
Bump Microsoft.Identity.Web and 2 others#42

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/nuget/src/MX.TalkWithTiles.CoreEngine.Tests/nuget-4c1300299d

@dependabot dependabot Bot commented on behalf of github May 3, 2026

Updated Microsoft.Identity.Web from 4.8.0 to 4.9.0.

Release notes

Sourced from Microsoft.Identity.Web's releases.

4.9.0

New features

  • Sidecar: per-route override gating. New Sidecar:AllowOverrides configuration section provides explicit, per-route control over whether optionsOverride.* query-string parameters are honored. Authenticated routes default to allowing overrides (preserving existing behavior); unauthenticated routes default to rejecting them. optionsOverride.BaseUrl is unconditionally rejected on all routes as a hardening measure. See #​3794.

Bug fixes

  • Fix AccountController.Challenge redirect URI validation to reject percent-encoded protocol-relative bypasses (%2F%2F, %5C%2F, etc.) that could be decoded by misconfigured reverse proxies. See #​3792.

Behavior changes

  • DownstreamApi: reserved header filtering. Headers supplied via DownstreamApiOptions.ExtraHeaderParameters whose names match reserved HTTP headers (Authorization, Host, Content-Length, Proxy-Authorization, Sec-*, Proxy-*, etc.) or duplicate a header the library already set are now silently skipped. A warning-level log entry (ReservedHeaderIgnored / DuplicateHeaderIgnored) is emitted so operators can spot misconfigurations. No exception is thrown. See #​3793.

Dependencies updates

  • Update Azure.Identity 1.11.4 → 1.17.2 and establish Microsoft.Extensions.* 8.0.x minimum on older TFMs. Azure.Identity 1.17.2 (sovereign-cloud fixes) pulls in Azure.Core 1.50.0, which introduces a transitive dependency on Microsoft.Extensions.DependencyInjection.Abstractions 8.0.2 on non-framework-coupled TFMs (net462, net472, netstandard2.0). This caused a CS0433 type collision with the previously-pinned Microsoft.Extensions.DependencyInjection 2.1.0. Rather than patch individual packages, the entire Microsoft.Extensions.* stack on these older TFMs has been bumped to 8.0.x, closing several 5-year version gaps and aligning with the net8.0 baseline. If your application targets net462, net472, or netstandard2.0, your resolved Microsoft.Extensions.* versions will increase (e.g., Extensions.Http 3.1.3 → 8.0.0, Extensions.DependencyInjection 2.1.0 → 8.0.0, Extensions.Caching.Memory 2.1.0/6.0.2 → 8.0.1). Applications already targeting net8.0+ are unaffected. See #​3787.
  • Bump System.Text.Json 8.0.5 → 8.0.6 (CVE-2024-43485). See #​3787.
  • Bump Microsoft.AspNetCore.DataProtection to 10.0.7 for CVE fix on net10.0. See #​3796.
  • Bump OpenTelemetry.Exporter.OpenTelemetryProtocol 1.14.0 → 1.15.3. See #​3788.

Full Changelog: AzureAD/microsoft-identity-web@4.8.0...4.9.0

Commits viewable in compare view.

Updated Microsoft.Identity.Web.UI from 4.8.0 to 4.9.0.

Release notes

Sourced from Microsoft.Identity.Web.UI's releases.

4.9.0

New features

  • Sidecar: per-route override gating. New Sidecar:AllowOverrides configuration section provides explicit, per-route control over whether optionsOverride.* query-string parameters are honored. Authenticated routes default to allowing overrides (preserving existing behavior); unauthenticated routes default to rejecting them. optionsOverride.BaseUrl is unconditionally rejected on all routes as a hardening measure. See #​3794.

Bug fixes

  • Fix AccountController.Challenge redirect URI validation to reject percent-encoded protocol-relative bypasses (%2F%2F, %5C%2F, etc.) that could be decoded by misconfigured reverse proxies. See #​3792.

Behavior changes

  • DownstreamApi: reserved header filtering. Headers supplied via DownstreamApiOptions.ExtraHeaderParameters whose names match reserved HTTP headers (Authorization, Host, Content-Length, Proxy-Authorization, Sec-*, Proxy-*, etc.) or duplicate a header the library already set are now silently skipped. A warning-level log entry (ReservedHeaderIgnored / DuplicateHeaderIgnored) is emitted so operators can spot misconfigurations. No exception is thrown. See #​3793.

Dependencies updates

  • Update Azure.Identity 1.11.4 → 1.17.2 and establish Microsoft.Extensions.* 8.0.x minimum on older TFMs. Azure.Identity 1.17.2 (sovereign-cloud fixes) pulls in Azure.Core 1.50.0, which introduces a transitive dependency on Microsoft.Extensions.DependencyInjection.Abstractions 8.0.2 on non-framework-coupled TFMs (net462, net472, netstandard2.0). This caused a CS0433 type collision with the previously-pinned Microsoft.Extensions.DependencyInjection 2.1.0. Rather than patch individual packages, the entire Microsoft.Extensions.* stack on these older TFMs has been bumped to 8.0.x, closing several 5-year version gaps and aligning with the net8.0 baseline. If your application targets net462, net472, or netstandard2.0, your resolved Microsoft.Extensions.* versions will increase (e.g., Extensions.Http 3.1.3 → 8.0.0, Extensions.DependencyInjection 2.1.0 → 8.0.0, Extensions.Caching.Memory 2.1.0/6.0.2 → 8.0.1). Applications already targeting net8.0+ are unaffected. See #​3787.
  • Bump System.Text.Json 8.0.5 → 8.0.6 (CVE-2024-43485). See #​3787.
  • Bump Microsoft.AspNetCore.DataProtection to 10.0.7 for CVE fix on net10.0. See #​3796.
  • Bump OpenTelemetry.Exporter.OpenTelemetryProtocol 1.14.0 → 1.15.3. See #​3788.

Full Changelog: AzureAD/microsoft-identity-web@4.8.0...4.9.0

Commits viewable in compare view.

Updated Microsoft.NET.Test.Sdk from 18.4.0 to 18.5.1.

Release notes

Sourced from Microsoft.NET.Test.Sdk's releases.

18.5.1

What's Changed

Full Changelog: microsoft/vstest@v18.5.0...v18.5.1

18.5.0

⚠️ Unlisted on Nuget, because of #​15718

What's Changed

Full Changelog: microsoft/vstest@v18.4.0...v18.5.0

Commits viewable in compare view.
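
The 4.9.0 bug-fix note above concerns redirect targets that only become protocol-relative after a proxy percent-decodes them. The following is an added illustration of that class of check, not Microsoft.Identity.Web's implementation; `LocalRedirectGuard`, its decode budget and the sample inputs are hypothetical and constructed for this example.

```csharp
using System;

// Added illustration; LocalRedirectGuard is a hypothetical helper,
// not Microsoft.Identity.Web's implementation.
public static class LocalRedirectGuard
{
    private const int MaxDecodeRounds = 3; // assumed budget for nested encoding

    // True only if the value is a rooted local path in its raw form AND in
    // every form a percent-decoding proxy could turn it into.
    public static bool IsSafeLocalRedirect(string redirectUri)
    {
        if (string.IsNullOrEmpty(redirectUri)) return false;

        string current = redirectUri;
        for (int round = 0; round <= MaxDecodeRounds; round++)
        {
            if (!LooksLocal(current)) return false;
            string decoded = Uri.UnescapeDataString(current);
            if (decoded == current) return true;  // fully decoded and still local
            current = decoded;
        }
        return false; // still changing after the decode budget: reject
    }

    private static bool LooksLocal(string s)
    {
        if (s[0] != '/') return false;                                   // absolute URL or raw "%2F%2F..."
        if (s.Length > 1 && (s[1] == '/' || s[1] == '\\')) return false; // "//host", "/\host"
        foreach (char c in s)
            if (char.IsControl(c)) return false;                         // CR/LF/tab smuggling
        return true;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample inputs; evil.example is a placeholder host.
        string[] samples =
        {
            "/home", "/search?next=%2Faccount", "//evil.example", "/\\evil.example",
            "/%2Fevil.example", "/%5C%2Fevil.example", "%2F%2Fevil.example",
            "/%252Fevil.example", "https://evil.example/",
        };
        foreach (string s in samples)
            Console.WriteLine($"{(LocalRedirectGuard.IsSafeLocalRedirect(s) ? "allow " : "reject")}  {s}");
    }
}
```

Only the first two samples are allowed; every other value is absolute, protocol-relative, or becomes protocol-relative after one or two rounds of decoding.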

@dependabot dependabot Bot added the .NET (Pull requests that update .NET code) and dependencies (Pull requests that update a dependency file) labels May 3, 2026
github-actions Bot commented May 3, 2026

Dependency Review

The following issues were found:
  • ✅ 0 vulnerable package(s)
  • ✅ 0 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ⚠️ 5 package(s) with unknown licenses.
See the Details below.

License Issues

src/MX.TalkWithTiles.CoreEngine.Tests/MX.TalkWithTiles.CoreEngine.Tests.csproj

Package | Version | License | Issue Type
Microsoft.NET.Test.Sdk | 18.5.1 | Null | Unknown License

src/MX.TalkWithTiles.Scrabble.Tests/MX.TalkWithTiles.Scrabble.Tests.csproj

Package | Version | License | Issue Type
Microsoft.NET.Test.Sdk | 18.5.1 | Null | Unknown License

src/MX.TalkWithTiles.Web.Tests/MX.TalkWithTiles.Web.Tests.csproj

Package | Version | License | Issue Type
Microsoft.NET.Test.Sdk | 18.5.1 | Null | Unknown License

src/MX.TalkWithTiles.Web/MX.TalkWithTiles.Web.csproj

Package | Version | License | Issue Type
Microsoft.Identity.Web | 4.9.0 | Null | Unknown License
Microsoft.Identity.Web.UI | 4.9.0 | Null | Unknown License

OpenSSF Scorecard

Package | Version | Score | Details
nuget/Microsoft.NET.Test.Sdk | 18.5.1 | 🟢 4.3 | Details

Check | Score | Reason
Packaging | ⚠️ -1 | packaging workflow not detected
Code-Review | 🟢 6 | Found 18/26 approved changesets -- score normalized to 6
Maintained | 🟢 10 | 30 commit(s) and 25 issue activity found in the last 90 days -- score normalized to 10
Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions
CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected
Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected
Security-Policy | 🟢 10 | security policy file detected
License | 🟢 10 | license file detected
Signed-Releases | ⚠️ -1 | no releases found
Binary-Artifacts | ⚠️ 0 | binaries present in source code
Branch-Protection | ⚠️ 2 | branch protection is not maximal on development and all release branches
SAST | ⚠️ 0 | SAST tool is not run on all commits -- score normalized to 0
Fuzzing | ⚠️ 0 | project is not fuzzed
Pinned-Dependencies | ⚠️ 0 | dependency not pinned by hash detected -- score normalized to 0
nuget/Microsoft.Identity.Web | 4.9.0 | Unknown | Unknown
nuget/Microsoft.Identity.Web.UI | 4.9.0 | Unknown | Unknown

Scanned Files

  • src/MX.TalkWithTiles.CoreEngine.Tests/MX.TalkWithTiles.CoreEngine.Tests.csproj
  • src/MX.TalkWithTiles.Scrabble.Tests/MX.TalkWithTiles.Scrabble.Tests.csproj
  • src/MX.TalkWithTiles.Web.Tests/MX.TalkWithTiles.Web.Tests.csproj
  • src/MX.TalkWithTiles.Web/MX.TalkWithTiles.Web.csproj

@github-actions github-actions Bot enabled auto-merge (squash) May 3, 2026 04:07
@dependabot dependabot Bot temporarily deployed to Development May 3, 2026 04:08 Inactive
@dependabot dependabot Bot temporarily deployed to Development May 3, 2026 04:08 Inactive
github-actions Bot commented May 3, 2026

Superseded — A newer run has replaced this result.

🏗️ Terraform Plan

🌍 Environment: dev

✅ Validate — Passed

✅ Plan

Count
➕ Add 21
📋 Resource Details
Action Resource
➕ Create azuread_application.web
➕ Create azuread_application_password.web
➕ Create azuread_service_principal.web
➕ Create azurerm_app_service_certificate_binding.primary
➕ Create azurerm_app_service_custom_hostname_binding.primary
➕ Create azurerm_app_service_managed_certificate.primary
➕ Create azurerm_application_insights.ai
➕ Create azurerm_dns_cname_record.web_app
➕ Create azurerm_dns_txt_record.app_service_verification
➕ Create azurerm_linux_web_app.app
➕ Create azurerm_role_assignment.web_table_data_contributor
➕ Create azurerm_storage_account.data
➕ Create azurerm_storage_table.tables["contacts"]
➕ Create azurerm_storage_table.tables["gameinvites"]
➕ Create azurerm_storage_table.tables["scrabble"]
➕ Create azurerm_storage_table.tables["scrabbleindex"]
➕ Create azurerm_storage_table.tables["scrabbletiles"]
➕ Create random_id.environment_id
➕ Create random_id.storage
➕ Create time_rotating.thirty_days
➕ Create time_sleep.wait_for_hostname_binding

github-actions Bot commented May 3, 2026

Superseded — A newer run has replaced this result.


Bumps Microsoft.Identity.Web from 4.8.0 to 4.9.0
Bumps Microsoft.Identity.Web.UI from 4.8.0 to 4.9.0
Bumps Microsoft.NET.Test.Sdk from 18.4.0 to 18.5.1

---
updated-dependencies:
- dependency-name: Microsoft.Identity.Web
  dependency-version: 4.9.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: nuget
- dependency-name: Microsoft.Identity.Web.UI
  dependency-version: 4.9.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: nuget
- dependency-name: Microsoft.NET.Test.Sdk
  dependency-version: 18.5.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: nuget
- dependency-name: Microsoft.NET.Test.Sdk
  dependency-version: 18.5.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: nuget
- dependency-name: Microsoft.NET.Test.Sdk
  dependency-version: 18.5.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: nuget
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot changed the title Bump the nuget group with 3 updates Bump Microsoft.Identity.Web and 2 others May 10, 2026
@dependabot dependabot Bot force-pushed the dependabot/nuget/src/MX.TalkWithTiles.CoreEngine.Tests/nuget-4c1300299d branch from 3eff920 to 6f8cfc8 Compare May 10, 2026 04:07
dependabot Bot commented on behalf of github May 10, 2026

Superseded by #46.

@dependabot dependabot Bot closed this May 10, 2026
auto-merge was automatically disabled May 10, 2026 04:08

Pull request was closed

@dependabot dependabot Bot deleted the dependabot/nuget/src/MX.TalkWithTiles.CoreEngine.Tests/nuget-4c1300299d branch May 10, 2026 04:08
@dependabot dependabot Bot temporarily deployed to Development May 10, 2026 04:08 Inactive