Skip to content

fix: remove duplicate trailing slash from client_assertion audience#236

Merged
kailash-b merged 1 commit into
auth0:mainfrom
samjetski:feat/fix-audience
Jun 15, 2026
Merged

fix: remove duplicate trailing slash from client_assertion audience#236
kailash-b merged 1 commit into
auth0:mainfrom
samjetski:feat/fix-audience

Conversation

@samjetski

Copy link
Copy Markdown
Contributor

Description

The OnAuthorizationCodeReceived handler builds the aud claim for the Private Key JWT client assertion sent to /oauth/token. Since v1.7.0 it has been double-appending the trailing slash:

var audience = Utils.ToAuthority(issuer) + "/";

Utils.ToAuthority (added in #206) already normalises its input to a value ending in /, so the resulting audience becomes https://{tenant}// (two slashes). Auth0's /oauth/token endpoint validates that aud exactly matches the tenant token endpoint with a single trailing slash, so it rejects the assertion with 401 invalid_client.

The visible symptom for affected apps (any app configured with ClientAssertionSecurityKey) is a callback loop: the OIDC middleware can't complete the code-for-token exchange, retries /authorize, Auth0's SSO cookie immediately returns a new code, and the cycle repeats. Server logs show:

Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler
Message contains error: 'invalid_client', error_description: 'Unauthorized',
error_uri: 'error_uri is null', status code '401'.

The companion TokenClient path (used for refresh-token exchange in TokenClient.cs:68) already used the single-slash form $"https://{domain}/" and was unaffected — so the fix brings the OIDC callback path back in line with it.

The change is a one-line removal of the duplicate + "/".

References

Testing

The existing integration test Should_Send_ClientAssertion_To_Token_Endpoint only asserted that a client_assertion form parameter was present, which is how this slipped through. It has been strengthened to:

  1. Capture the assertion JWT from the token-endpoint request body via a new HttpRequestMessage.GetClientAssertion() test helper.
  2. Decode it and assert Audiences contains exactly https://{domain}/ (single trailing slash), plus that Issuer and Subject equal the configured ClientId.

Verified by temporarily reverting the fix — the new assertion fails with the buggy double-slash audience; restoring the fix passes.

Full integration suite: 205/205 passing locally on net10.0.

  • This change adds test coverage for new/changed/fixed functionality

Checklist

  • I have added documentation for new/changed functionality in this PR or in auth0.com/docs
  • All active GitHub checks for tests, formatting, and security are passing
  • The correct base branch is being used, if not main

@samjetski samjetski marked this pull request as ready for review May 28, 2026 07:06
@samjetski samjetski requested a review from a team as a code owner May 28, 2026 07:06
@kailash-b

kailash-b commented May 29, 2026

Copy link
Copy Markdown
Contributor

Hi @samjetski 👋

Thanks a lot of flagging this. Appreciate you taking the effort to help fix it as well.

We will take a look at this PR, in the meanwhile, can you please sign the commit?
Our pipelines, mandate the commit to be signed in-order to merge.

We will also make sure that this ask (mandatory signed commit) is clear in our contributing guidelines and PR template checklist.

EDIT
For now, we have signed the commit on your behalf.
Thanks for your contribution 🤝

@kailash-b kailash-b force-pushed the feat/fix-audience branch from fa89ce9 to 76601b1 Compare June 15, 2026 05:20
@kailash-b kailash-b force-pushed the feat/fix-audience branch from 76601b1 to fbf97fc Compare June 15, 2026 05:24
@kailash-b kailash-b merged commit d688958 into auth0:main Jun 15, 2026
9 checks passed
@kailash-b kailash-b mentioned this pull request Jun 29, 2026
mpaulosky added a commit to mpaulosky/IssueTrackerApp that referenced this pull request Jul 5, 2026
Updated [Aspire.Hosting.Redis](https://github.com/microsoft/aspire) from
13.4.2 to 13.4.6.

<details>
<summary>Release notes</summary>

_Sourced from [Aspire.Hosting.Redis's
releases](https://github.com/microsoft/aspire/releases)._

## 13.4.6

## What's New in Aspire 13.4.6

Patch release for Aspire 13.4 fixing polyglot AppHost code generation
binding when CLI and SDK versions diverge, resource service port
collision in `--isolated` mode, and a MongoDB.Driver dependency update.

### 🐛 Fixes

- 🔗 **Polyglot AppHost code generation silently failed when CLI and SDK
versions diverged** — `Aspire.TypeSystem` used a floating strong-name
`AssemblyVersion` that changed with every build. When the installed
Aspire CLI was built at a different version than the AppHost's SDK, the
CLR couldn't satisfy the strong-name bind and every code generator
(TypeScript, Python, Java, Go, Rust) was silently dropped, surfacing as
`No code generator found for language: <lang>`. The `AssemblyVersion` is
now frozen at a stable constant so any compatible CLI/SDK pair on 13.4
binds successfully. Relates to #​18110 and #​17910.
([#​18160](https://github.com/microsoft/aspire/pull/18160),
`@​sebastienros`)

- 🔌 **Multiple AppHosts started with `--isolated` collided on the
resource service port** — Both instances tried to bind to the same fixed
port from `ASPIRE_RESOURCE_SERVICE_ENDPOINT_URL`, causing an "address
already in use" error on the second instance. `DashboardServiceHost` now
binds to port 0 on loopback when `RandomizePorts` is true (set by
`--isolated`), letting the OS assign a unique port per instance.
([#​18341](https://github.com/microsoft/aspire/pull/18341), `@​JamesNK`)

- 🍃 **MongoDB.Driver updated to 3.9.0** — Removes a wrongly pinned
`SharpCompress` transitive dependency and uses the corrected `Snappier`
transitive. Fixes #​17981.
([#​18279](https://github.com/microsoft/aspire/pull/18279),
`@​Falco20019`)

### 🏷️ Housekeeping

- 🚀 Bumped branding to 13.4.6
([#​18343](https://github.com/microsoft/aspire/pull/18343))

---

_Full Changelog:
[v13.4.5...v13.4.6](https://github.com/microsoft/aspire/compare/v13.4.5...v13.4.6)_

_Full commit:
[87fe259e4fc244c599019a7b1304c85a1488f248](https://github.com/microsoft/aspire/commit/87fe259e4fc244c599019a7b1304c85a1488f248)_

> Generated by [Generate release notes for a new stable Aspire
release](https://github.com/microsoft/aspire/actions/runs/27855270514) ·
131 AIC · ⌖ 13.5 AIC · ⊞ 37.4K

<!-- gh-aw-agentic-workflow: Generate release notes for a new stable
Aspire release, engine: copilot, version: 1.0.60, model:
claude-sonnet-4.6, id: 27855270514, workflow_id: release-notes-generate,
run: https://github.com/microsoft/aspire/actions/runs/27855270514 -->

## 13.4.5

## What's New in Aspire 13.4.5

Patch release for Aspire 13.4 clearing a transitive MessagePack security
advisory, tightening CLI validation for Playwright configuration, and
adding coding-agent detection to CLI telemetry.

### 🐛 Fixes

- 🛡️ **Bumped StreamJsonRpc to 2.25.29 to clear the MessagePack
GHSA-hv8m-jj95-wg3x (CVE-2026-48109) NU1903 advisory** — The transitive
MessagePack 2.5.192 dependency pulled in via StreamJsonRpc 2.22.23 fell
within the advisory's vulnerable LZ4 decompression range. Aspire does
not use `MessagePackFormatter` or LZ4 — all StreamJsonRpc calls use
`SystemTextJsonFormatter` over local Unix sockets — so the vulnerability
was not reachable in practice. The bump clears the NU1903 warning for
consumers of the `Aspire.Hosting` package.
([#​18204](https://github.com/microsoft/aspire/pull/18204),
`@​mitchdenny`)
- 🎭 **`playwrightCliVersion` values that are not valid SemVer 2.0 now
fail fast with a clear diagnostic** — Previously an invalid override
(range expression, dist-tag like `latest`, or a `v`-prefixed string)
would surface as a generic npm resolution failure. The value is now
validated with strict SemVer parsing at startup; an error naming the
configuration key and the offending value is emitted immediately.
([#​18205](https://github.com/microsoft/aspire/pull/18205),
`@​mitchdenny`)
- 🤖 **CLI telemetry now detects and reports the calling coding agent** —
When the Aspire CLI is invoked from inside a known coding agent
environment (GitHub Copilot CLI, VS Code Copilot agent, etc.) the agent
name is included in the main CLI telemetry event. GitHub Copilot CLI is
specifically identified as `copilot-cli`.
([#​18240](https://github.com/microsoft/aspire/pull/18240),
`@​damianedwards`)

### 🏷️ Housekeeping

- 📄 Refreshed the `@​microsoft/aspire-cli` npm package README to be
TypeScript-only — updated examples to the current `ts-starter` template
(`apphost.mts` / `aspire.mjs`), added a backing-services snippet showing
`aspire add` for PostgreSQL and Redis, and documented `aspire dashboard
run` as a standalone dashboard option.
([#​18221](https://github.com/microsoft/aspire/pull/18221), `@​adamint`)

---

_Full Changelog:
[v13.4.4...v13.4.5](https://github.com/microsoft/aspire/compare/v13.4.4...v13.4.5)_

_Full commit:
[73114e86c64aeb9f3f3c7da8e37df1ae4281b27e](https://github.com/microsoft/aspire/commit/73114e86c64aeb9f3f3c7da8e37df1ae4281b27e)_

> Generated by [Generate release notes for a new stable Aspire
release](https://github.com/microsoft/aspire/actions/runs/27667814104/agentic_workflow)
· ● 4.4M

<!-- gh-aw-agentic-workflow: Generate release notes for a new stable
Aspire release, engine: copilot, version: 1.0.40, model:
claude-sonnet-4.6, id: 27667814104, workflow_id: release-notes-generate,
run: https://github.com/microsoft/aspire/actions/runs/27667814104 -->

## 13.4.4

## What's New in Aspire 13.4.4

Patch release for Aspire 13.4 with improved DCP connection reliability
during request execution and consistent `ExcludeFromMcp()` filtering
across all CLI MCP tools.

