2603.
  • CodeQL update #​2767.
  • Update build pipeline to new one release build format #​2777.
  • Update GitHub actions to 9.0.100-preview.7.24407.12 and add <NoWarn>$(NoWarn);SYSLIB0057</NoWarn> due to breaking changes in preview7. #​2786.

Work relating to #​2711

What's Changed

Description has been truncated

anticow and others added 30 commits March 21, 2026 21:16
- GrpcChannelManager: explicit HTTP/2 handler + AppContext switch for h2c
- AgentGateway Kestrel: split HTTP/2 (9444) and HTTP/1 (9445) endpoints
- Helm chart: add apiPort for agent-gw, broker uses API port for REST
- New AgentAutoRegistrationHostedService in Transport project
- Hostname/ServiceName JsonConverter attributes for proper serialization
- MachineRepository: fix EF Core entity tracking conflict in UpdateAsync
- Docker compose: Kestrel endpoint env vars, split ports
- New Blazor pages: MachineDetail, Admin, Audit, Credentials, Jobs, Patching, Services
- Add global.imagePullSecret config to values.yaml
- Create docker-registry secret template in secrets.yaml
- Add imagePullSecrets to all 5 deployment pod specs
- Add dockerconfigjson helper to _helpers.tpl
- Change agent-gw liveness/readiness probes from gRPC to HTTP (/healthz, /readyz on apiPort)
- Add retry logic to AgentAutoRegistrationHostedService.ExecuteAsync to handle agent-gw startup ordering
…gration, CI/CD fixes

- Rewrite AuditLoggerService with HMAC-SHA256 chain (ChainVersion=1)
  - AuditOptions with HmacKey injection and ValidateOnStart
  - EF migration: AddAuditChainVersion (ChainVersion INT DEFAULT 0)
  - POST /api/audit/verify-chain endpoint
- Rewrite CredentialVaultService: encrypted vault.dat, AES-GCM,
  Argon2id KDF, random salt per password, HMAC password sentinel,
  atomic writes, SemaphoreSlim concurrency
- Add VaultOptions and VaultCrypto EncryptDirect/DecryptDirect
- Pin Tmds.DBus.Protocol to 0.21.3 (CVE-2026-39959)
- Fix AuthService: EnsureCreatedAsync -> MigrateAsync (migration race)
- Fix Dockerfiles: missing COPY entries, /app/logs mkdir/chown
- Fix docker-compose: all ports bound to 127.0.0.1, TrustServerCertificate
  for internal Docker network, vaultdata volume, broker depends_on auth
- Fix CI: HM_BOOTSTRAP_ADMIN_ENABLED=true for smoke test stack startup;
  pass admin credentials env vars to Run platform smoke tests step
- Redact exposed vault key from security-report.md
- Add deploy/docker/.env.example and scripts/New-Secrets.ps1
- Add SCA job to ci.yml; all 8 platform secrets as GitHub secrets refs
- Fix Auth.Tests: SqliteConnection.ClearAllPools() to release handles
- Fix platform smoke tests: agent-gw port 9444->9445; read admin
  credentials from env rather than hardcoded defaults
- Security headers, rate limiting, JWT audience, non-root Docker user,
  image tag pinning, SSH StrictHostKeyChecking, WinRM encoding fixes

