[release/13.4] Validate playwrightCliVersion shape with strict SemVer#18205
Conversation
The playwrightCliVersion configuration value is forwarded to npm as the package version specifier. Previously any non-empty string would be passed through, so a typo or unsupported shape (a range, an npm dist-tag like 'latest', a v-prefixed version, etc.) would surface as a generic 'failed to resolve' error from npm. Validate the override with SemVersion.TryParse using SemVersionStyles.Strict and fail fast with a clear message that names the configuration key and the offending value when it is not a valid SemVer 2.0 version. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
|
🚀 Dogfood this PR with:
curl -fsSL https://raw.githubusercontent.com/microsoft/aspire/main/eng/scripts/get-aspire-cli-pr.sh | bash -s -- 18205Or
iex "& { $(irm https://raw.githubusercontent.com/microsoft/aspire/main/eng/scripts/get-aspire-cli-pr.ps1) } 18205" |
There was a problem hiding this comment.
Pull request overview
This PR adds strict SemVer 2.0 validation for the playwrightCliVersion configuration override in the Playwright CLI installer. Previously, any string (including npm ranges like >=0.2.0, dist-tags like latest, or malformed values) could be passed through to npm. Now, the installer validates the override is a well-formed MAJOR.MINOR.PATCH version before forwarding it, returning a clear error message on failure.
Changes:
- Adds
SemVersion.TryParsevalidation withSemVersionStyles.Strictbefore accepting a version override, with an early-return failure path and descriptive error message. - Adds a localized resource string (
PlaywrightCliInstaller_InvalidVersionOverride) across the.resxand all 11.xlffiles. - Adds a
[Theory]test with 5 invalid version variants verifying the installer returnsFailedstatus without calling npm.
Show a summary per file
| File | Description |
|---|---|
| src/Aspire.Cli/Agents/Playwright/PlaywrightCliInstaller.cs | Adds strict SemVer validation guard before using the version override |
| tests/Aspire.Cli.Tests/Agents/PlaywrightCliInstallerTests.cs | Adds parameterized test covering invalid version override values |
| src/Aspire.Cli/Resources/AgentCommandStrings.resx | Adds new resource string for invalid version error |
| src/Aspire.Cli/Resources/AgentCommandStrings.Designer.cs | Auto-generated property for the new resource string |
| src/Aspire.Cli/Resources/xlf/AgentCommandStrings.*.xlf (11 files) | Localization entries for the new error message |
Copilot's findings
Files not reviewed (1)
- src/Aspire.Cli/Resources/AgentCommandStrings.Designer.cs: Generated file
- Files reviewed: 16/17 changed files
- Comments generated: 0
|
❓ CLI E2E Tests unknown — 112 passed, 0 failed, 2 unknown (commit View all recordings
📹 Recordings uploaded automatically from CI run #27521770478 |
Document the playwrightCliVersion configuration setting and its strict SemVer 2.0 requirement, introduced in microsoft/aspire#18205. The Playwright CLI installer now validates that playwrightCliVersion contains a MAJOR.MINOR.PATCH version string before forwarding it to npm. Dist-tags (latest), ranges (>=1.0.0), and v-prefixed forms (v1.52.0) are all rejected with a descriptive error message. Add a 'Pin the Playwright CLI version' section to aspire-skills.mdx covering the configuration key, valid format, and the new error message users may see if their config value does not pass validation. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
|
Pull request created: #1265
|
|
📝 Documentation has been drafted in microsoft/aspire.dev#1265 targeting Added a new "Pin the Playwright CLI version" section to Note This draft PR needs human review before merging. |
Updated [Aspire.Hosting.MongoDB](https://github.com/microsoft/aspire) from 13.3.5 to 13.4.6. <details> <summary>Release notes</summary> _Sourced from [Aspire.Hosting.MongoDB's releases](https://github.com/microsoft/aspire/releases)._ ## 13.4.6 ## What's New in Aspire 13.4.6 Patch release for Aspire 13.4 fixing polyglot AppHost code generation binding when CLI and SDK versions diverge, resource service port collision in `--isolated` mode, and a MongoDB.Driver dependency update. ### 🐛 Fixes - 🔗 **Polyglot AppHost code generation silently failed when CLI and SDK versions diverged** — `Aspire.TypeSystem` used a floating strong-name `AssemblyVersion` that changed with every build. When the installed Aspire CLI was built at a different version than the AppHost's SDK, the CLR couldn't satisfy the strong-name bind and every code generator (TypeScript, Python, Java, Go, Rust) was silently dropped, surfacing as `No code generator found for language: <lang>`. The `AssemblyVersion` is now frozen at a stable constant so any compatible CLI/SDK pair on 13.4 binds successfully. Relates to #18110 and #17910. ([#18160](https://github.com/microsoft/aspire/pull/18160), `@sebastienros`) - 🔌 **Multiple AppHosts started with `--isolated` collided on the resource service port** — Both instances tried to bind to the same fixed port from `ASPIRE_RESOURCE_SERVICE_ENDPOINT_URL`, causing an "address already in use" error on the second instance. `DashboardServiceHost` now binds to port 0 on loopback when `RandomizePorts` is true (set by `--isolated`), letting the OS assign a unique port per instance. ([#18341](https://github.com/microsoft/aspire/pull/18341), `@JamesNK`) - 🍃 **MongoDB.Driver updated to 3.9.0** — Removes a wrongly pinned `SharpCompress` transitive dependency and uses the corrected `Snappier` transitive. Fixes #17981. ([#18279](https://github.com/microsoft/aspire/pull/18279), `@Falco20019`) ### 🏷️ Housekeeping - 🚀 Bumped branding to 13.4.6 ([#18343](https://github.com/microsoft/aspire/pull/18343)) --- _Full Changelog: [v13.4.5...v13.4.6](https://github.com/microsoft/aspire/compare/v13.4.5...v13.4.6)_ _Full commit: [87fe259e4fc244c599019a7b1304c85a1488f248](https://github.com/microsoft/aspire/commit/87fe259e4fc244c599019a7b1304c85a1488f248)_ > Generated by [Generate release notes for a new stable Aspire release](https://github.com/microsoft/aspire/actions/runs/27855270514) · 131 AIC · ⌖ 13.5 AIC · ⊞ 37.4K <!-- gh-aw-agentic-workflow: Generate release notes for a new stable Aspire release, engine: copilot, version: 1.0.60, model: claude-sonnet-4.6, id: 27855270514, workflow_id: release-notes-generate, run: https://github.com/microsoft/aspire/actions/runs/27855270514 --> ## 13.4.5 ## What's New in Aspire 13.4.5 Patch release for Aspire 13.4 clearing a transitive MessagePack security advisory, tightening CLI validation for Playwright configuration, and adding coding-agent detection to CLI telemetry. ### 🐛 Fixes - 🛡️ **Bumped StreamJsonRpc to 2.25.29 to clear the MessagePack GHSA-hv8m-jj95-wg3x (CVE-2026-48109) NU1903 advisory** — The transitive MessagePack 2.5.192 dependency pulled in via StreamJsonRpc 2.22.23 fell within the advisory's vulnerable LZ4 decompression range. Aspire does not use `MessagePackFormatter` or LZ4 — all StreamJsonRpc calls use `SystemTextJsonFormatter` over local Unix sockets — so the vulnerability was not reachable in practice. The bump clears the NU1903 warning for consumers of the `Aspire.Hosting` package. ([#18204](https://github.com/microsoft/aspire/pull/18204), `@mitchdenny`) - 🎭 **`playwrightCliVersion` values that are not valid SemVer 2.0 now fail fast with a clear diagnostic** — Previously an invalid override (range expression, dist-tag like `latest`, or a `v`-prefixed string) would surface as a generic npm resolution failure. The value is now validated with strict SemVer parsing at startup; an error naming the configuration key and the offending value is emitted immediately. ([#18205](https://github.com/microsoft/aspire/pull/18205), `@mitchdenny`) - 🤖 **CLI telemetry now detects and reports the calling coding agent** — When the Aspire CLI is invoked from inside a known coding agent environment (GitHub Copilot CLI, VS Code Copilot agent, etc.) the agent name is included in the main CLI telemetry event. GitHub Copilot CLI is specifically identified as `copilot-cli`. ([#18240](https://github.com/microsoft/aspire/pull/18240), `@damianedwards`) ### 🏷️ Housekeeping - 📄 Refreshed the `@microsoft/aspire-cli` npm package README to be TypeScript-only — updated examples to the current `ts-starter` template (`apphost.mts` / `aspire.mjs`), added a backing-services snippet showing `aspire add` for PostgreSQL and Redis, and documented `aspire dashboard run` as a standalone dashboard option. ([#18221](https://github.com/microsoft/aspire/pull/18221), `@adamint`) --- _Full Changelog: [v13.4.4...v13.4.5](https://github.com/microsoft/aspire/compare/v13.4.4...v13.4.5)_ _Full commit: [73114e86c64aeb9f3f3c7da8e37df1ae4281b27e](https://github.com/microsoft/aspire/commit/73114e86c64aeb9f3f3c7da8e37df1ae4281b27e)_ > Generated by [Generate release notes for a new stable Aspire release](https://github.com/microsoft/aspire/actions/runs/27667814104/agentic_workflow) · ● 4.4M <!-- gh-aw-agentic-workflow: Generate release notes for a new stable Aspire release, engine: copilot, version: 1.0.40, model: claude-sonnet-4.6, id: 27667814104, workflow_id: release-notes-generate, run: https://github.com/microsoft/aspire/actions/runs/27667814104 --> ## 13.4.4 ## What's New in Aspire 13.4.4 Patch release for Aspire 13.4 with improved DCP connection reliability during request execution and consistent `ExcludeFromMcp()` filtering across all CLI MCP tools. ### 🐛 Fixes * 🔌 **DCP requests could fail permanently when the connection dropped mid-request** — If the underlying DCP channel closed while a request was in flight, the error was surfaced directly instead of being retried. Reconnection is now attempted as part of the DCP request retry path so transient disconnections recover automatically without surfacing errors. ([#18096](https://github.com/microsoft/aspire/pull/18096), `@karolz-ms`) * 🔍 **Resources marked with `ExcludeFromMcp()` were not consistently filtered from CLI MCP tools** — Resources with the `resource.excludeFromMcp` property were not excluded uniformly from all CLI MCP tool results. `list_resources`, `list_console_logs`, `execute_resource_command`, `list_structured_logs`, `list_traces`, and `list_trace_structured_logs` all now honor the exclusion, preventing excluded resources and their telemetry from appearing in agent context. ([#18150](https://github.com/microsoft/aspire/pull/18150), `@JamesNK`) ### 🏷️ Housekeeping * 📦 Improved npm CLI package metadata and hardened npm publish validation in the release pipeline. ([#18093](https://github.com/microsoft/aspire/pull/18093), `@adamratzman`) * * * _Full Changelog: [v13.4.3...v13.4.4](https://github.com/microsoft/aspire/compare/v13.4.3...v13.4.4)_ _Full commit: [ccc566c5ab3285c9beb8f38ede34734bb477c029](https://github.com/microsoft/aspire/commit/ccc566c5ab3285c9beb8f38ede34734bb477c029)_ ## 13.4.3 ## What's New in Aspire 13.4.3 Patch release for Aspire 13.4 with a fix for persistent container endpoint allocation regressions introduced in 13.4. ### 🐛 Fixes - 🔌 **Persistent container endpoints had incorrect default behavior** — Persistent containers were defaulting to proxyless endpoint behavior instead of the proxied behavior used by normal containers. This caused integrations that depend on endpoint allocation before resource startup (such as the KeyVault emulator) to fail. Persistent containers now default to proxied endpoints matching normal container behavior; opt out with `isProxied: false` or `WithEndpointProxySupport(false)`. Proxyless container endpoints with only a `targetPort` specified now also resolve immediately to that port instead of waiting for delayed allocation. (#17960, `@danegsta`) ### 🏷️ Housekeeping - 🛠️ Unblocked WinGet manifest publishing on locked-down 1ES agents and updated manifest tags (#17958) --- *Full Changelog: https://github.com/microsoft/aspire/compare/v13.4.2...v13.4.3* *Full commit: [4f218933552e18ff2874d1b6d5dc3fe671e3b6d9](https://github.com/microsoft/aspire/commit/4f218933552e18ff2874d1b6d5dc3fe671e3b6d9)* > Generated by [Generate release notes for a new stable Aspire release](https://github.com/microsoft/aspire/actions/runs/27173824611/agentic_workflow) · ● 4.7M <!-- gh-aw-agentic-workflow: Generate release notes for a new stable Aspire release, engine: copilot, version: 1.0.40, model: claude-sonnet-4.6, id: 27173824611, workflow_id: release-notes-generate, run: https://github.com/microsoft/aspire/actions/runs/27173824611 --> ## 13.4.2 ## What's New in Aspire 13.4.2 Patch release for Aspire 13.4 with a fix for Redis persistent container deadlock on startup when using TLS. ### 🐛 Fixes - 🔴 **Redis with `WithLifetime(ContainerLifetime.Persistent)` could deadlock on startup** — Redis TLS startup arguments used the public/allocated host ports instead of the internal target ports. When the public port differed from the target port (or was not yet allocated) the container would listen on an unexpected port and become unreachable. The TLS and non-TLS startup arguments now bind to target ports, matching what Redis expects internally. Fixes #17822. (#17827, backported via #17850, `@danegsta`) ### 🏷️ Housekeeping - 🚀 Bumped branding to 13.4.2 (#17876) --- *Full Changelog: https://github.com/microsoft/aspire/compare/v13.4.1...v13.4.2* *Full commit: [d7d0b6759ce4b936c76bc4775814d27db560dd6d](https://github.com/microsoft/aspire/commit/d7d0b6759ce4b936c76bc4775814d27db560dd6d)* > Generated by [Generate release notes for a new stable Aspire release](https://github.com/microsoft/aspire/actions/runs/26920328099/agentic_workflow) · ● 5M <!-- gh-aw-agentic-workflow: Generate release notes for a new stable Aspire release, engine: copilot, version: 1.0.40, model: claude-sonnet-4.6, id: 26920328099, workflow_id: release-notes-generate, run: https://github.com/microsoft/aspire/actions/runs/26920328099 --> ## 13.4.1 ## What's New in Aspire 13.4.1 Patch release for Aspire 13.4 with fixes for explicit-start resource lifecycle callbacks, Redis persistent container startup, proxyless endpoint allocation, and a duplicated `profiles` block in the empty C# AppHost template. ### 🐛 Fixes - ⏱️ **Explicit-start resources triggered lifecycle callbacks too early** — Session-scoped resources marked with `WithExplicitStart()` were having their execution configuration callbacks (environment variables, arguments, certificates) evaluated at AppHost startup instead of at manual start. This meant user-interaction callbacks such as `WithEnvironment(ctx => PromptForValueAsync(...))` were called before the user triggered the resource. DCP registration is now deferred until the user manually starts the resource; persistent explicit-start resources still register immediately but patch the existing DCP record to `Start = true` rather than deleting and recreating it. Fixes #17813. (#17825, backported via #17826, `@danegsta`) - 🔴 **Redis with `WithLifetime(ContainerLifetime.Persistent)` could deadlock on startup** — Redis TLS startup arguments used the public/allocated host ports instead of the internal target ports. When the public port differed from the target port (or was not yet allocated) the container would listen on an unexpected port and become unreachable. The TLS and non-TLS startup arguments now bind to target ports, matching what Redis expects internally. Fixes #17822. (#17827, backported via #17850, `@danegsta`) - 🔌 **Proxyless container endpoint could hang when resolved before container creation** — Referencing a proxyless container endpoint in an environment variable callback (before the container port spec was finalized) could deadlock. An on-demand allocation path now commits the target port as the fallback host port in that case; once `BuildContainerPorts` runs, normal DCP dynamic port assignment takes over for any later resolution. (#17851, backported via #17859, `@danegsta`) - 📄 **Empty C# AppHost template emitted duplicate `profiles` block** — `aspire new aspire-empty` on 13.4 produced an `aspire.config.json` with a `profiles` block that duplicated the content already present in `apphost.run.json`, causing redundant launch configuration. The embedded template now contains only the required `appHost.path` binding; profile configuration lives exclusively in `apphost.run.json`. Fixes #17660. (#17781, backported via #17820, `@mitchdenny`) ### 🏷️ Housekeeping - 📦 Added Aspire CLI npm package to the release pipeline so the npm distribution is published as part of stable releases. (#17297, backported via #17766, `@adamint`) - 🚀 Bumped branding to 13.4.1 (#17819) --- *Full Changelog: https://github.com/microsoft/aspire/compare/v13.4.0...v13.4.1* *Full commit: [cf985fa817dd5863e7f62eb74fa1725ab5069ed2](https://github.com/microsoft/aspire/commit/cf985fa817dd5863e7f62eb74fa1725ab5069ed2)* > Generated by [Generate release notes for a new stable Aspire release](https://github.com/microsoft/aspire/actions/runs/26909313891/agentic_workflow) · ● 1.0.40 > Generated by [Generate release notes for a new stable Aspire release](https://github.com/microsoft/aspire/actions/runs/26909313891/agentic_workflow) · ● 3.9M <!-- gh-aw-agentic-workflow: Generate release notes for a new stable Aspire release, engine: copilot, version: 1.0.40, model: claude-sonnet-4.6, id: 26909313891, workflow_id: release-notes-generate, run: https://github.com/microsoft/aspire/actions/runs/26909313891 --> ## 13.4.0 # Aspire 13.4.0 Aspire 13.4 brings major improvements to Foundry hosted agents, the Aspire skills system, CLI reliability, and TypeScript AppHost stability — with cross-compute-environment deployment now working end-to-end and **TypeScript AppHost support — Aspire's polyglot story — reaching general availability (GA)**. ## Highlights - 🎉 **TypeScript AppHost is now GA** — First introduced as a preview in an earlier version of Aspire, the TypeScript AppHost — Aspire's polyglot story — has reached the quality bar for general availability and is now officially supported for production use alongside C#. As part of GA, the experimental markers on the Azure TypeScript AppHost (ATS) APIs have been removed and the ATS surface area is stable for 13.4. - 🤖 **Foundry hosted agents** — Protocol selection (`responses` / `invocations`) is now configurable from both C# and TypeScript AppHosts. Cross-compute-environment deployments (e.g., a Foundry hosted agent + an AKS consumer) now wire up correctly: endpoint resolution and the required **Azure AI User** RBAC role assignment on the Foundry account are generated automatically — no manual `az role assignment create` steps needed. - 🛠️ **Aspire skills catalog from bundle** — `aspire agent init` now drives its installable skill catalog from the bundle manifest, surfacing all six bundled skills (previously only three were visible). An embedded snapshot means the full catalog is available even in airgapped / disconnected environments. - 🔧 **CLI reliability** — Multiple CLI fixes: implicit-channel discovery restored, `aspire stop` no longer falsely reports failure on Unix, `aspire ps` no longer includes raw resource data (use `aspire describe` for detailed state), `aspire new` prefers the current CLI template version, friendly error for `aspire do --list-steps` without a step argument, and improved `--search` option description with documentation link. - ⌨️ **TypeScript AppHost** — Fixed a deadlock that occurred when lazy options callbacks invoked async methods; dev-localhost resource service URLs are now accepted for local development without extra configuration. - 📊 **Dashboard** — Summary log formatting improved for readability, `dotnet watch` dashboard auto-launch signal restored, and dynamic-port handling fixed for `DistributedApplicationTestingBuilder`. - ☸️ **Kubernetes** — The Helm CLI minimum version (≥ 4.2.0) is now validated before a Kubernetes deploy, giving a clear error instead of a cryptic failure. - ⚠️ **`Aspire.Hosting.Blazor` ships as preview in 13.4** — A packaging issue with the Blazor gateway scripts means the package is intentionally marked preview for this release. Full stable support is targeted for 13.5. ## ⚠️ Notable changes - `aspire ps` no longer includes raw resource data in its output. Use `aspire describe <resource>` to inspect detailed resource state. - Foundry hosted agent builder API shape updated — see [#17545](https://github.com/microsoft/aspire/pull/17545) and [#17669](https://github.com/microsoft/aspire/pull/17669) for the updated C# and TypeScript signatures. - `Aspire.Hosting.Blazor` is preview-versioned in 13.4 (`SuppressFinalPackageVersion=true`). A fix for the `addBlazorGateway` gateway script resolution error in TypeScript AppHosts is tracked in [#17685](https://github.com/microsoft/aspire/issues/17685). ## 📖 Learn more For the full details on everything in this release, check out the [What's new in Aspire 13.4](https://aspire.dev/whats-new/aspire-13-4/) documentation. Thank you to all the community contributors who helped make Aspire 13.4 possible! 💜 --- *Full Changelog: https://github.com/microsoft/aspire/compare/v13.3.5...v13.4.0* *Full commit: [becb48e2d61099e35ae336d527d3875e928d6594](https://github.com/microsoft/aspire/commit/becb48e2d61099e35ae336d527d3875e928d6594)* > Generated by [Generate release notes for a new stable Aspire release](https://github.com/microsoft/aspire/actions/runs/26779980139/agentic_workflow) · ● 6.5M <!-- gh-aw-agentic-workflow: Generate release notes for a new stable Aspire release, engine: copilot, version: 1.0.40, model: claude-sonnet-4.6, id: 26779980139, workflow_id: release-notes-generate, run: https://github.com/microsoft/aspire/actions/runs/26779980139 --> Commits viewable in [compare view](https://github.com/microsoft/aspire/compare/v13.3.5...v13.4.6). </details> Updated [Aspire.Hosting.Redis](https://github.com/microsoft/aspire) from 13.3.5 to 13.4.6. <details> <summary>Release notes</summary> _Sourced from [Aspire.Hosting.Redis's releases](https://github.com/microsoft/aspire/releases)._ ## 13.4.6 ## What's New in Aspire 13.4.6 Patch release for Aspire 13.4 fixing polyglot AppHost code generation binding when CLI and SDK versions diverge, resource service port collision in `--isolated` mode, and a MongoDB.Driver dependency update. ### 🐛 Fixes - 🔗 **Polyglot AppHost code generation silently failed when CLI and SDK versions diverged** — `Aspire.TypeSystem` used a floating strong-name `AssemblyVersion` that changed with every build. When the installed Aspire CLI was built at a different version than the AppHost's SDK, the CLR couldn't satisfy the strong-name bind and every code generator (TypeScript, Python, Java, Go, Rust) was silently dropped, surfacing as `No code generator found for language: <lang>`. The `AssemblyVersion` is now frozen at a stable constant so any compatible CLI/SDK pair on 13.4 binds successfully. Relates to #18110 and #17910. ([#18160](https://github.com/microsoft/aspire/pull/18160), `@sebastienros`) - 🔌 **Multiple AppHosts started with `--isolated` collided on the resource service port** — Both instances tried to bind to the same fixed port from `ASPIRE_RESOURCE_SERVICE_ENDPOINT_URL`, causing an "address already in use" error on the second instance. `DashboardServiceHost` now binds to port 0 on loopback when `RandomizePorts` is true (set by `--isolated`), letting the OS assign a unique port per instance. ([#18341](https://github.com/microsoft/aspire/pull/18341), `@JamesNK`) - 🍃 **MongoDB.Driver updated to 3.9.0** — Removes a wrongly pinned `SharpCompress` transitive dependency and uses the corrected `Snappier` transitive. Fixes #17981. ([#18279](https://github.com/microsoft/aspire/pull/18279), `@Falco20019`) ### 🏷️ Housekeeping - 🚀 Bumped branding to 13.4.6 ([#18343](https://github.com/microsoft/aspire/pull/18343)) --- _Full Changelog: [v13.4.5...v13.4.6](https://github.com/microsoft/aspire/compare/v13.4.5...v13.4.6)_ _Full commit: [87fe259e4fc244c599019a7b1304c85a1488f248](https://github.com/microsoft/aspire/commit/87fe259e4fc244c599019a7b1304c85a1488f248)_ > Generated by [Generate release notes for a new stable Aspire release](https://github.com/microsoft/aspire/actions/runs/27855270514) · 131 AIC · ⌖ 13.5 AIC · ⊞ 37.4K <!-- gh-aw-agentic-workflow: Generate release notes for a new stable Aspire release, engine: copilot, version: 1.0.60, model: claude-sonnet-4.6, id: 27855270514, workflow_id: release-notes-generate, run: https://github.com/microsoft/aspire/actions/runs/27855270514 --> ## 13.4.5 ## What's New in Aspire 13.4.5 Patch release for Aspire 13.4 clearing a transitive MessagePack security advisory, tightening CLI validation for Playwright configuration, and adding coding-agent detection to CLI telemetry. ### 🐛 Fixes - 🛡️ **Bumped StreamJsonRpc to 2.25.29 to clear the MessagePack GHSA-hv8m-jj95-wg3x (CVE-2026-48109) NU1903 advisory** — The transitive MessagePack 2.5.192 dependency pulled in via StreamJsonRpc 2.22.23 fell within the advisory's vulnerable LZ4 decompression range. Aspire does not use `MessagePackFormatter` or LZ4 — all StreamJsonRpc calls use `SystemTextJsonFormatter` over local Unix sockets — so the vulnerability was not reachable in practice. The bump clears the NU1903 warning for consumers of the `Aspire.Hosting` package. ([#18204](https://github.com/microsoft/aspire/pull/18204), `@mitchdenny`) - 🎭 **`playwrightCliVersion` values that are not valid SemVer 2.0 now fail fast with a clear diagnostic** — Previously an invalid override (range expression, dist-tag like `latest`, or a `v`-prefixed string) would surface as a generic npm resolution failure. The value is now validated with strict SemVer parsing at startup; an error naming the configuration key and the offending value is emitted immediately. ([#18205](https://github.com/microsoft/aspire/pull/18205), `@mitchdenny`) - 🤖 **CLI telemetry now detects and reports the calling coding agent** — When the Aspire CLI is invoked from inside a known coding agent environment (GitHub Copilot CLI, VS Code Copilot agent, etc.) the agent name is included in the main CLI telemetry event. GitHub Copilot CLI is specifically identified as `copilot-cli`. ([#18240](https://github.com/microsoft/aspire/pull/18240), `@damianedwards`) ### 🏷️ Housekeeping - 📄 Refreshed the `@microsoft/aspire-cli` npm package README to be TypeScript-only — updated examples to the current `ts-starter` template (`apphost.mts` / `aspire.mjs`), added a backing-services snippet showing `aspire add` for PostgreSQL and Redis, and documented `aspire dashboard run` as a standalone dashboard option. ([#18221](https://github.com/microsoft/aspire/pull/18221), `@adamint`) --- _Full Changelog: [v13.4.4...v13.4.5](https://github.com/microsoft/aspire/compare/v13.4.4...v13.4.5)_ _Full commit: [73114e86c64aeb9f3f3c7da8e37df1ae4281b27e](https://github.com/microsoft/aspire/commit/73114e86c64aeb9f3f3c7da8e37df1ae4281b27e)_ > Generated by [Generate release notes for a new stable Aspire release](https://github.com/microsoft/aspire/actions/runs/27667814104/agentic_workflow) · ● 4.4M <!-- gh-aw-agentic-workflow: Generate release notes for a new stable Aspire release, engine: copilot, version: 1.0.40, model: claude-sonnet-4.6, id: 27667814104, workflow_id: release-notes-generate, run: https://github.com/microsoft/aspire/actions/runs/27667814104 --> ## 13.4.4 ## What's New in Aspire 13.4.4 Patch release for Aspire 13.4 with improved DCP connection reliability during request execution and consistent `ExcludeFromMcp()` filtering across all CLI MCP tools. ### 🐛 Fixes * 🔌 **DCP requests could fail permanently when the connection dropped mid-request** — If the underlying DCP channel closed while a request was in flight, the error was surfaced directly instead of being retried. Reconnection is now attempted as part of the DCP request retry path so transient disconnections recover automatically without surfacing errors. ([#18096](https://github.com/microsoft/aspire/pull/18096), `@karolz-ms`) * 🔍 **Resources marked with `ExcludeFromMcp()` were not consistently filtered from CLI MCP tools** — Resources with the `resource.excludeFromMcp` property were not excluded uniformly from all CLI MCP tool results. `list_resources`, `list_console_logs`, `execute_resource_command`, `list_structured_logs`, `list_traces`, and `list_trace_structured_logs` all now honor the exclusion, preventing excluded resources and their telemetry from appearing in agent context. ([#18150](https://github.com/microsoft/aspire/pull/18150), `@JamesNK`) ### 🏷️ Housekeeping * 📦 Improved npm CLI package metadata and hardened npm publish validation in the release pipeline. ([#18093](https://github.com/microsoft/aspire/pull/18093), `@adamratzman`) * * * _Full Changelog: [v13.4.3...v13.4.4](https://github.com/microsoft/aspire/compare/v13.4.3...v13.4.4)_ _Full commit: [ccc566c5ab3285c9beb8f38ede34734bb477c029](https://github.com/microsoft/aspire/commit/ccc566c5ab3285c9beb8f38ede34734bb477c029)_ ## 13.4.3 ## What's New in Aspire 13.4.3 Patch release for Aspire 13.4 with a fix for persistent container endpoint allocation regressions introduced in 13.4. ### 🐛 Fixes - 🔌 **Persistent container endpoints had incorrect default behavior** — Persistent containers were defaulting to proxyless endpoint behavior instead of the proxied behavior used by normal containers. This caused integrations that depend on endpoint allocation before resource startup (such as the KeyVault emulator) to fail. Persistent containers now default to proxied endpoints matching normal container behavior; opt out with `isProxied: false` or `WithEndpointProxySupport(false)`. Proxyless container endpoints with only a `targetPort` specified now also resolve immediately to that port instead of waiting for delayed allocation. (#17960, `@danegsta`) ### 🏷️ Housekeeping - 🛠️ Unblocked WinGet manifest publishing on locked-down 1ES agents and updated manifest tags (#17958) --- *Full Changelog: https://github.com/microsoft/aspire/compare/v13.4.2...v13.4.3* *Full commit: [4f218933552e18ff2874d1b6d5dc3fe671e3b6d9](https://github.com/microsoft/aspire/commit/4f218933552e18ff2874d1b6d5dc3fe671e3b6d9)* > Generated by [Generate release notes for a new stable Aspire release](https://github.com/microsoft/aspire/actions/runs/27173824611/agentic_workflow) · ● 4.7M <!-- gh-aw-agentic-workflow: Generate release notes for a new stable Aspire release, engine: copilot, version: 1.0.40, model: claude-sonnet-4.6, id: 27173824611, workflow_id: release-notes-generate, run: https://github.com/microsoft/aspire/actions/runs/27173824611 --> ## 13.4.2 ## What's New in Aspire 13.4.2 Patch release for Aspire 13.4 with a fix for Redis persistent container deadlock on startup when using TLS. ### 🐛 Fixes - 🔴 **Redis with `WithLifetime(ContainerLifetime.Persistent)` could deadlock on startup** — Redis TLS startup arguments used the public/allocated host ports instead of the internal target ports. When the public port differed from the target port (or was not yet allocated) the container would listen on an unexpected port and become unreachable. The TLS and non-TLS startup arguments now bind to target ports, matching what Redis expects internally. Fixes #17822. (#17827, backported via #17850, `@danegsta`) ### 🏷️ Housekeeping - 🚀 Bumped branding to 13.4.2 (#17876) --- *Full Changelog: https://github.com/microsoft/aspire/compare/v13.4.1...v13.4.2* *Full commit: [d7d0b6759ce4b936c76bc4775814d27db560dd6d](https://github.com/microsoft/aspire/commit/d7d0b6759ce4b936c76bc4775814d27db560dd6d)* > Generated by [Generate release notes for a new stable Aspire release](https://github.com/microsoft/aspire/actions/runs/26920328099/agentic_workflow) · ● 5M <!-- gh-aw-agentic-workflow: Generate release notes for a new stable Aspire release, engine: copilot, version: 1.0.40, model: claude-sonnet-4.6, id: 26920328099, workflow_id: release-notes-generate, run: https://github.com/microsoft/aspire/actions/runs/26920328099 --> ## 13.4.1 ## What's New in Aspire 13.4.1 Patch release for Aspire 13.4 with fixes for explicit-start resource lifecycle callbacks, Redis persistent container startup, proxyless endpoint allocation, and a duplicated `profiles` block in the empty C# AppHost template. ### 🐛 Fixes - ⏱️ **Explicit-start resources triggered lifecycle callbacks too early** — Session-scoped resources marked with `WithExplicitStart()` were having their execution configuration callbacks (environment variables, arguments, certificates) evaluated at AppHost startup instead of at manual start. This meant user-interaction callbacks such as `WithEnvironment(ctx => PromptForValueAsync(...))` were called before the user triggered the resource. DCP registration is now deferred until the user manually starts the resource; persistent explicit-start resources still register immediately but patch the existing DCP record to `Start = true` rather than deleting and recreating it. Fixes #17813. (#17825, backported via #17826, `@danegsta`) - 🔴 **Redis with `WithLifetime(ContainerLifetime.Persistent)` could deadlock on startup** — Redis TLS startup arguments used the public/allocated host ports instead of the internal target ports. When the public port differed from the target port (or was not yet allocated) the container would listen on an unexpected port and become unreachable. The TLS and non-TLS startup arguments now bind to target ports, matching what Redis expects internally. Fixes #17822. (#17827, backported via #17850, `@danegsta`) - 🔌 **Proxyless container endpoint could hang when resolved before container creation** — Referencing a proxyless container endpoint in an environment variable callback (before the container port spec was finalized) could deadlock. An on-demand allocation path now commits the target port as the fallback host port in that case; once `BuildContainerPorts` runs, normal DCP dynamic port assignment takes over for any later resolution. (#17851, backported via #17859, `@danegsta`) - 📄 **Empty C# AppHost template emitted duplicate `profiles` block** — `aspire new aspire-empty` on 13.4 produced an `aspire.config.json` with a `profiles` block that duplicated the content already present in `apphost.run.json`, causing redundant launch configuration. The embedded template now contains only the required `appHost.path` binding; profile configuration lives exclusively in `apphost.run.json`. Fixes #17660. (#17781, backported via #17820, `@mitchdenny`) ### 🏷️ Housekeeping - 📦 Added Aspire CLI npm package to the release pipeline so the npm distribution is published as part of stable releases. (#17297, backported via #17766, `@adamint`) - 🚀 Bumped branding to 13.4.1 (#17819) --- *Full Changelog: https://github.com/microsoft/aspire/compare/v13.4.0...v13.4.1* *Full commit: [cf985fa817dd5863e7f62eb74fa1725ab5069ed2](https://github.com/microsoft/aspire/commit/cf985fa817dd5863e7f62eb74fa1725ab5069ed2)* > Generated by [Generate release notes for a new stable Aspire release](https://github.com/microsoft/aspire/actions/runs/26909313891/agentic_workflow) · ● 1.0.40 > Generated by [Generate release notes for a new stable Aspire release](https://github.com/microsoft/aspire/actions/runs/26909313891/agentic_workflow) · ● 3.9M <!-- gh-aw-agentic-workflow: Generate release notes for a new stable Aspire release, engine: copilot, version: 1.0.40, model: claude-sonnet-4.6, id: 26909313891, workflow_id: release-notes-generate, run: https://github.com/microsoft/aspire/actions/runs/26909313891 --> ## 13.4.0 # Aspire 13.4.0 Aspire 13.4 brings major improvements to Foundry hosted agents, the Aspire skills system, CLI reliability, and TypeScript AppHost stability — with cross-compute-environment deployment now working end-to-end and **TypeScript AppHost support — Aspire's polyglot story — reaching general availability (GA)**. ## Highlights - 🎉 **TypeScript AppHost is now GA** — First introduced as a preview in an earlier version of Aspire, the TypeScript AppHost — Aspire's polyglot story — has reached the quality bar for general availability and is now officially supported for production use alongside C#. As part of GA, the experimental markers on the Azure TypeScript AppHost (ATS) APIs have been removed and the ATS surface area is stable for 13.4. - 🤖 **Foundry hosted agents** — Protocol selection (`responses` / `invocations`) is now configurable from both C# and TypeScript AppHosts. Cross-compute-environment deployments (e.g., a Foundry hosted agent + an AKS consumer) now wire up correctly: endpoint resolution and the required **Azure AI User** RBAC role assignment on the Foundry account are generated automatically — no manual `az role assignment create` steps needed. - 🛠️ **Aspire skills catalog from bundle** — `aspire agent init` now drives its installable skill catalog from the bundle manifest, surfacing all six bundled skills (previously only three were visible). An embedded snapshot means the full catalog is available even in airgapped / disconnected environments. - 🔧 **CLI reliability** — Multiple CLI fixes: implicit-channel discovery restored, `aspire stop` no longer falsely reports failure on Unix, `aspire ps` no longer includes raw resource data (use `aspire describe` for detailed state), `aspire new` prefers the current CLI template version, friendly error for `aspire do --list-steps` without a step argument, and improved `--search` option description with documentation link. - ⌨️ **TypeScript AppHost** — Fixed a deadlock that occurred when lazy options callbacks invoked async methods; dev-localhost resource service URLs are now accepted for local development without extra configuration. - 📊 **Dashboard** — Summary log formatting improved for readability, `dotnet watch` dashboard auto-launch signal restored, and dynamic-port handling fixed for `DistributedApplicationTestingBuilder`. - ☸️ **Kubernetes** — The Helm CLI minimum version (≥ 4.2.0) is now validated before a Kubernetes deploy, giving a clear error instead of a cryptic failure. - ⚠️ **`Aspire.Hosting.Blazor` ships as preview in 13.4** — A packaging issue with the Blazor gateway scripts means the package is intentionally marked preview for this release. Full stable support is targeted for 13.5. ## ⚠️ Notable changes - `aspire ps` no longer includes raw resource data in its output. Use `aspire describe <resource>` to inspect detailed resource state. - Foundry hosted agent builder API shape updated — see [#17545](https://github.com/microsoft/aspire/pull/17545) and [#17669](https://github.com/microsoft/aspire/pull/17669) for the updated C# and TypeScript signatures. - `Aspire.Hosting.Blazor` is preview-versioned in 13.4 (`SuppressFinalPackageVersion=true`). A fix for the `addBlazorGateway` gateway script resolution error in TypeScript AppHosts is tracked in [#17685](https://github.com/microsoft/aspire/issues/17685). ## 📖 Learn more For the full details on everything in this release, check out the [What's new in Aspire 13.4](https://aspire.dev/whats-new/aspire-13-4/) documentation. Thank you to all the community contributors who helped make Aspire 13.4 possible! 💜 --- *Full Changelog: https://github.com/microsoft/aspire/compare/v13.3.5...v13.4.0* *Full commit: [becb48e2d61099e35ae336d527d3875e928d6594](https://github.com/microsoft/aspire/commit/becb48e2d61099e35ae336d527d3875e928d6594)* > Generated by [Generate release notes for a new stable Aspire release](https://github.com/microsoft/aspire/actions/runs/26779980139/agentic_workflow) · ● 6.5M <!-- gh-aw-agentic-workflow: Generate release notes for a new stable Aspire release, engine: copilot, version: 1.0.40, model: claude-sonnet-4.6, id: 26779980139, workflow_id: release-notes-generate, run: https://github.com/microsoft/aspire/actions/runs/26779980139 --> Commits viewable in [compare view](https://github.com/microsoft/aspire/compare/v13.3.5...v13.4.6). </details> Updated [Aspire.Hosting.Testing](https://github.com/microsoft/aspire) from 13.3.5 to 13.4.6. <details> <summary>Release notes</summary> _Sourced from [Aspire.Hosting.Testing's releases](https://github.com/microsoft/aspire/releases)._ ## 13.4.6 ## What's New in Aspire 13.4.6 Patch release for Aspire 13.4 fixing polyglot AppHost code generation binding when CLI and SDK versions diverge, resource service port collision in `--isolated` mode, and a MongoDB.Driver dependency update. ### 🐛 Fixes - 🔗 **Polyglot AppHost code generation silently failed when CLI and SDK versions diverged** — `Aspire.TypeSystem` used a floating strong-name `AssemblyVersion` that changed with every build. When the installed Aspire CLI was built at a different version than the AppHost's SDK, the CLR couldn't satisfy the strong-name bind and every code generator (TypeScript, Python, Java, Go, Rust) was silently dropped, surfacing as `No code generator found for language: <lang>`. The `AssemblyVersion` is now frozen at a stable constant so any compatible CLI/SDK pair on 13.4 binds successfully. Relates to #18110 and #17910. ([#18160](https://github.com/microsoft/aspire/pull/18160), `@sebastienros`) - 🔌 **Multiple AppHosts started with `--isolated` collided on the resource service port** — Both instances tried to bind to the same fixed port from `ASPIRE_RESOURCE_SERVICE_ENDPOINT_URL`, causing an "address already in use" error on the second instance. `DashboardServiceHost` now binds to port 0 on loopback when `RandomizePorts` is true (set by `--isolated`), letting the OS assign a unique port per instance. ([#18341](https://github.com/microsoft/aspire/pull/18341), `@JamesNK`) - 🍃 **MongoDB.Driver updated to 3.9.0** — Removes a wrongly pinned `SharpCompress` transitive dependency and uses the corrected `Snappier` transitive. Fixes #17981. ([#18279](https://github.com/microsoft/aspire/pull/18279), `@Falco20019`) ### 🏷️ Housekeeping - 🚀 Bumped branding to 13.4.6 ([#18343](https://github.com/microsoft/aspire/pull/18343)) --- _Full Changelog: [v13.4.5...v13.4.6](https://github.com/microsoft/aspire/compare/v13.4.5...v13.4.6)_ _Full commit: [87fe259e4fc244c599019a7b1304c85a1488f248](https://github.com/microsoft/aspire/commit/87fe259e4fc244c599019a7b1304c85a1488f248)_ > Generated by [Generate release notes for a new stable Aspire release](https://github.com/microsoft/aspire/actions/runs/27855270514) · 131 AIC · ⌖ 13.5 AIC · ⊞ 37.4K <!-- gh-aw-agentic-workflow: Generate release notes for a new stable Aspire release, engine: copilot, version: 1.0.60, model: claude-sonnet-4.6, id: 27855270514, workflow_id: release-notes-generate, run: https://github.com/microsoft/aspire/actions/runs/27855270514 --> ## 13.4.5 ## What's New in Aspire 13.4.5 Patch release for Aspire 13.4 clearing a transitive MessagePack security advisory, tightening CLI validation for Playwright configuration, and adding coding-agent detection to CLI telemetry. ### 🐛 Fixes - 🛡️ **Bumped StreamJsonRpc to 2.25.29 to clear the MessagePack GHSA-hv8m-jj95-wg3x (CVE-2026-48109) NU1903 advisory** — The transitive MessagePack 2.5.192 dependency pulled in via StreamJsonRpc 2.22.23 fell within the advisory's vulnerable LZ4 decompression range. Aspire does not use `MessagePackFormatter` or LZ4 — all StreamJsonRpc calls use `SystemTextJsonFormatter` over local Unix sockets — so the vulnerability was not reachable in practice. The bump clears the NU1903 warning for consumers of the `Aspire.Hosting` package. ([#18204](https://github.com/microsoft/aspire/pull/18204), `@mitchdenny`) - 🎭 **`playwrightCliVersion` values that are not valid SemVer 2.0 now fail fast with a clear diagnostic** — Previously an invalid override (range expression, dist-tag like `latest`, or a `v`-prefixed string) would surface as a generic npm resolution failure. The value is now validated with strict SemVer parsing at startup; an error naming the configuration key and the offending value is emitted immediately. ([#18205](https://github.com/microsoft/aspire/pull/18205), `@mitchdenny`) - 🤖 **CLI telemetry now detects and reports the calling coding agent** — When the Aspire CLI is invoked from inside a known coding agent environment (GitHub Copilot CLI, VS Code Copilot agent, etc.) the agent name is included in the main CLI telemetry event. GitHub Copilot CLI is specifically identified as `copilot-cli`. ([#18240](https://github.com/microsoft/aspire/pull/18240), `@damianedwards`) ### 🏷️ Housekeeping - 📄 Refreshed the `@microsoft/aspire-cli` npm package README to be TypeScript-only — updated examples to the current `ts-starter` template (`apphost.mts` / `aspire.mjs`), added a backing-services snippet showing `aspire add` for PostgreSQL and Redis, and documented `aspire dashboard run` as a standalone dashboard option. ([#18221](https://github.com/microsoft/aspire/pull/18221), `@adamint`) --- _Full Changelog: [v13.4.4...v13.4.5](https://github.com/microsoft/aspire/compare/v13.4.4...v13.4.5)_ _Full commit: [73114e86c64aeb9f3f3c7da8e37df1ae4281b27e](https://github.com/microsoft/aspire/commit/73114e86c64aeb9f3f3c7da8e37df1ae4281b27e)_ > Generated by [Generate release notes for a new stable Aspire release](https://github.com/microsoft/aspire/actions/runs/27667814104/agentic_workflow) · ● 4.4M <!-- gh-aw-agentic-workflow: Generate release notes for a new stable Aspire release, engine: copilot, version: 1.0.40, model: claude-sonnet-4.6, id: 27667814104, workflow_id: release-notes-generate, run: https://github.com/microsoft/aspire/actions/runs/27667814104 --> ## 13.4.4 ## What's New in Aspire 13.4.4 Patch release for Aspire 13.4 with improved DCP connection reliability during request execution and consistent `ExcludeFromMcp()` filtering across all CLI MCP tools. ### 🐛 Fixes * 🔌 **DCP requests could fail permanently when the connection dropped mid-request** — If the underlying DCP channel closed while a request was in flight, the error was surfaced directly instead of being retried. Reconnection is now attempted as part of the DCP request retry path so transient disconnections recover automatically without surfacing errors. ([#18096](https://github.com/microsoft/aspire/pull/18096), `@karolz-ms`) * 🔍 **Resources marked with `ExcludeFromMcp()` were not consistently filtered from CLI MCP tools** — Resources with the `resource.excludeFromMcp` property were not excluded uniformly from all CLI MCP tool results. `list_resources`, `list_console_logs`, `execute_resource_command`, `list_structured_logs`, `list_traces`, and `list_trace_structured_logs` all now honor the exclusion, preventing excluded resources and their telemetry from appearing in agent context. ([#18150](https://github.com/microsoft/aspire/pull/18150), `@JamesNK`) ### 🏷️ Housekeeping * 📦 Improved npm CLI package metadata and hardened npm publish validation in the release pipeline. ([#18093](https://github.com/microsoft/aspire/pull/18093), `@adamratzman`) * * * _Full Changelog: [v13.4.3...v13.4.4](https://github.com/microsoft/aspire/compare/v13.4.3...v13.4.4)_ _Full commit: [ccc566c5ab3285c9beb8f38ede34734bb477c029](https://github.com/microsoft/aspire/commit/ccc566c5ab3285c9beb8f38ede34734bb477c029)_ ## 13.4.3 ## What's New in Aspire 13.4.3 Patch release for Aspire 13.4 with a fix for persistent container endpoint allocation regressions introduced in 13.4. ### 🐛 Fixes - 🔌 **Persistent container endpoints had incorrect default behavior** — Persistent containers were defaulting to proxyless endpoint behavior instead of the proxied behavior used by normal containers. This caused integrations that depend on endpoint allocation before resource startup (such as the KeyVault emulator) to fail. Persistent containers now default to proxied endpoints matching normal container behavior; opt out with `isProxied: false` or `WithEndpointProxySupport(false)`. Proxyless container endpoints with only a `targetPort` specified now also resolve immediately to that port instead of waiting for delayed allocation. (#17960, `@danegsta`) ### 🏷️ Housekeeping - 🛠️ Unblocked WinGet manifest publishing on locked-down 1ES agents and updated manifest tags (#17958) --- *Full Changelog: https://github.com/microsoft/aspire/compare/v13.4.2...v13.4.3* *Full commit: [4f218933552e18ff2874d1b6d5dc3fe671e3b6d9](https://github.com/microsoft/aspire/commit/4f218933552e18ff2874d1b6d5dc3fe671e3b6d9)* > Generated by [Generate release notes for a new stable Aspire release](https://github.com/microsoft/aspire/actions/runs/27173824611/agentic_workflow) · ● 4.7M <!-- gh-aw-agentic-workflow: Generate release notes for a new stable Aspire release, engine: copilot, version: 1.0.40, model: claude-sonnet-4.6, id: 27173824611, workflow_id: release-notes-generate, run: https://github.com/microsoft/aspire/actions/runs/27173824611 --> ## 13.4.2 ## What's New in Aspire 13.4.2 Patch release for Aspire 13.4 with a fix for Redis persistent container deadlock on startup when using TLS. ### 🐛 Fixes - 🔴 **Redis with `WithLifetime(ContainerLifetime.Persistent)` could deadlock on startup** — Redis TLS startup arguments used the public/allocated host ports instead of the internal target ports. When the public port differed from the target port (or was not yet allocated) the container would listen on an unexpected port and become unreachable. The TLS and non-TLS startup arguments now bind to target ports, matching what Redis expects internally. Fixes #17822. (#17827, backported via #17850, `@danegsta`) ### 🏷️ Housekeeping - 🚀 Bumped branding to 13.4.2 (#17876) --- *Full Changelog: https://github.com/microsoft/aspire/compare/v13.4.1...v13.4.2* *Full commit: [d7d0b6759ce4b936c76bc4775814d27db560dd6d](https://github.com/microsoft/aspire/commit/d7d0b6759ce4b936c76bc4775814d27db560dd6d)* > Generated by [Generate release notes for a new stable Aspire release](https://github.com/microsoft/aspire/actions/runs/26920328099/agentic_workflow) · ● 5M <!-- gh-aw-agentic-workflow: Generate release notes for a new stable Aspire release, engine: copilot, version: 1.0.40, model: claude-sonnet-4.6, id: 26920328099, workflow_id: release-notes-generate, run: https://github.com/microsoft/aspire/actions/runs/26920328099 --> ## 13.4.1 ## What's New in Aspire 13.4.1 Patch release for Aspire 13.4 with fixes for explicit-start resource lifecycle callbacks, Redis persistent container startup, proxyless endpoint allocation, and a duplicated `profiles` block in the empty C# AppHost template. ### 🐛 Fixes - ⏱️ **Explicit-start resources triggered lifecycle callbacks too early** — Session-scoped resources marked with `WithExplicitStart()` were having their execution configuration callbacks (environment variables, arguments, certificates) evaluated at AppHost startup instead of at manual start. This meant user-interaction callbacks such as `WithEnvironment(ctx => PromptForValueAsync(...))` were called before the user triggered the resource. DCP registration is now deferred until the user manually starts the resource; persistent explicit-start resources still register immediately but patch the existing DCP record to `Start = true` rather than deleting and recreating it. Fixes #17813. (#17825, backported via #17826, `@danegsta`) - 🔴 **Redis with `WithLifetime(ContainerLifetime.Persistent)` could deadlock on startup** — Redis TLS startup arguments used the public/allocated host ports instead of the internal target ports. When the public port differed from the target port (or was not yet allocated) the container would listen on an unexpected port and become unreachable. The TLS and non-TLS startup arguments now bind to target ports, matching what Redis expects internally. Fixes #17822. (#17827, backported via #17850, `@danegsta`) - 🔌 **Proxyless container endpoint could hang when resolved before container creation** — Referencing a proxyless container endpoint in an environment variable callback (before the container port spec was finalized) could deadlock. An on-demand allocation path now commits the target port as the fallback host port in that case; once `BuildContainerPorts` runs, normal DCP dynamic port assignment takes over for any later resolution. (#17851, backported via #17859, `@danegsta`) - 📄 **Empty C# AppHost template emitted duplicate `profiles` block** — `aspire new aspire-empty` on 13.4 produced an `aspire.config.json` with a `profiles` block that duplicated the content already present in `apphost.run.json`, causing redundant launch configuration. The embedded template now contains only the required `appHost.path` binding; profile configuration lives exclusively in `apphost.run.json`. Fixes #17660. (#17781, backported via #17820, `@mitchdenny`) ### 🏷️ Housekeeping - 📦 Added Aspire CLI npm package to the release pipeline so the npm distribution is published as part of stable releases. (#17297, backported via #17766, `@adamint`) - 🚀 Bumped branding to 13.4.1 (#17819) --- *Full Changelog: https://github.com/microsoft/aspire/compare/v13.4.0...v13.4.1* *Full commit: [cf985fa817dd5863e7f62eb74fa1725ab5069ed2](https://github.com/microsoft/aspire/commit/cf985fa817dd5863e7f62eb74fa1725ab5069ed2)* > Generated by [Generate release notes for a new stable Aspire release](https://github.com/microsoft/aspire/actions/runs/26909313891/agentic_workflow) · ● 1.0.40 > Generated by [Generate release notes for a new stable Aspire release](https://github.com/microsoft/aspire/actions/runs/26909313891/agentic_workflow) · ● 3.9M <!-- gh-aw-agentic-workflow: Generate release notes for a new stable Aspire release, engine: copilot, version: 1.0.40, model: claude-sonnet-4.6, id: 26909313891, workflow_id: release-notes-generate, run: https://github.com/microsoft/aspire/actions/runs/26909313891 --> ## 13.4.0 # Aspire 13.4.0 Aspire 13.4 brings major improvements to Foundry hosted agents, the Aspire skills system, CLI reliability, and TypeScript AppHost stability — with cross-compute-environment deployment now working end-to-end and **TypeScript AppHost support — Aspire's polyglot story — reaching general availability (GA)**. ## Highlights - 🎉 **TypeScript AppHost is now GA** — First introduced as a preview in an earlier version of Aspire, the TypeScript AppHost — Aspire's polyglot story — has reached the quality bar for general availability and is now officially supported for production use alongside C#. As part of GA, the experimental markers on the Azure TypeScript AppHost (ATS) APIs have been removed and the ATS surface area is stable for 13.4. - 🤖 **Foundry hosted agents** — Protocol selection (`responses` / `invocations`) is now configurable from both C# and TypeScript AppHosts. Cross-compute-environment deployments (e.g., a Foundry hosted agent + an AKS consumer) now wire up correctly: endpoint resolution and the required **Azure AI User** RBAC role assignment on the Foundry account are generated automatically — no manual `az role assignment create` steps needed. - 🛠️ **Aspire skills catalog from bundle** — `aspire agent init` now drives its installable skill catalog from the bundle manifest, surfacing all six bundled skills (previously only three were visible). An embedded snapshot means the full catalog is available even in airgapped / disconnected environments. - 🔧 **CLI reliability** — Multiple CLI fixes: implicit-channel discovery restored, `aspire stop` no longer falsely reports failure on Unix, `aspire ps` no longer includes raw resource data (use `aspire describe` for detailed state), `aspire new` prefers the current CLI template version, friendly error for `aspire do --list-steps` without a step argument, and improved `--search` option description with documentation link. - ⌨️ **TypeScript AppHost** — Fixed a deadlock that occurred when lazy options callbacks invoked async methods; dev-localhost resource service URLs are now accepted for local development without extra configuration. - 📊 **Dashboard** — Summary log formatting improved for readability, `dotnet watch` dashboard auto-launch signal restored, and dynamic-port handling fixed for `DistributedApplicationTestingBuilder`. - ☸️ **Kubernetes** — The Helm CLI minimum version (≥ 4.2.0) is now validated before a Kubernetes deploy, giving a clear error instead of a cryptic failure. - ⚠️ **`Aspire.Hosting.Blazor` ships as preview in 13.4** — A packaging issue with the Blazor gateway scripts means the package is intentionally marked preview for this release. Full stable support is targeted for 13.5. ## ⚠️ Notable changes - `aspire ps` no longer includes raw resource data in its output. Use `aspire describe <resource>` to inspect detailed resource state. - Foundry hosted agent builder API shape updated — see [#17545](https://github.com/microsoft/aspire/pull/17545) and [#17669](https://github.com/microsoft/aspire/pull/17669) for the updated C# and TypeScript signatures. - `Aspire.Hosting.Blazor` is preview-versioned in 13.4 (`SuppressFinalPackageVersion=true`). A fix for the `addBlazorGateway` gateway script resolution error in TypeScript AppHosts is tracked in [#17685](https://github.com/microsoft/aspire/issues/17685). ## 📖 Learn more For the full details on everything in this release, check out the [What's new in Aspire 13.4](https://aspire.dev/whats-new/aspire-13-4/) documentation. Thank you to all the community contributors who helped make Aspire 13.4 possible! 💜 --- *Full Changelog: https://github.com/microsoft/aspire/compare/v13.3.5...v13.4.0* *Full commit: [becb48e2d61099e35ae336d527d3875e928d6594](https://github.com/microsoft/aspire/commit/becb48e2d61099e35ae336d527d3875e928d6594)* > Generated by [Generate release notes for a new stable Aspire release](https://github.com/microsoft/aspire/actions/runs/26779980139/agentic_workflow) · ● 6.5M <!-- gh-aw-agentic-workflow: Generate release notes for a new stable Aspire release, engine: copilot, version: 1.0.40, model: claude-sonnet-4.6, id: 26779980139, workflow_id: release-notes-generate, run: https://github.com/microsoft/aspire/actions/runs/26779980139 --> Commits viewable in [compare view](https://github.com/microsoft/aspire/compare/v13.3.5...v13.4.6). </details> Updated [Aspire.MongoDB.Driver](https://github.com/microsoft/aspire) from 13.3.5 to 13.4.6. <details> <summary>Release notes</summary> _Sourced from [Aspire.MongoDB.Driver's releases](https://github.com/microsoft/aspire/releases)._ ## 13.4.6 ## What's New in Aspire 13.4.6 Patch release for Aspire 13.4 fixing polyglot AppHost code generation binding when CLI and SDK versions diverge, resource service port collision in `--isolated` mode, and a MongoDB.Driver dependency update. ### 🐛 Fixes - 🔗 **Polyglot AppHost code generation silently failed when CLI and SDK versions diverged** — `Aspire.TypeSystem` used a floating strong-name `AssemblyVersion` that changed with every build. When the installed Aspire CLI was built at a different version than the AppHost's SDK, the CLR couldn't satisfy the strong-name bind and every code generator (TypeScript, Python, Java, Go, Rust) was silently dropped, surfacing as `No code generator found for language: <lang>`. The `AssemblyVersion` is now frozen at a stable constant so any compatible CLI/SDK pair on 13.4 binds successfully. Relates to #18110 and #17910. ([#18160](https://github.com/microsoft/aspire/pull/18160), `@sebastienros`) - 🔌 **Multiple AppHosts started with `--isolated` collided on the resource service port** — Both instances tried to bind to the same fixed port from `ASPIRE_RESOURCE_SERVICE_ENDPOINT_URL`, causing an "address already in use" error on the second instance. `DashboardServiceHost` now binds to port 0 on loopback when `RandomizePorts` is true (set by `--isolated`), letting the OS assign a unique port per instance. ([#18341](https://github.com/microsoft/aspire/pull/18341), `@JamesNK`) - 🍃 **MongoDB.Driver updated to 3.9.0** — Removes a wrongly pinned `SharpCompress` transitive dependency and uses the corrected `Snappier` transitive. Fixes #17981. ([#18279](https://github.com/microsoft/aspire/pull/18279), `@Falco20019`) ### 🏷️ Housekeeping - 🚀 Bumped branding to 13.4.6 ([#18343](https://github.com/microsoft/aspire/pull/18343)) --- _Full Changelog: [v13.4.5...v13.4.6](https://github.com/microsoft/aspire/compare/v13.4.5...v13.4.6)_ _Full commit: [87fe259e4fc244c599019a7b1304c85a1488f248](https://github.com/microsoft/aspire/commit/87fe259e4fc244c599019a7b1304c85a1488f248)_ > Generated by [Generate release notes for a new stable Aspire release](https://github.com/microsoft/aspire/actions/runs/27855270514) · 131 AIC · ⌖ 13.5 AIC · ⊞ 37.4K <!-- gh-aw-agentic-workflow: Generate release notes for a new stable Aspire release, engine: copilot, version: 1.0.60, model: claude-sonnet-4.6, id: 27855270514, workflow_id: release-notes-generate, run: https://github.com/microsoft/aspire/actions/runs/27855270514 --> ## 13.4.5 ## What's New in Aspire 13.4.5 Patch release for Aspire 13.4 clearing a transitive MessagePack security advisory, tightening CLI validation for Playwright configuration, and adding coding-agent detection to CLI telemetry. ### 🐛 Fixes - 🛡️ **Bumped StreamJsonRpc to 2.25.29 to clear the MessagePack GHSA-hv8m-jj95-wg3x (CVE-2026-48109) NU1903 advisory** — The transitive MessagePack 2.5.192 dependency pulled in via StreamJsonRpc 2.22.23 fell within the advisory's vulnerable LZ4 decompression range. Aspire does not use `MessagePackFormatter` or LZ4 — all StreamJsonRpc calls use `SystemTextJsonFormatter` over local Unix sockets — so the vulnerability was not reachable in practice. The bump clears the NU1903 warning for consumers of the `Aspire.Hosting` package. ([#18204](https://github.com/microsoft/aspire/pull/18204), `@mitchdenny`) - 🎭 **`playwrightCliVersion` values that are not valid SemVer 2.0 now fail fast with a clear diagnostic** — Previously an invalid override (range expression, dist-tag like `latest`, or a `v`-prefixed string) would surface as a generic npm resolution failure. The value is now validated with strict SemVer parsing at startup; an error naming the configuration key and the offending value is emitted immediately. ([#18205](https://github.com/microsoft/aspire/pull/18205), `@mitchdenny`) - 🤖 **CLI telemetry now detects and reports the calling coding agent** — When the Aspire CLI is invoked from inside a known coding agent environment (GitHub Copilot CLI, VS Code Copilot agent, etc.) the agent name is included in the main CLI telemetry event. GitHub Copilot CLI is specifically identified as `copilot-cli`. ([#18240](https://github.com/microsoft/aspire/pull/18240), `@damianedwards`) ### 🏷️ Housekeeping - 📄 Refreshed the `@microsoft/aspire-cli` npm package README to be TypeScript-only — updated examples to the current `ts-starter` template (`apphost.mts` / `aspire.mjs`), added a backing-services snippet showing `aspire add` for PostgreSQL and Redis, and documented `aspire dashboard run` as a standalone dashboard option. ([#18221](https://github.com/microsoft/aspire/pull/18221), `@adamint`) --- _Full Changelog: [v13.4.4...v13.4.5](https://github.com/microsoft/aspire/compare/v13.4.4...v13.4.5)_ _Full commit: [73114e86c64aeb9f3f3c7da8e37df1ae4281b27e](https://github.com/microsoft/aspire/commit/73114e86c64aeb9f3f3c7da8e37df1ae4281b27e)_ > Generated by [Generate release notes for a new stable Aspire release](https://github.com/microsoft/aspire/actions/runs/27667814104/agentic_workflow) · ● 4.4M <!-- gh-aw-agentic-workflow: Generate release notes for a new stable Aspire release, engine: copilot, version: 1.0.40, model: claude-sonnet-4.6, id: 27667814104, workflow_id: release-notes-generate, run: https://github.com/microsoft/aspire/actions/runs/27667814104 --> ## 13.4.4 ## What's New in Aspire 13.4.4 Patch release for Aspire 13.4 with improved DCP connection reliability during request execution and consistent `ExcludeFromMcp()` filtering across all CLI MCP tools. ### 🐛 Fixes * 🔌 **DCP requests could fail permanently when the connection dropped mid-request** — If the underlying DCP channel closed while a request was in flight, the error was surfaced directly instead of being retried. Reconnection is now attempted as part of the DCP request retry path so transient disconnections recover automatically without surfacing errors. ([#18096](https://github.com/microsoft/aspire/pull/18096), `@karolz-ms`) * 🔍 **Resources marked with `ExcludeFromMcp()` were not consistently filtered from CLI MCP tools** — Resources with the `resource.excludeFromMcp` property were not excluded uniformly from all CLI MCP tool results. `list_resources`, `list_console_logs`, `execute_resource_command`, `list_structured_logs`, `list_traces`, and `list_trace_structured_logs` all now honor the exclusion, preventing excluded resources and their telemetry from appearing in agent context. ([#18150](https://github.com/microsoft/aspire/pull/18150), `@JamesNK`) ### 🏷️ Housekeeping * 📦 Improved npm CLI package metadata and hardened npm publish validation in the release pipeline. ([#18093](https://github.com/microsoft/aspire/pull/18093), `@adamratzman`) * * * _Full Changelog: [v13.4.3...v13.4.4](https://github.com/microsoft/aspire/compare/v13.4.3...v13.4.4)_ _Full commit: [ccc566c5ab3285c9beb8f38ede34734bb477c029](https://github.com/microsoft/aspire/commit/ccc566c5ab3285c9beb8f38ede34734bb477c029)_ ## 13.4.3 ## What's New in Aspire 13.4.3 Patch release for Aspire 13.4 with a fix for persistent container endpoint allocation regressions introduced in 13.4. ### 🐛 Fixes - 🔌 **Persistent container endpoints had incorrect default behavior** — Persistent containers were defaulting to proxyless endpoint behavior instead of the proxied behavior used by normal containers. This caused integrations that depend on endpoint allocation before resource startup (such as the KeyVault emulator) to fail. Persistent containers now default to proxied endpoints matching normal container behavior; opt out with `isProxied: false` or `WithEndpointProxySupport(false)`. Proxyless container endpoints with only a `targetPort` specified now also resolve immediately to that port instead of waiting for delayed allocation. (#17960, `@danegsta`) ### 🏷️ Housekeeping - 🛠️ Unblocked WinGet manifest publishing on locked-down 1ES agents and updated manifest tags (#17958) --- *Full Changelog: https://github.com/microsoft/aspire/compare/v13.4.2...v13.4.3* *Full commit: [4f218933552e18ff2874d1b6d5dc3fe671e3b6d9](https://github.com/microsoft/aspire/commit/4f218933552e18ff2874d1b6d5dc3fe671e3b6d9)* > Generated by [Generate release notes for a new stable Aspire release](https://github.com/microsoft/aspire/actions/runs/27173824611/agentic_workflow) · ● 4.7M <!-- gh-aw-agentic-workflow: Generate release notes for a new stable Aspire release, engine: copilot, version: 1.0.40, model: claude-sonnet-4.6, id: 27173824611, workflow_id: release-notes-generate, run: https://github.com/microsoft/aspire/actions/runs/27173824611 --> ## 13.4.2 ## What's New in Aspire 13.4.2 Patch release for Aspire 13.4 with a fix for Redis persistent container deadlock on startup when using TLS. ### 🐛 Fixes - 🔴 **Redis with `WithLifetime(ContainerLifetime.Persistent)` could deadlock on startup** — Redis TLS startup arguments used the public/allocated host ports instead of the internal target ports. When the public port differed from the target port (or was not yet allocated) the container would listen on an unexpected port and become unreachable. The TLS and non-TLS startup arguments now bind to target ports, matching what Redis expects internally. Fixes #17822. (#17827, backported via #17850, `@danegsta`) ### 🏷️ Housekeeping - 🚀 Bumped branding to 13.4.2 (#17876) --- *Full Changelog: https://github.com/microsoft/aspire/compare/v13.4.1...v13.4.2* *Full commit: [d7d0b6759ce4b936c76bc4775814d27db56…
Updated [Aspire.Hosting.Redis](https://github.com/microsoft/aspire) from
13.4.2 to 13.4.6.
<details>
<summary>Release notes</summary>
_Sourced from [Aspire.Hosting.Redis's
releases](https://github.com/microsoft/aspire/releases)._
## 13.4.6
## What's New in Aspire 13.4.6
Patch release for Aspire 13.4 fixing polyglot AppHost code generation
binding when CLI and SDK versions diverge, resource service port
collision in `--isolated` mode, and a MongoDB.Driver dependency update.
### 🐛 Fixes
- 🔗 **Polyglot AppHost code generation silently failed when CLI and SDK
versions diverged** — `Aspire.TypeSystem` used a floating strong-name
`AssemblyVersion` that changed with every build. When the installed
Aspire CLI was built at a different version than the AppHost's SDK, the
CLR couldn't satisfy the strong-name bind and every code generator
(TypeScript, Python, Java, Go, Rust) was silently dropped, surfacing as
`No code generator found for language: <lang>`. The `AssemblyVersion` is
now frozen at a stable constant so any compatible CLI/SDK pair on 13.4
binds successfully. Relates to #18110 and #17910.
([#18160](https://github.com/microsoft/aspire/pull/18160),
`@sebastienros`)
- 🔌 **Multiple AppHosts started with `--isolated` collided on the
resource service port** — Both instances tried to bind to the same fixed
port from `ASPIRE_RESOURCE_SERVICE_ENDPOINT_URL`, causing an "address
already in use" error on the second instance. `DashboardServiceHost` now
binds to port 0 on loopback when `RandomizePorts` is true (set by
`--isolated`), letting the OS assign a unique port per instance.
([#18341](https://github.com/microsoft/aspire/pull/18341), `@JamesNK`)
- 🍃 **MongoDB.Driver updated to 3.9.0** — Removes a wrongly pinned
`SharpCompress` transitive dependency and uses the corrected `Snappier`
transitive. Fixes #17981.
([#18279](https://github.com/microsoft/aspire/pull/18279),
`@Falco20019`)
### 🏷️ Housekeeping
- 🚀 Bumped branding to 13.4.6
([#18343](https://github.com/microsoft/aspire/pull/18343))
---
_Full Changelog:
[v13.4.5...v13.4.6](https://github.com/microsoft/aspire/compare/v13.4.5...v13.4.6)_
_Full commit:
[87fe259e4fc244c599019a7b1304c85a1488f248](https://github.com/microsoft/aspire/commit/87fe259e4fc244c599019a7b1304c85a1488f248)_
> Generated by [Generate release notes for a new stable Aspire
release](https://github.com/microsoft/aspire/actions/runs/27855270514) ·
131 AIC · ⌖ 13.5 AIC · ⊞ 37.4K
<!-- gh-aw-agentic-workflow: Generate release notes for a new stable
Aspire release, engine: copilot, version: 1.0.60, model:
claude-sonnet-4.6, id: 27855270514, workflow_id: release-notes-generate,
run: https://github.com/microsoft/aspire/actions/runs/27855270514 -->
## 13.4.5
## What's New in Aspire 13.4.5
Patch release for Aspire 13.4 clearing a transitive MessagePack security
advisory, tightening CLI validation for Playwright configuration, and
adding coding-agent detection to CLI telemetry.
### 🐛 Fixes
- 🛡️ **Bumped StreamJsonRpc to 2.25.29 to clear the MessagePack
GHSA-hv8m-jj95-wg3x (CVE-2026-48109) NU1903 advisory** — The transitive
MessagePack 2.5.192 dependency pulled in via StreamJsonRpc 2.22.23 fell
within the advisory's vulnerable LZ4 decompression range. Aspire does
not use `MessagePackFormatter` or LZ4 — all StreamJsonRpc calls use
`SystemTextJsonFormatter` over local Unix sockets — so the vulnerability
was not reachable in practice. The bump clears the NU1903 warning for
consumers of the `Aspire.Hosting` package.
([#18204](https://github.com/microsoft/aspire/pull/18204),
`@mitchdenny`)
- 🎭 **`playwrightCliVersion` values that are not valid SemVer 2.0 now
fail fast with a clear diagnostic** — Previously an invalid override
(range expression, dist-tag like `latest`, or a `v`-prefixed string)
would surface as a generic npm resolution failure. The value is now
validated with strict SemVer parsing at startup; an error naming the
configuration key and the offending value is emitted immediately.
([#18205](https://github.com/microsoft/aspire/pull/18205),
`@mitchdenny`)
- 🤖 **CLI telemetry now detects and reports the calling coding agent** —
When the Aspire CLI is invoked from inside a known coding agent
environment (GitHub Copilot CLI, VS Code Copilot agent, etc.) the agent
name is included in the main CLI telemetry event. GitHub Copilot CLI is
specifically identified as `copilot-cli`.
([#18240](https://github.com/microsoft/aspire/pull/18240),
`@damianedwards`)
### 🏷️ Housekeeping
- 📄 Refreshed the `@microsoft/aspire-cli` npm package README to be
TypeScript-only — updated examples to the current `ts-starter` template
(`apphost.mts` / `aspire.mjs`), added a backing-services snippet showing
`aspire add` for PostgreSQL and Redis, and documented `aspire dashboard
run` as a standalone dashboard option.
([#18221](https://github.com/microsoft/aspire/pull/18221), `@adamint`)
---
_Full Changelog:
[v13.4.4...v13.4.5](https://github.com/microsoft/aspire/compare/v13.4.4...v13.4.5)_
_Full commit:
[73114e86c64aeb9f3f3c7da8e37df1ae4281b27e](https://github.com/microsoft/aspire/commit/73114e86c64aeb9f3f3c7da8e37df1ae4281b27e)_
> Generated by [Generate release notes for a new stable Aspire
release](https://github.com/microsoft/aspire/actions/runs/27667814104/agentic_workflow)
· ● 4.4M
<!-- gh-aw-agentic-workflow: Generate release notes for a new stable
Aspire release, engine: copilot, version: 1.0.40, model:
claude-sonnet-4.6, id: 27667814104, workflow_id: release-notes-generate,
run: https://github.com/microsoft/aspire/actions/runs/27667814104 -->
## 13.4.4
## What's New in Aspire 13.4.4
Patch release for Aspire 13.4 with improved DCP connection reliability
during request execution and consistent `ExcludeFromMcp()` filtering
across all CLI MCP tools.
### 🐛 Fixes
* 🔌 **DCP requests could fail permanently when the connection dropped
mid-request** — If the underlying DCP channel closed while a request was
in flight, the error was surfaced directly instead of being retried.
Reconnection is now attempted as part of the DCP request retry path so
transient disconnections recover automatically without surfacing errors.
([#18096](https://github.com/microsoft/aspire/pull/18096),
`@karolz-ms`)
* 🔍 **Resources marked with `ExcludeFromMcp()` were not consistently
filtered from CLI MCP tools** — Resources with the
`resource.excludeFromMcp` property were not excluded uniformly from all
CLI MCP tool results. `list_resources`, `list_console_logs`,
`execute_resource_command`, `list_structured_logs`, `list_traces`, and
`list_trace_structured_logs` all now honor the exclusion, preventing
excluded resources and their telemetry from appearing in agent context.
([#18150](https://github.com/microsoft/aspire/pull/18150), `@JamesNK`)
### 🏷️ Housekeeping
* 📦 Improved npm CLI package metadata and hardened npm publish
validation in the release pipeline.
([#18093](https://github.com/microsoft/aspire/pull/18093),
`@adamratzman`)
* * *
_Full Changelog:
[v13.4.3...v13.4.4](https://github.com/microsoft/aspire/compare/v13.4.3...v13.4.4)_
_Full commit:
[ccc566c5ab3285c9beb8f38ede34734bb477c029](https://github.com/microsoft/aspire/commit/ccc566c5ab3285c9beb8f38ede34734bb477c029)_
## 13.4.3
## What's New in Aspire 13.4.3
Patch release for Aspire 13.4 with a fix for persistent container
endpoint allocation regressions introduced in 13.4.
### 🐛 Fixes
- 🔌 **Persistent container endpoints had incorrect default behavior** —
Persistent containers were defaulting to proxyless endpoint behavior
instead of the proxied behavior used by normal containers. This caused
integrations that depend on endpoint allocation before resource startup
(such as the KeyVault emulator) to fail. Persistent containers now
default to proxied endpoints matching normal container behavior; opt out
with `isProxied: false` or `WithEndpointProxySupport(false)`. Proxyless
container endpoints with only a `targetPort` specified now also resolve
immediately to that port instead of waiting for delayed allocation.
(#17960, `@danegsta`)
### 🏷️ Housekeeping
- 🛠️ Unblocked WinGet manifest publishing on locked-down 1ES agents and
updated manifest tags (#17958)
---
*Full Changelog:
https://github.com/microsoft/aspire/compare/v13.4.2...v13.4.3*
*Full commit:
[4f218933552e18ff2874d1b6d5dc3fe671e3b6d9](https://github.com/microsoft/aspire/commit/4f218933552e18ff2874d1b6d5dc3fe671e3b6d9)*
> Generated by [Generate release notes for a new stable Aspire
release](https://github.com/microsoft/aspire/actions/runs/27173824611/agentic_workflow)
· ● 4.7M
<!-- gh-aw-agentic-workflow: Generate release notes for a new stable
Aspire release, engine: copilot, version: 1.0.40, model:
claude-sonnet-4.6, id: 27173824611, workflow_id: release-notes-generate,
run: https://github.com/microsoft/aspire/actions/runs/27173824611 -->
Commits viewable in [compare
view](https://github.com/microsoft/aspire/compare/v13.4.2...v13.4.6).
</details>
Updated [Aspire.Hosting.Testing](https://github.com/microsoft/aspire)
from 13.4.2 to 13.4.6.
<details>
<summary>Release notes</summary>
_Sourced from [Aspire.Hosting.Testing's
releases](https://github.com/microsoft/aspire/releases)._
## 13.4.6
## What's New in Aspire 13.4.6
Patch release for Aspire 13.4 fixing polyglot AppHost code generation
binding when CLI and SDK versions diverge, resource service port
collision in `--isolated` mode, and a MongoDB.Driver dependency update.
### 🐛 Fixes
- 🔗 **Polyglot AppHost code generation silently failed when CLI and SDK
versions diverged** — `Aspire.TypeSystem` used a floating strong-name
`AssemblyVersion` that changed with every build. When the installed
Aspire CLI was built at a different version than the AppHost's SDK, the
CLR couldn't satisfy the strong-name bind and every code generator
(TypeScript, Python, Java, Go, Rust) was silently dropped, surfacing as
`No code generator found for language: <lang>`. The `AssemblyVersion` is
now frozen at a stable constant so any compatible CLI/SDK pair on 13.4
binds successfully. Relates to #18110 and #17910.
([#18160](https://github.com/microsoft/aspire/pull/18160),
`@sebastienros`)
- 🔌 **Multiple AppHosts started with `--isolated` collided on the
resource service port** — Both instances tried to bind to the same fixed
port from `ASPIRE_RESOURCE_SERVICE_ENDPOINT_URL`, causing an "address
already in use" error on the second instance. `DashboardServiceHost` now
binds to port 0 on loopback when `RandomizePorts` is true (set by
`--isolated`), letting the OS assign a unique port per instance.
([#18341](https://github.com/microsoft/aspire/pull/18341), `@JamesNK`)
- 🍃 **MongoDB.Driver updated to 3.9.0** — Removes a wrongly pinned
`SharpCompress` transitive dependency and uses the corrected `Snappier`
transitive. Fixes #17981.
([#18279](https://github.com/microsoft/aspire/pull/18279),
`@Falco20019`)
### 🏷️ Housekeeping
- 🚀 Bumped branding to 13.4.6
([#18343](https://github.com/microsoft/aspire/pull/18343))
---
_Full Changelog:
[v13.4.5...v13.4.6](https://github.com/microsoft/aspire/compare/v13.4.5...v13.4.6)_
_Full commit:
[87fe259e4fc244c599019a7b1304c85a1488f248](https://github.com/microsoft/aspire/commit/87fe259e4fc244c599019a7b1304c85a1488f248)_
> Generated by [Generate release notes for a new stable Aspire
release](https://github.com/microsoft/aspire/actions/runs/27855270514) ·
131 AIC · ⌖ 13.5 AIC · ⊞ 37.4K
<!-- gh-aw-agentic-workflow: Generate release notes for a new stable
Aspire release, engine: copilot, version: 1.0.60, model:
claude-sonnet-4.6, id: 27855270514, workflow_id: release-notes-generate,
run: https://github.com/microsoft/aspire/actions/runs/27855270514 -->
## 13.4.5
## What's New in Aspire 13.4.5
Patch release for Aspire 13.4 clearing a transitive MessagePack security
advisory, tightening CLI validation for Playwright configuration, and
adding coding-agent detection to CLI telemetry.
### 🐛 Fixes
- 🛡️ **Bumped StreamJsonRpc to 2.25.29 to clear the MessagePack
GHSA-hv8m-jj95-wg3x (CVE-2026-48109) NU1903 advisory** — The transitive
MessagePack 2.5.192 dependency pulled in via StreamJsonRpc 2.22.23 fell
within the advisory's vulnerable LZ4 decompression range. Aspire does
not use `MessagePackFormatter` or LZ4 — all StreamJsonRpc calls use
`SystemTextJsonFormatter` over local Unix sockets — so the vulnerability
was not reachable in practice. The bump clears the NU1903 warning for
consumers of the `Aspire.Hosting` package.
([#18204](https://github.com/microsoft/aspire/pull/18204),
`@mitchdenny`)
- 🎭 **`playwrightCliVersion` values that are not valid SemVer 2.0 now
fail fast with a clear diagnostic** — Previously an invalid override
(range expression, dist-tag like `latest`, or a `v`-prefixed string)
would surface as a generic npm resolution failure. The value is now
validated with strict SemVer parsing at startup; an error naming the
configuration key and the offending value is emitted immediately.
([#18205](https://github.com/microsoft/aspire/pull/18205),
`@mitchdenny`)
- 🤖 **CLI telemetry now detects and reports the calling coding agent** —
When the Aspire CLI is invoked from inside a known coding agent
environment (GitHub Copilot CLI, VS Code Copilot agent, etc.) the agent
name is included in the main CLI telemetry event. GitHub Copilot CLI is
specifically identified as `copilot-cli`.
([#18240](https://github.com/microsoft/aspire/pull/18240),
`@damianedwards`)
### 🏷️ Housekeeping
- 📄 Refreshed the `@microsoft/aspire-cli` npm package README to be
TypeScript-only — updated examples to the current `ts-starter` template
(`apphost.mts` / `aspire.mjs`), added a backing-services snippet showing
`aspire add` for PostgreSQL and Redis, and documented `aspire dashboard
run` as a standalone dashboard option.
([#18221](https://github.com/microsoft/aspire/pull/18221), `@adamint`)
---
_Full Changelog:
[v13.4.4...v13.4.5](https://github.com/microsoft/aspire/compare/v13.4.4...v13.4.5)_
_Full commit:
[73114e86c64aeb9f3f3c7da8e37df1ae4281b27e](https://github.com/microsoft/aspire/commit/73114e86c64aeb9f3f3c7da8e37df1ae4281b27e)_
> Generated by [Generate release notes for a new stable Aspire
release](https://github.com/microsoft/aspire/actions/runs/27667814104/agentic_workflow)
· ● 4.4M
<!-- gh-aw-agentic-workflow: Generate release notes for a new stable
Aspire release, engine: copilot, version: 1.0.40, model:
claude-sonnet-4.6, id: 27667814104, workflow_id: release-notes-generate,
run: https://github.com/microsoft/aspire/actions/runs/27667814104 -->
## 13.4.4
## What's New in Aspire 13.4.4
Patch release for Aspire 13.4 with improved DCP connection reliability
during request execution and consistent `ExcludeFromMcp()` filtering
across all CLI MCP tools.
### 🐛 Fixes
* 🔌 **DCP requests could fail permanently when the connection dropped
mid-request** — If the underlying DCP channel closed while a request was
in flight, the error was surfaced directly instead of being retried.
Reconnection is now attempted as part of the DCP request retry path so
transient disconnections recover automatically without surfacing errors.
([#18096](https://github.com/microsoft/aspire/pull/18096),
`@karolz-ms`)
* 🔍 **Resources marked with `ExcludeFromMcp()` were not consistently
filtered from CLI MCP tools** — Resources with the
`resource.excludeFromMcp` property were not excluded uniformly from all
CLI MCP tool results. `list_resources`, `list_console_logs`,
`execute_resource_command`, `list_structured_logs`, `list_traces`, and
`list_trace_structured_logs` all now honor the exclusion, preventing
excluded resources and their telemetry from appearing in agent context.
([#18150](https://github.com/microsoft/aspire/pull/18150), `@JamesNK`)
### 🏷️ Housekeeping
* 📦 Improved npm CLI package metadata and hardened npm publish
validation in the release pipeline.
([#18093](https://github.com/microsoft/aspire/pull/18093),
`@adamratzman`)
* * *
_Full Changelog:
[v13.4.3...v13.4.4](https://github.com/microsoft/aspire/compare/v13.4.3...v13.4.4)_
_Full commit:
[ccc566c5ab3285c9beb8f38ede34734bb477c029](https://github.com/microsoft/aspire/commit/ccc566c5ab3285c9beb8f38ede34734bb477c029)_
## 13.4.3
## What's New in Aspire 13.4.3
Patch release for Aspire 13.4 with a fix for persistent container
endpoint allocation regressions introduced in 13.4.
### 🐛 Fixes
- 🔌 **Persistent container endpoints had incorrect default behavior** —
Persistent containers were defaulting to proxyless endpoint behavior
instead of the proxied behavior used by normal containers. This caused
integrations that depend on endpoint allocation before resource startup
(such as the KeyVault emulator) to fail. Persistent containers now
default to proxied endpoints matching normal container behavior; opt out
with `isProxied: false` or `WithEndpointProxySupport(false)`. Proxyless
container endpoints with only a `targetPort` specified now also resolve
immediately to that port instead of waiting for delayed allocation.
(#17960, `@danegsta`)
### 🏷️ Housekeeping
- 🛠️ Unblocked WinGet manifest publishing on locked-down 1ES agents and
updated manifest tags (#17958)
---
*Full Changelog:
https://github.com/microsoft/aspire/compare/v13.4.2...v13.4.3*
*Full commit:
[4f218933552e18ff2874d1b6d5dc3fe671e3b6d9](https://github.com/microsoft/aspire/commit/4f218933552e18ff2874d1b6d5dc3fe671e3b6d9)*
> Generated by [Generate release notes for a new stable Aspire
release](https://github.com/microsoft/aspire/actions/runs/27173824611/agentic_workflow)
· ● 4.7M
<!-- gh-aw-agentic-workflow: Generate release notes for a new stable
Aspire release, engine: copilot, version: 1.0.40, model:
claude-sonnet-4.6, id: 27173824611, workflow_id: release-notes-generate,
run: https://github.com/microsoft/aspire/actions/runs/27173824611 -->
Commits viewable in [compare
view](https://github.com/microsoft/aspire/compare/v13.4.2...v13.4.6).
</details>
Updated [Aspire.MongoDB.Driver](https://github.com/microsoft/aspire)
from 13.4.2 to 13.4.6.
<details>
<summary>Release notes</summary>
_Sourced from [Aspire.MongoDB.Driver's
releases](https://github.com/microsoft/aspire/releases)._
## 13.4.6
## What's New in Aspire 13.4.6
Patch release for Aspire 13.4 fixing polyglot AppHost code generation
binding when CLI and SDK versions diverge, resource service port
collision in `--isolated` mode, and a MongoDB.Driver dependency update.
### 🐛 Fixes
- 🔗 **Polyglot AppHost code generation silently failed when CLI and SDK
versions diverged** — `Aspire.TypeSystem` used a floating strong-name
`AssemblyVersion` that changed with every build. When the installed
Aspire CLI was built at a different version than the AppHost's SDK, the
CLR couldn't satisfy the strong-name bind and every code generator
(TypeScript, Python, Java, Go, Rust) was silently dropped, surfacing as
`No code generator found for language: <lang>`. The `AssemblyVersion` is
now frozen at a stable constant so any compatible CLI/SDK pair on 13.4
binds successfully. Relates to #18110 and #17910.
([#18160](https://github.com/microsoft/aspire/pull/18160),
`@sebastienros`)
- 🔌 **Multiple AppHosts started with `--isolated` collided on the
resource service port** — Both instances tried to bind to the same fixed
port from `ASPIRE_RESOURCE_SERVICE_ENDPOINT_URL`, causing an "address
already in use" error on the second instance. `DashboardServiceHost` now
binds to port 0 on loopback when `RandomizePorts` is true (set by
`--isolated`), letting the OS assign a unique port per instance.
([#18341](https://github.com/microsoft/aspire/pull/18341), `@JamesNK`)
- 🍃 **MongoDB.Driver updated to 3.9.0** — Removes a wrongly pinned
`SharpCompress` transitive dependency and uses the corrected `Snappier`
transitive. Fixes #17981.
([#18279](https://github.com/microsoft/aspire/pull/18279),
`@Falco20019`)
### 🏷️ Housekeeping
- 🚀 Bumped branding to 13.4.6
([#18343](https://github.com/microsoft/aspire/pull/18343))
---
_Full Changelog:
[v13.4.5...v13.4.6](https://github.com/microsoft/aspire/compare/v13.4.5...v13.4.6)_
_Full commit:
[87fe259e4fc244c599019a7b1304c85a1488f248](https://github.com/microsoft/aspire/commit/87fe259e4fc244c599019a7b1304c85a1488f248)_
> Generated by [Generate release notes for a new stable Aspire
release](https://github.com/microsoft/aspire/actions/runs/27855270514) ·
131 AIC · ⌖ 13.5 AIC · ⊞ 37.4K
<!-- gh-aw-agentic-workflow: Generate release notes for a new stable
Aspire release, engine: copilot, version: 1.0.60, model:
claude-sonnet-4.6, id: 27855270514, workflow_id: release-notes-generate,
run: https://github.com/microsoft/aspire/actions/runs/27855270514 -->
## 13.4.5
## What's New in Aspire 13.4.5
Patch release for Aspire 13.4 clearing a transitive MessagePack security
advisory, tightening CLI validation for Playwright configuration, and
adding coding-agent detection to CLI telemetry.
### 🐛 Fixes
- 🛡️ **Bumped StreamJsonRpc to 2.25.29 to clear the MessagePack
GHSA-hv8m-jj95-wg3x (CVE-2026-48109) NU1903 advisory** — The transitive
MessagePack 2.5.192 dependency pulled in via StreamJsonRpc 2.22.23 fell
within the advisory's vulnerable LZ4 decompression range. Aspire does
not use `MessagePackFormatter` or LZ4 — all StreamJsonRpc calls use
`SystemTextJsonFormatter` over local Unix sockets — so the vulnerability
was not reachable in practice. The bump clears the NU1903 warning for
consumers of the `Aspire.Hosting` package.
([#18204](https://github.com/microsoft/aspire/pull/18204),
`@mitchdenny`)
- 🎭 **`playwrightCliVersion` values that are not valid SemVer 2.0 now
fail fast with a clear diagnostic** — Previously an invalid override
(range expression, dist-tag like `latest`, or a `v`-prefixed string)
would surface as a generic npm resolution failure. The value is now
validated with strict SemVer parsing at startup; an error naming the
configuration key and the offending value is emitted immediately.
([#18205](https://github.com/microsoft/aspire/pull/18205),
`@mitchdenny`)
- 🤖 **CLI telemetry now detects and reports the calling coding agent** —
When the Aspire CLI is invoked from inside a known coding agent
environment (GitHub Copilot CLI, VS Code Copilot agent, etc.) the agent
name is included in the main CLI telemetry event. GitHub Copilot CLI is
specifically identified as `copilot-cli`.
([#18240](https://github.com/microsoft/aspire/pull/18240),
`@damianedwards`)
### 🏷️ Housekeeping
- 📄 Refreshed the `@microsoft/aspire-cli` npm package README to be
TypeScript-only — updated examples to the current `ts-starter` template
(`apphost.mts` / `aspire.mjs`), added a backing-services snippet showing
`aspire add` for PostgreSQL and Redis, and documented `aspire dashboard
run` as a standalone dashboard option.
([#18221](https://github.com/microsoft/aspire/pull/18221), `@adamint`)
---
_Full Changelog:
[v13.4.4...v13.4.5](https://github.com/microsoft/aspire/compare/v13.4.4...v13.4.5)_
_Full commit:
[73114e86c64aeb9f3f3c7da8e37df1ae4281b27e](https://github.com/microsoft/aspire/commit/73114e86c64aeb9f3f3c7da8e37df1ae4281b27e)_
> Generated by [Generate release notes for a new stable Aspire
release](https://github.com/microsoft/aspire/actions/runs/27667814104/agentic_workflow)
· ● 4.4M
<!-- gh-aw-agentic-workflow: Generate release notes for a new stable
Aspire release, engine: copilot, version: 1.0.40, model:
claude-sonnet-4.6, id: 27667814104, workflow_id: release-notes-generate,
run: https://github.com/microsoft/aspire/actions/runs/27667814104 -->
## 13.4.4
## What's New in Aspire 13.4.4
Patch release for Aspire 13.4 with improved DCP connection reliability
during request execution and consistent `ExcludeFromMcp()` filtering
across all CLI MCP tools.
### 🐛 Fixes
* 🔌 **DCP requests could fail permanently when the connection dropped
mid-request** — If the underlying DCP channel closed while a request was
in flight, the error was surfaced directly instead of being retried.
Reconnection is now attempted as part of the DCP request retry path so
transient disconnections recover automatically without surfacing errors.
([#18096](https://github.com/microsoft/aspire/pull/18096),
`@karolz-ms`)
* 🔍 **Resources marked with `ExcludeFromMcp()` were not consistently
filtered from CLI MCP tools** — Resources with the
`resource.excludeFromMcp` property were not excluded uniformly from all
CLI MCP tool results. `list_resources`, `list_console_logs`,
`execute_resource_command`, `list_structured_logs`, `list_traces`, and
`list_trace_structured_logs` all now honor the exclusion, preventing
excluded resources and their telemetry from appearing in agent context.
([#18150](https://github.com/microsoft/aspire/pull/18150), `@JamesNK`)
### 🏷️ Housekeeping
* 📦 Improved npm CLI package metadata and hardened npm publish
validation in the release pipeline.
([#18093](https://github.com/microsoft/aspire/pull/18093),
`@adamratzman`)
* * *
_Full Changelog:
[v13.4.3...v13.4.4](https://github.com/microsoft/aspire/compare/v13.4.3...v13.4.4)_
_Full commit:
[ccc566c5ab3285c9beb8f38ede34734bb477c029](https://github.com/microsoft/aspire/commit/ccc566c5ab3285c9beb8f38ede34734bb477c029)_
## 13.4.3
## What's New in Aspire 13.4.3
Patch release for Aspire 13.4 with a fix for persistent container
endpoint allocation regressions introduced in 13.4.
### 🐛 Fixes
- 🔌 **Persistent container endpoints had incorrect default behavior** —
Persistent containers were defaulting to proxyless endpoint behavior
instead of the proxied behavior used by normal containers. This caused
integrations that depend on endpoint allocation before resource startup
(such as the KeyVault emulator) to fail. Persistent containers now
default to proxied endpoints matching normal container behavior; opt out
with `isProxied: false` or `WithEndpointProxySupport(false)`. Proxyless
container endpoints with only a `targetPort` specified now also resolve
immediately to that port instead of waiting for delayed allocation.
(#17960, `@danegsta`)
### 🏷️ Housekeeping
- 🛠️ Unblocked WinGet manifest publishing on locked-down 1ES agents and
updated manifest tags (#17958)
---
*Full Changelog:
https://github.com/microsoft/aspire/compare/v13.4.2...v13.4.3*
*Full commit:
[4f218933552e18ff2874d1b6d5dc3fe671e3b6d9](https://github.com/microsoft/aspire/commit/4f218933552e18ff2874d1b6d5dc3fe671e3b6d9)*
> Generated by [Generate release notes for a new stable Aspire
release](https://github.com/microsoft/aspire/actions/runs/27173824611/agentic_workflow)
· ● 4.7M
<!-- gh-aw-agentic-workflow: Generate release notes for a new stable
Aspire release, engine: copilot, version: 1.0.40, model:
claude-sonnet-4.6, id: 27173824611, workflow_id: release-notes-generate,
run: https://github.com/microsoft/aspire/actions/runs/27173824611 -->
Commits viewable in [compare
view](https://github.com/microsoft/aspire/compare/v13.4.2...v13.4.6).
</details>
Updated
[Aspire.StackExchange.Redis](https://github.com/microsoft/aspire) from
13.4.2 to 13.4.6.
<details>
<summary>Release notes</summary>
_Sourced from [Aspire.StackExchange.Redis's
releases](https://github.com/microsoft/aspire/releases)._
## 13.4.6
## What's New in Aspire 13.4.6
Patch release for Aspire 13.4 fixing polyglot AppHost code generation
binding when CLI and SDK versions diverge, resource service port
collision in `--isolated` mode, and a MongoDB.Driver dependency update.
### 🐛 Fixes
- 🔗 **Polyglot AppHost code generation silently failed when CLI and SDK
versions diverged** — `Aspire.TypeSystem` used a floating strong-name
`AssemblyVersion` that changed with every build. When the installed
Aspire CLI was built at a different version than the AppHost's SDK, the
CLR couldn't satisfy the strong-name bind and every code generator
(TypeScript, Python, Java, Go, Rust) was silently dropped, surfacing as
`No code generator found for language: <lang>`. The `AssemblyVersion` is
now frozen at a stable constant so any compatible CLI/SDK pair on 13.4
binds successfully. Relates to #18110 and #17910.
([#18160](https://github.com/microsoft/aspire/pull/18160),
`@sebastienros`)
- 🔌 **Multiple AppHosts started with `--isolated` collided on the
resource service port** — Both instances tried to bind to the same fixed
port from `ASPIRE_RESOURCE_SERVICE_ENDPOINT_URL`, causing an "address
already in use" error on the second instance. `DashboardServiceHost` now
binds to port 0 on loopback when `RandomizePorts` is true (set by
`--isolated`), letting the OS assign a unique port per instance.
([#18341](https://github.com/microsoft/aspire/pull/18341), `@JamesNK`)
- 🍃 **MongoDB.Driver updated to 3.9.0** — Removes a wrongly pinned
`SharpCompress` transitive dependency and uses the corrected `Snappier`
transitive. Fixes #17981.
([#18279](https://github.com/microsoft/aspire/pull/18279),
`@Falco20019`)
### 🏷️ Housekeeping
- 🚀 Bumped branding to 13.4.6
([#18343](https://github.com/microsoft/aspire/pull/18343))
---
_Full Changelog:
[v13.4.5...v13.4.6](https://github.com/microsoft/aspire/compare/v13.4.5...v13.4.6)_
_Full commit:
[87fe259e4fc244c599019a7b1304c85a1488f248](https://github.com/microsoft/aspire/commit/87fe259e4fc244c599019a7b1304c85a1488f248)_
> Generated by [Generate release notes for a new stable Aspire
release](https://github.com/microsoft/aspire/actions/runs/27855270514) ·
131 AIC · ⌖ 13.5 AIC · ⊞ 37.4K
<!-- gh-aw-agentic-workflow: Generate release notes for a new stable
Aspire release, engine: copilot, version: 1.0.60, model:
claude-sonnet-4.6, id: 27855270514, workflow_id: release-notes-generate,
run: https://github.com/microsoft/aspire/actions/runs/27855270514 -->
## 13.4.5
## What's New in Aspire 13.4.5
Patch release for Aspire 13.4 clearing a transitive MessagePack security
advisory, tightening CLI validation for Playwright configuration, and
adding coding-agent detection to CLI telemetry.
### 🐛 Fixes
- 🛡️ **Bumped StreamJsonRpc to 2.25.29 to clear the MessagePack
GHSA-hv8m-jj95-wg3x (CVE-2026-48109) NU1903 advisory** — The transitive
MessagePack 2.5.192 dependency pulled in via StreamJsonRpc 2.22.23 fell
within the advisory's vulnerable LZ4 decompression range. Aspire does
not use `MessagePackFormatter` or LZ4 — all StreamJsonRpc calls use
`SystemTextJsonFormatter` over local Unix sockets — so the vulnerability
was not reachable in practice. The bump clears the NU1903 warning for
consumers of the `Aspire.Hosting` package.
([#18204](https://github.com/microsoft/aspire/pull/18204),
`@mitchdenny`)
- 🎭 **`playwrightCliVersion` values that are not valid SemVer 2.0 now
fail fast with a clear diagnostic** — Previously an invalid override
(range expression, dist-tag like `latest`, or a `v`-prefixed string)
would surface as a generic npm resolution failure. The value is now
validated with strict SemVer parsing at startup; an error naming the
configuration key and the offending value is emitted immediately.
([#18205](https://github.com/microsoft/aspire/pull/18205),
`@mitchdenny`)
- 🤖 **CLI telemetry now detects and reports the calling coding agent** —
When the Aspire CLI is invoked from inside a known coding agent
environment (GitHub Copilot CLI, VS Code Copilot agent, etc.) the agent
name is included in the main CLI telemetry event. GitHub Copilot CLI is
specifically identified as `copilot-cli`.
([#18240](https://github.com/microsoft/aspire/pull/18240),
`@damianedwards`)
### 🏷️ Housekeeping
- 📄 Refreshed the `@microsoft/aspire-cli` npm package README to be
TypeScript-only — updated examples to the current `ts-starter` template
(`apphost.mts` / `aspire.mjs`), added a backing-services snippet showing
`aspire add` for PostgreSQL and Redis, and documented `aspire dashboard
run` as a standalone dashboard option.
([#18221](https://github.com/microsoft/aspire/pull/18221), `@adamint`)
---
_Full Changelog:
[v13.4.4...v13.4.5](https://github.com/microsoft/aspire/compare/v13.4.4...v13.4.5)_
_Full commit:
[73114e86c64aeb9f3f3c7da8e37df1ae4281b27e](https://github.com/microsoft/aspire/commit/73114e86c64aeb9f3f3c7da8e37df1ae4281b27e)_
> Generated by [Generate release notes for a new stable Aspire
release](https://github.com/microsoft/aspire/actions/runs/27667814104/agentic_workflow)
· ● 4.4M
<!-- gh-aw-agentic-workflow: Generate release notes for a new stable
Aspire release, engine: copilot, version: 1.0.40, model:
claude-sonnet-4.6, id: 27667814104, workflow_id: release-notes-generate,
run: https://github.com/microsoft/aspire/actions/runs/27667814104 -->
## 13.4.4
## What's New in Aspire 13.4.4
Patch release for Aspire 13.4 with improved DCP connection reliability
during request execution and consistent `ExcludeFromMcp()` filtering
across all CLI MCP tools.
### 🐛 Fixes
* 🔌 **DCP requests could fail permanently when the connection dropped
mid-request** — If the underlying DCP channel closed while a request was
in flight, the error was surfaced directly instead of being retried.
Reconnection is now attempted as part of the DCP request retry path so
transient disconnections recover automatically without surfacing errors.
([#18096](https://github.com/microsoft/aspire/pull/18096),
`@karolz-ms`)
* 🔍 **Resources marked with `ExcludeFromMcp()` were not consistently
filtered from CLI MCP tools** — Resources with the
`resource.excludeFromMcp` property were not excluded uniformly from all
CLI MCP tool results. `list_resources`, `list_console_logs`,
`execute_resource_command`, `list_structured_logs`, `list_traces`, and
`list_trace_structured_logs` all now honor the exclusion, preventing
excluded resources and their telemetry from appearing in agent context.
([#18150](https://github.com/microsoft/aspire/pull/18150), `@JamesNK`)
### 🏷️ Housekeeping
* 📦 Improved npm CLI package metadata and hardened npm publish
validation in the release pipeline.
([#18093](https://github.com/microsoft/aspire/pull/18093),
`@adamratzman`)
* * *
_Full Changelog:
[v13.4.3...v13.4.4](https://github.com/microsoft/aspire/compare/v13.4.3...v13.4.4)_
_Full commit:
[ccc566c5ab3285c9beb8f38ede34734bb477c029](https://github.com/microsoft/aspire/commit/ccc566c5ab3285c9beb8f38ede34734bb477c029)_
## 13.4.3
## What's New in Aspire 13.4.3
Patch release for Aspire 13.4 with a fix for persistent container
endpoint allocation regressions introduced in 13.4.
### 🐛 Fixes
- 🔌 **Persistent container endpoints had incorrect default behavior** —
Persistent containers were defaulting to proxyless endpoint behavior
instead of the proxied behavior used by normal containers. This caused
integrations that depend on endpoint allocation before resource startup
(such as the KeyVault emulator) to fail. Persistent containers now
default to proxied endpoints matching normal container behavior; opt out
with `isProxied: false` or `WithEndpointProxySupport(false)`. Proxyless
container endpoints with only a `targetPort` specified now also resolve
immediately to that port instead of waiting for delayed allocation.
(#17960, `@danegsta`)
### 🏷️ Housekeeping
- 🛠️ Unblocked WinGet manifest publishing on locked-down 1ES agents and
updated manifest tags (#17958)
---
*Full Changelog:
https://github.com/microsoft/aspire/compare/v13.4.2...v13.4.3*
*Full commit:
[4f218933552e18ff2874d1b6d5dc3fe671e3b6d9](https://github.com/microsoft/aspire/commit/4f218933552e18ff2874d1b6d5dc3fe671e3b6d9)*
> Generated by [Generate release notes for a new stable Aspire
release](https://github.com/microsoft/aspire/actions/runs/27173824611/agentic_workflow)
· ● 4.7M
<!-- gh-aw-agentic-workflow: Generate release notes for a new stable
Aspire release, engine: copilot, version: 1.0.40, model:
claude-sonnet-4.6, id: 27173824611, workflow_id: release-notes-generate,
run: https://github.com/microsoft/aspire/actions/runs/27173824611 -->
Commits viewable in [compare
view](https://github.com/microsoft/aspire/compare/v13.4.2...v13.4.6).
</details>
Updated
[Auth0.AspNetCore.Authentication](https://github.com/auth0/auth0-aspnetcore-authentication)
from 1.7.0 to 1.8.0.
<details>
<summary>Release notes</summary>
_Sourced from [Auth0.AspNetCore.Authentication's
releases](https://github.com/auth0/auth0-aspnetcore-authentication/releases)._
## 1.8.0
**Added**
- **Multi-Resource Refresh Token (MRRT) support**
[\#249](https://github.com/auth0/auth0-aspnetcore-authentication/pull/249),
[\#251](https://github.com/auth0/auth0-aspnetcore-authentication/pull/251)
([kailash-b](https://github.com/kailash-b)) - applications can now
obtain access tokens for additional audiences and scopes on demand by
exchanging the session's refresh token, without forcing the user through
another interactive login.
- New `HttpContext.GetAccessTokenAsync(AccessTokenRequest)` extension
returns an access token for a requested audience and/or scope, served
from the session cache when possible and otherwise via a refresh-token
exchange.
- Configure default scopes per audience with
`Auth0WebAppWithAccessTokenOptions.ScopeByAudience`.
- The new `OnAccessTokenRefreshFailed` event surfaces refresh failures,
letting callers distinguish terminal failures (warranting re-login) from
transient ones.
- **MFA challenge handling** - when a refresh requires MFA, a new
`MfaRequiredException` surfaces the challenge, and
`IAuthenticationApiClient` (registered via
`WithAuthenticationApiClient()`) lets the application complete OTP, OOB,
or recovery-code grants and manage authenticators.
- **Configurable access-token expiration leeway**
[\#247](https://github.com/auth0/auth0-aspnetcore-authentication/pull/247)
([kailash-b](https://github.com/kailash-b)) - new
`Auth0WebAppWithAccessTokenOptions.AccessTokenExpirationLeeway`
(`TimeSpan`, default 60s) controls how far ahead of expiry the SDK
proactively refreshes the access token. Previously hard-coded to 60
seconds; the default preserves prior behavior. Applies to both primary
and additional (MRRT) cached tokens, and only takes effect when
`UseRefreshTokens` is enabled.
- **Configurable server-side session store**
[\#246](https://github.com/auth0/auth0-aspnetcore-authentication/pull/246)
([kailash-b](https://github.com/kailash-b)) - new `WithSessionStore`
method on `Auth0WebAppAuthenticationBuilder` stores the authentication
session server-side (via `ITicketStore`) instead of in the cookie. It
attaches the store to the SDK's own resolved cookie scheme, so it works
even with a custom `CookieAuthenticationScheme`. Two overloads are
provided: `WithSessionStore<TStore>()` (resolved from DI) and
`WithSessionStore(ITicketStore instance)`. Opt-in and additive; the
default stateless cookie session is unchanged.
**Fixed**
- **Remove duplicate trailing slash from `client_assertion` audience**
[\#236](https://github.com/auth0/auth0-aspnetcore-authentication/pull/236)
([samjetski](https://github.com/samjetski)) - fixes a regression
introduced in 1.7.0 (#206) where the Private Key JWT client assertion
`aud` claim was built as `https://{tenant}//` (double slash), causing
Auth0's `/oauth/token` endpoint to reject the assertion with `401
invalid_client` and leaving affected apps (any using
`ClientAssertionSecurityKey`) in a callback loop.
- **Wire `OnValidatePrincipal` to the configured cookie scheme**
[\#248](https://github.com/auth0/auth0-aspnetcore-authentication/pull/248)
([kailash-b](https://github.com/kailash-b)) - fixes a scheme mismatch
where the access-token refresh hook was registered against the default
`"Cookies"` scheme rather than the configured
`CookieAuthenticationScheme`.
**Security**
- **Bump dependencies**
[\#250](https://github.com/auth0/auth0-aspnetcore-authentication/pull/250)
([kailash-b](https://github.com/kailash-b)) - consolidates several
Dependabot bumps (supersedes #240, #242, #243, #244):
`Microsoft.IdentityModel.Protocols.OpenIdConnect` 8.18.0 → 8.19.1,
`Microsoft.AspNetCore.Mvc.Testing` 10.0.8 → 10.0.9,
`Microsoft.AspNetCore.Mvc.ViewFeatures` 2.3.10 → 2.3.11,
`System.Text.Encodings.Web` 10.0.8 → 10.0.9.
- **Pin GitHub Actions to commit SHAs**
[\#241](https://github.com/auth0/auth0-aspnetcore-authentication/pull/241)
([jcchavezs](https://github.com/jcchavezs)) - pins all third-party
actions in the workflow files to commit SHAs for improved supply-chain
security and reproducibility.
## 1.7.1
**Security**
- chore: Upgrade dependencies
[\#237](https://github.com/auth0/auth0-aspnetcore-authentication/pull/237)
([kailash-b](https://github.com/kailash-b))
- chore(deps): Bump System.Text.Encodings.Web from 10.0.6 to 10.0.7
[\#228](https://github.com/auth0/auth0-aspnetcore-authentication/pull/228)
([dependabot[bot]](https://github.com/apps/dependabot))
- chore(deps): Bump Microsoft.AspNetCore.Mvc.Testing from 10.0.6 to
10.0.7
[\#227](https://github.com/auth0/auth0-aspnetcore-authentication/pull/227)
([dependabot[bot]](https://github.com/apps/dependabot))
- chore(deps): Bump Microsoft.NET.Test.Sdk from 18.4.0 to 18.5.1
[\#229](https://github.com/auth0/auth0-aspnetcore-authentication/pull/229)
([dependabot[bot]](https://github.com/apps/dependabot))
- chore(deps): Bump Microsoft.IdentityModel.Protocols.OpenIdConnect from
8.17.0 to 8.18.0
[\#230](https://github.com/auth0/auth0-aspnetcore-authentication/pull/230)
([dependabot[bot]](https://github.com/apps/dependabot))
- chore(deps): Bump System.Text.Encodings.Web from 10.0.5 to 10.0.6
[\#225](https://github.com/auth0/auth0-aspnetcore-authentication/pull/225)
([dependabot[bot]](https://github.com/apps/dependabot))
- chore(deps): Bump Microsoft.AspNetCore.Mvc.Testing from 10.0.5 to
10.0.6
[\#224](https://github.com/auth0/auth0-aspnetcore-authentication/pull/224)
([dependabot[bot]](https://github.com/apps/dependabot))
- chore(deps): Bump Microsoft.NET.Test.Sdk from 18.3.0 to 18.4.0
[\#222](https://github.com/auth0/auth0-aspnetcore-authentication/pull/222)
([dependabot[bot]](https://github.com/apps/dependabot))
- chore(deps): Bump Microsoft.IdentityModel.Protocols.OpenIdConnect from
8.16.0 to 8.17.0
[\#221](https://github.com/auth0/auth0-aspnetcore-authentication/pull/221)
([dependabot[bot]](https://github.com/apps/dependabot))
Commits viewable in [compare
view](https://github.com/auth0/auth0-aspnetcore-authentication/compare/1.7.0...1.8.0).
</details>
Updated [Auth0.ManagementApi](https://github.com/auth0/auth0.net) from
8.4.0 to 8.6.0.
<details>
<summary>Release notes</summary>
_Sourced from [Auth0.ManagementApi's
releases](https://github.com/auth0/auth0.net/releases)._
## 8.6.0
**Breaking Changes**
- User date fields: `CreatedAt`, `UpdatedAt`, `MultifactorLastModified`,
`LastLogin`, and `LastPasswordReset` on the user response types
(`GetUserResponseContent`, `CreateUserResponseContent`,
`UpdateUserResponseContent`, `UserResponseSchema`) are now plain
`DateTime?` instead of the `UserDateSchema` union. The `UserDateSchema`
type and its `UserDateSchemaExtensions` (`ToDateTime`) helpers have been
removed — callers can drop `.ToDateTime()` and use the value directly
[\#1037](https://github.com/auth0/auth0.net/pull/1037)
([fern-api[bot]](https://github.com/apps/fern-api))
- User identity IDs: The `UserId` property on `UserIdentitySchema` and
`DeleteUserIdentityResponseContentItem` is now the `UserId` union type
instead of `string`, allowing string or numeric user identifiers
[\#1037](https://github.com/auth0/auth0.net/pull/1037)
([fern-api[bot]](https://github.com/apps/fern-api))
- Native Social Login: `NativeSocialLogin` on
`UpdateClientRequestContent` is now `Optional<NativeSocialLoginPatch?>`
(with new `NativeSocialLoginPatch`, `NativeSocialLoginApplePatch`,
`NativeSocialLoginFacebookPatch`, and `NativeSocialLoginGooglePatch`
types) to support partial PATCH semantics
[\#1037](https://github.com/auth0/auth0.net/pull/1037)
([fern-api[bot]](https://github.com/apps/fern-api))
- FedCM Login: `FedcmLogin` on `UpdateClientRequestContent` is now
`Optional<FedCmLoginPatch?>` (with new `FedCmLoginPatch` and
`FedCmLoginGooglePatch` types) to support partial PATCH semantics
[\#1037](https://github.com/auth0/auth0.net/pull/1037)
([fern-api[bot]](https://github.com/apps/fern-api))
**Added**
- Phone Provider Protection: Added
`AttackProtection.PhoneProviderProtection` sub-client with `GetAsync()`
and `PatchAsync()` to read and update the tenant's phone provider
protection configuration, plus
`PatchPhoneProviderProtectionRequestContent`,
`GetPhoneProviderProtectionResponseContent`,
`PatchPhoneProviderProtectionResponseContent`, and the
`PhoneProviderProtectionBackoffStrategyEnum` (`exponential`/`none`) type
[\#1037](https://github.com/auth0/auth0.net/pull/1037)
([fern-api[bot]](https://github.com/apps/fern-api))
- Cross-App Access: Added `CrossAppAccessRequestingApp` type (with
`Active`) and a `CrossAppAccessRequestingApp` property to the OIDC and
Okta connection request/response types
(`CreateConnectionRequestContentOidc`,
`CreateConnectionRequestContentOkta`,
`UpdateConnectionRequestContentOidc`,
`UpdateConnectionRequestContentOkta`, `ConnectionResponseContentOidc`,
`ConnectionResponseContentOkta`, `ConnectionForList`, and the connection
response types) [\#1037](https://github.com/auth0/auth0.net/pull/1037)
([fern-api[bot]](https://github.com/apps/fern-api))
- Token Vault Privileged Access: Added `TokenVaultPrivilegedAccess`
property to client types —
`ClientTokenVaultPrivilegedAccessWithPublicKey` (with `Credentials` and
`IpAllowlist`) on `CreateClientRequestContent`, and
`ClientTokenVaultPrivilegedAccessWithCredentialId` on
`UpdateClientRequestContent`, `Client`, and the client response types
[\#1037](https://github.com/auth0/auth0.net/pull/1037)
([fern-api[bot]](https://github.com/apps/fern-api))
- Email Templates: Added `auth_email_by_code` (`AuthEmailByCode`) value
to `EmailTemplateNameEnum`
[\#1037](https://github.com/auth0/auth0.net/pull/1037)
([fern-api[bot]](https://github.com/apps/fern-api))
## 8.5.0
**Added**
- Tenant Security Headers: Added `SecurityHeaders`
(`TenantSettingsNullableSecurityHeaders`) property to
`UpdateTenantSettingsRequestContent`,
`GetTenantSettingsResponseContent`, and
`UpdateTenantSettingsResponseContent` for configuring Content Security
Policy and XSS protection at the tenant level
[\#1030](https://github.com/auth0/auth0.net/pull/1030)
([fern-api[bot]](https://github.com/apps/fern-api))
- Content Security Policy: Added `ContentSecurityPolicyConfig`,
`CspPolicy`, `CspPolicyMode` (`enforcing`/`reporting`), `CspFlag`
(`upgrade-insecure-requests`/`block-all-mixed-content`),
`CspPolicyReporting`, `CspReportingInfrastructure`, `CspReportTo`, and
`CspReportToEndpoint` types to model CSP directives, flags, and
reporting endpoints
[\#1030](https://github.com/auth0/auth0.net/pull/1030)
([fern-api[bot]](https://github.com/apps/fern-api))
- XSS Protection: Added `XssProtectionConfig` and `XssProtectionMode`
(`block`) types to configure the `X-XSS-Protection` response header
[\#1030](https://github.com/auth0/auth0.net/pull/1030)
([fern-api[bot]](https://github.com/apps/fern-api))
- Tenant Settings: Added minute-granularity session lifetime fields
`SessionLifetimeInMinutes`, `IdleSessionLifetimeInMinutes`,
`EphemeralSessionLifetimeInMinutes`, and
`IdleEphemeralSessionLifetimeInMinutes` on
`UpdateTenantSettingsRequestContent` (each mutually exclusive with its
hours-based counterpart)
[\#1030](https://github.com/auth0/auth0.net/pull/1030)
([fern-api[bot]](https://github.com/apps/fern-api))
- Tenant Settings: Added `IncludeSessionMetadataInTenantLogs` (`bool?`)
on tenant settings request/response types to include session metadata in
`slo` and OIDC back-channel logout tenant logs
[\#1030](https://github.com/auth0/auth0.net/pull/1030)
([fern-api[bot]](https://github.com/apps/fern-api))
- Connections: Added `IdTokenSessionExpirySupported` (`bool?`) property
to `ConnectionOptionsCommonOidc`, `ConnectionOptionsOidc`,
`ConnectionOptionsOkta`, `ConnectionPropertiesOptions`, and
`UpdateConnectionOptions`
[\#1030](https://github.com/auth0/auth0.net/pull/1030)
([fern-api[bot]](https://github.com/apps/fern-api))
- Client My Organization: Added `InvitationLandingClientId` property to
`ClientMyOrganizationPostConfiguration`,
`ClientMyOrganizationPatchConfiguration`, and
`ClientMyOrganizationResponseConfiguration`
[\#1030](https://github.com/auth0/auth0.net/pull/1030)
([fern-api[bot]](https://github.com/apps/fern-api))
- Enums: Added `Experiment` value to `AculContextEnum`, and
`Confirmation` value to `PromptGroupNameEnum` and `ScreenGroupNameEnum`
[\#1030](https://github.com/auth0/auth0.net/pull/1030)
([fern-api[bot]](https://github.com/apps/fern-api))
**Removed**
- Branding Identifiers: Removed the `Identifiers` property (and the
`BrandingIdentifiers` / `UpdateBrandingIdentifiers` types) from
`UpdateBrandingRequestContent`, `GetBrandingResponseContent`, and
`UpdateBrandingResponseContent`. **Breaking change**
[\#1030](https://github.com/auth0/auth0.net/pull/1030)
([fern-api[bot]](https://github.com/apps/fern-api))
- Branding Phone Enums: Removed the `BrandingPhoneMaskingEnum`,
`UpdateBrandingPhoneMaskingEnum`, and
`UpdateBrandingPhoneFormattingEnum` types. **Breaking change**
[\#1030](https://github.com/auth0/auth0.net/pull/1030)
([fern-api[bot]](https://github.com/apps/fern-api))
**Changed**
- Phone Templates: The `Id` property on `PhoneTemplate`,
`GetPhoneTemplateResponseContent`, `CreatePhoneTemplateResponseContent`,
`UpdatePhoneTemplateResponseContent`, and
`ResetPhoneTemplateResponseContent` is now optional/nullable (`string?`)
instead of `required`. **Breaking change**
[\#1030](https://github.com/auth0/auth0.net/pull/1030)
([fern-api[bot]](https://github.com/apps/fern-api))
- Refresh Tokens: Clarified `RevokeRefreshTokensRequestContent.ClientId`
semantics — it must be paired with `UserId` and can be narrowed further
with `Audience`, rather than revoking all of a client's tokens
[\#1030](https://github.com/auth0/auth0.net/pull/1030)
([fern-api[bot]](https://github.com/apps/fern-api))
Commits viewable in [compare
view](https://github.com/auth0/auth0.net/compare/mgmt-8.4.0...mgmt-8.6.0).
</details>
Updated [gitversion.tool](https://github.com/GitTools/GitVersion) from
6.7.0 to 6.8.1.
<details>
<summary>Release notes</summary>
_Sourced from [gitversion.tool's
releases](https://github.com/GitTools/GitVersion/releases)._
## 6.8.1
As part of this release we had [18
commits](https://github.com/GitTools/GitVersion/compare/6.8.0...6.8.1)
which resulted in [9
issues](https://github.com/GitTools/GitVersion/milestone/87?closed=1)
being closed.
__Bug__
- [__!5005__](https://github.com/GitTools/GitVersion/pull/5005) ci: fix
homebrew publish — drop --fork-org (gittools-bot is a user) by
[arturcic](https://github.com/arturcic)
__Dependencies__
- [__!5006__](https://github.com/GitTools/GitVersion/pull/5006)
build(deps): bump devcontainers/dotnet from `da953a3` to `be5bd89` in
/.devcontainer by [dependabot[bot]](https://github.com/apps/dependabot)
- [__!5015__](https://github.com/GitTools/GitVersion/pull/5015)
chore(deps): consolidate Dependabot config and enable devcontainer
feature updates by [arturcic](https://github.com/arturcic)
- [__!5016__](https://github.com/GitTools/GitVersion/pull/5016) (build
deps): bump the codeql group across 1 directory with 3 updates by
[dependabot[bot]](https://github.com/apps/dependabot)
- [__!5020__](https://github.com/GitTools/GitVersion/pull/5020) (deps):
Bump the microsoft group with 3 updates by
[dependabot[bot]](https://github.com/apps/dependabot)
__Improvements__
- [__!5004__](https://github.com/GitTools/GitVersion/pull/5004) ci:
replace homebrew bump action with brew bump-formula-pr by
[arturcic](https://github.com/arturcic)
- [__#5007__](https://github.com/GitTools/GitVersion/issues/5007)
[ISSUE]: GitLab CI: Merge Request pipelines use source branch instead of
CI_MERGE_REQUEST_REF_PATH by
[JDanRibeiro](https://github.com/JDanRibeiro) resolved in
[__!5008__](https://github.com/GitTools/GitVersion/pull/5008) by
[JDanRibeiro](https://github.com/JDanRibeiro)
- [__#5009__](https://github.com/GitTools/GitVersion/issues/5009)
[ISSUE]: Using environment variable with label can produce Semver
incompatible labels by
[robertcoltheart](https://github.com/robertcoltheart) resolved in
[__!5010__](https://github.com/GitTools/GitVersion/pull/5010) by
[robertcoltheart](https://github.com/robertcoltheart)
__Contributors__
4 contributors made this release possible.
<a href="/arturcic"><img
src="https://avatars.githubusercontent.com/u/1760506?v=4" alt="arturcic"
height="32" width="32"/></a> <a
href="/apps/dependabot"><img
src="https://avatars.githubusercontent.com/in/29110?v=4"
alt="dependabot[bot]" height="32" width="32"/></a> <a
href="/JDanRibeiro"><img
src="https://avatars.githubusercontent.com/u/86156563?v=4"
alt="JDanRibeiro" height="32" width="32"/></a> <a
href="/robertcoltheart"><img
src="https://avatars.githubusercontent.com/u/13191652?v=4"
alt="robertcoltheart" height="32" width="32"/></a>
## 6.8.0
As part of this release we had [248
commits](https://github.com/GitTools/GitVersion/compare/6.7.0...6.8.0)
which resulted in [86
issues](https://github.com/GitTools/GitVersion/milestone/86?closed=1)
being closed.
__Bug__
- [__#4976__](https://github.com/GitTools/GitVersion/issues/4976)
[ISSUE]: {BranchName} format strings for label not working by
[moppa](https://github.com/moppa) resolved in
[__!4977__](https://github.com/GitTools/GitVersion/pull/4977) by
[robertcoltheart](https://github.com/robertcoltheart)
__Dependencies__
- [__!4893__](https://github.com/GitTools/GitVersion/pull/4893) (build
deps): Bump mislav/bump-homebrew-formula-action from 3 to 4 in
/.github/workflows by
[dependabot[bot]](https://github.com/apps/dependabot)
- [__!4894__](https://github.com/GitTools/GitVersion/pull/4894) (deps):
Bump coverlet.MTP from 8.0.0 to 8.0.1 by
[dependabot[bot]](https://github.com/apps/dependabot)
- [__!4896__](https://github.com/GitTools/GitVersion/pull/4896) (deps):
Bump Scriban from 7.0.0 to 7.0.3 by
[dependabot[bot]](https://github.com/apps/dependabot)
- [__!4897__](https://github.com/GitTools/GitVersion/pull/4897) (docs
deps): Bump picomatch from 2.3.1 to 2.3.2 by
[dependabot[bot]](https://github.com/apps/dependabot)
- [__!4900__](https://github.com/GitTools/GitVersion/pull/4900) (deps):
Bump Scriban from 7.0.3 to 7.0.5 by
[dependabot[bot]](https://github.com/apps/dependabot)
- [__!4902__](https://github.com/GitTools/GitVersion/pull/4902) (build
deps): Bump codecov/codecov-action from 5 to 6 in /.github/workflows by
[dependabot[bot]](https://github.com/apps/dependabot)
- [__!4903__](https://github.com/GitTools/GitVersion/pull/4903) (deps):
Bump Scriban from 7.0.5 to 7.0.6 by
[dependabot[bot]](https://github.com/apps/dependabot)
- [__!4908__](https://github.com/GitTools/GitVersion/pull/4908) (deps):
Bump JsonSchema.Net.Generation from 7.1.3 to 7.2.0 by
[dependabot[bot]](https://github.com/apps/dependabot)
- [__!4909__](https://github.com/GitTools/GitVersion/pull/4909) (deps):
Bump the microsoft group with 1 update by
[dependabot[bot]](https://github.com/apps/dependabot)
- [__!4911__](https://github.com/GitTools/GitVersion/pull/4911) (build
deps): Bump gittools/cicd from 1 to 2 in /.github/workflows by
[dependabot[bot]](https://github.com/apps/dependabot)
- [__!4913__](https://github.com/GitTools/GitVersion/pull/4913) (deps):
Bump Scriban from 7.0.6 to 7.1.0 by
[dependabot[bot]](https://github.com/apps/dependabot)
- [__!4914__](https://github.com/GitTools/GitVersion/pull/4914) (deps):
Bump System.IO.Abstractions from 22.1.0 to 22.1.1 by
[dependabot[bot]](https://github.com/apps/dependabot)
- [__!4915__](https://github.com/GitTools/GitVersion/pull/4915) (deps):
Bump JsonSchema.Net.Generation from 7.2.0 to 7.3.0 by
[dependabot[bot]](https://github.com/apps/dependabot)
- [__!4916__](https://github.com/GitTools/GitVersion/pull/4916) (deps):
Bump JsonSchema.Net.Generation from 7.2.0 to 7.3.4 by
[dependabot[bot]](https://github.com/apps/dependabot)
- [__!4917__](https://github.com/GitTools/GitVersion/pull/4917) (deps):
Bump JsonSchema.Net.Generation from 7.2.0 to 7.3.6 by
[dependabot[bot]](https://github.com/apps/dependabot)
- [__!4919__](https://github.com/GitTools/GitVersion/pull/4919) (sdk):
Bump dotnet-sdk from 10.0.201 to 10.0.202 by
[dependabot[bot]](https://github.com/apps/dependabot)
- [__!4920__](https://github.com/GitTools/GitVersion/pull/4920) (deps):
Bump the microsoft group with 11 updates by
[dependabot[bot]](https://github.com/apps/dependabot)
- [__!4921__](https://github.com/GitTools/GitVersion/pull/4921) (deps):
Bump NUnit3TestAdapter from 6.1.0 to 6.2.0 by
[arturcic](https://github.com/arturcic)
- [__!4922__](https://github.com/GitTools/GitVersion/pull/4922) (sdk):
Bump dotnet-sdk from 10.0.202 to 10.0.203 by
[dependabot[bot]](https://github.com/apps/dependabot)
- [__!4923__](https://github.com/GitTools/GitVersion/pull/4923) (deps):
Bump coverlet.MTP from 8.0.1 to 10.0.0 by
[arturcic](https://github.com/arturcic)
- [__!4924__](https://github.com/GitTools/GitVersion/pull/4924) (deps):
Bump the microsoft group with 12 updates by
[dependabot[bot]](https://github.com/apps/dependabot)
- [__!4925__](https://github.com/GitTools/GitVersion/pull/4925) (deps):
Bump SharpYaml from 3.4.0 to 3.7.0 by
[arturcic](https://github.com/arturcic)
- [__!4926__](https://github.com/GitTools/GitVersion/pull/4926) (deps):
Bump the microsoft group with 1 update by
[dependabot[bot]](https://github.com/apps/dependabot)
- [__!4928__](https://github.com/GitTools/GitVersion/pull/4928) (deps):
Bump the analyzers group with 1 update by
[dependabot[bot]](https://github.com/apps/dependabot)
- [__!4929__](https://github.com/GitTools/GitVersion/pull/4929) (deps):
Bump NUnit from 4.5.1 to 4.6.0 by
[dependabot[bot]](https://github.com/apps/dependabot)
- [__!4930__](https://github.com/GitTools/GitVersion/pull/4930) (build
deps): Bump test-summary/action from 2.4 to 2.6 in /.github/workflows by
[dependabot[bot]](https://github.com/apps/dependabot)
- [__!4931__](https://github.com/GitTools/GitVersion/pull/4931) (deps):
Bump Cake.Incubator from 10.0.0 to 11.0.0 by
[dependabot[bot]](https://github.com/apps/dependabot)
- [__!4934__](https://github.com/GitTools/GitVersion/pull/4934) (build
deps): Bump gittools/cicd from 2 to 5 in /.github/workflows by
[dependabot[bot]](https://github.com/apps/dependabot)
- [__!4935__](https://github.com/GitTools/GitVersion/pull/4935) (deps):
Bump the microsoft group with 8 updates by
[dependabot[bot]](https://github.com/apps/dependabot)
- [__!4936__](https://github.com/GitTools/GitVersion/pull/4936) (sdk):
Bump dotnet-sdk from 10.0.203 to 10.0.300 by
[dependabot[bot]](https://github.com/apps/dependabot)
- [__!4937__](https://github.com/GitTools/GitVersion/pull/4937) (deps):
Bump the microsoft group with 4 updates by
[dependabot[bot]](https://github.com/apps/dependabot)
- [__!4938__](https://github.com/GitTools/GitVersion/pull/4938) (deps):
Bump Scriban from 7.1.0 to 7.2.0 by
[dependabot[bot]](https://github.com/apps/dependabot)
- [__!4939__](https://github.com/GitTools/GitVersion/pull/4939) (deps):
Bump NUnit from 4.5.1 to 4.6.0 by
[dependabot[bot]](https://github.com/apps/dependabot)
- [__!4941__](https://github.com/GitTools/GitVersion/pull/4941) (deps):
Bump SharpYaml from 3.7.0 to 3.7.1 by
[dependabot[bot]](https://github.com/apps/dependabot)
- [__!4942__](https://github.com/GitTools/GitVersion/pull/4942) (deps):
Bump JsonSchema.Net.Generation from 7.3.6 to 7.3.7 by
[dependabot[bot]](https://github.com/apps/dependabot)
- [__!4943__](https://github.com/GitTools/GitVersion/pull/4943) (deps):
Bump coverlet.MTP from 10.0.0 to 10.0.1 by
[dependabot[bot]](https://github.com/apps/dependabot)
- [__!4945__](https://github.com/GitTools/GitVersion/pull/4945) (deps):
Bump NUnit from 4.6.0 to 4.6.1 by
[dependabot[bot]](https://github.com/apps/dependabot)
- [__!4946__](https://github.com/GitTools/GitVersion/pull/4946) (deps):
Bump NUnit from 4.6.0 to 4.6.1 by
[dependabot[bot]](https://github.com/apps/dependabot)
- [__!4948__](https://github.com/GitTools/GitVersion/pull/4948) (deps):
Bump the microsoft group with 1 update by
[dependabot[bot]](https://github.com/apps/dependabot)
- [__!4949__](https://github.com/GitTools/GitVersion/pull/4949) (deps):
Bump Cake.Frosting from 6.1.0 to 6.2.0 by
[dependabot[bot]](https://github.com/apps/dependabot)
- [__!4950__](https://github.com/GitTools/GitVersion/pull/4950) (deps):
Bump JsonSchema.Net.Generation from 7.3.7 to 7.3.8 by
[dependabot[bot]](https://github.com/apps/dependabot)
- [__!4951__](https://github.com/GitTools/GitVersion/pull/4951) (deps):
Bump Scriban from 7.2.0 to 7.2.1 by
[dependabot[bot]](https://github.com/apps/dependabot)
... (truncated)
Commits viewable in [compare
view](https://github.com/GitTools/GitVersion/compare/6.7.0...6.8.1).
</details>
Updated [MediatR](https://github.com/LuckyPennySoftware/MediatR) from
14.1.0 to 14.2.0.
<details>
<summary>Release notes</summary>
_Sourced from [MediatR's
releases](https://github.com/LuckyPennySoftware/MediatR/releases)._
## 14.2.0
## What's Changed
* Fix license validation deadlock when called from sync context by
@jbogard in https://github.com/LuckyPennySoftware/MediatR/pull/1165
* Reporting test results by @jbogard in
https://github.com/LuckyPennySoftware/MediatR/pull/1166
* Attach NuGet packages and SBOM to GitHub Release by @jbogard in
https://github.com/LuckyPennySoftware/MediatR/pull/1169
* Treat blank license key as unconfigured (#1170) by @jbogard in
https://github.com/LuckyPennySoftware/MediatR/pull/1171
* ci: publish fork-PR test reports via workflow_run by @jbogard in
https://github.com/LuckyPennySoftware/MediatR/pull/1173
* Run license validation off the Mediator construction path by @jbogard
in https://github.com/LuckyPennySoftware/MediatR/pull/1174
* Support license key via environment variable fallback by @jbogard in
https://github.com/LuckyPennySoftware/MediatR/pull/1175
**Full Changelog**:
https://github.com/LuckyPennySoftware/MediatR/compare/v14.1.0...v14.2.0
Commits viewable in [compare
view](https://github.com/LuckyPennySoftware/MediatR/compare/v14.1.0...v14.2.0).
</details>
Updated
[Microsoft.AspNetCore.Mvc.Testing](https://github.com/dotnet/dotnet)
from 10.0.8 to 10.0.9.
<details>
<summary>Release notes</summary>
_Sourced from [Microsoft.AspNetCore.Mvc.Testing's
releases](https://github.com/dotnet/dotnet/releases)._
No release notes found for this version range.
Commits viewable in [compare
view](https://github.com/dotnet/dotnet/commits).
</details>
Updated [Microsoft.AspNetCore.OpenApi](https://github.com/dotnet/dotnet)
from 10.0.8 to 10.0.9.
<details>
<summary>Release notes</summary>
_Sourced from [Microsoft.AspNetCore.OpenApi's
releases](https://github.com/dotnet/dotnet/releases)._
No release notes found for this version range.
Commits viewable in [compare
view](https://github.com/dotnet/dotnet/commits).
</details>
Updated
[Microsoft.AspNetCore.SignalR.Client](https://github.com/dotnet/dotnet)
from 10.0.8 to 10.0.9.
<details>
<summary>Release notes</summary>
_Sourced from [Microsoft.AspNetCore.SignalR.Client's
releases](https://github.com/dotnet/dotnet/releases)._
No release notes found for this version range.
Commits viewable in [compare
view](https://github.com/dotnet/dotnet/commits).
</details>
Updated
[Microsoft.Extensions.Caching.StackExchangeRedis](https://github.com/dotnet/dotnet)
from 10.0.8 to 10.0.9.
<details>
<summary>Release notes</summary>
_Sourced from [Microsoft.Extensions.Caching.StackExchangeRedis's
releases](https://github.com/dotnet/dotnet/releases)._
No release notes found for this version range.
Commits viewable in [compare
view](https://github.com/dotnet/dotnet/commits).
</details>
Updated
[Microsoft.Extensions.Configuration](https://github.com/dotnet/dotnet)
from 10.0.8 to 10.0.9.
<details>
<summary>Release notes</summary>
_Sourced from [Microsoft.Extensions.Configuration's
releases](https://github.com/dotnet/dotnet/releases)._
No release notes found for this version range.
Commits viewable in [compare
view](https://github.com/dotnet/dotnet/commits).
</details>
Updated
[Microsoft.Extensions.Configuration.Abstractions](https://github.com/dotnet/dotnet)
from 10.0.8 to 10.0.9.
<details>
<summary>Release notes</summary>
_Sourced from [Microsoft.Extensions.Configuration.Abstractions's
releases](https://github.com/dotnet/dotnet/releases)._
No release notes found for this version range.
Commits viewable in [compare
view](https://github.com/dotnet/dotnet/commits).
</details>
Updated
[Microsoft.Extensions.Configuration.Binder](https://github.com/dotnet/dotnet)
from 10.0.8 to 10.0.9.
<details>
<summary>Release notes</summary>
_Sourced from [Microsoft.Extensions.Configuration.Binder…
Backport of the internal fix for strict SemVer validation of playwrightCliVersion.