### 🐛 Fixes

* 🔌 **DCP requests could fail permanently when the connection dropped
mid-request** — If the underlying DCP channel closed while a request was
in flight, the error was surfaced directly instead of being retried.
Reconnection is now attempted as part of the DCP request retry path so
transient disconnections recover automatically without surfacing errors.
([#​18096](https://github.com/microsoft/aspire/pull/18096),
`@​karolz-ms`)
* 🔍 **Resources marked with `ExcludeFromMcp()` were not consistently
filtered from CLI MCP tools** — Resources with the
`resource.excludeFromMcp` property were not excluded uniformly from all
CLI MCP tool results. `list_resources`, `list_console_logs`,
`execute_resource_command`, `list_structured_logs`, `list_traces`, and
`list_trace_structured_logs` all now honor the exclusion, preventing
excluded resources and their telemetry from appearing in agent context.
([#​18150](https://github.com/microsoft/aspire/pull/18150), `@​JamesNK`)

### 🏷️ Housekeeping

* 📦 Improved npm CLI package metadata and hardened npm publish
validation in the release pipeline.
([#​18093](https://github.com/microsoft/aspire/pull/18093),
`@​adamratzman`)

* * *

_Full Changelog:
[v13.4.3...v13.4.4](https://github.com/microsoft/aspire/compare/v13.4.3...v13.4.4)_

_Full commit:
[ccc566c5ab3285c9beb8f38ede34734bb477c029](https://github.com/microsoft/aspire/commit/ccc566c5ab3285c9beb8f38ede34734bb477c029)_


## 13.4.3

## What's New in Aspire 13.4.3

Patch release for Aspire 13.4 with a fix for persistent container
endpoint allocation regressions introduced in 13.4.

### 🐛 Fixes

- 🔌 **Persistent container endpoints had incorrect default behavior** —
Persistent containers were defaulting to proxyless endpoint behavior
instead of the proxied behavior used by normal containers. This caused
integrations that depend on endpoint allocation before resource startup
(such as the KeyVault emulator) to fail. Persistent containers now
default to proxied endpoints matching normal container behavior; opt out
with `isProxied: false` or `WithEndpointProxySupport(false)`. Proxyless
container endpoints with only a `targetPort` specified now also resolve
immediately to that port instead of waiting for delayed allocation.
(#​17960, `@​danegsta`)

### 🏷️ Housekeeping

- 🛠️ Unblocked WinGet manifest publishing on locked-down 1ES agents and
updated manifest tags (#​17958)

---
*Full Changelog:
https://github.com/microsoft/aspire/compare/v13.4.2...v13.4.3*

*Full commit:
[4f218933552e18ff2874d1b6d5dc3fe671e3b6d9](https://github.com/microsoft/aspire/commit/4f218933552e18ff2874d1b6d5dc3fe671e3b6d9)*

> Generated by [Generate release notes for a new stable Aspire
release](https://github.com/microsoft/aspire/actions/runs/27173824611/agentic_workflow)
· ● 4.7M

<!-- gh-aw-agentic-workflow: Generate release notes for a new stable
Aspire release, engine: copilot, version: 1.0.40, model:
claude-sonnet-4.6, id: 27173824611, workflow_id: release-notes-generate,
run: https://github.com/microsoft/aspire/actions/runs/27173824611 -->

Commits viewable in [compare
view](https://github.com/microsoft/aspire/compare/v13.4.2...v13.4.6).
</details>

Updated [Aspire.Hosting.Testing](https://github.com/microsoft/aspire)
from 13.4.2 to 13.4.6.

<details>
<summary>Release notes</summary>

_Sourced from [Aspire.Hosting.Testing's
releases](https://github.com/microsoft/aspire/releases)._

## 13.4.6

## What's New in Aspire 13.4.6

Patch release for Aspire 13.4 fixing polyglot AppHost code generation
binding when CLI and SDK versions diverge, resource service port
collision in `--isolated` mode, and a MongoDB.Driver dependency update.

### 🐛 Fixes

- 🔗 **Polyglot AppHost code generation silently failed when CLI and SDK
versions diverged** — `Aspire.TypeSystem` used a floating strong-name
`AssemblyVersion` that changed with every build. When the installed
Aspire CLI was built at a different version than the AppHost's SDK, the
CLR couldn't satisfy the strong-name bind and every code generator
(TypeScript, Python, Java, Go, Rust) was silently dropped, surfacing as
`No code generator found for language: <lang>`. The `AssemblyVersion` is
now frozen at a stable constant so any compatible CLI/SDK pair on 13.4
binds successfully. Relates to #​18110 and #​17910.
([#​18160](https://github.com/microsoft/aspire/pull/18160),
`@​sebastienros`)

- 🔌 **Multiple AppHosts started with `--isolated` collided on the
resource service port** — Both instances tried to bind to the same fixed
port from `ASPIRE_RESOURCE_SERVICE_ENDPOINT_URL`, causing an "address
already in use" error on the second instance. `DashboardServiceHost` now
binds to port 0 on loopback when `RandomizePorts` is true (set by
`--isolated`), letting the OS assign a unique port per instance.
([#​18341](https://github.com/microsoft/aspire/pull/18341), `@​JamesNK`)

- 🍃 **MongoDB.Driver updated to 3.9.0** — Removes a wrongly pinned
`SharpCompress` transitive dependency and uses the corrected `Snappier`
transitive. Fixes #​17981.
([#​18279](https://github.com/microsoft/aspire/pull/18279),
`@​Falco20019`)

### 🏷️ Housekeeping

- 🚀 Bumped branding to 13.4.6
([#​18343](https://github.com/microsoft/aspire/pull/18343))

---

_Full Changelog:
[v13.4.5...v13.4.6](https://github.com/microsoft/aspire/compare/v13.4.5...v13.4.6)_

_Full commit:
[87fe259e4fc244c599019a7b1304c85a1488f248](https://github.com/microsoft/aspire/commit/87fe259e4fc244c599019a7b1304c85a1488f248)_

> Generated by [Generate release notes for a new stable Aspire
release](https://github.com/microsoft/aspire/actions/runs/27855270514) ·
131 AIC · ⌖ 13.5 AIC · ⊞ 37.4K

<!-- gh-aw-agentic-workflow: Generate release notes for a new stable
Aspire release, engine: copilot, version: 1.0.60, model:
claude-sonnet-4.6, id: 27855270514, workflow_id: release-notes-generate,
run: https://github.com/microsoft/aspire/actions/runs/27855270514 -->

## 13.4.5

## What's New in Aspire 13.4.5

Patch release for Aspire 13.4 clearing a transitive MessagePack security
advisory, tightening CLI validation for Playwright configuration, and
adding coding-agent detection to CLI telemetry.

### 🐛 Fixes

- 🛡️ **Bumped StreamJsonRpc to 2.25.29 to clear the MessagePack
GHSA-hv8m-jj95-wg3x (CVE-2026-48109) NU1903 advisory** — The transitive
MessagePack 2.5.192 dependency pulled in via StreamJsonRpc 2.22.23 fell
within the advisory's vulnerable LZ4 decompression range. Aspire does
not use `MessagePackFormatter` or LZ4 — all StreamJsonRpc calls use
`SystemTextJsonFormatter` over local Unix sockets — so the vulnerability
was not reachable in practice. The bump clears the NU1903 warning for
consumers of the `Aspire.Hosting` package.
([#​18204](https://github.com/microsoft/aspire/pull/18204),
`@​mitchdenny`)
- 🎭 **`playwrightCliVersion` values that are not valid SemVer 2.0 now
fail fast with a clear diagnostic** — Previously an invalid override
(range expression, dist-tag like `latest`, or a `v`-prefixed string)
would surface as a generic npm resolution failure. The value is now
validated with strict SemVer parsing at startup; an error naming the
configuration key and the offending value is emitted immediately.
([#​18205](https://github.com/microsoft/aspire/pull/18205),
`@​mitchdenny`)
- 🤖 **CLI telemetry now detects and reports the calling coding agent** —
When the Aspire CLI is invoked from inside a known coding agent
environment (GitHub Copilot CLI, VS Code Copilot agent, etc.) the agent
name is included in the main CLI telemetry event. GitHub Copilot CLI is
specifically identified as `copilot-cli`.
([#​18240](https://github.com/microsoft/aspire/pull/18240),
`@​damianedwards`)

### 🏷️ Housekeeping

- 📄 Refreshed the `@​microsoft/aspire-cli` npm package README to be
TypeScript-only — updated examples to the current `ts-starter` template
(`apphost.mts` / `aspire.mjs`), added a backing-services snippet showing
`aspire add` for PostgreSQL and Redis, and documented `aspire dashboard
run` as a standalone dashboard option.
([#​18221](https://github.com/microsoft/aspire/pull/18221), `@​adamint`)

---

_Full Changelog:
[v13.4.4...v13.4.5](https://github.com/microsoft/aspire/compare/v13.4.4...v13.4.5)_

_Full commit:
[73114e86c64aeb9f3f3c7da8e37df1ae4281b27e](https://github.com/microsoft/aspire/commit/73114e86c64aeb9f3f3c7da8e37df1ae4281b27e)_

> Generated by [Generate release notes for a new stable Aspire
release](https://github.com/microsoft/aspire/actions/runs/27667814104/agentic_workflow)
· ● 4.4M

<!-- gh-aw-agentic-workflow: Generate release notes for a new stable
Aspire release, engine: copilot, version: 1.0.40, model:
claude-sonnet-4.6, id: 27667814104, workflow_id: release-notes-generate,
run: https://github.com/microsoft/aspire/actions/runs/27667814104 -->

## 13.4.4

## What's New in Aspire 13.4.4

Patch release for Aspire 13.4 with improved DCP connection reliability
during request execution and consistent `ExcludeFromMcp()` filtering
across all CLI MCP tools.