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Platform smoke tests require Docker Compose stack running — they are
already covered by the dedicated Platform Smoke Tests job.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Remove empty Vault:StoragePath override in Broker appsettings.json that caused
  OptionsValidationException on startup, breaking all Web.Tests
- Migrate automation test classes from shared in-memory SqliteConnection to
  file-based SQLite with WAL mode + busy_timeout to eliminate concurrent
  thread-unsafe connection access
- Add InternalsVisibleTo for test assembly to enable IAnsibleHandoffService
  mocking in timeout simulation tests
- Fix AutomationTimeoutSimulationTests with DirectProcessHandoffService that
  bypasses ansible workspace path resolution (fails in CI) and replicates
  timeout CTS logic
- Extract IAgentApiKeyValidator interface; register PassthroughAgentApiKeyValidator
  in TestAgentGatewayHost to fix gRPC AgentGatewayGrpcService activation
- Migrate AuthHostWebApplicationFactory from in-memory to file-based SQLite
- Add AddAuthTables migration to HomeManagement.Data (SQLite-compatible) to
  create missing auth schema tables that only existed in SQL Server migrations
- Disable parallel test execution in Web.Tests assembly to prevent logger
  freeze when WebApplicationFactory hosts build concurrently

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
….26 (#28)

---
updated-dependencies:
- dependency-name: Microsoft.AspNetCore.Authentication.JwtBearer
  dependency-version: 8.0.26
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: anticow <anticow@gmail.com>
Bumps Google.Protobuf from 3.28.3 to 3.34.1
Bumps Grpc.AspNetCore from 2.67.0 to 2.76.0
Bumps Grpc.Net.Client from 2.67.0 to 2.76.0
Bumps Grpc.Tools from 2.67.0 to 2.80.0

---
updated-dependencies:
- dependency-name: Google.Protobuf
  dependency-version: 3.34.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: grpc
- dependency-name: Grpc.AspNetCore
  dependency-version: 2.76.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: grpc
- dependency-name: Grpc.Net.Client
  dependency-version: 2.76.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: grpc
- dependency-name: Grpc.Tools
  dependency-version: 2.80.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: grpc
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: anticow <anticow@gmail.com>
* Bump the testing group with 5 updates

Bumps coverlet.collector from 6.0.2 to 10.0.0
Bumps FluentAssertions from 7.0.0 to 8.9.0
Bumps Microsoft.NET.Test.Sdk from 17.12.0 to 18.4.0
Bumps xunit from 2.9.2 to 2.9.3
Bumps xunit.runner.visualstudio from 2.8.2 to 3.1.5

---
updated-dependencies:
- dependency-name: coverlet.collector
  dependency-version: 10.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: testing
- dependency-name: FluentAssertions
  dependency-version: 8.9.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: testing
- dependency-name: Microsoft.NET.Test.Sdk
  dependency-version: 18.4.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: testing
- dependency-name: xunit
  dependency-version: 2.9.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: testing
- dependency-name: xunit.runner.visualstudio
  dependency-version: 3.1.5
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: testing
...

Signed-off-by: dependabot[bot] <support@github.com>

* fix: update FluentAssertions v8 renamed comparison assertion methods

FluentAssertions v8 renamed 'OrEqualTo' suffix variants to 'ThanOrEqualTo':
- BeLessOrEqualTo -> BeLessThanOrEqualTo
- BeGreaterOrEqualTo -> BeGreaterThanOrEqualTo
- HaveCountGreaterOrEqualTo -> HaveCountGreaterThanOrEqualTo

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: anticow <anticow@gmail.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Bumps Quartz from 3.13.1 to 3.18.0
Bumps Quartz.Extensions.DependencyInjection from 3.13.1 to 3.18.0
Bumps Quartz.Extensions.Hosting from 3.13.1 to 3.18.0

---
updated-dependencies:
- dependency-name: Quartz
  dependency-version: 3.18.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: quartz
- dependency-name: Quartz.Extensions.DependencyInjection
  dependency-version: 3.18.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: quartz
- dependency-name: Quartz.Extensions.Hosting
  dependency-version: 3.18.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: quartz
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: anticow <anticow@gmail.com>
---
updated-dependencies:
- dependency-name: System.Reactive
  dependency-version: 6.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: anticow <anticow@gmail.com>
Bumps [actions/setup-dotnet](https://github.com/actions/setup-dotnet) from 4 to 5.
- [Release notes](https://github.com/actions/setup-dotnet/releases)
- [Commits](actions/setup-dotnet@v4...v5)

