Bump the all-actions group with 30 updates#301
Merged
mpaulosky merged 3 commits intoJul 5, 2026
Conversation
Bumps Aspire.Hosting.Redis from 13.4.2 to 13.4.6 Bumps Aspire.Hosting.Testing from 13.4.2 to 13.4.6 Bumps Aspire.MongoDB.Driver from 13.4.2 to 13.4.6 Bumps Aspire.StackExchange.Redis from 13.4.2 to 13.4.6 Bumps Auth0.AspNetCore.Authentication from 1.7.0 to 1.8.0 Bumps Auth0.ManagementApi from 8.4.0 to 8.6.0 Bumps gitversion.tool from 6.7.0 to 6.8.1 Bumps MediatR from 14.1.0 to 14.2.0 Bumps Microsoft.AspNetCore.Mvc.Testing from 10.0.8 to 10.0.9 Bumps Microsoft.AspNetCore.OpenApi from 10.0.8 to 10.0.9 Bumps Microsoft.AspNetCore.SignalR.Client from 10.0.8 to 10.0.9 Bumps Microsoft.Extensions.Caching.StackExchangeRedis from 10.0.8 to 10.0.9 Bumps Microsoft.Extensions.Configuration from 10.0.8 to 10.0.9 Bumps Microsoft.Extensions.Configuration.Abstractions from 10.0.8 to 10.0.9 Bumps Microsoft.Extensions.Configuration.Binder from 10.0.8 to 10.0.9 Bumps Microsoft.Extensions.DependencyInjection from 10.0.8 to 10.0.9 Bumps Microsoft.Extensions.DependencyInjection.Abstractions from 10.0.8 to 10.0.9 Bumps Microsoft.Extensions.Http.Resilience from 10.6.0 to 10.7.0 Bumps Microsoft.Extensions.Logging.Abstractions from 10.0.8 to 10.0.9 Bumps Microsoft.Extensions.Options from 10.0.8 to 10.0.9 Bumps Microsoft.Extensions.Options.ConfigurationExtensions from 10.0.8 to 10.0.9 Bumps Microsoft.Extensions.ServiceDiscovery from 10.6.0 to 10.7.0 Bumps Microsoft.NET.Test.Sdk from 18.6.0 to 18.7.0 Bumps Microsoft.Playwright from 1.60.0 to 1.61.0 Bumps OpenTelemetry.Exporter.OpenTelemetryProtocol from 1.15.3 to 1.16.0 Bumps OpenTelemetry.Extensions.Hosting from 1.15.3 to 1.16.0 Bumps OpenTelemetry.Instrumentation.AspNetCore from 1.15.2 to 1.16.0 Bumps OpenTelemetry.Instrumentation.Http from 1.15.1 to 1.16.0 Bumps SixLabors.ImageSharp from 3.1.12 to 4.0.0 Bumps Testcontainers.MongoDb from 4.12.0 to 4.13.0 --- updated-dependencies: - dependency-name: Aspire.Hosting.Redis dependency-version: 13.4.6 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all-actions - dependency-name: Aspire.Hosting.Testing dependency-version: 13.4.6 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all-actions - dependency-name: Aspire.MongoDB.Driver dependency-version: 13.4.6 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all-actions - dependency-name: Aspire.StackExchange.Redis dependency-version: 13.4.6 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all-actions - dependency-name: Auth0.AspNetCore.Authentication dependency-version: 1.8.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: all-actions - dependency-name: Auth0.ManagementApi dependency-version: 8.6.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: all-actions - dependency-name: gitversion.tool dependency-version: 6.8.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: all-actions - dependency-name: MediatR dependency-version: 14.2.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: all-actions - dependency-name: Microsoft.AspNetCore.Mvc.Testing dependency-version: 10.0.9 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all-actions - dependency-name: Microsoft.AspNetCore.OpenApi dependency-version: 10.0.9 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all-actions - dependency-name: Microsoft.AspNetCore.SignalR.Client dependency-version: 10.0.9 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all-actions - dependency-name: Microsoft.Extensions.Caching.StackExchangeRedis dependency-version: 10.0.9 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all-actions - dependency-name: Microsoft.Extensions.Configuration dependency-version: 10.0.9 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all-actions - dependency-name: Microsoft.Extensions.Configuration.Abstractions dependency-version: 10.0.9 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all-actions - dependency-name: Microsoft.Extensions.Configuration.Binder dependency-version: 10.0.9 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all-actions - dependency-name: Microsoft.Extensions.DependencyInjection dependency-version: 10.0.9 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all-actions - dependency-name: Microsoft.Extensions.DependencyInjection.Abstractions dependency-version: 10.0.9 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all-actions - dependency-name: Microsoft.Extensions.Http.Resilience dependency-version: 10.7.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: all-actions - dependency-name: Microsoft.Extensions.Logging.Abstractions dependency-version: 10.0.9 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all-actions - dependency-name: Microsoft.Extensions.Options dependency-version: 10.0.9 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all-actions - dependency-name: Microsoft.Extensions.Options.ConfigurationExtensions dependency-version: 10.0.9 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all-actions - dependency-name: Microsoft.Extensions.ServiceDiscovery dependency-version: 10.7.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: all-actions - dependency-name: Microsoft.NET.Test.Sdk dependency-version: 18.7.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: all-actions - dependency-name: Microsoft.Playwright dependency-version: 1.61.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: all-actions - dependency-name: OpenTelemetry.Exporter.OpenTelemetryProtocol dependency-version: 1.16.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: all-actions - dependency-name: OpenTelemetry.Extensions.Hosting dependency-version: 1.16.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: all-actions - dependency-name: OpenTelemetry.Instrumentation.AspNetCore dependency-version: 1.16.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: all-actions - dependency-name: OpenTelemetry.Instrumentation.Http dependency-version: 1.16.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: all-actions - dependency-name: SixLabors.ImageSharp dependency-version: 4.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: all-actions - dependency-name: Testcontainers.MongoDb dependency-version: 4.13.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: all-actions ... Signed-off-by: dependabot[bot] <support@github.com>
Contributor
Author
LabelsThe following labels could not be found: Please fix the above issues or remove invalid values from |
🤖 Dependency Update PRThis PR was opened by dependabot[bot] and has been automatically labeled for Boromir (DevOps) to review. Labels applied:
|
mpaulosky
approved these changes
Jul 5, 2026
….6.0 breaking change - SixLabors.ImageSharp 4.0.0 requires a paid commercial license; pin to last free 3.1.12 release to unblock Build Solution / build (ubuntu-latest) / Analyze (csharp) checks. - Auth0.ManagementApi 8.6.0 (bumped alongside the actions group update) removed the UserDateSchema wrapper type; LastLogin is now DateTime? directly on GetUserResponseContent/UserResponseSchema. Update ParseLastLogin in UserManagementService accordingly. lint-markdown, lint-yaml, and markdownlint failures on this PR are pre-existing on dev (confirmed via recent dev push runs) and unrelated to this branch's diff, so left untouched per scope. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## dev #301 +/- ##
=======================================
Coverage 77.24% 77.25%
=======================================
Files 226 226
Lines 8574 8573 -1
Branches 1184 1183 -1
=======================================
Hits 6623 6623
Misses 1374 1374
+ Partials 577 576 -1
🚀 New features to boost your workflow:
|
- Strip trailing whitespace and extra blank lines in workflow YAML files, and add missing trailing newline to code-metrics.yml so yamllint (matching lint-yaml.yml CI config) passes with 0 errors. - Auto-fix markdownlint-cli2 violations (blank lines around lists/ headings/fences) across docs, prompts, and README files. - Add missing language hints to fenced code blocks (MD040), fix a heading-level skip (MD001), a missing blank line between adjacent lists (MD032), and a missing opening fence in xunit-integration.prompt.md (MD046). - Soft-wrap long single-line paragraphs exceeding the 400-character limit (MD013) in blog posts and research docs without changing their rendered content. markdownlint-cli2 and yamllint both now report 0 errors locally, mirroring lint-markdown.yml and lint-yaml.yml. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Updated Aspire.Hosting.Redis from 13.4.2 to 13.4.6.
Release notes
Sourced from Aspire.Hosting.Redis's releases.
13.4.6
What's New in Aspire 13.4.6
Patch release for Aspire 13.4 fixing polyglot AppHost code generation binding when CLI and SDK versions diverge, resource service port collision in
--isolatedmode, and a MongoDB.Driver dependency update.🐛 Fixes
🔗 Polyglot AppHost code generation silently failed when CLI and SDK versions diverged —
Aspire.TypeSystemused a floating strong-nameAssemblyVersionthat changed with every build. When the installed Aspire CLI was built at a different version than the AppHost's SDK, the CLR couldn't satisfy the strong-name bind and every code generator (TypeScript, Python, Java, Go, Rust) was silently dropped, surfacing asNo code generator found for language: <lang>. TheAssemblyVersionis now frozen at a stable constant so any compatible CLI/SDK pair on 13.4 binds successfully. Relates to #18110 and #17910. (#18160,@sebastienros)🔌 Multiple AppHosts started with
--isolatedcollided on the resource service port — Both instances tried to bind to the same fixed port fromASPIRE_RESOURCE_SERVICE_ENDPOINT_URL, causing an "address already in use" error on the second instance.DashboardServiceHostnow binds to port 0 on loopback whenRandomizePortsis true (set by--isolated), letting the OS assign a unique port per instance. (#18341,@JamesNK)🍃 MongoDB.Driver updated to 3.9.0 — Removes a wrongly pinned
SharpCompresstransitive dependency and uses the correctedSnappiertransitive. Fixes #17981. (#18279,@Falco20019)🏷️ Housekeeping
Full Changelog: v13.4.5...v13.4.6
Full commit: 87fe259e4fc244c599019a7b1304c85a1488f248
13.4.5
What's New in Aspire 13.4.5
Patch release for Aspire 13.4 clearing a transitive MessagePack security advisory, tightening CLI validation for Playwright configuration, and adding coding-agent detection to CLI telemetry.
🐛 Fixes
MessagePackFormatteror LZ4 — all StreamJsonRpc calls useSystemTextJsonFormatterover local Unix sockets — so the vulnerability was not reachable in practice. The bump clears the NU1903 warning for consumers of theAspire.Hostingpackage. (#18204,@mitchdenny)playwrightCliVersionvalues that are not valid SemVer 2.0 now fail fast with a clear diagnostic — Previously an invalid override (range expression, dist-tag likelatest, or av-prefixed string) would surface as a generic npm resolution failure. The value is now validated with strict SemVer parsing at startup; an error naming the configuration key and the offending value is emitted immediately. (#18205,@mitchdenny)copilot-cli. (#18240,@damianedwards)🏷️ Housekeeping
@microsoft/aspire-clinpm package README to be TypeScript-only — updated examples to the currentts-startertemplate (apphost.mts/aspire.mjs), added a backing-services snippet showingaspire addfor PostgreSQL and Redis, and documentedaspire dashboard runas a standalone dashboard option. (#18221,@adamint)Full Changelog: v13.4.4...v13.4.5
Full commit: 73114e86c64aeb9f3f3c7da8e37df1ae4281b27e
13.4.4
What's New in Aspire 13.4.4
Patch release for Aspire 13.4 with improved DCP connection reliability during request execution and consistent
ExcludeFromMcp()filtering across all CLI MCP tools.🐛 Fixes
@karolz-ms)ExcludeFromMcp()were not consistently filtered from CLI MCP tools — Resources with theresource.excludeFromMcpproperty were not excluded uniformly from all CLI MCP tool results.list_resources,list_console_logs,execute_resource_command,list_structured_logs,list_traces, andlist_trace_structured_logsall now honor the exclusion, preventing excluded resources and their telemetry from appearing in agent context. (#18150,@JamesNK)🏷️ Housekeeping
@adamratzman)Full Changelog: v13.4.3...v13.4.4
Full commit: ccc566c5ab3285c9beb8f38ede34734bb477c029
13.4.3
What's New in Aspire 13.4.3
Patch release for Aspire 13.4 with a fix for persistent container endpoint allocation regressions introduced in 13.4.
🐛 Fixes
isProxied: falseorWithEndpointProxySupport(false). Proxyless container endpoints with only atargetPortspecified now also resolve immediately to that port instead of waiting for delayed allocation. (#17960,@danegsta)🏷️ Housekeeping
Full Changelog: microsoft/aspire@v13.4.2...v13.4.3
Full commit: 4f218933552e18ff2874d1b6d5dc3fe671e3b6d9
Commits viewable in compare view.
Updated Aspire.Hosting.Testing from 13.4.2 to 13.4.6.
Release notes
Sourced from Aspire.Hosting.Testing's releases.
13.4.6
What's New in Aspire 13.4.6
Patch release for Aspire 13.4 fixing polyglot AppHost code generation binding when CLI and SDK versions diverge, resource service port collision in
--isolatedmode, and a MongoDB.Driver dependency update.🐛 Fixes
🔗 Polyglot AppHost code generation silently failed when CLI and SDK versions diverged —
Aspire.TypeSystemused a floating strong-nameAssemblyVersionthat changed with every build. When the installed Aspire CLI was built at a different version than the AppHost's SDK, the CLR couldn't satisfy the strong-name bind and every code generator (TypeScript, Python, Java, Go, Rust) was silently dropped, surfacing asNo code generator found for language: <lang>. TheAssemblyVersionis now frozen at a stable constant so any compatible CLI/SDK pair on 13.4 binds successfully. Relates to #18110 and #17910. (#18160,@sebastienros)🔌 Multiple AppHosts started with
--isolatedcollided on the resource service port — Both instances tried to bind to the same fixed port fromASPIRE_RESOURCE_SERVICE_ENDPOINT_URL, causing an "address already in use" error on the second instance.DashboardServiceHostnow binds to port 0 on loopback whenRandomizePortsis true (set by--isolated), letting the OS assign a unique port per instance. (#18341,@JamesNK)🍃 MongoDB.Driver updated to 3.9.0 — Removes a wrongly pinned
SharpCompresstransitive dependency and uses the correctedSnappiertransitive. Fixes #17981. (#18279,@Falco20019)🏷️ Housekeeping
Full Changelog: v13.4.5...v13.4.6
Full commit: 87fe259e4fc244c599019a7b1304c85a1488f248
13.4.5
What's New in Aspire 13.4.5
Patch release for Aspire 13.4 clearing a transitive MessagePack security advisory, tightening CLI validation for Playwright configuration, and adding coding-agent detection to CLI telemetry.
🐛 Fixes
MessagePackFormatteror LZ4 — all StreamJsonRpc calls useSystemTextJsonFormatterover local Unix sockets — so the vulnerability was not reachable in practice. The bump clears the NU1903 warning for consumers of theAspire.Hostingpackage. (#18204,@mitchdenny)playwrightCliVersionvalues that are not valid SemVer 2.0 now fail fast with a clear diagnostic — Previously an invalid override (range expression, dist-tag likelatest, or av-prefixed string) would surface as a generic npm resolution failure. The value is now validated with strict SemVer parsing at startup; an error naming the configuration key and the offending value is emitted immediately. (#18205,@mitchdenny)copilot-cli. (#18240,@damianedwards)🏷️ Housekeeping
@microsoft/aspire-clinpm package README to be TypeScript-only — updated examples to the currentts-startertemplate (apphost.mts/aspire.mjs), added a backing-services snippet showingaspire addfor PostgreSQL and Redis, and documentedaspire dashboard runas a standalone dashboard option. (#18221,@adamint)Full Changelog: v13.4.4...v13.4.5
Full commit: 73114e86c64aeb9f3f3c7da8e37df1ae4281b27e
13.4.4
What's New in Aspire 13.4.4
Patch release for Aspire 13.4 with improved DCP connection reliability during request execution and consistent
ExcludeFromMcp()filtering across all CLI MCP tools.🐛 Fixes
@karolz-ms)ExcludeFromMcp()were not consistently filtered from CLI MCP tools — Resources with theresource.excludeFromMcpproperty were not excluded uniformly from all CLI MCP tool results.list_resources,list_console_logs,execute_resource_command,list_structured_logs,list_traces, andlist_trace_structured_logsall now honor the exclusion, preventing excluded resources and their telemetry from appearing in agent context. (#18150,@JamesNK)🏷️ Housekeeping
@adamratzman)Full Changelog: v13.4.3...v13.4.4
Full commit: ccc566c5ab3285c9beb8f38ede34734bb477c029
13.4.3
What's New in Aspire 13.4.3
Patch release for Aspire 13.4 with a fix for persistent container endpoint allocation regressions introduced in 13.4.
🐛 Fixes
isProxied: falseorWithEndpointProxySupport(false). Proxyless container endpoints with only atargetPortspecified now also resolve immediately to that port instead of waiting for delayed allocation. (#17960,@danegsta)🏷️ Housekeeping
Full Changelog: microsoft/aspire@v13.4.2...v13.4.3
Full commit: 4f218933552e18ff2874d1b6d5dc3fe671e3b6d9
Commits viewable in compare view.
Updated Aspire.MongoDB.Driver from 13.4.2 to 13.4.6.
Release notes
Sourced from Aspire.MongoDB.Driver's releases.
13.4.6
What's New in Aspire 13.4.6
Patch release for Aspire 13.4 fixing polyglot AppHost code generation binding when CLI and SDK versions diverge, resource service port collision in
--isolatedmode, and a MongoDB.Driver dependency update.🐛 Fixes
🔗 Polyglot AppHost code generation silently failed when CLI and SDK versions diverged —
Aspire.TypeSystemused a floating strong-nameAssemblyVersionthat changed with every build. When the installed Aspire CLI was built at a different version than the AppHost's SDK, the CLR couldn't satisfy the strong-name bind and every code generator (TypeScript, Python, Java, Go, Rust) was silently dropped, surfacing asNo code generator found for language: <lang>. TheAssemblyVersionis now frozen at a stable constant so any compatible CLI/SDK pair on 13.4 binds successfully. Relates to #18110 and #17910. (#18160,@sebastienros)🔌 Multiple AppHosts started with
--isolatedcollided on the resource service port — Both instances tried to bind to the same fixed port fromASPIRE_RESOURCE_SERVICE_ENDPOINT_URL, causing an "address already in use" error on the second instance.DashboardServiceHostnow binds to port 0 on loopback whenRandomizePortsis true (set by--isolated), letting the OS assign a unique port per instance. (#18341,@JamesNK)🍃 MongoDB.Driver updated to 3.9.0 — Removes a wrongly pinned
SharpCompresstransitive dependency and uses the correctedSnappiertransitive. Fixes #17981. (#18279,@Falco20019)🏷️ Housekeeping
Full Changelog: v13.4.5...v13.4.6
Full commit: 87fe259e4fc244c599019a7b1304c85a1488f248
13.4.5
What's New in Aspire 13.4.5
Patch release for Aspire 13.4 clearing a transitive MessagePack security advisory, tightening CLI validation for Playwright configuration, and adding coding-agent detection to CLI telemetry.
🐛 Fixes
MessagePackFormatteror LZ4 — all StreamJsonRpc calls useSystemTextJsonFormatterover local Unix sockets — so the vulnerability was not reachable in practice. The bump clears the NU1903 warning for consumers of theAspire.Hostingpackage. (#18204,@mitchdenny)playwrightCliVersionvalues that are not valid SemVer 2.0 now fail fast with a clear diagnostic — Previously an invalid override (range expression, dist-tag likelatest, or av-prefixed string) would surface as a generic npm resolution failure. The value is now validated with strict SemVer parsing at startup; an error naming the configuration key and the offending value is emitted immediately. (#18205,@mitchdenny)copilot-cli. (#18240,@damianedwards)🏷️ Housekeeping
@microsoft/aspire-clinpm package README to be TypeScript-only — updated examples to the currentts-startertemplate (apphost.mts/aspire.mjs), added a backing-services snippet showingaspire addfor PostgreSQL and Redis, and documentedaspire dashboard runas a standalone dashboard option. (#18221,@adamint)Full Changelog: v13.4.4...v13.4.5
Full commit: 73114e86c64aeb9f3f3c7da8e37df1ae4281b27e
13.4.4
What's New in Aspire 13.4.4
Patch release for Aspire 13.4 with improved DCP connection reliability during request execution and consistent
ExcludeFromMcp()filtering across all CLI MCP tools.🐛 Fixes
@karolz-ms)ExcludeFromMcp()were not consistently filtered from CLI MCP tools — Resources with theresource.excludeFromMcpproperty were not excluded uniformly from all CLI MCP tool results.list_resources,list_console_logs,execute_resource_command,list_structured_logs,list_traces, andlist_trace_structured_logsall now honor the exclusion, preventing excluded resources and their telemetry from appearing in agent context. (#18150,@JamesNK)🏷️ Housekeeping
@adamratzman)Full Changelog: v13.4.3...v13.4.4
Full commit: ccc566c5ab3285c9beb8f38ede34734bb477c029
13.4.3
What's New in Aspire 13.4.3
Patch release for Aspire 13.4 with a fix for persistent container endpoint allocation regressions introduced in 13.4.
🐛 Fixes
isProxied: falseorWithEndpointProxySupport(false). Proxyless container endpoints with only atargetPortspecified now also resolve immediately to that port instead of waiting for delayed allocation. (#17960,@danegsta)🏷️ Housekeeping
Full Changelog: microsoft/aspire@v13.4.2...v13.4.3
Full commit: 4f218933552e18ff2874d1b6d5dc3fe671e3b6d9
Commits viewable in compare view.
Updated Aspire.StackExchange.Redis from 13.4.2 to 13.4.6.
Release notes
Sourced from Aspire.StackExchange.Redis's releases.
13.4.6
What's New in Aspire 13.4.6
Patch release for Aspire 13.4 fixing polyglot AppHost code generation binding when CLI and SDK versions diverge, resource service port collision in
--isolatedmode, and a MongoDB.Driver dependency update.🐛 Fixes
🔗 Polyglot AppHost code generation silently failed when CLI and SDK versions diverged —
Aspire.TypeSystemused a floating strong-nameAssemblyVersionthat changed with every build. When the installed Aspire CLI was built at a different version than the AppHost's SDK, the CLR couldn't satisfy the strong-name bind and every code generator (TypeScript, Python, Java, Go, Rust) was silently dropped, surfacing asNo code generator found for language: <lang>. TheAssemblyVersionis now frozen at a stable constant so any compatible CLI/SDK pair on 13.4 binds successfully. Relates to #18110 and #17910. (#18160,@sebastienros)🔌 Multiple AppHosts started with
--isolatedcollided on the resource service port — Both instances tried to bind to the same fixed port fromASPIRE_RESOURCE_SERVICE_ENDPOINT_URL, causing an "address already in use" error on the second instance.DashboardServiceHostnow binds to port 0 on loopback whenRandomizePortsis true (set by--isolated), letting the OS assign a unique port per instance. (#18341,@JamesNK)🍃 MongoDB.Driver updated to 3.9.0 — Removes a wrongly pinned
SharpCompresstransitive dependency and uses the correctedSnappiertransitive. Fixes #17981. (#18279,@Falco20019)🏷️ Housekeeping
Full Changelog: v13.4.5...v13.4.6
Full commit: 87fe259e4fc244c599019a7b1304c85a1488f248
13.4.5
What's New in Aspire 13.4.5
Patch release for Aspire 13.4 clearing a transitive MessagePack security advisory, tightening CLI validation for Playwright configuration, and adding coding-agent detection to CLI telemetry.
🐛 Fixes
MessagePackFormatteror LZ4 — all StreamJsonRpc calls useSystemTextJsonFormatterover local Unix sockets — so the vulnerability was not reachable in practice. The bump clears the NU1903 warning for consumers of theAspire.Hostingpackage. (#18204,@mitchdenny)playwrightCliVersionvalues that are not valid SemVer 2.0 now fail fast with a clear diagnostic — Previously an invalid override (range expression, dist-tag likelatest, or av-prefixed string) would surface as a generic npm resolution failure. The value is now validated with strict SemVer parsing at startup; an error naming the configuration key and the offending value is emitted immediately. (#18205,@mitchdenny)copilot-cli. (#18240,@damianedwards)🏷️ Housekeeping
@microsoft/aspire-clinpm package README to be TypeScript-only — updated examples to the currentts-startertemplate (apphost.mts/aspire.mjs), added a backing-services snippet showingaspire addfor PostgreSQL and Redis, and documentedaspire dashboard runas a standalone dashboard option. (#18221,@adamint)Full Changelog: v13.4.4...v13.4.5
Full commit: 73114e86c64aeb9f3f3c7da8e37df1ae4281b27e
13.4.4
What's New in Aspire 13.4.4
Patch release for Aspire 13.4 with improved DCP connection reliability during request execution and consistent
ExcludeFromMcp()filtering across all CLI MCP tools.🐛 Fixes
@karolz-ms)ExcludeFromMcp()were not consistently filtered from CLI MCP tools — Resources with theresource.excludeFromMcpproperty were not excluded uniformly from all CLI MCP tool results.list_resources,list_console_logs,execute_resource_command,list_structured_logs,list_traces, andlist_trace_structured_logsall now honor the exclusion, preventing excluded resources and their telemetry from appearing in agent context. (#18150,@JamesNK)🏷️ Housekeeping
@adamratzman)Full Changelog: v13.4.3...v13.4.4
Full commit: ccc566c5ab3285c9beb8f38ede34734bb477c029
13.4.3
What's New in Aspire 13.4.3
Patch release for Aspire 13.4 with a fix for persistent container endpoint allocation regressions introduced in 13.4.
🐛 Fixes
isProxied: falseorWithEndpointProxySupport(false). Proxyless container endpoints with only atargetPortspecified now also resolve immediately to that port instead of waiting for delayed allocation. (#17960,@danegsta)🏷️ Housekeeping
Full Changelog: microsoft/aspire@v13.4.2...v13.4.3
Full commit: 4f218933552e18ff2874d1b6d5dc3fe671e3b6d9
Commits viewable in compare view.
Updated Auth0.AspNetCore.Authentication from 1.7.0 to 1.8.0.
Release notes
Sourced from Auth0.AspNetCore.Authentication's releases.
1.8.0
Added
HttpContext.GetAccessTokenAsync(AccessTokenRequest)extension returns an access token for a requested audience and/or scope, served from the session cache when possible and otherwise via a refresh-token exchange.Auth0WebAppWithAccessTokenOptions.ScopeByAudience.OnAccessTokenRefreshFailedevent surfaces refresh failures, letting callers distinguish terminal failures (warranting re-login) from transient ones.MfaRequiredExceptionsurfaces the challenge, andIAuthenticationApiClient(registered viaWithAuthenticationApiClient()) lets the application complete OTP, OOB, or recovery-code grants and manage authenticators.Auth0WebAppWithAccessTokenOptions.AccessTokenExpirationLeeway(TimeSpan, default 60s) controls how far ahead of expiry the SDK proactively refreshes the access token. Previously hard-coded to 60 seconds; the default preserves prior behavior. Applies to both primary and additional (MRRT) cached tokens, and only takes effect whenUseRefreshTokensis enabled.WithSessionStoremethod onAuth0WebAppAuthenticationBuilderstores the authentication session server-side (viaITicketStore) instead of in the cookie. It attaches the store to the SDK's own resolved cookie scheme, so it works even with a customCookieAuthenticationScheme. Two overloads are provided:WithSessionStore<TStore>()(resolved from DI) andWithSessionStore(ITicketStore instance). Opt-in and additive; the default stateless cookie session is unchanged.Fixed
client_assertionaudience #236 (samjetski) - fixes a regression introduced in 1.7.0 (#206) where the Private Key JWT client assertionaudclaim was built ashttps://{tenant}//(double slash), causing Auth0's/oauth/tokenendpoint to reject the assertion with401 invalid_clientand leaving affected apps (any usingClientAssertionSecurityKey) in a callback loop.OnValidatePrincipalto the configured cookie scheme #248 (kailash-b) - fixes a scheme mismatch where the access-token refresh hook was registered against the default"Cookies"scheme rather than the configuredCookieAuthenticationScheme.Security
Microsoft.IdentityModel.Protocols.OpenIdConnect8.18.0 → 8.19.1,Microsoft.AspNetCore.Mvc.Testing10.0.8 → 10.0.9,Microsoft.AspNetCore.Mvc.ViewFeatures2.3.10 → 2.3.11,System.Text.Encodings.Web10.0.8 → 10.0.9.1.7.1
Security
Commits viewable in compare view.
Updated Auth0.ManagementApi from 8.4.0 to 8.6.0.
Release notes
Sourced from Auth0.ManagementApi's releases.
8.6.0
Breaking Changes
CreatedAt,UpdatedAt,MultifactorLastModified,LastLogin, andLastPasswordReseton the user response types (GetUserResponseContent,CreateUserResponseContent,UpdateUserResponseContent,UserResponseSchema) are now plainDateTime?instead of theUserDateSchemaunion. TheUserDateSchematype and itsUserDateSchemaExtensions(ToDateTime) helpers have been removed — callers can drop.ToDateTime()and use the value directly #1037 (fern-api[bot])UserIdproperty onUserIdentitySchemaandDeleteUserIdentityResponseContentItemis now theUserIdunion type instead ofstring, allowing string or numeric user identifiers #1037 (fern-api[bot])NativeSocialLoginonUpdateClientRequestContentis nowOptional<NativeSocialLoginPatch?>(with newNativeSocialLoginPatch,NativeSocialLoginApplePatch,NativeSocialLoginFacebookPatch, andNativeSocialLoginGooglePatchtypes) to support partial PATCH semantics #1037 (fern-api[bot])FedcmLoginonUpdateClientRequestContentis nowOptional<FedCmLoginPatch?>(with newFedCmLoginPatchandFedCmLoginGooglePatchtypes) to support partial PATCH semantics #1037 (fern-api[bot])Added
AttackProtection.PhoneProviderProtectionsub-client withGetAsync()andPatchAsync()to read and update the tenant's phone provider protection configuration, plusPatchPhoneProviderProtectionRequestContent,GetPhoneProviderProtectionResponseContent,PatchPhoneProviderProtectionResponseContent, and thePhoneProviderProtectionBackoffStrategyEnum(exponential/none) type #1037 (fern-api[bot])CrossAppAccessRequestingApptype (withActive) and aCrossAppAccessRequestingAppproperty to the OIDC and Okta connection request/response types (CreateConnectionRequestContentOidc,CreateConnectionRequestContentOkta,UpdateConnectionRequestContentOidc,UpdateConnectionRequestContentOkta,ConnectionResponseContentOidc,ConnectionResponseContentOkta,ConnectionForList, and the connection response types) #1037 (fern-api[bot])TokenVaultPrivilegedAccessproperty to client types —ClientTokenVaultPrivilegedAccessWithPublicKey(withCredentialsandIpAllowlist) onCreateClientRequestContent, andClientTokenVaultPrivilegedAccessWithCredentialIdonUpdateClientRequestContent,Client, and the client response types #1037 (fern-api[bot])auth_email_by_code(AuthEmailByCode) value toEmailTemplateNameEnum#1037 (fern-api[bot])8.5.0
Added
SecurityHeaders(TenantSettingsNullableSecurityHeaders) property toUpdateTenantSettingsRequestContent,GetTenantSettingsResponseContent, andUpdateTenantSettingsResponseContentfor configuring Content Security Policy and XSS protection at the tenant level #1030 (fern-api[bot])ContentSecurityPolicyConfig,CspPolicy,CspPolicyMode(enforcing/reporting),CspFlag(upgrade-insecure-requests/block-all-mixed-content),CspPolicyReporting,CspReportingInfrastructure,CspReportTo, andCspReportToEndpointtypes to model CSP directives, flags, and reporting endpoints #1030 (fern-api[bot])XssProtectionConfigandXssProtectionMode(block) types to configure theX-XSS-Protectionresponse header #1030 (fern-api[bot])SessionLifetimeInMinutes,IdleSessionLifetimeInMinutes,EphemeralSessionLifetimeInMinutes, andIdleEphemeralSessionLifetimeInMinutesonUpdateTenantSettingsRequestContent(each mutually exclusive with its hours-based counterpart) #1030 (fern-api[bot])IncludeSessionMetadataInTenantLogs(bool?) on tenant settings request/response types to include session metadata insloand OIDC back-channel logout tenant logs #1030 (fern-api[bot])IdTokenSessionExpirySupported(bool?) property toConnectionOptionsCommonOidc,ConnectionOptionsOidc,ConnectionOptionsOkta,ConnectionPropertiesOptions, andUpdateConnectionOptions#1030 (fern-api[bot])InvitationLandingClientIdproperty toClientMyOrganizationPostConfiguration,ClientMyOrganizationPatchConfiguration, andClientMyOrganizationResponseConfiguration#1030 (fern-api[bot])Experimentvalue toAculContextEnum, andConfirmationvalue toPromptGroupNameEnumandScreenGroupNameEnum#1030 (fern-api[bot])Removed
Identifiersproperty (and theBrandingIdentifiers/UpdateBrandingIdentifierstypes) fromUpdateBrandingRequestContent,GetBrandingResponseContent, andUpdateBrandingResponseContent. Breaking change #1030 (fern-api[bot])BrandingPhoneMaskingEnum,UpdateBrandingPhoneMaskingEnum, andUpdateBrandingPhoneFormattingEnumtypes. Breaking change #1030 (fern-api[bot])Changed
Idproperty onPhoneTemplate,GetPhoneTemplateResponseContent,CreatePhoneTemplateResponseContent,UpdatePhoneTemplateResponseContent, andResetPhoneTemplateResponseContentis now optional/nullable (string?) instead ofrequired. Breaking change #1030 (fern-api[bot])RevokeRefreshTokensRequestContent.ClientIdsemantics — it must be paired withUserIdand can be narrowed further withAudience, rather than revoking all of a client's tokens #1030 (fern-api[bot])Commits viewable in compare view.
Updated gitversion.tool from 6.7.0 to 6.8.1.
Release notes
Sourced from gitversion.tool's releases.
6.8.1
As part of this release we had 18 commits which resulted in 9 issues being closed.
Bug
Dependencies
da953a3tobe5bd89in /.devcontainer by dependabot[bot]Improvements
Contributors
4 contributors made this release possible.
6.8.0
As part of this release we had 248 commits which resulted in 86 issues being closed.
Bug
Dependencies
... (truncated)
Commits viewable in compare view.
Updated MediatR from 14.1.0 to 14.2.0.
Release notes
Sourced from MediatR's releases.
14.2.0
What's Changed
Full Changelog: LuckyPennySoftware/MediatR@v14.1.0...v14.2.0
Commits viewable in compare view.
Updated Microsoft.AspNetCore.Mvc.Testing from 10.0.8 to 10.0.9.
Release notes
Sourced from Microsoft.AspNetCore.Mvc.Testing's releases.
No release notes found for this version range.
Commits viewable in compare view.
Updated Microsoft.AspNetCore.OpenApi from 10.0.8 to 10.0.9.
Release notes
Sourced from Microsoft.AspNetCore.OpenApi's releases.
No release notes found for this version range.
Commits viewable in compare view.
Updated Microsoft.AspNetCore.SignalR.Client from 10.0.8 to 10.0.9.
Release notes
Sourced from Microsoft.AspNetCore.SignalR.Client's releases.
No release notes found for this version range.
Commits viewable in compare view.
Updated Microsoft.Extensions.Caching.StackExchangeRedis from 10.0.8 to 10.0.9.
Release notes
Sourced from Microsoft.Extensions.Caching.StackExchangeRedis's releases.
No release notes found for this version range.
Commits viewable in compare view.
Updated Microsoft.Extensions.Configuration from 10.0.8 to 10.0.9.
Release notes
Sourced from Microsoft.Extensions.Configuration's releases.
No release notes found for this version range.
Commits viewable in compare view.
Updated Microsoft.Extensions.Configuration.Abstractions from 10.0.8 to 10.0.9.
Release notes
Sourced from Microsoft.Extensions.Configuration.Abstractions's releases.
No release notes found for this version range.
Commits viewable in compare view.
Updated Microsoft.Extensions.Configuration.Binder from 10.0.8 to 10.0.9.
Release notes
Sourced from Microsoft.Extensions.Configuration.Binder's releases.
No release notes found for this version range.
Commits viewable in compare view.
Updated Microsoft.Extensions.DependencyInjection from 10.0.8 to 10.0.9.
Release notes
Sourced from Microsoft.Extensions.DependencyInjection's releases.
No release notes found for this version range.
Commits viewable in compare view.
Updated [Microsoft.Extensions.DependencyInjection.Abstractions](https://github.com/dotnet...
Description has been truncated
Dependabot will resolve any conflicts with th...
Description has been truncated