### 🐛 Fixes

* 🔌 **DCP requests could fail permanently when the connection dropped
mid-request** — If the underlying DCP channel closed while a request was
in flight, the error was surfaced directly instead of being retried.
Reconnection is now attempted as part of the DCP request retry path so
transient disconnections recover automatically without surfacing errors.
([#​18096](https://github.com/microsoft/aspire/pull/18096),
`@​karolz-ms`)
* 🔍 **Resources marked with `ExcludeFromMcp()` were not consistently
filtered from CLI MCP tools** — Resources with the
`resource.excludeFromMcp` property were not excluded uniformly from all
CLI MCP tool results. `list_resources`, `list_console_logs`,
`execute_resource_command`, `list_structured_logs`, `list_traces`, and
`list_trace_structured_logs` all now honor the exclusion, preventing
excluded resources and their telemetry from appearing in agent context.
([#​18150](https://github.com/microsoft/aspire/pull/18150), `@​JamesNK`)

### 🏷️ Housekeeping

* 📦 Improved npm CLI package metadata and hardened npm publish
validation in the release pipeline.
([#​18093](https://github.com/microsoft/aspire/pull/18093),
`@​adamratzman`)

* * *

_Full Changelog:
[v13.4.3...v13.4.4](https://github.com/microsoft/aspire/compare/v13.4.3...v13.4.4)_

_Full commit:
[ccc566c5ab3285c9beb8f38ede34734bb477c029](https://github.com/microsoft/aspire/commit/ccc566c5ab3285c9beb8f38ede34734bb477c029)_


## 13.4.3

## What's New in Aspire 13.4.3

Patch release for Aspire 13.4 with a fix for persistent container
endpoint allocation regressions introduced in 13.4.

### 🐛 Fixes

- 🔌 **Persistent container endpoints had incorrect default behavior** —
Persistent containers were defaulting to proxyless endpoint behavior
instead of the proxied behavior used by normal containers. This caused
integrations that depend on endpoint allocation before resource startup
(such as the KeyVault emulator) to fail. Persistent containers now
default to proxied endpoints matching normal container behavior; opt out
with `isProxied: false` or `WithEndpointProxySupport(false)`. Proxyless
container endpoints with only a `targetPort` specified now also resolve
immediately to that port instead of waiting for delayed allocation.
(#​17960, `@​danegsta`)

### 🏷️ Housekeeping

- 🛠️ Unblocked WinGet manifest publishing on locked-down 1ES agents and
updated manifest tags (#​17958)

---
*Full Changelog:
https://github.com/microsoft/aspire/compare/v13.4.2...v13.4.3*

*Full commit:
[4f218933552e18ff2874d1b6d5dc3fe671e3b6d9](https://github.com/microsoft/aspire/commit/4f218933552e18ff2874d1b6d5dc3fe671e3b6d9)*

> Generated by [Generate release notes for a new stable Aspire
release](https://github.com/microsoft/aspire/actions/runs/27173824611/agentic_workflow)
· ● 4.7M

<!-- gh-aw-agentic-workflow: Generate release notes for a new stable
Aspire release, engine: copilot, version: 1.0.40, model:
claude-sonnet-4.6, id: 27173824611, workflow_id: release-notes-generate,
run: https://github.com/microsoft/aspire/actions/runs/27173824611 -->

Commits viewable in [compare
view](https://github.com/microsoft/aspire/compare/v13.4.2...v13.4.6).
</details>

Updated [Aspire.MongoDB.Driver](https://github.com/microsoft/aspire)
from 13.4.2 to 13.4.6.

<details>
<summary>Release notes</summary>

_Sourced from [Aspire.MongoDB.Driver's
releases](https://github.com/microsoft/aspire/releases)._

## 13.4.6

## What's New in Aspire 13.4.6

Patch release for Aspire 13.4 fixing polyglot AppHost code generation
binding when CLI and SDK versions diverge, resource service port
collision in `--isolated` mode, and a MongoDB.Driver dependency update.

### 🐛 Fixes

- 🔗 **Polyglot AppHost code generation silently failed when CLI and SDK
versions diverged** — `Aspire.TypeSystem` used a floating strong-name
`AssemblyVersion` that changed with every build. When the installed
Aspire CLI was built at a different version than the AppHost's SDK, the
CLR couldn't satisfy the strong-name bind and every code generator
(TypeScript, Python, Java, Go, Rust) was silently dropped, surfacing as
`No code generator found for language: <lang>`. The `AssemblyVersion` is
now frozen at a stable constant so any compatible CLI/SDK pair on 13.4
binds successfully. Relates to #​18110 and #​17910.
([#​18160](https://github.com/microsoft/aspire/pull/18160),
`@​sebastienros`)

- 🔌 **Multiple AppHosts started with `--isolated` collided on the
resource service port** — Both instances tried to bind to the same fixed
port from `ASPIRE_RESOURCE_SERVICE_ENDPOINT_URL`, causing an "address
already in use" error on the second instance. `DashboardServiceHost` now
binds to port 0 on loopback when `RandomizePorts` is true (set by
`--isolated`), letting the OS assign a unique port per instance.
([#​18341](https://github.com/microsoft/aspire/pull/18341), `@​JamesNK`)

- 🍃 **MongoDB.Driver updated to 3.9.0** — Removes a wrongly pinned
`SharpCompress` transitive dependency and uses the corrected `Snappier`
transitive. Fixes #​17981.
([#​18279](https://github.com/microsoft/aspire/pull/18279),
`@​Falco20019`)

### 🏷️ Housekeeping

- 🚀 Bumped branding to 13.4.6
([#​18343](https://github.com/microsoft/aspire/pull/18343))

---

_Full Changelog:
[v13.4.5...v13.4.6](https://github.com/microsoft/aspire/compare/v13.4.5...v13.4.6)_

_Full commit:
[87fe259e4fc244c599019a7b1304c85a1488f248](https://github.com/microsoft/aspire/commit/87fe259e4fc244c599019a7b1304c85a1488f248)_

> Generated by [Generate release notes for a new stable Aspire
release](https://github.com/microsoft/aspire/actions/runs/27855270514) ·
131 AIC · ⌖ 13.5 AIC · ⊞ 37.4K

<!-- gh-aw-agentic-workflow: Generate release notes for a new stable
Aspire release, engine: copilot, version: 1.0.60, model:
claude-sonnet-4.6, id: 27855270514, workflow_id: release-notes-generate,
run: https://github.com/microsoft/aspire/actions/runs/27855270514 -->

## 13.4.5

## What's New in Aspire 13.4.5

Patch release for Aspire 13.4 clearing a transitive MessagePack security
advisory, tightening CLI validation for Playwright configuration, and
adding coding-agent detection to CLI telemetry.

### 🐛 Fixes

- 🛡️ **Bumped StreamJsonRpc to 2.25.29 to clear the MessagePack
GHSA-hv8m-jj95-wg3x (CVE-2026-48109) NU1903 advisory** — The transitive
MessagePack 2.5.192 dependency pulled in via StreamJsonRpc 2.22.23 fell
within the advisory's vulnerable LZ4 decompression range. Aspire does
not use `MessagePackFormatter` or LZ4 — all StreamJsonRpc calls use
`SystemTextJsonFormatter` over local Unix sockets — so the vulnerability
was not reachable in practice. The bump clears the NU1903 warning for
consumers of the `Aspire.Hosting` package.
([#​18204](https://github.com/microsoft/aspire/pull/18204),
`@​mitchdenny`)
- 🎭 **`playwrightCliVersion` values that are not valid SemVer 2.0 now
fail fast with a clear diagnostic** — Previously an invalid override
(range expression, dist-tag like `latest`, or a `v`-prefixed string)
would surface as a generic npm resolution failure. The value is now
validated with strict SemVer parsing at startup; an error naming the
configuration key and the offending value is emitted immediately.
([#​18205](https://github.com/microsoft/aspire/pull/18205),
`@​mitchdenny`)
- 🤖 **CLI telemetry now detects and reports the calling coding agent** —
When the Aspire CLI is invoked from inside a known coding agent
environment (GitHub Copilot CLI, VS Code Copilot agent, etc.) the agent
name is included in the main CLI telemetry event. GitHub Copilot CLI is
specifically identified as `copilot-cli`.
([#​18240](https://github.com/microsoft/aspire/pull/18240),
`@​damianedwards`)

### 🏷️ Housekeeping

- 📄 Refreshed the `@​microsoft/aspire-cli` npm package README to be
TypeScript-only — updated examples to the current `ts-starter` template
(`apphost.mts` / `aspire.mjs`), added a backing-services snippet showing
`aspire add` for PostgreSQL and Redis, and documented `aspire dashboard
run` as a standalone dashboard option.
([#​18221](https://github.com/microsoft/aspire/pull/18221), `@​adamint`)

---

_Full Changelog:
[v13.4.4...v13.4.5](https://github.com/microsoft/aspire/compare/v13.4.4...v13.4.5)_

_Full commit:
[73114e86c64aeb9f3f3c7da8e37df1ae4281b27e](https://github.com/microsoft/aspire/commit/73114e86c64aeb9f3f3c7da8e37df1ae4281b27e)_

> Generated by [Generate release notes for a new stable Aspire
release](https://github.com/microsoft/aspire/actions/runs/27667814104/agentic_workflow)
· ● 4.4M

<!-- gh-aw-agentic-workflow: Generate release notes for a new stable
Aspire release, engine: copilot, version: 1.0.40, model:
claude-sonnet-4.6, id: 27667814104, workflow_id: release-notes-generate,
run: https://github.com/microsoft/aspire/actions/runs/27667814104 -->

## 13.4.4

## What's New in Aspire 13.4.4

Patch release for Aspire 13.4 with improved DCP connection reliability
during request execution and consistent `ExcludeFromMcp()` filtering
across all CLI MCP tools.