---
updated-dependencies:
- dependency-name: actions/setup-dotnet
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [dorny/test-reporter](https://github.com/dorny/test-reporter) from 1 to 2.
- [Release notes](https://github.com/dorny/test-reporter/releases)
- [Changelog](https://github.com/dorny/test-reporter/blob/main/CHANGELOG.md)
- [Commits](dorny/test-reporter@v1...v2)

---
updated-dependencies:
- dependency-name: dorny/test-reporter
  dependency-version: '2'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 6.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v4...v6)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4 to 7.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@v4...v7)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 4 to 8.
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](actions/download-artifact@v4...v8)

---
updated-dependencies:
- dependency-name: actions/download-artifact
  dependency-version: '8'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
updated-dependencies:
- dependency-name: NSec.Cryptography
  dependency-version: 25.4.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: anticow <anticow@gmail.com>
Eliminates Node.js 20 deprecation warning on all Docker build jobs.
v4 uses Node.js 24, which is the upcoming GitHub Actions default.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Eliminates remaining Node.js 20 deprecation warnings in CI.
Both actions now use Node.js 24 runtimes.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- actions/checkout v4 -> v6 (security-guards + dependency-scan jobs)
- actions/setup-dotnet v4 -> v5 (dependency-scan job)
- dorny/test-reporter v2 -> v3
- docker/login-action v3 -> v4
- softprops/action-gh-release v2 -> v3

Eliminates all Node.js 20 deprecation warnings across ci.yml and release.yml.
All GitHub Actions runner actions now use Node.js 24.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- HomeManagement.Integration.Action1
  - Action1Client: full REST API client (endpoints, patches, deployments, software)
  - Action1PatchService: implements IPatchService via Action1 API with hostname/tag fallback
  - Action1WebhookEndpoints: POST /api/action1/webhook with HMAC-SHA256 validation
  - Action1SyncJob: Quartz reconciliation job (15-min interval, configurable)
  - Action1IntegrationRegistration: DI wiring + DisabledAction1PatchService no-op
  - Machine identity mapped via tags[action1:endpoint_id] with hostname fallback

- HomeManagement.Integration.Prometheus
  - PrometheusClient: typed HttpClient with graceful degradation (empty on error)
  - PromQL: complete query builders for Windows (windows_exporter) + Linux (node_exporter)
  - PrometheusEndpointStateProvider: service state, availability, metrics (CPU/RAM/disk/uptime)
  - PrometheusIntegrationRegistration: DI wiring + DisabledPrometheusEndpointStateProvider

- Broker.Host wired up:
  - services.AddAction1Integration(configuration)
  - services.AddPrometheusIntegration(configuration)
  - app.MapAction1WebhookEndpoints()

Full solution: 0 warnings, 0 errors

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Add IEndpointStateProvider to HomeManagement.Abstractions
  (GetServiceStateAsync, GetEndpointOnlineAsync, GetHardwareMetricsAsync)
- PrometheusEndpointStateProvider implements IEndpointStateProvider
  (Prometheus-first state reads; non-sealed for disabled subclass override)
- ServiceControllerService: Prometheus-first service state, falls back to agent
- InventoryService: Prometheus-first hardware metrics, falls back to remote cmd
- PatchingModuleRegistration: no longer registers IPatchService (conflict guard)
- PatchService + IPatchStrategy marked [Obsolete]; Patching csproj NoWarn'd
- Patching.Tests csproj: NoWarn CS0618 to keep legacy contract tests building
- Build: 0 warnings, 0 errors

