Skip to content

chore(nuget): Bump the microsoft group with 7 updates#106

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/nuget/microsoft-e0e66249e2
Open

chore(nuget): Bump the microsoft group with 7 updates#106
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/nuget/microsoft-e0e66249e2

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github Jun 1, 2026

Updated Microsoft.Azure.Cosmos from 3.56.0 to 3.60.0.

Release notes

Sourced from Microsoft.Azure.Cosmos's releases.

3.60.0

See changelog for details.

NuGet: https://www.nuget.org/packages/Microsoft.Azure.Cosmos/3.60.0

3.60.0-preview.0

Added

  • 5804 SemanticReranking: Adds Configurable Request Timeout

Fixed

  • 5783 Container: Fixes SemanticRerankAsync TypeLoadException in derived classes

This preview release also includes all changes from 3.59.0.

See full changelog: https://github.com/Azure/azure-cosmos-dotnet-v3/blob/master/changelog.md#​3600-preview0

3.59.0

3.59.0 - 2026-4-24

Features Added

  • 5579 Change Feed Processor: Adds Lease container export support
  • 5709 Performance: Adds caching for URL-encoded AAD authorization signature
  • 5731 DNS dot-suffix: Adds TCP DNS dot-suffix for Direct mode to avoid Kubernetes ndots latency
  • 5755 Exceptionless: Adds enabling exception less 400 status code
  • 5756 Exceptionless: Adds enabling exception less 404/1002 status code
  • 5757 Exceptionless: Adds enabling exception less 403
  • 5779 Direct: Adds Direct package version bump to 3.42.4
  • 5786 Region Availability: Adds missing regions from Direct 3.42.4
  • 5788 Socket Handler: Adds HTTP/2 PING keep-alive to detect broken connections in pool

Bugs Fixed

  • 5553 NativeDLLs: Fixes Conditionally include win-x64 native DLLs based on RuntimeIdentifier
  • 5588 LINQ: Fixes memory leak from Expression.Compile() in all call sites
  • 5617 ChangeFeedProcessor: Fixes first-change skip during initial startup by anchoring StartTime
  • 5636 CosmosClientBuilder: Fixes self-referencing loop in GetSerializedConfiguration with STJ TypeInfoResolver
  • 5748 Routing: Fixes GetOverlappingRanges CPU overhead from repeated JSON deserialization
  • 5807 ChangeFeedProcessor: Fixes lease de-duplication for /partitionKey-partitioned lease containers
  • 5778 DocumentClient: Fixes Potential Memory Leak By Properly Disposing GlobalPartitionEndpointManagerCore. This bug left the circuit breaker failback loop running indefinitely, leaking Task.Delay timers.

3.59.0-preview.0

3.59.0-preview.0 - 2026-3-20

Added

  • 5502 VectorIndex Policy: Adds Support for QuantizerType in IndexingPolicy
  • 5634 Semantic Reranking: Adds response body in semantic reranking error responses
  • 5685 Read Consistency Strategy: Adds Read Consistency Strategy option for read requests
  • 5447 Per Partition Automatic Failover: Adds Hub Region Processing Only While Routing Requests Failed with 404/1002 for single master accounts
  • 5551 HPK: Adds internal CosmosClientOptions flag UseLengthAwareRangeComparer for length aware range comparer rollout
  • 5582 Query: Adds ability to choose global vs local/focused statistics for FullTextScore
  • 5610 Refactors N-Region Synchronous Commit feature to use IServiceConfigurationReaderVNext interface.
  • 5693 ThinClient Integration: Adds Enable Multiple Http2 connection on SocketsHttpHandler
  • 5614 ThinClient Integration: Adds support for QueryPlan in thinclient mode

Fixed

  • 5597 CosmosClient: Fixes ObjectDisposedException message when client is disposed during request
  • 5613 CrossRegionHedgingAvailabilityStrategy: Fixes ArgumentNullException race condition in hedging cancellation
  • 5650 Batch: Fixes null ErrorMessage when promoting status from MultiStatus response
  • 5651 Serializer: Fixes unsafe stream cast in FromStream
  • 5697 ResourceThrottleRetryPolicy: Fixes cumulativeRetryDelay tracking when x-ms-retry-after-ms header is absent

3.58.0

3.58.0 - 2026-3-20

Added

  • 5447 Per Partition Automatic Failover: Adds Hub Region Processing Only While Routing Requests Failed with 404/1002 for single master accounts
  • 5551 HPK: Adds internal CosmosClientOptions flag UseLengthAwareRangeComparer for length aware range comparer rollout
  • 5582 Query: Adds ability to choose global vs local/focused statistics for FullTextScore
  • 5610 Refactors N-Region Synchronous Commit feature to use IServiceConfigurationReaderVNext interface.
  • 5693 ThinClient Integration: Adds Enable Multiple Http2 connection on SocketsHttpHandler
  • 5614 ThinClient Integration: Adds support for QueryPlan in thinclient mode

Fixed

  • 5597 CosmosClient: Fixes ObjectDisposedException message when client is disposed during request
  • 5613 CrossRegionHedgingAvailabilityStrategy: Fixes ArgumentNullException race condition in hedging cancellation
  • 5650 Batch: Fixes null ErrorMessage when promoting status from MultiStatus response
  • 5651 Serializer: Fixes unsafe stream cast in FromStream
  • 5697 ResourceThrottleRetryPolicy: Fixes cumulativeRetryDelay tracking when x-ms-retry-after-ms header is absent

3.58.0-preview.0

3.58.0-preview.0 - 2026-1-15

Added

  • 5511 Tracing: Adds tracing improvements for pkrange refresh calls
  • 5515 [FullTextPolicy]: Adds tests for full text policy multi-language support.
  • 5529 [Thin Client Integration]: Adds support for store procedure in thinclient mode.
  • 5535 [Thin Client Integration]: Adds thinclient header for refresh account data requests.

Fixed

  • 5512 ChangeFeed: Fixes crts field being nullable
  • 5517 SystemTextSerializer: Fixes serialization to preserve polymorphic serialization when base type is marked [JsonPolymorphic]
  • 5498 Query: Fixes hybrid search query plan optimization to be enabled by default
  • 5543 Query: Fixes GetItemQueryIterator to honor the supplied (optional) FeedRange
  • 5541 Upsert/Batch: Fixes bug where RequestOptions are not honored for Upsert requests in Bulk Mode
  • 5544 Query : Fixes LINQ API to support builtin functions - ARRAY_CONTAINS_ALL and ARRAY_CONTAINS_ANY

3.58.0-preivew.1

3.58.0-preview.1 - 2026-2-20

Fixed

  • 5613 CrossRegionHedgingAvailabilityStrategy: Fixes ArgumentNullException race condition in hedging cancellation

3.57.1

3.57.1 - 2026-2-20

Fixed

  • 5613 CrossRegionHedgingAvailabilityStrategy: Fixes ArgumentNullException race condition in hedging cancellation

3.57.0

3.57.0 - 2026-1-15

Added

  • 5511 Tracing: Adds tracing improvements for pkrange refresh calls
  • 5515 [FullTextPolicy]: Adds tests for full text policy multi-language support.
  • 5529 [Thin Client Integration]: Adds support for store procedure in thinclient mode.
  • 5535 [Thin Client Integration]: Adds thinclient header for refresh account data requests.

Fixed

  • 5512 ChangeFeed: Fixes crts field being nullable
  • 5517 SystemTextSerializer: Fixes serialization to preserve polymorphic serialization when base type is marked [JsonPolymorphic]
  • 5498 Query: Fixes hybrid search query plan optimization to be enabled by default
  • 5543 Query: Fixes GetItemQueryIterator to honor the supplied (optional) FeedRange
  • 5541 Upsert/Batch: Fixes bug where RequestOptions are not honored for Upsert requests in Bulk Mode
  • 5544 Query : Fixes LINQ API to support builtin functions - ARRAY_CONTAINS_ALL and ARRAY_CONTAINS_ANY

3.57.0-preview.1

3.57.0-preview.1 - 2025-12-16

Fixed

  • 5528 Semantic Reranking: Refactors RerankResult.Document to return string type

3.57.0-preview.0

3.57.0-preview.0 - 2025-11-25

Added

  • 5445 Semantic Rerank: Adds Semantic Rerank API

Commits viewable in compare view.

Updated Microsoft.Azure.Functions.Worker from 2.51.0 to 2.52.0.

Release notes

Sourced from Microsoft.Azure.Functions.Worker's releases.

2.52.0

What's Changed

Microsoft.Azure.Functions.Worker (metapackage) 2.52.0

  • Update Microsoft.Azure.Functions.Worker.Core to 2.52.0
  • Update Microsoft.Azure.Functions.Worker.Grpc to 2.52.0

Microsoft.Azure.Functions.Worker.Core 2.52.0

  • Add support for propagating trace context tags from worker to host (#​3303)
  • Add support for propagating OpenTelemetry Baggage to the worker. Requires use with the OpenTelemetry Extension to work end to end (#​3319).

Microsoft.Azure.Functions.Worker.Grpc 2.52.0

  • Update protobuf version to v1.12.0-protofile and add support for propagating tags from the worker to the functions host (#​3303).
  • Update protobuf version to v1.13.0-protofile to add support for propagating OpenTelemetry baggage to the worker (#​3319).

Commits viewable in compare view.

Updated Microsoft.Azure.Functions.Worker.Extensions.Storage.Queues from 5.5.3 to 5.5.4.

Release notes

Sourced from Microsoft.Azure.Functions.Worker.Extensions.Storage.Queues's releases.

No release notes found for this version range.

Commits viewable in compare view.

Updated Microsoft.Graph from 5.100.0 to 6.1.0.

Release notes

Sourced from Microsoft.Graph's releases.

6.1.0

6.1.0 (2026-05-20)

Features

Bug Fixes

  • ItemWithPath now throws instead of generating malformed URLs with nullish path values (#​3072) (a22256b)

6.0.3

6.0.3 (2026-05-14)

Build System

6.0.2

6.0.2 (2026-05-14)

Build System

6.0.1

6.0.1 (2026-05-13)

Build System

6.0.0

6.0.0 (2026-05-12)

⚠ BREAKING CHANGES

  • deps: update microsoft-graph-core to 4.x
  • Dropped net5.0 target framework. The SDK now targets netstandard2.0, netstandard2.1, net8.0, and net10.0. Consumers targeting net5.0 must upgrade to net8.0 or later.

Features

  • generation: update request builders and models (295bde7)
  • update target frameworks to net8.0 and net10.0, drop net5.0 (#​3096) (a383774)

Miscellaneous Chores

  • deps: update microsoft-graph-core to 4.x (f05de16)

5.105.0

5.105.0 (2026-04-24)

Features

  • generation: update request builders and models (143504b)

5.104.0

5.104.0 (2026-04-16)

Features

  • generation: update request builders and models (bacd780)

5.103.0

5.103.0 (2026-02-19)

Features

  • generation: update request builders and models (bf1a051)

5.102.0

5.102.0 (2026-02-05)

Features

5.101.0

5.101.0 (2026-01-22)

Features

Commits viewable in compare view.

Updated Microsoft.Identity.Web from 4.3.0 to 4.10.0.

Release notes

Sourced from Microsoft.Identity.Web's releases.

4.10.0

New features

  • Add WithExtraBodyParameters fluent API for attaching extra body parameters to token acquisition requests. See #​3819.
  • Add IConfidentialClientApplicationProvider extensibility interface and CachePartitionKey support for silent token acquisition. See #​3822.

Bug fixes

  • Redirect URI sanitization in authorization scenarios; centralize redirect URI validation in a shared helper. See #​3825.
  • Reject dSTS-shaped Authority values with a clearer exception, steering users to use Instance + TenantId instead. See #​3805.
  • Improve regex handling and adding length/timeout safeguards for SameSite User Agent. See #​3811.

Behavior changes

  • B2C OpenID Connect event handler: LRU cache for issuer address. Issuer address lookups in the B2C OIDC event handler are now cached with an LRU cache, improving performance for repeated lookups. See #​3821.

Dependencies updates

  • Update MSAL.NET to 4.84.1. See #​3822.
  • Pin Microsoft.Kiota.Abstractions to 1.22.0 for GraphServiceClient. See #​3817.
  • Bump uuid and @​azure/msal-node in SidecarAdapter TypeScript test app. See #​3826.
  • Bump qs in SidecarAdapter TypeScript test app. See #​3829.

4.9.0

New features

  • Sidecar: per-route override gating. New Sidecar:AllowOverrides configuration section provides explicit, per-route control over whether optionsOverride.* query-string parameters are honored. Authenticated routes default to allowing overrides (preserving existing behavior); unauthenticated routes default to rejecting them. optionsOverride.BaseUrl is unconditionally rejected on all routes as a hardening measure. See #​3794.

Bug fixes

  • Fix AccountController.Challenge redirect URI validation to reject percent-encoded protocol-relative bypasses (%2F%2F, %5C%2F, etc.) that could be decoded by misconfigured reverse proxies. See #​3792.

Behavior changes

  • DownstreamApi: reserved header filtering. Headers supplied via DownstreamApiOptions.ExtraHeaderParameters whose names match reserved HTTP headers (Authorization, Host, Content-Length, Proxy-Authorization, Sec-*, Proxy-*, etc.) or duplicate a header the library already set are now silently skipped. A warning-level log entry (ReservedHeaderIgnored / DuplicateHeaderIgnored) is emitted so operators can spot misconfigurations. No exception is thrown. See #​3793.

Dependencies updates

  • Update Azure.Identity 1.11.4 → 1.17.2 and establish Microsoft.Extensions.* 8.0.x minimum on older TFMs. Azure.Identity 1.17.2 (sovereign-cloud fixes) pulls in Azure.Core 1.50.0, which introduces a transitive dependency on Microsoft.Extensions.DependencyInjection.Abstractions 8.0.2 on non-framework-coupled TFMs (net462, net472, netstandard2.0). This caused a CS0433 type collision with the previously-pinned Microsoft.Extensions.DependencyInjection 2.1.0. Rather than patch individual packages, the entire Microsoft.Extensions.* stack on these older TFMs has been bumped to 8.0.x, closing several 5-year version gaps and aligning with the net8.0 baseline. If your application targets net462, net472, or netstandard2.0, your resolved Microsoft.Extensions.* versions will increase (e.g., Extensions.Http 3.1.3 → 8.0.0, Extensions.DependencyInjection 2.1.0 → 8.0.0, Extensions.Caching.Memory 2.1.0/6.0.2 → 8.0.1). Applications already targeting net8.0+ are unaffected. See #​3787.
  • Bump System.Text.Json 8.0.5 → 8.0.6 (CVE-2024-43485). See #​3787.
  • Bump Microsoft.AspNetCore.DataProtection to 10.0.7 for CVE fix on net10.0. See #​3796.
  • Bump OpenTelemetry.Exporter.OpenTelemetryProtocol 1.14.0 → 1.15.3. See #​3788.

Full Changelog: AzureAD/microsoft-identity-web@4.8.0...4.9.0

4.8.0

What's Changed

New Contributors

Full Changelog: AzureAD/microsoft-identity-web@4.6.0...4.8.0

4.7.0

4.7.0

Bug fixes

  • Updates to Microsoft.Identity.Abstractions 12.0.0 to revert breaking changes introduced in Abstractions 11.0.0. (On .NET 10 target, Certificate extension method in CredentialDescription was reverted to normal property.) See #​3767.

4.6.0

What's Changed

Full Changelog: AzureAD/microsoft-identity-web@4.5.0...4.6.0

4.5.0

New features

  • Add support for certificate store lookup by subject name. See #​3742.

Dependencies updates

  • Bump minimatch in /tests/DevApps/SidecarAdapter/typescript. See #​3739.
  • Bump rollup from 4.52.3 to 4.59.0 in /tests/DevApps/SidecarAdapter/typescript. See #​3740.

4.4.0

New features

  • Add AOT-compatible web API authentication for .NET 10+. See #​3705 and #​3664.
  • Propagate long-running web API session key back to callers in user token acquisition. See #​3728.
  • Add OBO event initialization for OBO APIs. See #​3724.
  • Add support for calling WithClientClaims flow for token acquisition. See #​3623.
  • Add OnBeforeTokenAcquisitionForOnBehalfOf event. See #​3680.

Bug fixes

  • Throw InvalidOperationException with actionable message when a custom credential is not registered. See #​3626.
  • Fix event firing for InvokeOnBeforeTokenAcquisitionForOnBehalfOfAsync. See #​3717.
  • Update OnBeforeTokenAcquisitionForOnBehalfOf to construct ClaimsPrincipal from token. See #​3714.
  • Add a retry counter for acquire token and updated tests with a fake secret. See #​3682.
  • Fix OBO user error handling. See #​3712.
  • Fix override merging for app token (and others). See #​3644.
  • Fix certificate reload logic to only trigger on certificate-specific errors. See #​3653.
  • Update ROPC flow CCA to pass SendX5C to MSAL. See #​3671.

Dependencies updates

  • Bump qs in /tests/DevApps/SidecarAdapter/typescript. See #​3725.
  • Downgrade Microsoft.Extensions.Configuration.Binder to 2.1.0 on .NET Framework. See #​3730.
  • Update .NET SDK to 10.0.103 to address DOTNET-Security-10.0 vulnerability. See #​3726.
  • Upgrade to Microsoft.Identity.Abstractions 11 for AoT compatibility. See #​3699.
  • Update to MSAL 4.81.0. See #​3665.

Documentation

  • Add documentation for auto-generated session key for long-running OBO session. See #​3729.
  • Improve the Aspire doc article and skills. See #​3695.
  • Add an article and agent skill to add Entra ID to an Aspire app. See #​3689.
  • Fix misleading comment in CertificatelessOptions.ManagedIdentityClientId. See #​3667.
  • Add Copilot explore tool functionality. See #​3694.

Fundamentals

  • Remove unnecessary warning suppression. See #​3715.
  • Migrate labs to Lab.API 2.x (first pass). See #​3710.
  • Update Sidecar E2E test constants. See #​3693.
  • Fix intermittent failures in CertificatesObserverTests. See #​3687.
  • Add validation baseline exclusions. See #​3684.
  • Add dSTS integration tests. See #​3677.
  • Fix FIC test. See #​3663.
  • Update IdentityWeb version, build logic, and validation. See #​3659.

New Contributors

4.4.0-preview.1

New features

  • Add AOT-compatible web API authentication for .NET 10+. See #​3705 and #​3664.
  • Propagate long-running web API session key back to callers in user token acquisition. See #​3728.
  • Add OBO event initialization for OBO APIs. See #​3724.
  • Add support for calling WithClientClaims flow for token acquisition. See #​3623.
  • Add OnBeforeTokenAcquisitionForOnBehalfOf event. See #​3680.

Bug fixes

  • Throw InvalidOperationException with actionable message when a custom credential is not registered. See #​3626.
  • Fix event firing for InvokeOnBeforeTokenAcquisitionForOnBehalfOfAsync. See #​3717.
  • Update OnBeforeTokenAcquisitionForOnBehalfOf to construct ClaimsPrincipal from token. See #​3714.
  • Add a retry counter for acquire token and updated tests with a fake secret. See #​3682.
  • Fix OBO user error handling. See #​3712.
  • Fix override merging for app token (and others). See #​3644.
  • Fix certificate reload logic to only trigger on certificate-specific errors. See #​3653.
  • Update ROPC flow CCA to pass SendX5C to MSAL. See #​3671.

Dependencies updates

  • Bump qs in /tests/DevApps/SidecarAdapter/typescript. See #​3725.
  • Downgrade Microsoft.Extensions.Configuration.Binder to 2.1.0 on .NET Framework. See #​3730.
  • Update .NET SDK to 10.0.103 to address DOTNET-Security-10.0 vulnerability. See #​3726.
  • Upgrade to Microsoft.Identity.Abstractions 11 for AoT compatibility. See #​3699.
  • Update to MSAL 4.81.0. See #​3665.

Documentation

  • Add documentation for auto-generated session key for long-running OBO session. See #​3729.
  • Improve the Aspire doc article and skills. See #​3695.
  • Add an article and agent skill to add Entra ID to an Aspire app. See #​3689.
  • Fix misleading comment in CertificatelessOptions.ManagedIdentityClientId. See #​3667.
  • Add Copilot explore tool functionality. See #​3694.

Fundamentals

  • Remove unnecessary warning suppression. See #​3715.
  • Migrate labs to Lab.API 2.x (first pass). See #​3710.
  • Update Sidecar E2E test constants. See #​3693.
  • Fix intermittent failures in CertificatesObserverTests. See #​3687.
  • Add validation baseline exclusions. See #​3684.
  • Add dSTS integration tests. See #​3677.
  • Fix FIC test. See #​3663.
  • Update IdentityWeb version, build logic, and validation. See #​3659.

Commits viewable in compare view.

Updated Microsoft.Identity.Web.GraphServiceClient from 4.3.0 to 4.10.0.

Release notes

Sourced from Microsoft.Identity.Web.GraphServiceClient's releases.

4.10.0

New features

  • Add WithExtraBodyParameters fluent API for attaching extra body parameters to token acquisition requests. See #​3819.
  • Add IConfidentialClientApplicationProvider extensibility interface and CachePartitionKey support for silent token acquisition. See #​3822.

Bug fixes

  • Redirect URI sanitization in authorization scenarios; centralize redirect URI validation in a shared helper. See #​3825.
  • Reject dSTS-shaped Authority values with a clearer exception, steering users to use Instance + TenantId instead. See #​3805.
  • Improve regex handling and adding length/timeout safeguards for SameSite User Agent. See #​3811.

Behavior changes

  • B2C OpenID Connect event handler: LRU cache for issuer address. Issuer address lookups in the B2C OIDC event handler are now cached with an LRU cache, improving performance for repeated lookups. See #​3821.

Dependencies updates

  • Update MSAL.NET to 4.84.1. See #​3822.
  • Pin Microsoft.Kiota.Abstractions to 1.22.0 for GraphServiceClient. See #​3817.
  • Bump uuid and @​azure/msal-node in SidecarAdapter TypeScript test app. See #​3826.
  • Bump qs in SidecarAdapter TypeScript test app. See #​3829.

4.9.0

New features

  • Sidecar: per-route override gating. New Sidecar:AllowOverrides configuration section provides explicit, per-route control over whether optionsOverride.* query-string parameters are honored. Authenticated routes default to allowing overrides (preserving existing behavior); unauthenticated routes default to rejecting them. optionsOverride.BaseUrl is unconditionally rejected on all routes as a hardening measure. See #​3794.

Bug fixes

  • Fix AccountController.Challenge redirect URI validation to reject percent-encoded protocol-relative bypasses (%2F%2F, %5C%2F, etc.) that could be decoded by misconfigured reverse proxies. See #​3792.

Behavior changes

  • DownstreamApi: reserved header filtering. Headers supplied via DownstreamApiOptions.ExtraHeaderParameters whose names match reserved HTTP headers (Authorization, Host, Content-Length, Proxy-Authorization, Sec-*, Proxy-*, etc.) or duplicate a header the library already set are now silently skipped. A warning-level log entry (ReservedHeaderIgnored / DuplicateHeaderIgnored) is emitted so operators can spot misconfigurations. No exception is thrown. See #​3793.

Dependencies updates

  • Update Azure.Identity 1.11.4 → 1.17.2 and establish Microsoft.Extensions.* 8.0.x minimum on older TFMs. Azure.Identity 1.17.2 (sovereign-cloud fixes) pulls in Azure.Core 1.50.0, which introduces a transitive dependency on Microsoft.Extensions.DependencyInjection.Abstractions 8.0.2 on non-framework-coupled TFMs (net462, net472, netstandard2.0). This caused a CS0433 type collision with the previously-pinned Microsoft.Extensions.DependencyInjection 2.1.0. Rather than patch individual packages, the entire Microsoft.Extensions.* stack on these older TFMs has been bumped to 8.0.x, closing several 5-year version gaps and aligning with the net8.0 baseline. If your application targets net462, net472, or netstandard2.0, your resolved Microsoft.Extensions.* versions will increase (e.g., Extensions.Http 3.1.3 → 8.0.0, Extensions.DependencyInjection 2.1.0 → 8.0.0, Extensions.Caching.Memory 2.1.0/6.0.2 → 8.0.1). Applications already targeting net8.0+ are unaffected. See #​3787.
  • Bump System.Text.Json 8.0.5 → 8.0.6 (CVE-2024-43485). See #​3787.
  • Bump Microsoft.AspNetCore.DataProtection to 10.0.7 for CVE fix on net10.0. See #​3796.
  • Bump OpenTelemetry.Exporter.OpenTelemetryProtocol 1.14.0 → 1.15.3. See #​3788.

Full Changelog: AzureAD/microsoft-identity-web@4.8.0...4.9.0

4.8.0

What's Changed

New Contributors

Full Changelog: AzureAD/microsoft-identity-web@4.6.0...4.8.0

4.7.0

4.7.0

Bug fixes

  • Updates to Microsoft.Identity.Abstractions 12.0.0 to revert breaking changes introduced in Abstractions 11.0.0. (On .NET 10 target, Certificate extension method in CredentialDescription was reverted to normal property.) See #​3767.

4.6.0

What's Changed

Full Changelog: AzureAD/microsoft-identity-web@4.5.0...4.6.0

4.5.0

New features

  • Add support for certificate store lookup by subject name. See #​3742.

Dependencies updates

  • Bump minimatch in /tests/DevApps/SidecarAdapter/typescript. See #​3739.
  • Bump rollup from 4.52.3 to 4.59.0 in /tests/DevApps/SidecarAdapter/typescript. See #​3740.

4.4.0

New features

  • Add AOT-compatible web API authentication for .NET 10+. See #​3705 and #​3664.
  • Propagate long-running web API session key back to callers in user token acquisition. See #​3728.
  • Add OBO event initialization for OBO APIs. See #​3724.
  • Add support for calling WithClientClaims flow for token acquisition. See #​3623.
  • Add OnBeforeTokenAcquisitionForOnBehalfOf event. See #​3680.

Bug fixes

  • Throw InvalidOperationException with actionable message when a custom credential is not registered. See #​3626.
  • Fix event firing for InvokeOnBeforeTokenAcquisitionForOnBehalfOfAsync. See #​3717.
  • Update OnBeforeTokenAcquisitionForOnBehalfOf to construct ClaimsPrincipal from token. See #​3714.
  • Add a retry counter for acquire token and updated tests with a fake secret. See #​3682.
  • Fix OBO user error handling. See #​3712.
  • Fix override merging for app token (and others). See #​3644.
  • Fix certificate reload logic to only trigger on certificate-specific errors. See #​3653.
  • Update ROPC flow CCA to pass SendX5C to MSAL. See #​3671.

Dependencies updates

  • Bump qs in /tests/DevApps/SidecarAdapter/typescript. See #​3725.
  • Downgrade Microsoft.Extensions.Configuration.Binder to 2.1.0 on .NET Framework. See #​3730.
  • Update .NET SDK to 10.0.103 to address DOTNET-Security-10.0 vulnerability. See #​3726.
  • Upgrade to Microsoft.Identity.Abstractions 11 for AoT compatibility. See #​3699.
  • Update to MSAL 4.81.0. See #​3665.

Documentation

  • Add documentation for auto-generated session key for long-running OBO session. See #​3729.
  • Improve the Aspire doc article and skills. See #​3695.
  • Add an article and agent skill to add Entra ID to an Aspire app. See #​3689.
  • Fix misleading comment in CertificatelessOptions.ManagedIdentityClientId. See #​3667.
  • Add Copilot explore tool functionality. See #​3694.

Fundamentals

  • Remove unnecessary warning suppression. See #​3715.
  • Migrate labs to Lab.API 2.x (first pass). See #​3710.
  • Update Sidecar E2E test constants. See #​3693.
  • Fix intermittent failures in CertificatesObserverTests. See #​3687.
  • Add validation baseline exclusions. See #​3684.
  • Add dSTS integration tests. See #​3677.
  • Fix FIC test. See #​3663.
  • Update IdentityWeb version, build logic, and validation. See #​3659.

New Contributors

4.4.0-preview.1

New features

  • Add AOT-compatible web API authentication for .NET 10+. See #​3705 and #​3664.
  • Propagate long-running web API session key back to callers in user token acquisition. See #​3728.
  • Add OBO event initialization for OBO APIs. See #​3724.
  • Add support for calling WithClientClaims flow for token acquisition. See #​3623.
  • Add OnBeforeTokenAcquisitionForOnBehalfOf event. See #​3680.

Bug fixes

  • Throw InvalidOperationException with actionable message when a custom credential is not registered. See #​3626.
  • Fix event firing for InvokeOnBeforeTokenAcquisitionForOnBehalfOfAsync. See #​3717.
  • Update OnBeforeTokenAcquisitionForOnBehalfOf to construct ClaimsPrincipal from token. See #​3714.
  • Add a retry counter for acquire token and updated tests with a fake secret. See #​3682.
  • Fix OBO user error handling. See #​3712.
  • Fix override merging for app token (and others). See #​3644.
  • Fix certificate reload logic to only trigger on certificate-specific errors. See #​3653.
  • Update ROPC flow CCA to pass SendX5C to MSAL. See #​3671.