### 🐛 Fixes

* 🔌 **DCP requests could fail permanently when the connection dropped
mid-request** — If the underlying DCP channel closed while a request was
in flight, the error was surfaced directly instead of being retried.
Reconnection is now attempted as part of the DCP request retry path so
transient disconnections recover automatically without surfacing errors.
([#​18096](https://github.com/microsoft/aspire/pull/18096),
`@​karolz-ms`)
* 🔍 **Resources marked with `ExcludeFromMcp()` were not consistently
filtered from CLI MCP tools** — Resources with the
`resource.excludeFromMcp` property were not excluded uniformly from all
CLI MCP tool results. `list_resources`, `list_console_logs`,
`execute_resource_command`, `list_structured_logs`, `list_traces`, and
`list_trace_structured_logs` all now honor the exclusion, preventing
excluded resources and their telemetry from appearing in agent context.
([#​18150](https://github.com/microsoft/aspire/pull/18150), `@​JamesNK`)

### 🏷️ Housekeeping

* 📦 Improved npm CLI package metadata and hardened npm publish
validation in the release pipeline.
([#​18093](https://github.com/microsoft/aspire/pull/18093),
`@​adamratzman`)

* * *

_Full Changelog:
[v13.4.3...v13.4.4](https://github.com/microsoft/aspire/compare/v13.4.3...v13.4.4)_

_Full commit:
[ccc566c5ab3285c9beb8f38ede34734bb477c029](https://github.com/microsoft/aspire/commit/ccc566c5ab3285c9beb8f38ede34734bb477c029)_


## 13.4.3

## What's New in Aspire 13.4.3

Patch release for Aspire 13.4 with a fix for persistent container
endpoint allocation regressions introduced in 13.4.

### 🐛 Fixes

- 🔌 **Persistent container endpoints had incorrect default behavior** —
Persistent containers were defaulting to proxyless endpoint behavior
instead of the proxied behavior used by normal containers. This caused
integrations that depend on endpoint allocation before resource startup
(such as the KeyVault emulator) to fail. Persistent containers now
default to proxied endpoints matching normal container behavior; opt out
with `isProxied: false` or `WithEndpointProxySupport(false)`. Proxyless
container endpoints with only a `targetPort` specified now also resolve
immediately to that port instead of waiting for delayed allocation.
(#​17960, `@​danegsta`)

### 🏷️ Housekeeping

- 🛠️ Unblocked WinGet manifest publishing on locked-down 1ES agents and
updated manifest tags (#​17958)

---
*Full Changelog:
https://github.com/microsoft/aspire/compare/v13.4.2...v13.4.3*

*Full commit:
[4f218933552e18ff2874d1b6d5dc3fe671e3b6d9](https://github.com/microsoft/aspire/commit/4f218933552e18ff2874d1b6d5dc3fe671e3b6d9)*

> Generated by [Generate release notes for a new stable Aspire
release](https://github.com/microsoft/aspire/actions/runs/27173824611/agentic_workflow)
· ● 4.7M

<!-- gh-aw-agentic-workflow: Generate release notes for a new stable
Aspire release, engine: copilot, version: 1.0.40, model:
claude-sonnet-4.6, id: 27173824611, workflow_id: release-notes-generate,
run: https://github.com/microsoft/aspire/actions/runs/27173824611 -->

Commits viewable in [compare
view](https://github.com/microsoft/aspire/compare/v13.4.2...v13.4.6).
</details>

Updated
[Aspire.StackExchange.Redis](https://github.com/microsoft/aspire) from
13.4.2 to 13.4.6.

<details>
<summary>Release notes</summary>

_Sourced from [Aspire.StackExchange.Redis's
releases](https://github.com/microsoft/aspire/releases)._

## 13.4.6

## What's New in Aspire 13.4.6

Patch release for Aspire 13.4 fixing polyglot AppHost code generation
binding when CLI and SDK versions diverge, resource service port
collision in `--isolated` mode, and a MongoDB.Driver dependency update.

### 🐛 Fixes

- 🔗 **Polyglot AppHost code generation silently failed when CLI and SDK
versions diverged** — `Aspire.TypeSystem` used a floating strong-name
`AssemblyVersion` that changed with every build. When the installed
Aspire CLI was built at a different version than the AppHost's SDK, the
CLR couldn't satisfy the strong-name bind and every code generator
(TypeScript, Python, Java, Go, Rust) was silently dropped, surfacing as
`No code generator found for language: <lang>`. The `AssemblyVersion` is
now frozen at a stable constant so any compatible CLI/SDK pair on 13.4
binds successfully. Relates to #​18110 and #​17910.
([#​18160](https://github.com/microsoft/aspire/pull/18160),
`@​sebastienros`)

- 🔌 **Multiple AppHosts started with `--isolated` collided on the
resource service port** — Both instances tried to bind to the same fixed
port from `ASPIRE_RESOURCE_SERVICE_ENDPOINT_URL`, causing an "address
already in use" error on the second instance. `DashboardServiceHost` now
binds to port 0 on loopback when `RandomizePorts` is true (set by
`--isolated`), letting the OS assign a unique port per instance.
([#​18341](https://github.com/microsoft/aspire/pull/18341), `@​JamesNK`)

- 🍃 **MongoDB.Driver updated to 3.9.0** — Removes a wrongly pinned
`SharpCompress` transitive dependency and uses the corrected `Snappier`
transitive. Fixes #​17981.
([#​18279](https://github.com/microsoft/aspire/pull/18279),
`@​Falco20019`)

### 🏷️ Housekeeping

- 🚀 Bumped branding to 13.4.6
([#​18343](https://github.com/microsoft/aspire/pull/18343))

---

_Full Changelog:
[v13.4.5...v13.4.6](https://github.com/microsoft/aspire/compare/v13.4.5...v13.4.6)_

_Full commit:
[87fe259e4fc244c599019a7b1304c85a1488f248](https://github.com/microsoft/aspire/commit/87fe259e4fc244c599019a7b1304c85a1488f248)_

> Generated by [Generate release notes for a new stable Aspire
release](https://github.com/microsoft/aspire/actions/runs/27855270514) ·
131 AIC · ⌖ 13.5 AIC · ⊞ 37.4K

<!-- gh-aw-agentic-workflow: Generate release notes for a new stable
Aspire release, engine: copilot, version: 1.0.60, model:
claude-sonnet-4.6, id: 27855270514, workflow_id: release-notes-generate,
run: https://github.com/microsoft/aspire/actions/runs/27855270514 -->

## 13.4.5

## What's New in Aspire 13.4.5

Patch release for Aspire 13.4 clearing a transitive MessagePack security
advisory, tightening CLI validation for Playwright configuration, and
adding coding-agent detection to CLI telemetry.

### 🐛 Fixes

- 🛡️ **Bumped StreamJsonRpc to 2.25.29 to clear the MessagePack
GHSA-hv8m-jj95-wg3x (CVE-2026-48109) NU1903 advisory** — The transitive
MessagePack 2.5.192 dependency pulled in via StreamJsonRpc 2.22.23 fell
within the advisory's vulnerable LZ4 decompression range. Aspire does
not use `MessagePackFormatter` or LZ4 — all StreamJsonRpc calls use
`SystemTextJsonFormatter` over local Unix sockets — so the vulnerability
was not reachable in practice. The bump clears the NU1903 warning for
consumers of the `Aspire.Hosting` package.
([#​18204](https://github.com/microsoft/aspire/pull/18204),
`@​mitchdenny`)
- 🎭 **`playwrightCliVersion` values that are not valid SemVer 2.0 now
fail fast with a clear diagnostic** — Previously an invalid override
(range expression, dist-tag like `latest`, or a `v`-prefixed string)
would surface as a generic npm resolution failure. The value is now
validated with strict SemVer parsing at startup; an error naming the
configuration key and the offending value is emitted immediately.
([#​18205](https://github.com/microsoft/aspire/pull/18205),
`@​mitchdenny`)
- 🤖 **CLI telemetry now detects and reports the calling coding agent** —
When the Aspire CLI is invoked from inside a known coding agent
environment (GitHub Copilot CLI, VS Code Copilot agent, etc.) the agent
name is included in the main CLI telemetry event. GitHub Copilot CLI is
specifically identified as `copilot-cli`.
([#​18240](https://github.com/microsoft/aspire/pull/18240),
`@​damianedwards`)

### 🏷️ Housekeeping

- 📄 Refreshed the `@​microsoft/aspire-cli` npm package README to be
TypeScript-only — updated examples to the current `ts-starter` template
(`apphost.mts` / `aspire.mjs`), added a backing-services snippet showing
`aspire add` for PostgreSQL and Redis, and documented `aspire dashboard
run` as a standalone dashboard option.
([#​18221](https://github.com/microsoft/aspire/pull/18221), `@​adamint`)

---

_Full Changelog:
[v13.4.4...v13.4.5](https://github.com/microsoft/aspire/compare/v13.4.4...v13.4.5)_

_Full commit:
[73114e86c64aeb9f3f3c7da8e37df1ae4281b27e](https://github.com/microsoft/aspire/commit/73114e86c64aeb9f3f3c7da8e37df1ae4281b27e)_

> Generated by [Generate release notes for a new stable Aspire
release](https://github.com/microsoft/aspire/actions/runs/27667814104/agentic_workflow)
· ● 4.4M

<!-- gh-aw-agentic-workflow: Generate release notes for a new stable
Aspire release, engine: copilot, version: 1.0.40, model:
claude-sonnet-4.6, id: 27667814104, workflow_id: release-notes-generate,
run: https://github.com/microsoft/aspire/actions/runs/27667814104 -->

## 13.4.4

## What's New in Aspire 13.4.4

Patch release for Aspire 13.4 with improved DCP connection reliability
during request execution and consistent `ExcludeFromMcp()` filtering
across all CLI MCP tools.

### 🐛 Fixes

* 🔌 **DCP requests could fail permanently when the connection dropped
mid-request** — If the underlying DCP channel closed while a request was
in flight, the error was surfaced directly instead of being retried.
Reconnection is now attempted as part of the DCP request retry path so
transient disconnections recover automatically without surfacing errors.
([#​18096](https://github.com/microsoft/aspire/pull/18096),
`@​karolz-ms`)
* 🔍 **Resources marked with `ExcludeFromMcp()` were not consistently
filtered from CLI MCP tools** — Resources with the
`resource.excludeFromMcp` property were not excluded uniformly from all
CLI MCP tool results. `list_resources`, `list_console_logs`,
`execute_resource_command`, `list_structured_logs`, `list_traces`, and
`list_trace_structured_logs` all now honor the exclusion, preventing
excluded resources and their telemetry from appearing in agent context.
([#​18150](https://github.com/microsoft/aspire/pull/18150), `@​JamesNK`)

### 🏷️ Housekeeping

* 📦 Improved npm CLI package metadata and hardened npm publish
validation in the release pipeline.
([#​18093](https://github.com/microsoft/aspire/pull/18093),
`@​adamratzman`)

* * *

_Full Changelog:
[v13.4.3...v13.4.4](https://github.com/microsoft/aspire/compare/v13.4.3...v13.4.4)_

_Full commit:
[ccc566c5ab3285c9beb8f38ede34734bb477c029](https://github.com/microsoft/aspire/commit/ccc566c5ab3285c9beb8f38ede34734bb477c029)_


## 13.4.3

## What's New in Aspire 13.4.3

Patch release for Aspire 13.4 with a fix for persistent container
endpoint allocation regressions introduced in 13.4.

### 🐛 Fixes

- 🔌 **Persistent container endpoints had incorrect default behavior** —
Persistent containers were defaulting to proxyless endpoint behavior
instead of the proxied behavior used by normal containers. This caused
integrations that depend on endpoint allocation before resource startup
(such as the KeyVault emulator) to fail. Persistent containers now
default to proxied endpoints matching normal container behavior; opt out
with `isProxied: false` or `WithEndpointProxySupport(false)`. Proxyless
container endpoints with only a `targetPort` specified now also resolve
immediately to that port instead of waiting for delayed allocation.
(#​17960, `@​danegsta`)

### 🏷️ Housekeeping

- 🛠️ Unblocked WinGet manifest publishing on locked-down 1ES agents and
updated manifest tags (#​17958)

---
*Full Changelog:
https://github.com/microsoft/aspire/compare/v13.4.2...v13.4.3*

*Full commit:
[4f218933552e18ff2874d1b6d5dc3fe671e3b6d9](https://github.com/microsoft/aspire/commit/4f218933552e18ff2874d1b6d5dc3fe671e3b6d9)*

> Generated by [Generate release notes for a new stable Aspire
release](https://github.com/microsoft/aspire/actions/runs/27173824611/agentic_workflow)
· ● 4.7M

<!-- gh-aw-agentic-workflow: Generate release notes for a new stable
Aspire release, engine: copilot, version: 1.0.40, model:
claude-sonnet-4.6, id: 27173824611, workflow_id: release-notes-generate,
run: https://github.com/microsoft/aspire/actions/runs/27173824611 -->

Commits viewable in [compare
view](https://github.com/microsoft/aspire/compare/v13.4.2...v13.4.6).
</details>

Updated
[Auth0.AspNetCore.Authentication](https://github.com/auth0/auth0-aspnetcore-authentication)
from 1.7.0 to 1.8.0.

<details>
<summary>Release notes</summary>

_Sourced from [Auth0.AspNetCore.Authentication's
releases](https://github.com/auth0/auth0-aspnetcore-authentication/releases)._

## 1.8.0

**Added**

- **Multi-Resource Refresh Token (MRRT) support**
[\#​249](https://github.com/auth0/auth0-aspnetcore-authentication/pull/249),
[\#​251](https://github.com/auth0/auth0-aspnetcore-authentication/pull/251)
([kailash-b](https://github.com/kailash-b)) - applications can now
obtain access tokens for additional audiences and scopes on demand by
exchanging the session's refresh token, without forcing the user through
another interactive login.
- New `HttpContext.GetAccessTokenAsync(AccessTokenRequest)` extension
returns an access token for a requested audience and/or scope, served
from the session cache when possible and otherwise via a refresh-token
exchange.
- Configure default scopes per audience with
`Auth0WebAppWithAccessTokenOptions.ScopeByAudience`.
- The new `OnAccessTokenRefreshFailed` event surfaces refresh failures,
letting callers distinguish terminal failures (warranting re-login) from
transient ones.
- **MFA challenge handling** - when a refresh requires MFA, a new
`MfaRequiredException` surfaces the challenge, and
`IAuthenticationApiClient` (registered via
`WithAuthenticationApiClient()`) lets the application complete OTP, OOB,
or recovery-code grants and manage authenticators.
- **Configurable access-token expiration leeway**
[\#​247](https://github.com/auth0/auth0-aspnetcore-authentication/pull/247)
([kailash-b](https://github.com/kailash-b)) - new
`Auth0WebAppWithAccessTokenOptions.AccessTokenExpirationLeeway`
(`TimeSpan`, default 60s) controls how far ahead of expiry the SDK
proactively refreshes the access token. Previously hard-coded to 60
seconds; the default preserves prior behavior. Applies to both primary
and additional (MRRT) cached tokens, and only takes effect when
`UseRefreshTokens` is enabled.
- **Configurable server-side session store**
[\#​246](https://github.com/auth0/auth0-aspnetcore-authentication/pull/246)
([kailash-b](https://github.com/kailash-b)) - new `WithSessionStore`
method on `Auth0WebAppAuthenticationBuilder` stores the authentication
session server-side (via `ITicketStore`) instead of in the cookie. It
attaches the store to the SDK's own resolved cookie scheme, so it works
even with a custom `CookieAuthenticationScheme`. Two overloads are
provided: `WithSessionStore<TStore>()` (resolved from DI) and
`WithSessionStore(ITicketStore instance)`. Opt-in and additive; the
default stateless cookie session is unchanged.

**Fixed**

- **Remove duplicate trailing slash from `client_assertion` audience**
[\#​236](https://github.com/auth0/auth0-aspnetcore-authentication/pull/236)
([samjetski](https://github.com/samjetski)) - fixes a regression
introduced in 1.7.0 (#​206) where the Private Key JWT client assertion
`aud` claim was built as `https://{tenant}//` (double slash), causing
Auth0's `/oauth/token` endpoint to reject the assertion with `401
invalid_client` and leaving affected apps (any using
`ClientAssertionSecurityKey`) in a callback loop.
- **Wire `OnValidatePrincipal` to the configured cookie scheme**
[\#​248](https://github.com/auth0/auth0-aspnetcore-authentication/pull/248)
([kailash-b](https://github.com/kailash-b)) - fixes a scheme mismatch
where the access-token refresh hook was registered against the default
`"Cookies"` scheme rather than the configured
`CookieAuthenticationScheme`.

**Security**

- **Bump dependencies**
[\#​250](https://github.com/auth0/auth0-aspnetcore-authentication/pull/250)
([kailash-b](https://github.com/kailash-b)) - consolidates several
Dependabot bumps (supersedes #​240, #​242, #​243, #​244):
`Microsoft.IdentityModel.Protocols.OpenIdConnect` 8.18.0 → 8.19.1,
`Microsoft.AspNetCore.Mvc.Testing` 10.0.8 → 10.0.9,
`Microsoft.AspNetCore.Mvc.ViewFeatures` 2.3.10 → 2.3.11,
`System.Text.Encodings.Web` 10.0.8 → 10.0.9.
- **Pin GitHub Actions to commit SHAs**
[\#​241](https://github.com/auth0/auth0-aspnetcore-authentication/pull/241)
([jcchavezs](https://github.com/jcchavezs)) - pins all third-party
actions in the workflow files to commit SHAs for improved supply-chain
security and reproducibility.