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
anticow and others added 18 commits April 25, 2026 11:27
- PlatformHealthEndpoint: fans out parallel checks to all 9 components
  (Broker, Auth, Web, AgentGateway, Seq, Prometheus, Grafana, ArgoCD, AWX)
- Returns clean HTML dashboard (browser) or JSON (API/uptime monitors)
- Auto-refreshes every 30 s; Verbose log level (no noise)
- HTTP-only ingress at health.cowgomu.net/platform-health, no TLS, no auth
- Only /platform-health path exposed; rest of gateway stays HTTPS-only
- Platform health URLs injected via Helm env vars (overridable per env)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Pin OpenTelemetry.Api 1.15.3 (patches GHSA-g94r-2vxg-569j / Moderate)
- Bump all OpenTelemetry.* packages to latest: Extensions.Hosting 1.15.3,
  Instrumentation.AspNetCore 1.15.2, Http 1.15.1, Runtime 1.15.1,
  Prometheus 1.15.3-beta.1, GrpcNetClient 1.15.1-beta.1
- Apply dotnet format to PlatformHealthEndpoint.cs and 4 pre-existing files

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
CorrelationIdMiddleware requires ICorrelationContext via constructor
injection, but the Gateway never registered it (unlike other hosts
which get it via AddHomeManagement()). All gateway requests returned
500 causing all smoke tests to fail.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Add docker/login-action@v3 for mcr.microsoft.com in both
  docker-build-validate and platform-smoke-tests jobs
  (MCR rate-limits anonymous pulls from GH Actions runner IPs)
- Add docker/setup-buildx-action to platform-smoke-tests so compose
  build uses BuildKit with the authenticated session
- Wire type=gha cache-from/cache-to per-image in docker-build-validate
  so SDK/runtime layers are not re-pulled on every run

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
docker/build-push-action@v7 enables provenance attestations by
default. BuildKit then makes extra manifest HEAD requests back to
mcr.microsoft.com which MCR rejects with 403 (anonymous HEAD not
allowed for attestation endpoints).

Adding docker/login-action without credentials caused a second failure
('Username and password required'). MCR is a public registry - no
credentials exist to supply.

Fix: set provenance: false on the build step to suppress the
attestation manifest requests entirely. The GHA layer cache is kept
so SDK/runtime layers are not re-pulled on every run.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Same issue as Gateway (1af9142) — CorrelationIdMiddleware injects
ICorrelationContext via method injection but neither host calls
AddHomeManagement() which is where the registration lives.

All 5 hosts now explicitly register ICorrelationContext:
- Broker/Auth: via AddHomeManagement() (already correct)
- Gateway/Web/AgentGateway: direct AddSingleton registration added

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
The health ingress only routed /platform-health so hitting the root
returned a nginx 404.

Use app-root annotation to issue a 302 for bare / requests, and
broaden the path rule to Prefix / so the redirect and the health page
both work from the same ingress. The gateway still enforces JWT auth
on all proxied routes so broadening the path rule does not expose
unprotected endpoints.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Prevents MCR 403 during base image manifest resolution in release
pipeline — same root cause as the CI fix in f42f45a.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Seq: change health check URL from port 5341 (ingestion) to /api on
  port 80 (REST API). The ingestion port has no HTTP root handler,
  causing 404.
- ArgoCD: configure platform-health HttpClient to bypass SSL cert
  validation. ArgoCD server redirects HTTP->HTTPS and uses a
  self-signed cluster cert that is not in the pod trust store.
  These URLs are cluster-internal only — never user-facing traffic.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Fix ArgoCD health URL: use https:// directly to avoid HTTP->HTTPS
  redirect round-trip (SSL cert bypass already configured in HttpClient)

- Add version information to /platform-health:
  - Gateway version shown in page header (from APP_VERSION env var)
  - New 'Version' column in service table
  - HM services (Broker, Auth, Web, AgentGateway): query /version endpoint
  - Grafana: parse version from /api/health response body
  - AWX: parse version from /api/v2/ping/ response body
  - ArgoCD: secondary call to /api/version
  - Prometheus: secondary call to /api/v1/status/buildinfo
  - Version lookup is best-effort — never affects health status

- Add APP_VERSION env var to all 5 Helm deployment templates
  (resolved from per-service image.tag, falls back to global.imageTag)

- Add /version endpoint to Broker, Auth, AgentGateway, Web host programs
  (returns {version: APP_VERSION}, anonymous + excluded from descriptions)

- Add 15-second result cache to /platform-health to limit internal
  fan-out traffic under external polling

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
ArgoCD is deployed in insecure mode (plain HTTP on pod port 8080).
The service maps both port 80 and 443 to pod port 8080, so connecting
to https://argocd-server... triggers a TLS handshake against a plain
HTTP listener, causing 'SSL connection could not be established'.

Switch to http://argocd-server.argocd.svc.cluster.local:80/healthz which
matches the actual pod protocol.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Services like ArgoCD (secure mode) redirect HTTP:80 -> HTTPS:443.
With AllowAutoRedirect=true the health client followed these redirects,
re-triggering SSL errors when the HTTPS backend has cert issues.

Fix:
- AllowAutoRedirect=false: stops redirect-chasing
- 3xx responses classified as 'Healthy' (service is alive and redirecting)
- 4xx classified as 'Degraded' (service up but returning client errors)
- 5xx and exceptions remain 'Unhealthy'

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- PlatformHealthEndpoint: query Kubernetes in-cluster API for pod start
  times (get/list pods in homemanagement namespace), enriching each
  service row with a Pod Age column (hover tooltip shows exact UTC time)
- Gateway's own process start time shown in the page subtitle so restarts
  are immediately visible without inspecting kubectl
- Added k8s-api named HttpClient in Program.cs (5s timeout, bypasses
  self-signed in-cluster cert)
- New deploy/helm/homemanagement/templates/rbac.yaml: Role + RoleBinding
  granting default service account get/list on pods (namespace-scoped only)
- FormatAge helper formats durations as e.g. 2d 3h, 5h 12m, 47m
- All K8s lookups are best-effort: any failure silently omits pod age
  data without affecting health check results

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…per in rbac.yaml

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@dependabot dependabot Bot added .NET Pull requests that update .NET code dependencies Pull requests that update a dependency file labels Apr 27, 2026
anticow and others added 2 commits April 28, 2026 21:52
- Introduced new models for authentication including AuthUser, AuthResult, and LoginRequest.
- Implemented IJwtTokenService and IPasswordPolicy interfaces for JWT handling and password validation.
- Created DefaultPasswordPolicy class to enforce password strength requirements.
- Developed AuthUserRepository, AuthRoleRepository, and AuthRefreshTokenRepository for user and role management.
- Added contract tests for AuthService to ensure correct delegation to IJwtTokenService and IPasswordPolicy.
- Implemented unit tests for DefaultPasswordPolicy to validate password strength logic.
- Updated various automation tests to include new dependencies and models.
- Enhanced application builder extensions for security headers and health endpoints.
Bumps Microsoft.IdentityModel.Tokens to 8.17.0
Bumps System.IdentityModel.Tokens.Jwt to 8.17.0

---
updated-dependencies:
- dependency-name: Microsoft.IdentityModel.Tokens
  dependency-version: 8.17.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
- dependency-name: System.IdentityModel.Tokens.Jwt
  dependency-version: 8.17.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/nuget/multi-439a0118a5 branch from bcef9fe to 84daf64 Compare April 29, 2026 05:02
@dependabot @github

dependabot Bot commented on behalf of github May 7, 2026

Copy link
Copy Markdown
Contributor Author

Looks like these dependencies are updatable in another way, so this is no longer needed.

@dependabot @github

dependabot Bot commented on behalf of github May 7, 2026

Copy link
Copy Markdown
Contributor Author

Superseded by #46.

@dependabot dependabot Bot closed this May 7, 2026
@dependabot dependabot Bot deleted the dependabot/nuget/multi-439a0118a5 branch May 7, 2026 15:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file .NET Pull requests that update .NET code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant