deps(nuget): Bump Microsoft.AspNetCore.Authentication.JwtBearer and 11 others #126

Merged
Ellerbach merged 1 commit into main from dependabot/nuget/src/AzureAISearchSimulator.Api/microsoft-packages-3ed5dd37a8
May 7, 2026

@dependabot dependabot Bot commented on behalf of github May 4, 2026

Updated Microsoft.AspNetCore.Authentication.JwtBearer from 10.0.3 to 10.0.7.

Release notes

Sourced from Microsoft.AspNetCore.Authentication.JwtBearer's releases.

No release notes found for this version range.

Commits viewable in compare view.

Updated Microsoft.AspNetCore.Mvc.Testing from 10.0.3 to 10.0.7.

Release notes

Sourced from Microsoft.AspNetCore.Mvc.Testing's releases.

No release notes found for this version range.

Commits viewable in compare view.

Updated Microsoft.AspNetCore.OpenApi from 10.0.3 to 10.0.7.

Release notes

Sourced from Microsoft.AspNetCore.OpenApi's releases.

No release notes found for this version range.

Commits viewable in compare view.

Pinned Microsoft.Extensions.Http at 10.0.7.

Release notes

Sourced from Microsoft.Extensions.Http's releases.

No release notes found for this version range.

Commits viewable in compare view.

Updated Microsoft.Extensions.Logging.Abstractions from 10.0.3 to 10.0.7.

Release notes

Sourced from Microsoft.Extensions.Logging.Abstractions's releases.

No release notes found for this version range.

Commits viewable in compare view.

Updated Microsoft.Extensions.Options from 10.0.3 to 10.0.7.

Release notes

Sourced from Microsoft.Extensions.Options's releases.

No release notes found for this version range.

Commits viewable in compare view.

Updated Microsoft.Identity.Web from 4.4.0 to 4.9.0.

Release notes

Sourced from Microsoft.Identity.Web's releases.

4.9.0

New features

  • Sidecar: per-route override gating. New Sidecar:AllowOverrides configuration section provides explicit, per-route control over whether optionsOverride.* query-string parameters are honored. Authenticated routes default to allowing overrides (preserving existing behavior); unauthenticated routes default to rejecting them. optionsOverride.BaseUrl is unconditionally rejected on all routes as a hardening measure. See #​3794.

Bug fixes

  • Fix AccountController.Challenge redirect URI validation to reject percent-encoded protocol-relative bypasses (%2F%2F, %5C%2F, etc.) that could be decoded by misconfigured reverse proxies. See #​3792.

Behavior changes

  • DownstreamApi: reserved header filtering. Headers supplied via DownstreamApiOptions.ExtraHeaderParameters whose names match reserved HTTP headers (Authorization, Host, Content-Length, Proxy-Authorization, Sec-*, Proxy-*, etc.) or duplicate a header the library already set are now silently skipped. A warning-level log entry (ReservedHeaderIgnored / DuplicateHeaderIgnored) is emitted so operators can spot misconfigurations. No exception is thrown. See #​3793.

Dependencies updates

  • Update Azure.Identity 1.11.4 → 1.17.2 and establish Microsoft.Extensions.* 8.0.x minimum on older TFMs. Azure.Identity 1.17.2 (sovereign-cloud fixes) pulls in Azure.Core 1.50.0, which introduces a transitive dependency on Microsoft.Extensions.DependencyInjection.Abstractions 8.0.2 on non-framework-coupled TFMs (net462, net472, netstandard2.0). This caused a CS0433 type collision with the previously-pinned Microsoft.Extensions.DependencyInjection 2.1.0. Rather than patch individual packages, the entire Microsoft.Extensions.* stack on these older TFMs has been bumped to 8.0.x, closing several 5-year version gaps and aligning with the net8.0 baseline. If your application targets net462, net472, or netstandard2.0, your resolved Microsoft.Extensions.* versions will increase (e.g., Extensions.Http 3.1.3 → 8.0.0, Extensions.DependencyInjection 2.1.0 → 8.0.0, Extensions.Caching.Memory 2.1.0/6.0.2 → 8.0.1). Applications already targeting net8.0+ are unaffected. See #​3787.
  • Bump System.Text.Json 8.0.5 → 8.0.6 (CVE-2024-43485). See #​3787.
  • Bump Microsoft.AspNetCore.DataProtection to 10.0.7 for CVE fix on net10.0. See #​3796.
  • Bump OpenTelemetry.Exporter.OpenTelemetryProtocol 1.14.0 → 1.15.3. See #​3788.

Full Changelog: AzureAD/microsoft-identity-web@4.8.0...4.9.0

4.8.0

What's Changed

New Contributors

Full Changelog: AzureAD/microsoft-identity-web@4.6.0...4.8.0

4.7.0

Bug fixes

  • Updates to Microsoft.Identity.Abstractions 12.0.0 to revert breaking changes introduced in Abstractions 11.0.0. (On .NET 10 target, Certificate extension method in CredentialDescription was reverted to normal property.) See #​3767.

4.6.0

What's Changed

Full Changelog: AzureAD/microsoft-identity-web@4.5.0...4.6.0

4.5.0

New features

  • Add support for certificate store lookup by subject name. See #​3742.

Dependencies updates

  • Bump minimatch in /tests/DevApps/SidecarAdapter/typescript. See #​3739.
  • Bump rollup from 4.52.3 to 4.59.0 in /tests/DevApps/SidecarAdapter/typescript. See #​3740.

Commits viewable in compare view.

Updated Microsoft.IdentityModel.Protocols.OpenIdConnect from 8.16.0 to 8.18.0.

Release notes

Sourced from Microsoft.IdentityModel.Protocols.OpenIdConnect's releases.

8.18.0

New Features

  • Introduced a new interface IConfigurationEventHandlerContextAware<T> that provides context to the configuration event handler implementation, allowing it to optionally bypass a cache lookup. See PR #​3444.
  • Added Microsoft.IdentityModel.Dpop — a new package implementing DPoP (Demonstrating Proof-of-Possession) per RFC 9449. Provides both client-side and server-side proof validation with no System.Net.Http dependency. See PR #​3443.

8.17.0

Dependencies

  • Downgrade MicrosoftExtensionsLoggingAbstractionsVersion to 8.0.0 on .NET 10. See PR #​3435.

Commits viewable in compare view.

Updated Microsoft.IdentityModel.Tokens from 8.16.0 to 8.18.0.

Release notes

Sourced from Microsoft.IdentityModel.Tokens's releases.

8.18.0

New Features

  • Introduced a new interface IConfigurationEventHandlerContextAware<T> that provides context to the configuration event handler implementation, allowing it to optionally bypass a cache lookup. See PR #​3444.
  • Added Microsoft.IdentityModel.Dpop — a new package implementing DPoP (Demonstrating Proof-of-Possession) per RFC 9449. Provides both client-side and server-side proof validation with no System.Net.Http dependency. See PR #​3443.

8.17.0

Dependencies

  • Downgrade MicrosoftExtensionsLoggingAbstractionsVersion to 8.0.0 on .NET 10. See PR #​3435.

Commits viewable in compare view.

Pinned Microsoft.ML.OnnxRuntime at 1.25.1.

Release notes

Sourced from Microsoft.ML.OnnxRuntime's releases.

1.25.1

n.b. This changelog is LLM generated. Only the contributor listing has been verified.

ONNX Runtime Release 1.25.1

📢 Announcements & Breaking Changes

ONNX Op Updates

  • Enhanced ONNX operator support with new opset versions: Reshape (opset 25), Transpose (opset 24) (#​27752)

✨ New Features

📊 New ONNX Ops & Model Support

  • LinearAttention and CausalConvState operators for Qwen3.5 model support (#​27907)
  • RotaryEmbedding (RotEMB) and RMSNorm operators added (#​27752)
  • Linear Attention signature support (#​27842)

🌐 Web & JavaScript

WebGPU EP

  • Qwen3.5 model support on WebGPU execution provider (#​27996)
  • QMoE 1-token decode path optimization — fused operations to reduce GPU dispatches for improved performance (#​27998)

🐛 Bug Fixes

Core Runtime Fixes

  • Improved filesystem error messages during Linux device discovery for better debugging experience (#​27289)
  • Fixed missing include for SetRawDataInTensorProto in NVIDIA TensorRT RTX tests (#​28065)

🙏 Contributors

Thanks to our 7 contributors for this release:
@​guschmue, @​sanaa-hamel-microsoft, @​apsonawane, @​eserscor, @​ishwar-raut1, @​qjia7, @​theHamsta

Full Changelog: microsoft/onnxruntime@v1.25.0...v1.25.1

1.25.0

📢 Announcements & Breaking Changes

Build & Platform

  • C++20 is now required to build ONNX Runtime from source. Minimum toolchains: MSVC 19.29+, GCC 10+, Clang 10+. Users of prebuilt packages are unaffected. (#​27178)
  • CUDA minimum version raised to 12.0 — CUDA 11.x is no longer supported. Users pinned to CUDA 11.x should stay on ORT 1.24.x or upgrade their CUDA toolkit/driver. (#​27570)
  • ONNX upgraded to 1.21.0 (#​27601)
  • sympy is now an optional dependency for Python builds. (#​27200)

Execution Provider Changes

  • ArmNN EP has been removed. Users should remove any --use_armnn build flags and migrate to the MLAS/KleidiAI-backed CPU EP or QNN EP for Qualcomm hardware. (#​27447)

API Version


🔒 Security Fixes

  • Fixed potential integer truncation leading to heap out-of-bounds read/write (#​27544)
  • Addressed Pad Reflect vulnerability (#​27652)
  • Security fix for transpose optimizer (#​27555)
  • Upgraded minimatch 3.1.2 → 3.1.4 for CVE-2026-27904 (#​27667)
  • Hardened shell command handling for constant strings (#​27840)
  • Added validation of onnx::TensorProto data size before allocation (#​27547)
  • Cleaned up external data path validation (#​27539)
  • Fixed misaligned address reads for tensor attributes from raw data buffers (#​27312)
  • Fixed CPU Attention overflow issue (#​27822)
  • Fixed CPU LRN integer overflow issues (#​27886)
  • Additional input validation hardening:

✨ New Features

🔌 Execution Provider Plugin API & CUDA Plugin EP

... (truncated)

1.24.4

This is a patch release for ONNX Runtime 1.24, containing bug fixes and execution provider updates.

Bug Fixes

  • Core: Added PCI bus fallback for Linux GPU device discovery in containerized environments (e.g., AKS/Kubernetes) where nvidia-drm is not loaded but GPU PCI devices are still exposed via sysfs. (#​27591)
  • Plugin EP: Fixed null pointer dereference when iterating output spans in GetOutputIndex. (#​27644)
  • Plugin EP: Fixed bug that incorrectly assigned duplicate MetaDef IDs to fused nodes in different GraphViews (e.g., then/else branches of an If node), causing session creation to fail with a conflicting kernel error. (#​27666)

Execution Provider Updates

  • QNN EP: Enabled offline x64 compilation with memhandle IO type by deferring rpcmem library loading to inference time. (#​27479)
  • QNN EP: Reverted QNN SDK logging verbosity changes that caused segmentation faults on backend destruction. (#​27650)

Build and Infrastructure

  • Python: Updated python_requires from >=3.10 to >=3.11 to reflect dropped Python 3.10 support. (#​27354)
  • Build: Replaced __builtin_ia32_tpause with the compiler-portable _tpause intrinsic to fix cross-compiler portability issues between GCC and LLVM. (#​27607)

Full Changelog: v1.24.3...v1.24.4

Contributors

@​derdeljan-msft, @​adrianlizarraga, @​apwojcik, @​baijumeswani, @​edgchen1, @​mocknen, @​tianleiwu, @​XXXXRT666

1.24.3

This is a patch release for ONNX Runtime 1.24, containing bug fixes, security improvements, performance enhancements, and execution provider updates.

Security Fixes

  • Core: Fixed GatherCopyData integer truncation leading to heap out-of-bounds read/write. (#​27444)
  • Core: Fixed RoiAlign heap out-of-bounds read via unchecked batch_indices. (#​27543)
  • Core: Prevent heap OOB from maliciously crafted Lora Adapters. (#​27518)
  • Core: Fixed out-of-bounds access for Resize operation. (#​27419)

Bug Fixes

  • Core: Fixed GatherND division by zero when batch dimensions mismatch. (#​27090)
  • Core: Fixed validation for external data paths for models loaded from bytes. (#​27430)
  • Core: Fixed SkipLayerNorm fusion incorrectly applied when gamma/beta are not 1D. (#​27459)
  • Core: Fixed double-free in TRT EP custom op domain Release functions. (#​27471)
  • Core: Fixed QMoE CPU Operator. (#​27360)
  • Core: Fixed MatmulNBits prepacking scales. (#​27412)
  • Python: Fixed refcount bug in map input conversion that caused shutdown segfault. (#​27413)
  • NuGet: Fixed DllImportResolver. (#​27397)
  • NuGet: Added OrtEnv.DisableDllImportResolver to prevent fatal error on resolver conflict. (#​27535)

Performance Improvements

  • Core: QMoE CPU performance update (up to 4x on 4-bit). (#​27364)
  • Core: Fixed O(n²) model load time for TreeEnsemble with categorical feature chains. (#​27391)

Execution Provider Updates

  • NvTensorRtRtx EP:
    • Avoid repetitive creation of fp4/fp8 native-custom-op domains. (#​27192)
    • Added missing override specifiers to suppress warnings. (#​27288)
    • DQ→MatMulNBits fusion transformer. (#​27466)
  • WebGPU:
    • Used embedded WASM module in Blob URL workers when wasmBinary is provided. (#​27318)
    • Fixed usage of wasmBinary together with a blob URL for .mjs. (#​27411)
    • Removed the unhelpful "Unknown CPU vendor" warning. (#​27399)
    • Allows new memory info name for WebGPU. (#​27475)
  • MLAS:
    • Added DynamicQGemm function pointers and ukernel interface. (#​27403)
    • Fixed error where bytes is not assigned for dynamic qgemm pack b size. (#​27421)
  • VitisAI EP: Removed s_kernel_registry_vitisaiep.reset() in deinitialize_vitisai_ep(). (#​27295)
  • Plugin EPs: Added "library_path" metadata entry to OrtEpDevice instances for plugin and provider bridge EPs. (#​27522)

Build and Infrastructure

  • Pipelines:
    • Build Windows ARM64X binaries as part of packaging pipeline. (#​27316)
    • Moved JAR testing pipelines to canonical pipeline template. (#​27480)
  • Python: Enabled Python 3.14 CI and upgraded dependencies. (#​27401)
  • Build: Suppressed spurious Array Out of Bounds warnings produced by GCC 14.2 compiler on Linux builds. (#​27454)
  • Build: Fixed -Warray-bounds build error in MLAS on clang 17+. (#​27499)
  • Telemetry: Added/Updated telemetry events. (#​27356)
  • Config: Increased kMaxValueLength to 8192. (#​27521)

... (truncated)

Commits viewable in compare view.

Updated Microsoft.NET.Test.Sdk from 18.3.0 to 18.5.1.

Release notes

Sourced from Microsoft.NET.Test.Sdk's releases.

18.5.1

What's Changed

Full Changelog: microsoft/vstest@v18.5.0...v18.5.1

18.5.0

⚠️ Unlisted on Nuget, because of #​15718

What's Changed

Full Changelog: microsoft/vstest@v18.4.0...v18.5.0

18.4.0

What's Changed

New Contributors

Full Changelog: microsoft/vstest@v18.3.0...v18.4.0

Commits viewable in compare view.

Updated System.IdentityModel.Tokens.Jwt from 8.16.0 to 8.18.0.

Release notes

Sourced from System.IdentityModel.Tokens.Jwt's releases.

8.18.0

New Features

  • Introduced a new interface IConfigurationEventHandlerContextAware<T> that provides context to the configuration event handler implementation, allowing it to optionally bypass a cache lookup. See PR #​3444.
  • Added Microsoft.IdentityModel.Dpop — a new package implementing DPoP (Demonstrating Proof-of-Possession) per RFC 9449. Provides both client-side and server-side proof validation with no System.Net.Http dependency. See PR #​3443.

8.17.0

Dependencies

  • Downgrade MicrosoftExtensionsLoggingAbstractionsVersion to 8.0.0 on .NET 10. See PR #​3435.

Commits viewable in compare view.

@dependabot dependabot Bot added the dependencies (For dependabot) and dotnet (For .NET changes especially in the dependabot) labels May 4, 2026
…1 others

Bumps Microsoft.AspNetCore.Authentication.JwtBearer from 10.0.3 to 10.0.7
Bumps Microsoft.AspNetCore.Mvc.Testing from 10.0.3 to 10.0.7
Bumps Microsoft.AspNetCore.OpenApi from 10.0.3 to 10.0.7
Bumps Microsoft.Extensions.Http from 10.0.3 to 10.0.7
Bumps Microsoft.Extensions.Logging.Abstractions from 10.0.3 to 10.0.7
Bumps Microsoft.Extensions.Options from 10.0.3 to 10.0.7
Bumps Microsoft.Identity.Web from 4.4.0 to 4.9.0
Bumps Microsoft.IdentityModel.Protocols.OpenIdConnect from 8.16.0 to 8.18.0
Bumps Microsoft.IdentityModel.Tokens from 8.16.0 to 8.18.0
Bumps Microsoft.ML.OnnxRuntime from 1.24.2 to 1.25.1
Bumps Microsoft.NET.Test.Sdk from 18.3.0 to 18.5.1
Bumps System.IdentityModel.Tokens.Jwt from 8.16.0 to 8.18.0

---
updated-dependencies:
- dependency-name: Microsoft.AspNetCore.Authentication.JwtBearer
  dependency-version: 10.0.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: microsoft-packages
- dependency-name: Microsoft.AspNetCore.Mvc.Testing
  dependency-version: 10.0.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: microsoft-packages
- dependency-name: Microsoft.AspNetCore.OpenApi
  dependency-version: 10.0.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: microsoft-packages
- dependency-name: Microsoft.Extensions.Http
  dependency-version: 10.0.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: microsoft-packages
- dependency-name: Microsoft.Extensions.Logging.Abstractions
  dependency-version: 10.0.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: microsoft-packages
- dependency-name: Microsoft.Extensions.Logging.Abstractions
  dependency-version: 10.0.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: microsoft-packages
- dependency-name: Microsoft.Extensions.Options
  dependency-version: 10.0.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: microsoft-packages
- dependency-name: Microsoft.Extensions.Options
  dependency-version: 10.0.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: microsoft-packages
- dependency-name: Microsoft.Identity.Web
  dependency-version: 4.9.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: microsoft-packages
- dependency-name: Microsoft.IdentityModel.Protocols.OpenIdConnect
  dependency-version: 8.18.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: microsoft-packages
- dependency-name: Microsoft.IdentityModel.Tokens
  dependency-version: 8.18.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: microsoft-packages
- dependency-name: Microsoft.ML.OnnxRuntime
  dependency-version: 1.25.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: microsoft-packages
- dependency-name: Microsoft.NET.Test.Sdk
  dependency-version: 18.5.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: microsoft-packages
- dependency-name: Microsoft.NET.Test.Sdk
  dependency-version: 18.5.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: microsoft-packages
- dependency-name: Microsoft.NET.Test.Sdk
  dependency-version: 18.5.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: microsoft-packages
- dependency-name: System.IdentityModel.Tokens.Jwt
  dependency-version: 8.18.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: microsoft-packages
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot changed the title from "deps(nuget): Bump the microsoft-packages group with 12 updates" to "deps(nuget): Bump Microsoft.AspNetCore.Authentication.JwtBearer and 11 others" May 7, 2026
@dependabot dependabot Bot force-pushed the dependabot/nuget/src/AzureAISearchSimulator.Api/microsoft-packages-3ed5dd37a8 branch from 07a25b4 to c77c7bb May 7, 2026 19:28
@Ellerbach Ellerbach merged commit e321d3e into main May 7, 2026
4 checks passed
@Ellerbach Ellerbach deleted the dependabot/nuget/src/AzureAISearchSimulator.Api/microsoft-packages-3ed5dd37a8 branch May 7, 2026 19:37