## 1.7.1


**Security**
- chore: Upgrade dependencies
[\#​237](https://github.com/auth0/auth0-aspnetcore-authentication/pull/237)
([kailash-b](https://github.com/kailash-b))
- chore(deps): Bump System.Text.Encodings.Web from 10.0.6 to 10.0.7
[\#​228](https://github.com/auth0/auth0-aspnetcore-authentication/pull/228)
([dependabot[bot]](https://github.com/apps/dependabot))
- chore(deps): Bump Microsoft.AspNetCore.Mvc.Testing from 10.0.6 to
10.0.7
[\#​227](https://github.com/auth0/auth0-aspnetcore-authentication/pull/227)
([dependabot[bot]](https://github.com/apps/dependabot))
- chore(deps): Bump Microsoft.NET.Test.Sdk from 18.4.0 to 18.5.1
[\#​229](https://github.com/auth0/auth0-aspnetcore-authentication/pull/229)
([dependabot[bot]](https://github.com/apps/dependabot))
- chore(deps): Bump Microsoft.IdentityModel.Protocols.OpenIdConnect from
8.17.0 to 8.18.0
[\#​230](https://github.com/auth0/auth0-aspnetcore-authentication/pull/230)
([dependabot[bot]](https://github.com/apps/dependabot))
- chore(deps): Bump System.Text.Encodings.Web from 10.0.5 to 10.0.6
[\#​225](https://github.com/auth0/auth0-aspnetcore-authentication/pull/225)
([dependabot[bot]](https://github.com/apps/dependabot))
- chore(deps): Bump Microsoft.AspNetCore.Mvc.Testing from 10.0.5 to
10.0.6
[\#​224](https://github.com/auth0/auth0-aspnetcore-authentication/pull/224)
([dependabot[bot]](https://github.com/apps/dependabot))
- chore(deps): Bump Microsoft.NET.Test.Sdk from 18.3.0 to 18.4.0
[\#​222](https://github.com/auth0/auth0-aspnetcore-authentication/pull/222)
([dependabot[bot]](https://github.com/apps/dependabot))
- chore(deps): Bump Microsoft.IdentityModel.Protocols.OpenIdConnect from
8.16.0 to 8.17.0
[\#​221](https://github.com/auth0/auth0-aspnetcore-authentication/pull/221)
([dependabot[bot]](https://github.com/apps/dependabot))


Commits viewable in [compare
view](https://github.com/auth0/auth0-aspnetcore-authentication/compare/1.7.0...1.8.0).
</details>

Updated [Auth0.ManagementApi](https://github.com/auth0/auth0.net) from
8.4.0 to 8.6.0.

<details>
<summary>Release notes</summary>

_Sourced from [Auth0.ManagementApi's
releases](https://github.com/auth0/auth0.net/releases)._

## 8.6.0

**Breaking Changes**
- User date fields: `CreatedAt`, `UpdatedAt`, `MultifactorLastModified`,
`LastLogin`, and `LastPasswordReset` on the user response types
(`GetUserResponseContent`, `CreateUserResponseContent`,
`UpdateUserResponseContent`, `UserResponseSchema`) are now plain
`DateTime?` instead of the `UserDateSchema` union. The `UserDateSchema`
type and its `UserDateSchemaExtensions` (`ToDateTime`) helpers have been
removed — callers can drop `.ToDateTime()` and use the value directly
[\#​1037](https://github.com/auth0/auth0.net/pull/1037)
([fern-api[bot]](https://github.com/apps/fern-api))
- User identity IDs: The `UserId` property on `UserIdentitySchema` and
`DeleteUserIdentityResponseContentItem` is now the `UserId` union type
instead of `string`, allowing string or numeric user identifiers
[\#​1037](https://github.com/auth0/auth0.net/pull/1037)
([fern-api[bot]](https://github.com/apps/fern-api))
- Native Social Login: `NativeSocialLogin` on
`UpdateClientRequestContent` is now `Optional<NativeSocialLoginPatch?>`
(with new `NativeSocialLoginPatch`, `NativeSocialLoginApplePatch`,
`NativeSocialLoginFacebookPatch`, and `NativeSocialLoginGooglePatch`
types) to support partial PATCH semantics
[\#​1037](https://github.com/auth0/auth0.net/pull/1037)
([fern-api[bot]](https://github.com/apps/fern-api))
- FedCM Login: `FedcmLogin` on `UpdateClientRequestContent` is now
`Optional<FedCmLoginPatch?>` (with new `FedCmLoginPatch` and
`FedCmLoginGooglePatch` types) to support partial PATCH semantics
[\#​1037](https://github.com/auth0/auth0.net/pull/1037)
([fern-api[bot]](https://github.com/apps/fern-api))

**Added**
- Phone Provider Protection: Added
`AttackProtection.PhoneProviderProtection` sub-client with `GetAsync()`
and `PatchAsync()` to read and update the tenant's phone provider
protection configuration, plus
`PatchPhoneProviderProtectionRequestContent`,
`GetPhoneProviderProtectionResponseContent`,
`PatchPhoneProviderProtectionResponseContent`, and the
`PhoneProviderProtectionBackoffStrategyEnum` (`exponential`/`none`) type
[\#​1037](https://github.com/auth0/auth0.net/pull/1037)
([fern-api[bot]](https://github.com/apps/fern-api))
- Cross-App Access: Added `CrossAppAccessRequestingApp` type (with
`Active`) and a `CrossAppAccessRequestingApp` property to the OIDC and
Okta connection request/response types
(`CreateConnectionRequestContentOidc`,
`CreateConnectionRequestContentOkta`,
`UpdateConnectionRequestContentOidc`,
`UpdateConnectionRequestContentOkta`, `ConnectionResponseContentOidc`,
`ConnectionResponseContentOkta`, `ConnectionForList`, and the connection
response types) [\#​1037](https://github.com/auth0/auth0.net/pull/1037)
([fern-api[bot]](https://github.com/apps/fern-api))
- Token Vault Privileged Access: Added `TokenVaultPrivilegedAccess`
property to client types —
`ClientTokenVaultPrivilegedAccessWithPublicKey` (with `Credentials` and
`IpAllowlist`) on `CreateClientRequestContent`, and
`ClientTokenVaultPrivilegedAccessWithCredentialId` on
`UpdateClientRequestContent`, `Client`, and the client response types
[\#​1037](https://github.com/auth0/auth0.net/pull/1037)
([fern-api[bot]](https://github.com/apps/fern-api))
- Email Templates: Added `auth_email_by_code` (`AuthEmailByCode`) value
to `EmailTemplateNameEnum`
[\#​1037](https://github.com/auth0/auth0.net/pull/1037)
([fern-api[bot]](https://github.com/apps/fern-api))

## 8.5.0

**Added**
- Tenant Security Headers: Added `SecurityHeaders`
(`TenantSettingsNullableSecurityHeaders`) property to
`UpdateTenantSettingsRequestContent`,
`GetTenantSettingsResponseContent`, and
`UpdateTenantSettingsResponseContent` for configuring Content Security
Policy and XSS protection at the tenant level
[\#​1030](https://github.com/auth0/auth0.net/pull/1030)
([fern-api[bot]](https://github.com/apps/fern-api))
- Content Security Policy: Added `ContentSecurityPolicyConfig`,
`CspPolicy`, `CspPolicyMode` (`enforcing`/`reporting`), `CspFlag`
(`upgrade-insecure-requests`/`block-all-mixed-content`),
`CspPolicyReporting`, `CspReportingInfrastructure`, `CspReportTo`, and
`CspReportToEndpoint` types to model CSP directives, flags, and
reporting endpoints
[\#​1030](https://github.com/auth0/auth0.net/pull/1030)
([fern-api[bot]](https://github.com/apps/fern-api))
- XSS Protection: Added `XssProtectionConfig` and `XssProtectionMode`
(`block`) types to configure the `X-XSS-Protection` response header
[\#​1030](https://github.com/auth0/auth0.net/pull/1030)
([fern-api[bot]](https://github.com/apps/fern-api))
- Tenant Settings: Added minute-granularity session lifetime fields
`SessionLifetimeInMinutes`, `IdleSessionLifetimeInMinutes`,
`EphemeralSessionLifetimeInMinutes`, and
`IdleEphemeralSessionLifetimeInMinutes` on
`UpdateTenantSettingsRequestContent` (each mutually exclusive with its
hours-based counterpart)
[\#​1030](https://github.com/auth0/auth0.net/pull/1030)
([fern-api[bot]](https://github.com/apps/fern-api))
- Tenant Settings: Added `IncludeSessionMetadataInTenantLogs` (`bool?`)
on tenant settings request/response types to include session metadata in
`slo` and OIDC back-channel logout tenant logs
[\#​1030](https://github.com/auth0/auth0.net/pull/1030)
([fern-api[bot]](https://github.com/apps/fern-api))
- Connections: Added `IdTokenSessionExpirySupported` (`bool?`) property
to `ConnectionOptionsCommonOidc`, `ConnectionOptionsOidc`,
`ConnectionOptionsOkta`, `ConnectionPropertiesOptions`, and
`UpdateConnectionOptions`
[\#​1030](https://github.com/auth0/auth0.net/pull/1030)
([fern-api[bot]](https://github.com/apps/fern-api))
- Client My Organization: Added `InvitationLandingClientId` property to
`ClientMyOrganizationPostConfiguration`,
`ClientMyOrganizationPatchConfiguration`, and
`ClientMyOrganizationResponseConfiguration`
[\#​1030](https://github.com/auth0/auth0.net/pull/1030)
([fern-api[bot]](https://github.com/apps/fern-api))
- Enums: Added `Experiment` value to `AculContextEnum`, and
`Confirmation` value to `PromptGroupNameEnum` and `ScreenGroupNameEnum`
[\#​1030](https://github.com/auth0/auth0.net/pull/1030)
([fern-api[bot]](https://github.com/apps/fern-api))

**Removed**
- Branding Identifiers: Removed the `Identifiers` property (and the
`BrandingIdentifiers` / `UpdateBrandingIdentifiers` types) from
`UpdateBrandingRequestContent`, `GetBrandingResponseContent`, and
`UpdateBrandingResponseContent`. **Breaking change**
[\#​1030](https://github.com/auth0/auth0.net/pull/1030)
([fern-api[bot]](https://github.com/apps/fern-api))
- Branding Phone Enums: Removed the `BrandingPhoneMaskingEnum`,
`UpdateBrandingPhoneMaskingEnum`, and
`UpdateBrandingPhoneFormattingEnum` types. **Breaking change**
[\#​1030](https://github.com/auth0/auth0.net/pull/1030)
([fern-api[bot]](https://github.com/apps/fern-api))

**Changed**
- Phone Templates: The `Id` property on `PhoneTemplate`,
`GetPhoneTemplateResponseContent`, `CreatePhoneTemplateResponseContent`,
`UpdatePhoneTemplateResponseContent`, and
`ResetPhoneTemplateResponseContent` is now optional/nullable (`string?`)
instead of `required`. **Breaking change**
[\#​1030](https://github.com/auth0/auth0.net/pull/1030)
([fern-api[bot]](https://github.com/apps/fern-api))
- Refresh Tokens: Clarified `RevokeRefreshTokensRequestContent.ClientId`
semantics — it must be paired with `UserId` and can be narrowed further
with `Audience`, rather than revoking all of a client's tokens
[\#​1030](https://github.com/auth0/auth0.net/pull/1030)
([fern-api[bot]](https://github.com/apps/fern-api))


Commits viewable in [compare
view](https://github.com/auth0/auth0.net/compare/mgmt-8.4.0...mgmt-8.6.0).
</details>

Updated [gitversion.tool](https://github.com/GitTools/GitVersion) from
6.7.0 to 6.8.1.

<details>
<summary>Release notes</summary>

_Sourced from [gitversion.tool's
releases](https://github.com/GitTools/GitVersion/releases)._

## 6.8.1

As part of this release we had [18
commits](https://github.com/GitTools/GitVersion/compare/6.8.0...6.8.1)
which resulted in [9
issues](https://github.com/GitTools/GitVersion/milestone/87?closed=1)
being closed.

__Bug__

- [__!5005__](https://github.com/GitTools/GitVersion/pull/5005) ci: fix
homebrew publish — drop --fork-org (gittools-bot is a user) by
[arturcic](https://github.com/arturcic)

__Dependencies__

- [__!5006__](https://github.com/GitTools/GitVersion/pull/5006)
build(deps): bump devcontainers/dotnet from `da953a3` to `be5bd89` in
/.devcontainer by [dependabot[bot]](https://github.com/apps/dependabot)
- [__!5015__](https://github.com/GitTools/GitVersion/pull/5015)
chore(deps): consolidate Dependabot config and enable devcontainer
feature updates by [arturcic](https://github.com/arturcic)
- [__!5016__](https://github.com/GitTools/GitVersion/pull/5016) (build
deps): bump the codeql group across 1 directory with 3 updates by
[dependabot[bot]](https://github.com/apps/dependabot)
- [__!5020__](https://github.com/GitTools/GitVersion/pull/5020) (deps):
Bump the microsoft group with 3 updates by
[dependabot[bot]](https://github.com/apps/dependabot)

__Improvements__

- [__!5004__](https://github.com/GitTools/GitVersion/pull/5004) ci:
replace homebrew bump action with brew bump-formula-pr by
[arturcic](https://github.com/arturcic)
- [__#​5007__](https://github.com/GitTools/GitVersion/issues/5007)
[ISSUE]: GitLab CI: Merge Request pipelines use source branch instead of
CI_MERGE_REQUEST_REF_PATH by
[JDanRibeiro](https://github.com/JDanRibeiro) resolved in
[__!5008__](https://github.com/GitTools/GitVersion/pull/5008) by
[JDanRibeiro](https://github.com/JDanRibeiro)
- [__#​5009__](https://github.com/GitTools/GitVersion/issues/5009)
[ISSUE]: Using environment variable with label can produce Semver
incompatible labels by
[robertcoltheart](https://github.com/robertcoltheart) resolved in
[__!5010__](https://github.com/GitTools/GitVersion/pull/5010) by
[robertcoltheart](https://github.com/robertcoltheart)

__Contributors__

4 contributors made this release possible.

<a href="/arturcic"><img
src="https://avatars.githubusercontent.com/u/1760506?v=4" alt="arturcic"
height="32" width="32"/></a> <a
href="/apps/dependabot"><img
src="https://avatars.githubusercontent.com/in/29110?v=4"
alt="dependabot[bot]" height="32" width="32"/></a> <a
href="/JDanRibeiro"><img
src="https://avatars.githubusercontent.com/u/86156563?v=4"
alt="JDanRibeiro" height="32" width="32"/></a> <a
href="/robertcoltheart"><img
src="https://avatars.githubusercontent.com/u/13191652?v=4"
alt="robertcoltheart" height="32" width="32"/></a>


## 6.8.0

As part of this release we had [248
commits](https://github.com/GitTools/GitVersion/compare/6.7.0...6.8.0)
which resulted in [86
issues](https://github.com/GitTools/GitVersion/milestone/86?closed=1)
being closed.

__Bug__

- [__#​4976__](https://github.com/GitTools/GitVersion/issues/4976)
[ISSUE]: {BranchName} format strings for label not working by
[moppa](https://github.com/moppa) resolved in
[__!4977__](https://github.com/GitTools/GitVersion/pull/4977) by
[robertcoltheart](https://github.com/robertcoltheart)

__Dependencies__

- [__!4893__](https://github.com/GitTools/GitVersion/pull/4893) (build
deps): Bump mislav/bump-homebrew-formula-action from 3 to 4 in
/.github/workflows by
[dependabot[bot]](https://github.com/apps/dependabot)
- [__!4894__](https://github.com/GitTools/GitVersion/pull/4894) (deps):
Bump coverlet.MTP from 8.0.0 to 8.0.1 by
[dependabot[bot]](https://github.com/apps/dependabot)
- [__!4896__](https://github.com/GitTools/GitVersion/pull/4896) (deps):
Bump Scriban from 7.0.0 to 7.0.3 by
[dependabot[bot]](https://github.com/apps/dependabot)
- [__!4897__](https://github.com/GitTools/GitVersion/pull/4897) (docs
deps): Bump picomatch from 2.3.1 to 2.3.2 by
[dependabot[bot]](https://github.com/apps/dependabot)
- [__!4900__](https://github.com/GitTools/GitVersion/pull/4900) (deps):
Bump Scriban from 7.0.3 to 7.0.5 by
[dependabot[bot]](https://github.com/apps/dependabot)
- [__!4902__](https://github.com/GitTools/GitVersion/pull/4902) (build
deps): Bump codecov/codecov-action from 5 to 6 in /.github/workflows by
[dependabot[bot]](https://github.com/apps/dependabot)
- [__!4903__](https://github.com/GitTools/GitVersion/pull/4903) (deps):
Bump Scriban from 7.0.5 to 7.0.6 by
[dependabot[bot]](https://github.com/apps/dependabot)
- [__!4908__](https://github.com/GitTools/GitVersion/pull/4908) (deps):
Bump JsonSchema.Net.Generation from 7.1.3 to 7.2.0 by
[dependabot[bot]](https://github.com/apps/dependabot)
- [__!4909__](https://github.com/GitTools/GitVersion/pull/4909) (deps):
Bump the microsoft group with 1 update by
[dependabot[bot]](https://github.com/apps/dependabot)
- [__!4911__](https://github.com/GitTools/GitVersion/pull/4911) (build
deps): Bump gittools/cicd from 1 to 2 in /.github/workflows by
[dependabot[bot]](https://github.com/apps/dependabot)
- [__!4913__](https://github.com/GitTools/GitVersion/pull/4913) (deps):
Bump Scriban from 7.0.6 to 7.1.0 by
[dependabot[bot]](https://github.com/apps/dependabot)
- [__!4914__](https://github.com/GitTools/GitVersion/pull/4914) (deps):
Bump System.IO.Abstractions from 22.1.0 to 22.1.1 by
[dependabot[bot]](https://github.com/apps/dependabot)
- [__!4915__](https://github.com/GitTools/GitVersion/pull/4915) (deps):
Bump JsonSchema.Net.Generation from 7.2.0 to 7.3.0 by
[dependabot[bot]](https://github.com/apps/dependabot)
- [__!4916__](https://github.com/GitTools/GitVersion/pull/4916) (deps):
Bump JsonSchema.Net.Generation from 7.2.0 to 7.3.4 by
[dependabot[bot]](https://github.com/apps/dependabot)
- [__!4917__](https://github.com/GitTools/GitVersion/pull/4917) (deps):
Bump JsonSchema.Net.Generation from 7.2.0 to 7.3.6 by
[dependabot[bot]](https://github.com/apps/dependabot)
- [__!4919__](https://github.com/GitTools/GitVersion/pull/4919) (sdk):
Bump dotnet-sdk from 10.0.201 to 10.0.202 by
[dependabot[bot]](https://github.com/apps/dependabot)
- [__!4920__](https://github.com/GitTools/GitVersion/pull/4920) (deps):
Bump the microsoft group with 11 updates by
[dependabot[bot]](https://github.com/apps/dependabot)
- [__!4921__](https://github.com/GitTools/GitVersion/pull/4921) (deps):
Bump NUnit3TestAdapter from 6.1.0 to 6.2.0 by
[arturcic](https://github.com/arturcic)
- [__!4922__](https://github.com/GitTools/GitVersion/pull/4922) (sdk):
Bump dotnet-sdk from 10.0.202 to 10.0.203 by
[dependabot[bot]](https://github.com/apps/dependabot)
- [__!4923__](https://github.com/GitTools/GitVersion/pull/4923) (deps):
Bump coverlet.MTP from 8.0.1 to 10.0.0 by
[arturcic](https://github.com/arturcic)
- [__!4924__](https://github.com/GitTools/GitVersion/pull/4924) (deps):
Bump the microsoft group with 12 updates by
[dependabot[bot]](https://github.com/apps/dependabot)
- [__!4925__](https://github.com/GitTools/GitVersion/pull/4925) (deps):
Bump SharpYaml from 3.4.0 to 3.7.0 by
[arturcic](https://github.com/arturcic)
- [__!4926__](https://github.com/GitTools/GitVersion/pull/4926) (deps):
Bump the microsoft group with 1 update by
[dependabot[bot]](https://github.com/apps/dependabot)
- [__!4928__](https://github.com/GitTools/GitVersion/pull/4928) (deps):
Bump the analyzers group with 1 update by
[dependabot[bot]](https://github.com/apps/dependabot)
- [__!4929__](https://github.com/GitTools/GitVersion/pull/4929) (deps):
Bump NUnit from 4.5.1 to 4.6.0 by
[dependabot[bot]](https://github.com/apps/dependabot)
- [__!4930__](https://github.com/GitTools/GitVersion/pull/4930) (build
deps): Bump test-summary/action from 2.4 to 2.6 in /.github/workflows by
[dependabot[bot]](https://github.com/apps/dependabot)
- [__!4931__](https://github.com/GitTools/GitVersion/pull/4931) (deps):
Bump Cake.Incubator from 10.0.0 to 11.0.0 by
[dependabot[bot]](https://github.com/apps/dependabot)
- [__!4934__](https://github.com/GitTools/GitVersion/pull/4934) (build
deps): Bump gittools/cicd from 2 to 5 in /.github/workflows by
[dependabot[bot]](https://github.com/apps/dependabot)
- [__!4935__](https://github.com/GitTools/GitVersion/pull/4935) (deps):
Bump the microsoft group with 8 updates by
[dependabot[bot]](https://github.com/apps/dependabot)
- [__!4936__](https://github.com/GitTools/GitVersion/pull/4936) (sdk):
Bump dotnet-sdk from 10.0.203 to 10.0.300 by
[dependabot[bot]](https://github.com/apps/dependabot)
- [__!4937__](https://github.com/GitTools/GitVersion/pull/4937) (deps):
Bump the microsoft group with 4 updates by
[dependabot[bot]](https://github.com/apps/dependabot)
- [__!4938__](https://github.com/GitTools/GitVersion/pull/4938) (deps):
Bump Scriban from 7.1.0 to 7.2.0 by
[dependabot[bot]](https://github.com/apps/dependabot)
- [__!4939__](https://github.com/GitTools/GitVersion/pull/4939) (deps):
Bump NUnit from 4.5.1 to 4.6.0 by
[dependabot[bot]](https://github.com/apps/dependabot)
- [__!4941__](https://github.com/GitTools/GitVersion/pull/4941) (deps):
Bump SharpYaml from 3.7.0 to 3.7.1 by
[dependabot[bot]](https://github.com/apps/dependabot)
- [__!4942__](https://github.com/GitTools/GitVersion/pull/4942) (deps):
Bump JsonSchema.Net.Generation from 7.3.6 to 7.3.7 by
[dependabot[bot]](https://github.com/apps/dependabot)
- [__!4943__](https://github.com/GitTools/GitVersion/pull/4943) (deps):
Bump coverlet.MTP from 10.0.0 to 10.0.1 by
[dependabot[bot]](https://github.com/apps/dependabot)
- [__!4945__](https://github.com/GitTools/GitVersion/pull/4945) (deps):
Bump NUnit from 4.6.0 to 4.6.1 by
[dependabot[bot]](https://github.com/apps/dependabot)
- [__!4946__](https://github.com/GitTools/GitVersion/pull/4946) (deps):
Bump NUnit from 4.6.0 to 4.6.1 by
[dependabot[bot]](https://github.com/apps/dependabot)
- [__!4948__](https://github.com/GitTools/GitVersion/pull/4948) (deps):
Bump the microsoft group with 1 update by
[dependabot[bot]](https://github.com/apps/dependabot)
- [__!4949__](https://github.com/GitTools/GitVersion/pull/4949) (deps):
Bump Cake.Frosting from 6.1.0 to 6.2.0 by
[dependabot[bot]](https://github.com/apps/dependabot)
- [__!4950__](https://github.com/GitTools/GitVersion/pull/4950) (deps):
Bump JsonSchema.Net.Generation from 7.3.7 to 7.3.8 by
[dependabot[bot]](https://github.com/apps/dependabot)
- [__!4951__](https://github.com/GitTools/GitVersion/pull/4951) (deps):
Bump Scriban from 7.2.0 to 7.2.1 by
[dependabot[bot]](https://github.com/apps/dependabot)
 ... (truncated)

Commits viewable in [compare
view](https://github.com/GitTools/GitVersion/compare/6.7.0...6.8.1).
</details>

Updated [MediatR](https://github.com/LuckyPennySoftware/MediatR) from
14.1.0 to 14.2.0.

<details>
<summary>Release notes</summary>

_Sourced from [MediatR's
releases](https://github.com/LuckyPennySoftware/MediatR/releases)._

## 14.2.0

## What's Changed
* Fix license validation deadlock when called from sync context by
@​jbogard in https://github.com/LuckyPennySoftware/MediatR/pull/1165
* Reporting test results by @​jbogard in
https://github.com/LuckyPennySoftware/MediatR/pull/1166
* Attach NuGet packages and SBOM to GitHub Release by @​jbogard in
https://github.com/LuckyPennySoftware/MediatR/pull/1169
* Treat blank license key as unconfigured (#​1170) by @​jbogard in
https://github.com/LuckyPennySoftware/MediatR/pull/1171
* ci: publish fork-PR test reports via workflow_run by @​jbogard in
https://github.com/LuckyPennySoftware/MediatR/pull/1173
* Run license validation off the Mediator construction path by @​jbogard
in https://github.com/LuckyPennySoftware/MediatR/pull/1174
* Support license key via environment variable fallback by @​jbogard in
https://github.com/LuckyPennySoftware/MediatR/pull/1175


**Full Changelog**:
https://github.com/LuckyPennySoftware/MediatR/compare/v14.1.0...v14.2.0

Commits viewable in [compare
view](https://github.com/LuckyPennySoftware/MediatR/compare/v14.1.0...v14.2.0).
</details>

Updated
[Microsoft.AspNetCore.Mvc.Testing](https://github.com/dotnet/dotnet)
from 10.0.8 to 10.0.9.

<details>
<summary>Release notes</summary>

_Sourced from [Microsoft.AspNetCore.Mvc.Testing's
releases](https://github.com/dotnet/dotnet/releases)._

No release notes found for this version range.

Commits viewable in [compare
view](https://github.com/dotnet/dotnet/commits).
</details>

Updated [Microsoft.AspNetCore.OpenApi](https://github.com/dotnet/dotnet)
from 10.0.8 to 10.0.9.

<details>
<summary>Release notes</summary>

_Sourced from [Microsoft.AspNetCore.OpenApi's
releases](https://github.com/dotnet/dotnet/releases)._

No release notes found for this version range.

Commits viewable in [compare
view](https://github.com/dotnet/dotnet/commits).
</details>

Updated
[Microsoft.AspNetCore.SignalR.Client](https://github.com/dotnet/dotnet)
from 10.0.8 to 10.0.9.

<details>
<summary>Release notes</summary>

_Sourced from [Microsoft.AspNetCore.SignalR.Client's
releases](https://github.com/dotnet/dotnet/releases)._

No release notes found for this version range.

Commits viewable in [compare
view](https://github.com/dotnet/dotnet/commits).
</details>

Updated
[Microsoft.Extensions.Caching.StackExchangeRedis](https://github.com/dotnet/dotnet)
from 10.0.8 to 10.0.9.

<details>
<summary>Release notes</summary>

_Sourced from [Microsoft.Extensions.Caching.StackExchangeRedis's
releases](https://github.com/dotnet/dotnet/releases)._

No release notes found for this version range.

Commits viewable in [compare
view](https://github.com/dotnet/dotnet/commits).
</details>

Updated
[Microsoft.Extensions.Configuration](https://github.com/dotnet/dotnet)
from 10.0.8 to 10.0.9.

<details>
<summary>Release notes</summary>

_Sourced from [Microsoft.Extensions.Configuration's
releases](https://github.com/dotnet/dotnet/releases)._

No release notes found for this version range.

Commits viewable in [compare
view](https://github.com/dotnet/dotnet/commits).
</details>

Updated
[Microsoft.Extensions.Configuration.Abstractions](https://github.com/dotnet/dotnet)
from 10.0.8 to 10.0.9.

<details>
<summary>Release notes</summary>

_Sourced from [Microsoft.Extensions.Configuration.Abstractions's
releases](https://github.com/dotnet/dotnet/releases)._

No release notes found for this version range.

Commits viewable in [compare
view](https://github.com/dotnet/dotnet/commits).
</details>

Updated
[Microsoft.Extensions.Configuration.Binder](https://github.com/dotnet/dotnet)
from 10.0.8 to 10.0.9.

<details>
<summary>Release notes</summary>

_Sourced from [Microsoft.Extensions.Configuration.Binder…
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants