
deps(nuget): Bump Microsoft.Identity.Web from 4.8.0 to 4.9.0 #130

Merged
PlagueHO merged 3 commits into main from dependabot/nuget/prompt-babbler-service/Microsoft.Identity.Web-4.9.0 on May 6, 2026

Conversation

Contributor

@dependabot dependabot Bot commented on behalf of github May 5, 2026

Updated Microsoft.Identity.Web from 4.8.0 to 4.9.0.

Release notes

Sourced from Microsoft.Identity.Web's releases.

4.9.0

New features

  • Sidecar: per-route override gating. New Sidecar:AllowOverrides configuration section provides explicit, per-route control over whether optionsOverride.* query-string parameters are honored. Authenticated routes default to allowing overrides (preserving existing behavior); unauthenticated routes default to rejecting them. optionsOverride.BaseUrl is unconditionally rejected on all routes as a hardening measure. See #​3794.

Bug fixes

  • Fix AccountController.Challenge redirect URI validation to reject percent-encoded protocol-relative bypasses (%2F%2F, %5C%2F, etc.) that could be decoded by misconfigured reverse proxies. See #​3792.

Behavior changes

  • DownstreamApi: reserved header filtering. Headers supplied via DownstreamApiOptions.ExtraHeaderParameters whose names match reserved HTTP headers (Authorization, Host, Content-Length, Proxy-Authorization, Sec-*, Proxy-*, etc.) or duplicate a header the library already set are now silently skipped. A warning-level log entry (ReservedHeaderIgnored / DuplicateHeaderIgnored) is emitted so operators can spot misconfigurations. No exception is thrown. See #​3793.

Dependencies updates

  • Update Azure.Identity 1.11.4 → 1.17.2 and establish Microsoft.Extensions.* 8.0.x minimum on older TFMs. Azure.Identity 1.17.2 (sovereign-cloud fixes) pulls in Azure.Core 1.50.0, which introduces a transitive dependency on Microsoft.Extensions.DependencyInjection.Abstractions 8.0.2 on non-framework-coupled TFMs (net462, net472, netstandard2.0). This caused a CS0433 type collision with the previously-pinned Microsoft.Extensions.DependencyInjection 2.1.0. Rather than patch individual packages, the entire Microsoft.Extensions.* stack on these older TFMs has been bumped to 8.0.x, closing several 5-year version gaps and aligning with the net8.0 baseline. If your application targets net462, net472, or netstandard2.0, your resolved Microsoft.Extensions.* versions will increase (e.g., Extensions.Http 3.1.3 → 8.0.0, Extensions.DependencyInjection 2.1.0 → 8.0.0, Extensions.Caching.Memory 2.1.0/6.0.2 → 8.0.1). Applications already targeting net8.0+ are unaffected. See #​3787.
  • Bump System.Text.Json 8.0.5 → 8.0.6 (CVE-2024-43485). See #​3787.
  • Bump Microsoft.AspNetCore.DataProtection to 10.0.7 for CVE fix on net10.0. See #​3796.
  • Bump OpenTelemetry.Exporter.OpenTelemetryProtocol 1.14.0 → 1.15.3. See #​3788.

Full Changelog: AzureAD/microsoft-identity-web@4.8.0...4.9.0

Commits viewable in compare view.
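
The redirect-validation fix in the 4.9.0 release notes above, as an added C# example that is not part of this pull request and is not Microsoft.Identity.Web's code: the hypothetical `RedirectGuard.IsSafeLocalRedirect` checks a return URL in its raw form and again after each percent-decoding round, so `%2F%2F` and `%5C%2F` forms are rejected even when a reverse proxy decodes them first. The three-round decoding limit and the sample URLs are assumptions.

```csharp
using System;
using System.Linq;

// Hypothetical helper for illustration; not the library's implementation.
public static class RedirectGuard
{
    private const int MaxDecodeRounds = 3; // assumed limit

    public static bool IsSafeLocalRedirect(string url)
    {
        if (string.IsNullOrEmpty(url)) return false;

        string current = url;
        for (int round = 0; round < MaxDecodeRounds; round++)
        {
            // Validate the value as it is now, then as a decoding hop would see it.
            if (!LooksLocal(current)) return false;
            string decoded = Uri.UnescapeDataString(current);
            if (decoded == current) return true; // fully decoded and still local
            current = decoded;
        }
        return false; // still changing after the limit: reject rather than guess
    }

    // Local means: rooted at "/", not protocol-relative ("//" or "/\"),
    // and free of control characters such as CR/LF.
    private static bool LooksLocal(string s) =>
        s.Length > 0 && s[0] == '/'
        && (s.Length == 1 || (s[1] != '/' && s[1] != '\\'))
        && !s.Any(char.IsControl);

    public static void Main()
    {
        // Constructed sample inputs; evil.example is a placeholder host.
        string[] samples =
        {
            "/home",                  // allow
            "/items?id=1%2F2",        // allow: encoded slash inside the query
            "//evil.example",         // reject: protocol-relative
            "/%2Fevil.example",       // reject: decodes to //evil.example
            "%2F%2Fevil.example",     // reject: not rooted until decoded
            "/%5C%2Fevil.example",    // reject: decodes to /\/evil.example
            "/%252Fevil.example",     // reject: double-encoded variant
            "https://evil.example/",  // reject: absolute URL
        };
        foreach (var s in samples)
            Console.WriteLine($"{s,-24} {(IsSafeLocalRedirect(s) ? "allow" : "reject")}");
    }
}
```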



Contributor Author

dependabot Bot commented on behalf of github May 5, 2026

Labels

The following labels could not be found: dependencies, nuget. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.


github-actions Bot commented May 5, 2026

Unit Test Results

240 tests  ±0   240 ✅ ±0   5s ⏱️ -1s
  7 suites ±0     0 💤 ±0 
  7 files   ±0     0 ❌ ±0 

Results for commit fdc1be3. ± Comparison against base commit fcb8664.

♻️ This comment has been updated with latest results.

@dependabot dependabot Bot force-pushed the dependabot/nuget/prompt-babbler-service/Microsoft.Identity.Web-4.9.0 branch from 86f10c2 to 083af99 Compare May 6, 2026 01:15
---
updated-dependencies:
- dependency-name: Microsoft.Identity.Web
  dependency-version: 4.9.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/nuget/prompt-babbler-service/Microsoft.Identity.Web-4.9.0 branch from 083af99 to 3c7d657 Compare May 6, 2026 05:33
Owner

PlagueHO commented May 6, 2026

CI Failure Triage

Dependency: Microsoft.Identity.Web 4.8.0 → 4.9.0

Failing check: Lint Markdown / Lint Markdown

Triage: The markdown lint failure is unrelated to the dependency bump itself — the PR only modifies a single NuGet version pin in Directory.Packages.props. The markdownlint failure is likely caused by a markdown linting issue already present on main (or introduced by a concurrent change) being surfaced when the CI ran on this PR's branch. The build, test, and Bicep checks all passed.

Root cause: Flaky / pre-existing markdown lint violation — not caused by this dependency update.

Action required: Once the markdown lint issue on main is resolved and this PR is rebased, it should be ready to merge. Comment @dependabot rebase after the lint issue is fixed.

Owner

PlagueHO commented May 6, 2026

CI Triage — Build Failing

This PR cannot be merged automatically because one required check is failing.

Failing Check

Check Status
Lint Markdown / Lint Markdown ❌ failure

Analysis

This PR only changes a single line in Directory.Packages.props (bumping Microsoft.Identity.Web 4.8.0 → 4.9.0). The Markdown lint failure is not caused by this dependency change — it is a pre-existing markdown lint issue in the repository that must be resolved before this PR can be merged.

Recommended Action

  1. Fix the Markdown lint violations on main (or in a separate PR).
  2. Once the lint check passes, this PR should be safe to merge — all build and test checks are passing.

This triage was generated automatically by the Dependabot merge workflow.

Owner

PlagueHO commented May 6, 2026

@copilot fix the failures after updating this package

Contributor

Copilot AI commented May 6, 2026

@copilot fix the failures after updating this package

Fixed the markdown lint failures in commit 7e91a26. The 5 errors were all in .copilot-tracking/research/subagents/2026-05-05/ files:

  • MD040 (missing fenced code language): added text language to bare code blocks in api-endpoints-research.md and dr03-container-deployment-research.md
  • MD028 (blank line inside blockquote): replaced empty lines between blockquote lines with > separators in mcp-auth-aspire-research.md

pnpm lint:md now passes with 0 errors locally.

Copilot AI requested a review from PlagueHO May 6, 2026 09:35
Owner

PlagueHO commented May 6, 2026

@copilot resolve the merge conflicts in this pull request

…pt-babbler-service/Microsoft.Identity.Web-4.9.0

# Conflicts:
#	.copilot-tracking/research/subagents/2026-05-05/dr03-container-deployment-research.md

Co-authored-by: PlagueHO <7589164+PlagueHO@users.noreply.github.com>
Contributor

Copilot AI commented May 6, 2026

@copilot resolve the merge conflicts in this pull request

Resolved in commit fdc1be3. There was one content conflict in .copilot-tracking/research/subagents/2026-05-05/dr03-container-deployment-research.md — both this branch and main had added a language identifier to the same bare fenced code block (this branch used text, main used gitignore). Kept gitignore as the more semantically accurate choice. Directory.Packages.props merged cleanly, preserving both the Microsoft.Identity.Web 4.9.0 bump and the MSTest.TestFramework 4.2.2 update from main. Markdown lint still passes with 0 errors.


github-actions Bot commented May 6, 2026

Summary

Generated on: 05/06/2026 - 09:48:47
Parser: MultiReport (14x Cobertura)
Assemblies: 4
Classes: 49
Files: 46
Line coverage: 54.9% (1714 of 3120)
Covered lines: 1714
Uncovered lines: 1406
Coverable lines: 3120
Total lines: 4775
Branch coverage: 45.9% (388 of 844)
Covered branches: 388
Total branches: 844
Method coverage: Feature is only available for sponsors

Coverage

PromptBabbler.Api - 66.3%
Name Line Branch
PromptBabbler.Api 66.3% 51.3%
Program 0% 0%
PromptBabbler.Api.Controllers.BabbleController 96.4% 83%
PromptBabbler.Api.Controllers.ConfigController 100%
PromptBabbler.Api.Controllers.GeneratedPromptController 100% 100%
PromptBabbler.Api.Controllers.PromptTemplateController 71.4% 46.5%
PromptBabbler.Api.Controllers.TranscriptionWebSocketController 69% 55.2%
PromptBabbler.Api.Controllers.UserController 0% 0%
PromptBabbler.Api.Extensions.ClaimsPrincipalExtensions 100% 50%
PromptBabbler.Api.HealthChecks.AiFoundryHealthCheck 100% 100%
PromptBabbler.Api.HealthChecks.CosmosDbHealthCheck 100% 100%
PromptBabbler.Api.HealthChecks.ManagedIdentityHealthCheck 0%
PromptBabbler.Api.Middleware.AccessCodeMiddleware 100% 93.7%
PromptBabbler.Domain - 100%
Name Line Branch
PromptBabbler.Domain 100%
PromptBabbler.Domain.Interfaces.TranscriptionSession 100%
PromptBabbler.Domain.Models.BabbleSearchResult 100%
PromptBabbler.Domain.Models.TemplateValidationResult 100%
PromptBabbler.Domain.Models.UserSettings 100%
PromptBabbler.Infrastructure - 55.4%
Name Line Branch
PromptBabbler.Infrastructure 55.4% 48.5%
PromptBabbler.Infrastructure.DependencyInjection 0% 0%
PromptBabbler.Infrastructure.Services.AzureFastTranscriptionService 100% 100%
PromptBabbler.Infrastructure.Services.AzureOpenAiPromptGenerationService 0% 0%
PromptBabbler.Infrastructure.Services.AzureSpeechTranscriptionService 0% 0%
PromptBabbler.Infrastructure.Services.BabbleService 94.5% 100%
PromptBabbler.Infrastructure.Services.BuiltInTemplateSeedingService 98.5% 71.4%
PromptBabbler.Infrastructure.Services.CosmosBabbleRepository 22.4% 3.5%
PromptBabbler.Infrastructure.Services.CosmosBabbleRepository.VectorSearchResultItem 0%
PromptBabbler.Infrastructure.Services.CosmosGeneratedPromptRepository 38.3% 12.5%
PromptBabbler.Infrastructure.Services.CosmosPromptTemplateRepository 30.3% 25%
PromptBabbler.Infrastructure.Services.CosmosUserRepository 95.8%
PromptBabbler.Infrastructure.Services.CosmosVectorContainerInitializationService 0% 0%
PromptBabbler.Infrastructure.Services.EmbeddingService 90% 75%
PromptBabbler.Infrastructure.Services.GeneratedPromptService 100% 100%
PromptBabbler.Infrastructure.Services.PromptBuilder 100% 100%
PromptBabbler.Infrastructure.Services.PromptTemplateService 100% 83.3%
PromptBabbler.Infrastructure.Services.TemplateValidationService 94.9% 93.7%
PromptBabbler.Infrastructure.Services.TranscriptionClientWrapper 0% 0%
PromptBabbler.Infrastructure.Services.UserService 100% 91.6%
System.Text.RegularExpressions.Generated 73.9% 48.8%
System.Text.RegularExpressions.Generated.RunnerFactory
System.Text.RegularExpressions.Generated.RunnerFactory.Runner
PromptBabbler.McpServer - 3.5%
Name Line Branch
PromptBabbler.McpServer 3.5% 2.8%
Program 0% 0%
PromptBabbler.McpServer.Client.ApiAuthDelegatingHandler 0% 0%
PromptBabbler.McpServer.Client.ApiAuthOptions 0%
PromptBabbler.McpServer.Client.PromptBabblerApiClient 0% 0%
PromptBabbler.McpServer.HealthChecks.PromptBabblerApiHealthCheck 100% 100%
PromptBabbler.McpServer.McpAccessCodeMiddleware 0% 0%
PromptBabbler.McpServer.Prompts.TemplateReviewPrompt 0%
PromptBabbler.McpServer.Resources.TemplateResources 0% 0%
PromptBabbler.McpServer.Tools.BabbleTools 0% 0%
PromptBabbler.McpServer.Tools.GeneratedPromptTools 0% 0%
PromptBabbler.McpServer.Tools.PromptTemplateTools 0% 0%

Owner

@PlagueHO PlagueHO left a comment


:lgtm:

@PlagueHO PlagueHO merged commit 7e0078a into main May 6, 2026
18 checks passed
@PlagueHO PlagueHO deleted the dependabot/nuget/prompt-babbler-service/Microsoft.Identity.Web-4.9.0 branch May 6, 2026 09:54