Dependencies updates

  • Bump qs in /tests/DevApps/SidecarAdapter/typescript. See #​3725.
  • Downgrade Microsoft.Extensions.Configuration.Binder to 2.1.0 on .NET Framework. See #​3730.
  • Update .NET SDK to 10.0.103 to address DOTNET-Security-10.0 vulnerability. See #​3726.
  • Upgrade to Microsoft.Identity.Abstractions 11 for AoT compatibility. See #​3699.
  • Update to MSAL 4.81.0. See #​3665.

Documentation

  • Add documentation for auto-generated session key for long-running OBO session. See #​3729.
  • Improve the Aspire doc article and skills. See #​3695.
  • Add an article and agent skill to add Entra ID to an Aspire app. See #​3689.
  • Fix misleading comment in CertificatelessOptions.ManagedIdentityClientId. See #​3667.
  • Add Copilot explore tool functionality. See #​3694.

Fundamentals

  • Remove unnecessary warning suppression. See #​3715.
  • Migrate labs to Lab.API 2.x (first pass). See #​3710.
  • Update Sidecar E2E test constants. See #​3693.
  • Fix intermittent failures in CertificatesObserverTests. See #​3687.
  • Add validation baseline exclusions. See #​3684.
  • Add dSTS integration tests. See #​3677.
  • Fix FIC test. See #​3663.
  • Update IdentityWeb version, build logic, and validation. See #​3659.

Commits viewable in compare view.

Updated Microsoft.NET.Test.Sdk from 18.0.1 to 18.6.0.

Release notes

Sourced from Microsoft.NET.Test.Sdk's releases.

18.6.0

What's Changed

Changes to tests and infra

18.5.1

What's Changed

Full Changelog: microsoft/vstest@v18.5.0...v18.5.1

18.5.0

⚠️ Unlisted on Nuget, because of #​15718

What's Changed

Full Changelog: microsoft/vstest@v18.4.0...v18.5.0

18.4.0

What's Changed

Description has been truncated

@dependabot
chore(nuget): Bump the microsoft group with 7 updates
c084b8d 
Bumps Microsoft.Azure.Cosmos from 3.56.0 to 3.60.0
Bumps Microsoft.Azure.Functions.Worker from 2.51.0 to 2.52.0
Bumps Microsoft.Azure.Functions.Worker.Extensions.Storage.Queues from 5.5.3 to 5.5.4
Bumps Microsoft.Graph from 5.100.0 to 6.1.0
Bumps Microsoft.Identity.Web from 4.3.0 to 4.10.0
Bumps Microsoft.Identity.Web.GraphServiceClient from 4.3.0 to 4.10.0
Bumps Microsoft.NET.Test.Sdk from 18.0.1 to 18.6.0

---
updated-dependencies:
- dependency-name: Microsoft.Azure.Cosmos
  dependency-version: 3.60.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: microsoft
- dependency-name: Microsoft.Azure.Functions.Worker
  dependency-version: 2.52.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: microsoft
- dependency-name: Microsoft.Azure.Functions.Worker.Extensions.Storage.Queues
  dependency-version: 5.5.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: microsoft
- dependency-name: Microsoft.Graph
  dependency-version: 6.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: microsoft
- dependency-name: Microsoft.Identity.Web
  dependency-version: 4.10.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: microsoft
- dependency-name: Microsoft.Identity.Web.GraphServiceClient
  dependency-version: 4.10.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: microsoft
- dependency-name: Microsoft.NET.Test.Sdk
  dependency-version: 18.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: microsoft
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot @github
Copy link
Copy Markdown
Contributor Author

dependabot Bot commented on behalf of github Jun 1, 2026

Labels

The following labels could not be found: nuget. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot dependabot Bot requested a review from adthom as a code owner June 1, 2026 19:11
@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label Jun 1, 2026
@dependabot dependabot Bot requested a review from Justw-MSFT as a code owner June 1, 2026 19:11
@dependabot dependabot Bot mentioned this pull request Jun 1, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@adthom adthom Awaiting requested review from adthom adthom is a code owner

@Justw-MSFT Justw-MSFT Awaiting requested review from Justw-MSFT Justw-MSFT is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants