Skip to content

Bump the all-actions group with 30 updates#301

Merged
mpaulosky merged 3 commits into
devfrom
dependabot/nuget/dot-config/dev/all-actions-b0b4855e79
Jul 5, 2026
Merged

Bump the all-actions group with 30 updates#301
mpaulosky merged 3 commits into
devfrom
dependabot/nuget/dot-config/dev/all-actions-b0b4855e79

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 5, 2026

Copy link
Copy Markdown
Contributor

Updated Aspire.Hosting.Redis from 13.4.2 to 13.4.6.

Release notes

Sourced from Aspire.Hosting.Redis's releases.

13.4.6

What's New in Aspire 13.4.6

Patch release for Aspire 13.4 fixing polyglot AppHost code generation binding when CLI and SDK versions diverge, resource service port collision in --isolated mode, and a MongoDB.Driver dependency update.

🐛 Fixes

  • 🔗 Polyglot AppHost code generation silently failed when CLI and SDK versions divergedAspire.TypeSystem used a floating strong-name AssemblyVersion that changed with every build. When the installed Aspire CLI was built at a different version than the AppHost's SDK, the CLR couldn't satisfy the strong-name bind and every code generator (TypeScript, Python, Java, Go, Rust) was silently dropped, surfacing as No code generator found for language: <lang>. The AssemblyVersion is now frozen at a stable constant so any compatible CLI/SDK pair on 13.4 binds successfully. Relates to #​18110 and #​17910. (#​18160, @​sebastienros)

  • 🔌 Multiple AppHosts started with --isolated collided on the resource service port — Both instances tried to bind to the same fixed port from ASPIRE_RESOURCE_SERVICE_ENDPOINT_URL, causing an "address already in use" error on the second instance. DashboardServiceHost now binds to port 0 on loopback when RandomizePorts is true (set by --isolated), letting the OS assign a unique port per instance. (#​18341, @​JamesNK)

  • 🍃 MongoDB.Driver updated to 3.9.0 — Removes a wrongly pinned SharpCompress transitive dependency and uses the corrected Snappier transitive. Fixes #​17981. (#​18279, @​Falco20019)

🏷️ Housekeeping


Full Changelog: v13.4.5...v13.4.6

Full commit: 87fe259e4fc244c599019a7b1304c85a1488f248

Generated by Generate release notes for a new stable Aspire release · 131 AIC · ⌖ 13.5 AIC · ⊞ 37.4K

13.4.5

What's New in Aspire 13.4.5

Patch release for Aspire 13.4 clearing a transitive MessagePack security advisory, tightening CLI validation for Playwright configuration, and adding coding-agent detection to CLI telemetry.

🐛 Fixes

  • 🛡️ Bumped StreamJsonRpc to 2.25.29 to clear the MessagePack GHSA-hv8m-jj95-wg3x (CVE-2026-48109) NU1903 advisory — The transitive MessagePack 2.5.192 dependency pulled in via StreamJsonRpc 2.22.23 fell within the advisory's vulnerable LZ4 decompression range. Aspire does not use MessagePackFormatter or LZ4 — all StreamJsonRpc calls use SystemTextJsonFormatter over local Unix sockets — so the vulnerability was not reachable in practice. The bump clears the NU1903 warning for consumers of the Aspire.Hosting package. (#​18204, @​mitchdenny)
  • 🎭 playwrightCliVersion values that are not valid SemVer 2.0 now fail fast with a clear diagnostic — Previously an invalid override (range expression, dist-tag like latest, or a v-prefixed string) would surface as a generic npm resolution failure. The value is now validated with strict SemVer parsing at startup; an error naming the configuration key and the offending value is emitted immediately. (#​18205, @​mitchdenny)
  • 🤖 CLI telemetry now detects and reports the calling coding agent — When the Aspire CLI is invoked from inside a known coding agent environment (GitHub Copilot CLI, VS Code Copilot agent, etc.) the agent name is included in the main CLI telemetry event. GitHub Copilot CLI is specifically identified as copilot-cli. (#​18240, @​damianedwards)

🏷️ Housekeeping

  • 📄 Refreshed the @​microsoft/aspire-cli npm package README to be TypeScript-only — updated examples to the current ts-starter template (apphost.mts / aspire.mjs), added a backing-services snippet showing aspire add for PostgreSQL and Redis, and documented aspire dashboard run as a standalone dashboard option. (#​18221, @​adamint)

Full Changelog: v13.4.4...v13.4.5

Full commit: 73114e86c64aeb9f3f3c7da8e37df1ae4281b27e

Generated by Generate release notes for a new stable Aspire release · ● 4.4M

13.4.4

What's New in Aspire 13.4.4

Patch release for Aspire 13.4 with improved DCP connection reliability during request execution and consistent ExcludeFromMcp() filtering across all CLI MCP tools.

🐛 Fixes

  • 🔌 DCP requests could fail permanently when the connection dropped mid-request — If the underlying DCP channel closed while a request was in flight, the error was surfaced directly instead of being retried. Reconnection is now attempted as part of the DCP request retry path so transient disconnections recover automatically without surfacing errors. (#​18096, @​karolz-ms)
  • 🔍 Resources marked with ExcludeFromMcp() were not consistently filtered from CLI MCP tools — Resources with the resource.excludeFromMcp property were not excluded uniformly from all CLI MCP tool results. list_resources, list_console_logs, execute_resource_command, list_structured_logs, list_traces, and list_trace_structured_logs all now honor the exclusion, preventing excluded resources and their telemetry from appearing in agent context. (#​18150, @​JamesNK)

🏷️ Housekeeping

  • 📦 Improved npm CLI package metadata and hardened npm publish validation in the release pipeline. (#​18093, @​adamratzman)

Full Changelog: v13.4.3...v13.4.4

Full commit: ccc566c5ab3285c9beb8f38ede34734bb477c029

13.4.3

What's New in Aspire 13.4.3

Patch release for Aspire 13.4 with a fix for persistent container endpoint allocation regressions introduced in 13.4.

🐛 Fixes

  • 🔌 Persistent container endpoints had incorrect default behavior — Persistent containers were defaulting to proxyless endpoint behavior instead of the proxied behavior used by normal containers. This caused integrations that depend on endpoint allocation before resource startup (such as the KeyVault emulator) to fail. Persistent containers now default to proxied endpoints matching normal container behavior; opt out with isProxied: false or WithEndpointProxySupport(false). Proxyless container endpoints with only a targetPort specified now also resolve immediately to that port instead of waiting for delayed allocation. (#​17960, @​danegsta)

🏷️ Housekeeping

  • 🛠️ Unblocked WinGet manifest publishing on locked-down 1ES agents and updated manifest tags (#​17958)

Full Changelog: microsoft/aspire@v13.4.2...v13.4.3

Full commit: 4f218933552e18ff2874d1b6d5dc3fe671e3b6d9

Generated by Generate release notes for a new stable Aspire release · ● 4.7M

Commits viewable in compare view.

Updated Aspire.Hosting.Testing from 13.4.2 to 13.4.6.

Release notes

Sourced from Aspire.Hosting.Testing's releases.

13.4.6

What's New in Aspire 13.4.6

Patch release for Aspire 13.4 fixing polyglot AppHost code generation binding when CLI and SDK versions diverge, resource service port collision in --isolated mode, and a MongoDB.Driver dependency update.

🐛 Fixes

  • 🔗 Polyglot AppHost code generation silently failed when CLI and SDK versions divergedAspire.TypeSystem used a floating strong-name AssemblyVersion that changed with every build. When the installed Aspire CLI was built at a different version than the AppHost's SDK, the CLR couldn't satisfy the strong-name bind and every code generator (TypeScript, Python, Java, Go, Rust) was silently dropped, surfacing as No code generator found for language: <lang>. The AssemblyVersion is now frozen at a stable constant so any compatible CLI/SDK pair on 13.4 binds successfully. Relates to #​18110 and #​17910. (#​18160, @​sebastienros)

  • 🔌 Multiple AppHosts started with --isolated collided on the resource service port — Both instances tried to bind to the same fixed port from ASPIRE_RESOURCE_SERVICE_ENDPOINT_URL, causing an "address already in use" error on the second instance. DashboardServiceHost now binds to port 0 on loopback when RandomizePorts is true (set by --isolated), letting the OS assign a unique port per instance. (#​18341, @​JamesNK)

  • 🍃 MongoDB.Driver updated to 3.9.0 — Removes a wrongly pinned SharpCompress transitive dependency and uses the corrected Snappier transitive. Fixes #​17981. (#​18279, @​Falco20019)

🏷️ Housekeeping


Full Changelog: v13.4.5...v13.4.6

Full commit: 87fe259e4fc244c599019a7b1304c85a1488f248

Generated by Generate release notes for a new stable Aspire release · 131 AIC · ⌖ 13.5 AIC · ⊞ 37.4K

13.4.5

What's New in Aspire 13.4.5

Patch release for Aspire 13.4 clearing a transitive MessagePack security advisory, tightening CLI validation for Playwright configuration, and adding coding-agent detection to CLI telemetry.

🐛 Fixes

  • 🛡️ Bumped StreamJsonRpc to 2.25.29 to clear the MessagePack GHSA-hv8m-jj95-wg3x (CVE-2026-48109) NU1903 advisory — The transitive MessagePack 2.5.192 dependency pulled in via StreamJsonRpc 2.22.23 fell within the advisory's vulnerable LZ4 decompression range. Aspire does not use MessagePackFormatter or LZ4 — all StreamJsonRpc calls use SystemTextJsonFormatter over local Unix sockets — so the vulnerability was not reachable in practice. The bump clears the NU1903 warning for consumers of the Aspire.Hosting package. (#​18204, @​mitchdenny)
  • 🎭 playwrightCliVersion values that are not valid SemVer 2.0 now fail fast with a clear diagnostic — Previously an invalid override (range expression, dist-tag like latest, or a v-prefixed string) would surface as a generic npm resolution failure. The value is now validated with strict SemVer parsing at startup; an error naming the configuration key and the offending value is emitted immediately. (#​18205, @​mitchdenny)
  • 🤖 CLI telemetry now detects and reports the calling coding agent — When the Aspire CLI is invoked from inside a known coding agent environment (GitHub Copilot CLI, VS Code Copilot agent, etc.) the agent name is included in the main CLI telemetry event. GitHub Copilot CLI is specifically identified as copilot-cli. (#​18240, @​damianedwards)

🏷️ Housekeeping

  • 📄 Refreshed the @​microsoft/aspire-cli npm package README to be TypeScript-only — updated examples to the current ts-starter template (apphost.mts / aspire.mjs), added a backing-services snippet showing aspire add for PostgreSQL and Redis, and documented aspire dashboard run as a standalone dashboard option. (#​18221, @​adamint)

Full Changelog: v13.4.4...v13.4.5

Full commit: 73114e86c64aeb9f3f3c7da8e37df1ae4281b27e

Generated by Generate release notes for a new stable Aspire release · ● 4.4M

13.4.4

What's New in Aspire 13.4.4

Patch release for Aspire 13.4 with improved DCP connection reliability during request execution and consistent ExcludeFromMcp() filtering across all CLI MCP tools.

🐛 Fixes

  • 🔌 DCP requests could fail permanently when the connection dropped mid-request — If the underlying DCP channel closed while a request was in flight, the error was surfaced directly instead of being retried. Reconnection is now attempted as part of the DCP request retry path so transient disconnections recover automatically without surfacing errors. (#​18096, @​karolz-ms)
  • 🔍 Resources marked with ExcludeFromMcp() were not consistently filtered from CLI MCP tools — Resources with the resource.excludeFromMcp property were not excluded uniformly from all CLI MCP tool results. list_resources, list_console_logs, execute_resource_command, list_structured_logs, list_traces, and list_trace_structured_logs all now honor the exclusion, preventing excluded resources and their telemetry from appearing in agent context. (#​18150, @​JamesNK)

🏷️ Housekeeping

  • 📦 Improved npm CLI package metadata and hardened npm publish validation in the release pipeline. (#​18093, @​adamratzman)

Full Changelog: v13.4.3...v13.4.4

Full commit: ccc566c5ab3285c9beb8f38ede34734bb477c029

13.4.3

What's New in Aspire 13.4.3

Patch release for Aspire 13.4 with a fix for persistent container endpoint allocation regressions introduced in 13.4.

🐛 Fixes

  • 🔌 Persistent container endpoints had incorrect default behavior — Persistent containers were defaulting to proxyless endpoint behavior instead of the proxied behavior used by normal containers. This caused integrations that depend on endpoint allocation before resource startup (such as the KeyVault emulator) to fail. Persistent containers now default to proxied endpoints matching normal container behavior; opt out with isProxied: false or WithEndpointProxySupport(false). Proxyless container endpoints with only a targetPort specified now also resolve immediately to that port instead of waiting for delayed allocation. (#​17960, @​danegsta)

🏷️ Housekeeping

  • 🛠️ Unblocked WinGet manifest publishing on locked-down 1ES agents and updated manifest tags (#​17958)

Full Changelog: microsoft/aspire@v13.4.2...v13.4.3

Full commit: 4f218933552e18ff2874d1b6d5dc3fe671e3b6d9

Generated by Generate release notes for a new stable Aspire release · ● 4.7M

Commits viewable in compare view.

Updated Aspire.MongoDB.Driver from 13.4.2 to 13.4.6.

Release notes

Sourced from Aspire.MongoDB.Driver's releases.

13.4.6

What's New in Aspire 13.4.6

Patch release for Aspire 13.4 fixing polyglot AppHost code generation binding when CLI and SDK versions diverge, resource service port collision in --isolated mode, and a MongoDB.Driver dependency update.

🐛 Fixes

  • 🔗 Polyglot AppHost code generation silently failed when CLI and SDK versions divergedAspire.TypeSystem used a floating strong-name AssemblyVersion that changed with every build. When the installed Aspire CLI was built at a different version than the AppHost's SDK, the CLR couldn't satisfy the strong-name bind and every code generator (TypeScript, Python, Java, Go, Rust) was silently dropped, surfacing as No code generator found for language: <lang>. The AssemblyVersion is now frozen at a stable constant so any compatible CLI/SDK pair on 13.4 binds successfully. Relates to #​18110 and #​17910. (#​18160, @​sebastienros)

  • 🔌 Multiple AppHosts started with --isolated collided on the resource service port — Both instances tried to bind to the same fixed port from ASPIRE_RESOURCE_SERVICE_ENDPOINT_URL, causing an "address already in use" error on the second instance. DashboardServiceHost now binds to port 0 on loopback when RandomizePorts is true (set by --isolated), letting the OS assign a unique port per instance. (#​18341, @​JamesNK)

  • 🍃 MongoDB.Driver updated to 3.9.0 — Removes a wrongly pinned SharpCompress transitive dependency and uses the corrected Snappier transitive. Fixes #​17981. (#​18279, @​Falco20019)

🏷️ Housekeeping


Full Changelog: v13.4.5...v13.4.6

Full commit: 87fe259e4fc244c599019a7b1304c85a1488f248

Generated by Generate release notes for a new stable Aspire release · 131 AIC · ⌖ 13.5 AIC · ⊞ 37.4K

13.4.5

What's New in Aspire 13.4.5

Patch release for Aspire 13.4 clearing a transitive MessagePack security advisory, tightening CLI validation for Playwright configuration, and adding coding-agent detection to CLI telemetry.

🐛 Fixes

  • 🛡️ Bumped StreamJsonRpc to 2.25.29 to clear the MessagePack GHSA-hv8m-jj95-wg3x (CVE-2026-48109) NU1903 advisory — The transitive MessagePack 2.5.192 dependency pulled in via StreamJsonRpc 2.22.23 fell within the advisory's vulnerable LZ4 decompression range. Aspire does not use MessagePackFormatter or LZ4 — all StreamJsonRpc calls use SystemTextJsonFormatter over local Unix sockets — so the vulnerability was not reachable in practice. The bump clears the NU1903 warning for consumers of the Aspire.Hosting package. (#​18204, @​mitchdenny)
  • 🎭 playwrightCliVersion values that are not valid SemVer 2.0 now fail fast with a clear diagnostic — Previously an invalid override (range expression, dist-tag like latest, or a v-prefixed string) would surface as a generic npm resolution failure. The value is now validated with strict SemVer parsing at startup; an error naming the configuration key and the offending value is emitted immediately. (#​18205, @​mitchdenny)
  • 🤖 CLI telemetry now detects and reports the calling coding agent — When the Aspire CLI is invoked from inside a known coding agent environment (GitHub Copilot CLI, VS Code Copilot agent, etc.) the agent name is included in the main CLI telemetry event. GitHub Copilot CLI is specifically identified as copilot-cli. (#​18240, @​damianedwards)

🏷️ Housekeeping

  • 📄 Refreshed the @​microsoft/aspire-cli npm package README to be TypeScript-only — updated examples to the current ts-starter template (apphost.mts / aspire.mjs), added a backing-services snippet showing aspire add for PostgreSQL and Redis, and documented aspire dashboard run as a standalone dashboard option. (#​18221, @​adamint)

Full Changelog: v13.4.4...v13.4.5

Full commit: 73114e86c64aeb9f3f3c7da8e37df1ae4281b27e

Generated by Generate release notes for a new stable Aspire release · ● 4.4M

13.4.4

What's New in Aspire 13.4.4

Patch release for Aspire 13.4 with improved DCP connection reliability during request execution and consistent ExcludeFromMcp() filtering across all CLI MCP tools.

🐛 Fixes

  • 🔌 DCP requests could fail permanently when the connection dropped mid-request — If the underlying DCP channel closed while a request was in flight, the error was surfaced directly instead of being retried. Reconnection is now attempted as part of the DCP request retry path so transient disconnections recover automatically without surfacing errors. (#​18096, @​karolz-ms)
  • 🔍 Resources marked with ExcludeFromMcp() were not consistently filtered from CLI MCP tools — Resources with the resource.excludeFromMcp property were not excluded uniformly from all CLI MCP tool results. list_resources, list_console_logs, execute_resource_command, list_structured_logs, list_traces, and list_trace_structured_logs all now honor the exclusion, preventing excluded resources and their telemetry from appearing in agent context. (#​18150, @​JamesNK)

🏷️ Housekeeping

  • 📦 Improved npm CLI package metadata and hardened npm publish validation in the release pipeline. (#​18093, @​adamratzman)

Full Changelog: v13.4.3...v13.4.4

Full commit: ccc566c5ab3285c9beb8f38ede34734bb477c029

13.4.3

What's New in Aspire 13.4.3

Patch release for Aspire 13.4 with a fix for persistent container endpoint allocation regressions introduced in 13.4.

🐛 Fixes

  • 🔌 Persistent container endpoints had incorrect default behavior — Persistent containers were defaulting to proxyless endpoint behavior instead of the proxied behavior used by normal containers. This caused integrations that depend on endpoint allocation before resource startup (such as the KeyVault emulator) to fail. Persistent containers now default to proxied endpoints matching normal container behavior; opt out with isProxied: false or WithEndpointProxySupport(false). Proxyless container endpoints with only a targetPort specified now also resolve immediately to that port instead of waiting for delayed allocation. (#​17960, @​danegsta)

🏷️ Housekeeping

  • 🛠️ Unblocked WinGet manifest publishing on locked-down 1ES agents and updated manifest tags (#​17958)

Full Changelog: microsoft/aspire@v13.4.2...v13.4.3

Full commit: 4f218933552e18ff2874d1b6d5dc3fe671e3b6d9

Generated by Generate release notes for a new stable Aspire release · ● 4.7M

Commits viewable in compare view.

Updated Aspire.StackExchange.Redis from 13.4.2 to 13.4.6.

Release notes

Sourced from Aspire.StackExchange.Redis's releases.

13.4.6

What's New in Aspire 13.4.6

Patch release for Aspire 13.4 fixing polyglot AppHost code generation binding when CLI and SDK versions diverge, resource service port collision in --isolated mode, and a MongoDB.Driver dependency update.

🐛 Fixes

  • 🔗 Polyglot AppHost code generation silently failed when CLI and SDK versions divergedAspire.TypeSystem used a floating strong-name AssemblyVersion that changed with every build. When the installed Aspire CLI was built at a different version than the AppHost's SDK, the CLR couldn't satisfy the strong-name bind and every code generator (TypeScript, Python, Java, Go, Rust) was silently dropped, surfacing as No code generator found for language: <lang>. The AssemblyVersion is now frozen at a stable constant so any compatible CLI/SDK pair on 13.4 binds successfully. Relates to #​18110 and #​17910. (#​18160, @​sebastienros)

  • 🔌 Multiple AppHosts started with --isolated collided on the resource service port — Both instances tried to bind to the same fixed port from ASPIRE_RESOURCE_SERVICE_ENDPOINT_URL, causing an "address already in use" error on the second instance. DashboardServiceHost now binds to port 0 on loopback when RandomizePorts is true (set by --isolated), letting the OS assign a unique port per instance. (#​18341, @​JamesNK)

  • 🍃 MongoDB.Driver updated to 3.9.0 — Removes a wrongly pinned SharpCompress transitive dependency and uses the corrected Snappier transitive. Fixes #​17981. (#​18279, @​Falco20019)

🏷️ Housekeeping


Full Changelog: v13.4.5...v13.4.6

Full commit: 87fe259e4fc244c599019a7b1304c85a1488f248

Generated by Generate release notes for a new stable Aspire release · 131 AIC · ⌖ 13.5 AIC · ⊞ 37.4K

13.4.5

What's New in Aspire 13.4.5

Patch release for Aspire 13.4 clearing a transitive MessagePack security advisory, tightening CLI validation for Playwright configuration, and adding coding-agent detection to CLI telemetry.

🐛 Fixes

  • 🛡️ Bumped StreamJsonRpc to 2.25.29 to clear the MessagePack GHSA-hv8m-jj95-wg3x (CVE-2026-48109) NU1903 advisory — The transitive MessagePack 2.5.192 dependency pulled in via StreamJsonRpc 2.22.23 fell within the advisory's vulnerable LZ4 decompression range. Aspire does not use MessagePackFormatter or LZ4 — all StreamJsonRpc calls use SystemTextJsonFormatter over local Unix sockets — so the vulnerability was not reachable in practice. The bump clears the NU1903 warning for consumers of the Aspire.Hosting package. (#​18204, @​mitchdenny)
  • 🎭 playwrightCliVersion values that are not valid SemVer 2.0 now fail fast with a clear diagnostic — Previously an invalid override (range expression, dist-tag like latest, or a v-prefixed string) would surface as a generic npm resolution failure. The value is now validated with strict SemVer parsing at startup; an error naming the configuration key and the offending value is emitted immediately. (#​18205, @​mitchdenny)
  • 🤖 CLI telemetry now detects and reports the calling coding agent — When the Aspire CLI is invoked from inside a known coding agent environment (GitHub Copilot CLI, VS Code Copilot agent, etc.) the agent name is included in the main CLI telemetry event. GitHub Copilot CLI is specifically identified as copilot-cli. (#​18240, @​damianedwards)

🏷️ Housekeeping

  • 📄 Refreshed the @​microsoft/aspire-cli npm package README to be TypeScript-only — updated examples to the current ts-starter template (apphost.mts / aspire.mjs), added a backing-services snippet showing aspire add for PostgreSQL and Redis, and documented aspire dashboard run as a standalone dashboard option. (#​18221, @​adamint)

Full Changelog: v13.4.4...v13.4.5

Full commit: 73114e86c64aeb9f3f3c7da8e37df1ae4281b27e

Generated by Generate release notes for a new stable Aspire release · ● 4.4M

13.4.4

What's New in Aspire 13.4.4

Patch release for Aspire 13.4 with improved DCP connection reliability during request execution and consistent ExcludeFromMcp() filtering across all CLI MCP tools.

🐛 Fixes

  • 🔌 DCP requests could fail permanently when the connection dropped mid-request — If the underlying DCP channel closed while a request was in flight, the error was surfaced directly instead of being retried. Reconnection is now attempted as part of the DCP request retry path so transient disconnections recover automatically without surfacing errors. (#​18096, @​karolz-ms)
  • 🔍 Resources marked with ExcludeFromMcp() were not consistently filtered from CLI MCP tools — Resources with the resource.excludeFromMcp property were not excluded uniformly from all CLI MCP tool results. list_resources, list_console_logs, execute_resource_command, list_structured_logs, list_traces, and list_trace_structured_logs all now honor the exclusion, preventing excluded resources and their telemetry from appearing in agent context. (#​18150, @​JamesNK)

🏷️ Housekeeping

  • 📦 Improved npm CLI package metadata and hardened npm publish validation in the release pipeline. (#​18093, @​adamratzman)

Full Changelog: v13.4.3...v13.4.4

Full commit: ccc566c5ab3285c9beb8f38ede34734bb477c029

13.4.3

What's New in Aspire 13.4.3

Patch release for Aspire 13.4 with a fix for persistent container endpoint allocation regressions introduced in 13.4.

🐛 Fixes

  • 🔌 Persistent container endpoints had incorrect default behavior — Persistent containers were defaulting to proxyless endpoint behavior instead of the proxied behavior used by normal containers. This caused integrations that depend on endpoint allocation before resource startup (such as the KeyVault emulator) to fail. Persistent containers now default to proxied endpoints matching normal container behavior; opt out with isProxied: false or WithEndpointProxySupport(false). Proxyless container endpoints with only a targetPort specified now also resolve immediately to that port instead of waiting for delayed allocation. (#​17960, @​danegsta)

🏷️ Housekeeping

  • 🛠️ Unblocked WinGet manifest publishing on locked-down 1ES agents and updated manifest tags (#​17958)

Full Changelog: microsoft/aspire@v13.4.2...v13.4.3

Full commit: 4f218933552e18ff2874d1b6d5dc3fe671e3b6d9

Generated by Generate release notes for a new stable Aspire release · ● 4.7M

Commits viewable in compare view.

Updated Auth0.AspNetCore.Authentication from 1.7.0 to 1.8.0.

Release notes

Sourced from Auth0.AspNetCore.Authentication's releases.

1.8.0

Added

  • Multi-Resource Refresh Token (MRRT) support #​249, #​251 (kailash-b) - applications can now obtain access tokens for additional audiences and scopes on demand by exchanging the session's refresh token, without forcing the user through another interactive login.
    • New HttpContext.GetAccessTokenAsync(AccessTokenRequest) extension returns an access token for a requested audience and/or scope, served from the session cache when possible and otherwise via a refresh-token exchange.
    • Configure default scopes per audience with Auth0WebAppWithAccessTokenOptions.ScopeByAudience.
    • The new OnAccessTokenRefreshFailed event surfaces refresh failures, letting callers distinguish terminal failures (warranting re-login) from transient ones.
    • MFA challenge handling - when a refresh requires MFA, a new MfaRequiredException surfaces the challenge, and IAuthenticationApiClient (registered via WithAuthenticationApiClient()) lets the application complete OTP, OOB, or recovery-code grants and manage authenticators.
  • Configurable access-token expiration leeway #​247 (kailash-b) - new Auth0WebAppWithAccessTokenOptions.AccessTokenExpirationLeeway (TimeSpan, default 60s) controls how far ahead of expiry the SDK proactively refreshes the access token. Previously hard-coded to 60 seconds; the default preserves prior behavior. Applies to both primary and additional (MRRT) cached tokens, and only takes effect when UseRefreshTokens is enabled.
  • Configurable server-side session store #​246 (kailash-b) - new WithSessionStore method on Auth0WebAppAuthenticationBuilder stores the authentication session server-side (via ITicketStore) instead of in the cookie. It attaches the store to the SDK's own resolved cookie scheme, so it works even with a custom CookieAuthenticationScheme. Two overloads are provided: WithSessionStore<TStore>() (resolved from DI) and WithSessionStore(ITicketStore instance). Opt-in and additive; the default stateless cookie session is unchanged.

Fixed

  • Remove duplicate trailing slash from client_assertion audience #​236 (samjetski) - fixes a regression introduced in 1.7.0 (#​206) where the Private Key JWT client assertion aud claim was built as https://{tenant}// (double slash), causing Auth0's /oauth/token endpoint to reject the assertion with 401 invalid_client and leaving affected apps (any using ClientAssertionSecurityKey) in a callback loop.
  • Wire OnValidatePrincipal to the configured cookie scheme #​248 (kailash-b) - fixes a scheme mismatch where the access-token refresh hook was registered against the default "Cookies" scheme rather than the configured CookieAuthenticationScheme.

Security

  • Bump dependencies #​250 (kailash-b) - consolidates several Dependabot bumps (supersedes #​240, #​242, #​243, #​244): Microsoft.IdentityModel.Protocols.OpenIdConnect 8.18.0 → 8.19.1, Microsoft.AspNetCore.Mvc.Testing 10.0.8 → 10.0.9, Microsoft.AspNetCore.Mvc.ViewFeatures 2.3.10 → 2.3.11, System.Text.Encodings.Web 10.0.8 → 10.0.9.
  • Pin GitHub Actions to commit SHAs #​241 (jcchavezs) - pins all third-party actions in the workflow files to commit SHAs for improved supply-chain security and reproducibility.

1.7.1

Security

Commits viewable in compare view.

Updated Auth0.ManagementApi from 8.4.0 to 8.6.0.

Release notes

Sourced from Auth0.ManagementApi's releases.

8.6.0

Breaking Changes

  • User date fields: CreatedAt, UpdatedAt, MultifactorLastModified, LastLogin, and LastPasswordReset on the user response types (GetUserResponseContent, CreateUserResponseContent, UpdateUserResponseContent, UserResponseSchema) are now plain DateTime? instead of the UserDateSchema union. The UserDateSchema type and its UserDateSchemaExtensions (ToDateTime) helpers have been removed — callers can drop .ToDateTime() and use the value directly #​1037 (fern-api[bot])
  • User identity IDs: The UserId property on UserIdentitySchema and DeleteUserIdentityResponseContentItem is now the UserId union type instead of string, allowing string or numeric user identifiers #​1037 (fern-api[bot])
  • Native Social Login: NativeSocialLogin on UpdateClientRequestContent is now Optional<NativeSocialLoginPatch?> (with new NativeSocialLoginPatch, NativeSocialLoginApplePatch, NativeSocialLoginFacebookPatch, and NativeSocialLoginGooglePatch types) to support partial PATCH semantics #​1037 (fern-api[bot])
  • FedCM Login: FedcmLogin on UpdateClientRequestContent is now Optional<FedCmLoginPatch?> (with new FedCmLoginPatch and FedCmLoginGooglePatch types) to support partial PATCH semantics #​1037 (fern-api[bot])

Added

  • Phone Provider Protection: Added AttackProtection.PhoneProviderProtection sub-client with GetAsync() and PatchAsync() to read and update the tenant's phone provider protection configuration, plus PatchPhoneProviderProtectionRequestContent, GetPhoneProviderProtectionResponseContent, PatchPhoneProviderProtectionResponseContent, and the PhoneProviderProtectionBackoffStrategyEnum (exponential/none) type #​1037 (fern-api[bot])
  • Cross-App Access: Added CrossAppAccessRequestingApp type (with Active) and a CrossAppAccessRequestingApp property to the OIDC and Okta connection request/response types (CreateConnectionRequestContentOidc, CreateConnectionRequestContentOkta, UpdateConnectionRequestContentOidc, UpdateConnectionRequestContentOkta, ConnectionResponseContentOidc, ConnectionResponseContentOkta, ConnectionForList, and the connection response types) #​1037 (fern-api[bot])
  • Token Vault Privileged Access: Added TokenVaultPrivilegedAccess property to client types — ClientTokenVaultPrivilegedAccessWithPublicKey (with Credentials and IpAllowlist) on CreateClientRequestContent, and ClientTokenVaultPrivilegedAccessWithCredentialId on UpdateClientRequestContent, Client, and the client response types #​1037 (fern-api[bot])
  • Email Templates: Added auth_email_by_code (AuthEmailByCode) value to EmailTemplateNameEnum #​1037 (fern-api[bot])

8.5.0

Added

  • Tenant Security Headers: Added SecurityHeaders (TenantSettingsNullableSecurityHeaders) property to UpdateTenantSettingsRequestContent, GetTenantSettingsResponseContent, and UpdateTenantSettingsResponseContent for configuring Content Security Policy and XSS protection at the tenant level #​1030 (fern-api[bot])
  • Content Security Policy: Added ContentSecurityPolicyConfig, CspPolicy, CspPolicyMode (enforcing/reporting), CspFlag (upgrade-insecure-requests/block-all-mixed-content), CspPolicyReporting, CspReportingInfrastructure, CspReportTo, and CspReportToEndpoint types to model CSP directives, flags, and reporting endpoints #​1030 (fern-api[bot])
  • XSS Protection: Added XssProtectionConfig and XssProtectionMode (block) types to configure the X-XSS-Protection response header #​1030 (fern-api[bot])
  • Tenant Settings: Added minute-granularity session lifetime fields SessionLifetimeInMinutes, IdleSessionLifetimeInMinutes, EphemeralSessionLifetimeInMinutes, and IdleEphemeralSessionLifetimeInMinutes on UpdateTenantSettingsRequestContent (each mutually exclusive with its hours-based counterpart) #​1030 (fern-api[bot])
  • Tenant Settings: Added IncludeSessionMetadataInTenantLogs (bool?) on tenant settings request/response types to include session metadata in slo and OIDC back-channel logout tenant logs #​1030 (fern-api[bot])
  • Connections: Added IdTokenSessionExpirySupported (bool?) property to ConnectionOptionsCommonOidc, ConnectionOptionsOidc, ConnectionOptionsOkta, ConnectionPropertiesOptions, and UpdateConnectionOptions #​1030 (fern-api[bot])
  • Client My Organization: Added InvitationLandingClientId property to ClientMyOrganizationPostConfiguration, ClientMyOrganizationPatchConfiguration, and ClientMyOrganizationResponseConfiguration #​1030 (fern-api[bot])
  • Enums: Added Experiment value to AculContextEnum, and Confirmation value to PromptGroupNameEnum and ScreenGroupNameEnum #​1030 (fern-api[bot])

Removed

  • Branding Identifiers: Removed the Identifiers property (and the BrandingIdentifiers / UpdateBrandingIdentifiers types) from UpdateBrandingRequestContent, GetBrandingResponseContent, and UpdateBrandingResponseContent. Breaking change #​1030 (fern-api[bot])
  • Branding Phone Enums: Removed the BrandingPhoneMaskingEnum, UpdateBrandingPhoneMaskingEnum, and UpdateBrandingPhoneFormattingEnum types. Breaking change #​1030 (fern-api[bot])

Changed

  • Phone Templates: The Id property on PhoneTemplate, GetPhoneTemplateResponseContent, CreatePhoneTemplateResponseContent, UpdatePhoneTemplateResponseContent, and ResetPhoneTemplateResponseContent is now optional/nullable (string?) instead of required. Breaking change #​1030 (fern-api[bot])
  • Refresh Tokens: Clarified RevokeRefreshTokensRequestContent.ClientId semantics — it must be paired with UserId and can be narrowed further with Audience, rather than revoking all of a client's tokens #​1030 (fern-api[bot])

Commits viewable in compare view.

Updated gitversion.tool from 6.7.0 to 6.8.1.

Release notes

Sourced from gitversion.tool's releases.

6.8.1

As part of this release we had 18 commits which resulted in 9 issues being closed.

Bug

  • !5005 ci: fix homebrew publish — drop --fork-org (gittools-bot is a user) by arturcic

Dependencies

  • !5006 build(deps): bump devcontainers/dotnet from da953a3 to be5bd89 in /.devcontainer by dependabot[bot]
  • !5015 chore(deps): consolidate Dependabot config and enable devcontainer feature updates by arturcic
  • !5016 (build deps): bump the codeql group across 1 directory with 3 updates by dependabot[bot]
  • !5020 (deps): Bump the microsoft group with 3 updates by dependabot[bot]

Improvements

Contributors

4 contributors made this release possible.

arturcic dependabot[bot] JDanRibeiro robertcoltheart

6.8.0

As part of this release we had 248 commits which resulted in 86 issues being closed.

Bug

Dependencies

Commits viewable in compare view.

Updated MediatR from 14.1.0 to 14.2.0.

Release notes

Sourced from MediatR's releases.

14.2.0

What's Changed

Full Changelog: LuckyPennySoftware/MediatR@v14.1.0...v14.2.0

Commits viewable in compare view.

Updated Microsoft.AspNetCore.Mvc.Testing from 10.0.8 to 10.0.9.

Release notes

Sourced from Microsoft.AspNetCore.Mvc.Testing's releases.

No release notes found for this version range.

Commits viewable in compare view.

Updated Microsoft.AspNetCore.OpenApi from 10.0.8 to 10.0.9.

Release notes

Sourced from Microsoft.AspNetCore.OpenApi's releases.

No release notes found for this version range.

Commits viewable in compare view.

Updated Microsoft.AspNetCore.SignalR.Client from 10.0.8 to 10.0.9.

Release notes

Sourced from Microsoft.AspNetCore.SignalR.Client's releases.

No release notes found for this version range.

Commits viewable in compare view.

Updated Microsoft.Extensions.Caching.StackExchangeRedis from 10.0.8 to 10.0.9.

Release notes

Sourced from Microsoft.Extensions.Caching.StackExchangeRedis's releases.

No release notes found for this version range.

Commits viewable in compare view.

Updated Microsoft.Extensions.Configuration from 10.0.8 to 10.0.9.

Release notes

Sourced from Microsoft.Extensions.Configuration's releases.

No release notes found for this version range.

Commits viewable in compare view.

Updated Microsoft.Extensions.Configuration.Abstractions from 10.0.8 to 10.0.9.

Release notes

Sourced from Microsoft.Extensions.Configuration.Abstractions's releases.

No release notes found for this version range.

Commits viewable in compare view.

Updated Microsoft.Extensions.Configuration.Binder from 10.0.8 to 10.0.9.

Release notes

Sourced from Microsoft.Extensions.Configuration.Binder's releases.

No release notes found for this version range.

Commits viewable in compare view.

Updated Microsoft.Extensions.DependencyInjection from 10.0.8 to 10.0.9.

Release notes

Sourced from Microsoft.Extensions.DependencyInjection's releases.

No release notes found for this version range.

Commits viewable in compare view.

Updated [Microsoft.Extensions.DependencyInjection.Abstractions](https://github.com/dotnet...

Description has been truncated

Dependabot will resolve any conflicts with th...

Description has been truncated

Bumps Aspire.Hosting.Redis from 13.4.2 to 13.4.6
Bumps Aspire.Hosting.Testing from 13.4.2 to 13.4.6
Bumps Aspire.MongoDB.Driver from 13.4.2 to 13.4.6
Bumps Aspire.StackExchange.Redis from 13.4.2 to 13.4.6
Bumps Auth0.AspNetCore.Authentication from 1.7.0 to 1.8.0
Bumps Auth0.ManagementApi from 8.4.0 to 8.6.0
Bumps gitversion.tool from 6.7.0 to 6.8.1
Bumps MediatR from 14.1.0 to 14.2.0
Bumps Microsoft.AspNetCore.Mvc.Testing from 10.0.8 to 10.0.9
Bumps Microsoft.AspNetCore.OpenApi from 10.0.8 to 10.0.9
Bumps Microsoft.AspNetCore.SignalR.Client from 10.0.8 to 10.0.9
Bumps Microsoft.Extensions.Caching.StackExchangeRedis from 10.0.8 to 10.0.9
Bumps Microsoft.Extensions.Configuration from 10.0.8 to 10.0.9
Bumps Microsoft.Extensions.Configuration.Abstractions from 10.0.8 to 10.0.9
Bumps Microsoft.Extensions.Configuration.Binder from 10.0.8 to 10.0.9
Bumps Microsoft.Extensions.DependencyInjection from 10.0.8 to 10.0.9
Bumps Microsoft.Extensions.DependencyInjection.Abstractions from 10.0.8 to 10.0.9
Bumps Microsoft.Extensions.Http.Resilience from 10.6.0 to 10.7.0
Bumps Microsoft.Extensions.Logging.Abstractions from 10.0.8 to 10.0.9
Bumps Microsoft.Extensions.Options from 10.0.8 to 10.0.9
Bumps Microsoft.Extensions.Options.ConfigurationExtensions from 10.0.8 to 10.0.9
Bumps Microsoft.Extensions.ServiceDiscovery from 10.6.0 to 10.7.0
Bumps Microsoft.NET.Test.Sdk from 18.6.0 to 18.7.0
Bumps Microsoft.Playwright from 1.60.0 to 1.61.0
Bumps OpenTelemetry.Exporter.OpenTelemetryProtocol from 1.15.3 to 1.16.0
Bumps OpenTelemetry.Extensions.Hosting from 1.15.3 to 1.16.0
Bumps OpenTelemetry.Instrumentation.AspNetCore from 1.15.2 to 1.16.0
Bumps OpenTelemetry.Instrumentation.Http from 1.15.1 to 1.16.0
Bumps SixLabors.ImageSharp from 3.1.12 to 4.0.0
Bumps Testcontainers.MongoDb from 4.12.0 to 4.13.0

---
updated-dependencies:
- dependency-name: Aspire.Hosting.Redis
  dependency-version: 13.4.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-actions
- dependency-name: Aspire.Hosting.Testing
  dependency-version: 13.4.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-actions
- dependency-name: Aspire.MongoDB.Driver
  dependency-version: 13.4.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-actions
- dependency-name: Aspire.StackExchange.Redis
  dependency-version: 13.4.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-actions
- dependency-name: Auth0.AspNetCore.Authentication
  dependency-version: 1.8.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-actions
- dependency-name: Auth0.ManagementApi
  dependency-version: 8.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-actions
- dependency-name: gitversion.tool
  dependency-version: 6.8.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-actions
- dependency-name: MediatR
  dependency-version: 14.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-actions
- dependency-name: Microsoft.AspNetCore.Mvc.Testing
  dependency-version: 10.0.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-actions
- dependency-name: Microsoft.AspNetCore.OpenApi
  dependency-version: 10.0.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-actions
- dependency-name: Microsoft.AspNetCore.SignalR.Client
  dependency-version: 10.0.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-actions
- dependency-name: Microsoft.Extensions.Caching.StackExchangeRedis
  dependency-version: 10.0.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-actions
- dependency-name: Microsoft.Extensions.Configuration
  dependency-version: 10.0.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-actions
- dependency-name: Microsoft.Extensions.Configuration.Abstractions
  dependency-version: 10.0.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-actions
- dependency-name: Microsoft.Extensions.Configuration.Binder
  dependency-version: 10.0.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-actions
- dependency-name: Microsoft.Extensions.DependencyInjection
  dependency-version: 10.0.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-actions
- dependency-name: Microsoft.Extensions.DependencyInjection.Abstractions
  dependency-version: 10.0.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-actions
- dependency-name: Microsoft.Extensions.Http.Resilience
  dependency-version: 10.7.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-actions
- dependency-name: Microsoft.Extensions.Logging.Abstractions
  dependency-version: 10.0.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-actions
- dependency-name: Microsoft.Extensions.Options
  dependency-version: 10.0.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-actions
- dependency-name: Microsoft.Extensions.Options.ConfigurationExtensions
  dependency-version: 10.0.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-actions
- dependency-name: Microsoft.Extensions.ServiceDiscovery
  dependency-version: 10.7.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-actions
- dependency-name: Microsoft.NET.Test.Sdk
  dependency-version: 18.7.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-actions
- dependency-name: Microsoft.Playwright
  dependency-version: 1.61.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-actions
- dependency-name: OpenTelemetry.Exporter.OpenTelemetryProtocol
  dependency-version: 1.16.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-actions
- dependency-name: OpenTelemetry.Extensions.Hosting
  dependency-version: 1.16.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-actions
- dependency-name: OpenTelemetry.Instrumentation.AspNetCore
  dependency-version: 1.16.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-actions
- dependency-name: OpenTelemetry.Instrumentation.Http
  dependency-version: 1.16.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-actions
- dependency-name: SixLabors.ImageSharp
  dependency-version: 4.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-actions
- dependency-name: Testcontainers.MongoDb
  dependency-version: 4.13.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label Jul 5, 2026
@dependabot @github

dependabot Bot commented on behalf of github Jul 5, 2026

Copy link
Copy Markdown
Contributor Author

Labels

The following labels could not be found: nuget. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot dependabot Bot requested a review from mpaulosky as a code owner July 5, 2026 16:20
@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label Jul 5, 2026
@github-actions github-actions Bot added squad Squad triage inbox — Lead will assign to a member squad:boromir Assigned to Boromir (DevOps) labels Jul 5, 2026
@github-actions

github-actions Bot commented Jul 5, 2026

Copy link
Copy Markdown

🤖 Dependency Update PR

This PR was opened by dependabot[bot] and has been automatically labeled for Boromir (DevOps) to review.

Labels applied:

  • squad:boromir — Assigned to DevOps for dependency updates
  • squad — In triage queue

Dependency and infrastructure updates are owned by the DevOps team.

@github-actions

github-actions Bot commented Jul 5, 2026

Copy link
Copy Markdown

Test Results Summary

2 328 tests  ±0   2 328 ✅ ±0   1m 25s ⏱️ -1s
    9 suites ±0       0 💤 ±0 
    9 files   ±0       0 ❌ ±0 

Results for commit b459366. ± Comparison against base commit 0cb3573.

♻️ This comment has been updated with latest results.

….6.0 breaking change

- SixLabors.ImageSharp 4.0.0 requires a paid commercial license; pin to
  last free 3.1.12 release to unblock Build Solution / build (ubuntu-latest)
  / Analyze (csharp) checks.
- Auth0.ManagementApi 8.6.0 (bumped alongside the actions group update)
  removed the UserDateSchema wrapper type; LastLogin is now DateTime?
  directly on GetUserResponseContent/UserResponseSchema. Update
  ParseLastLogin in UserManagementService accordingly.

lint-markdown, lint-yaml, and markdownlint failures on this PR are
pre-existing on dev (confirmed via recent dev push runs) and unrelated
to this branch's diff, so left untouched per scope.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@codecov

codecov Bot commented Jul 5, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 0% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 77.25%. Comparing base (0cb3573) to head (b459366).

Files with missing lines Patch % Lines
.../Web/Features/Admin/Users/UserManagementService.cs 0.00% 0 Missing and 1 partial ⚠️
Additional details and impacted files
@@           Coverage Diff           @@
##              dev     #301   +/-   ##
=======================================
  Coverage   77.24%   77.25%           
=======================================
  Files         226      226           
  Lines        8574     8573    -1     
  Branches     1184     1183    -1     
=======================================
  Hits         6623     6623           
  Misses       1374     1374           
+ Partials      577      576    -1     
Files with missing lines Coverage Δ
.../Web/Features/Admin/Users/UserManagementService.cs 53.01% <0.00%> (+0.21%) ⬆️
🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

- Strip trailing whitespace and extra blank lines in workflow YAML
  files, and add missing trailing newline to code-metrics.yml so
  yamllint (matching lint-yaml.yml CI config) passes with 0 errors.
- Auto-fix markdownlint-cli2 violations (blank lines around lists/
  headings/fences) across docs, prompts, and README files.
- Add missing language hints to fenced code blocks (MD040), fix a
  heading-level skip (MD001), a missing blank line between adjacent
  lists (MD032), and a missing opening fence in
  xunit-integration.prompt.md (MD046).
- Soft-wrap long single-line paragraphs exceeding the 400-character
  limit (MD013) in blog posts and research docs without changing
  their rendered content.

markdownlint-cli2 and yamllint both now report 0 errors locally,
mirroring lint-markdown.yml and lint-yaml.yml.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@mpaulosky mpaulosky merged commit 5f9e0f5 into dev Jul 5, 2026
22 of 24 checks passed
@mpaulosky mpaulosky deleted the dependabot/nuget/dot-config/dev/all-actions-b0b4855e79 branch July 5, 2026 21:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file squad:boromir Assigned to Boromir (DevOps) squad Squad triage inbox — Lead will assign to a member

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant