Skip to content

Bump Microsoft.Identity.Web and Microsoft.Identity.Web.UI#55

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/nuget/src/MX.TravelItinerary.Web/nuget-e9b2dc1c11
Closed

Bump Microsoft.Identity.Web and Microsoft.Identity.Web.UI#55
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/nuget/src/MX.TravelItinerary.Web/nuget-e9b2dc1c11

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github May 3, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Updated Microsoft.Identity.Web from 4.8.0 to 4.9.0.

Release notes

Sourced from Microsoft.Identity.Web's releases.

4.9.0

New features

  • Sidecar: per-route override gating. New Sidecar:AllowOverrides configuration section provides explicit, per-route control over whether optionsOverride.* query-string parameters are honored. Authenticated routes default to allowing overrides (preserving existing behavior); unauthenticated routes default to rejecting them. optionsOverride.BaseUrl is unconditionally rejected on all routes as a hardening measure. See #​3794.

Bug fixes

  • Fix AccountController.Challenge redirect URI validation to reject percent-encoded protocol-relative bypasses (%2F%2F, %5C%2F, etc.) that could be decoded by misconfigured reverse proxies. See #​3792.

Behavior changes

  • DownstreamApi: reserved header filtering. Headers supplied via DownstreamApiOptions.ExtraHeaderParameters whose names match reserved HTTP headers (Authorization, Host, Content-Length, Proxy-Authorization, Sec-*, Proxy-*, etc.) or duplicate a header the library already set are now silently skipped. A warning-level log entry (ReservedHeaderIgnored / DuplicateHeaderIgnored) is emitted so operators can spot misconfigurations. No exception is thrown. See #​3793.

Dependencies updates

  • Update Azure.Identity 1.11.4 → 1.17.2 and establish Microsoft.Extensions.* 8.0.x minimum on older TFMs. Azure.Identity 1.17.2 (sovereign-cloud fixes) pulls in Azure.Core 1.50.0, which introduces a transitive dependency on Microsoft.Extensions.DependencyInjection.Abstractions 8.0.2 on non-framework-coupled TFMs (net462, net472, netstandard2.0). This caused a CS0433 type collision with the previously-pinned Microsoft.Extensions.DependencyInjection 2.1.0. Rather than patch individual packages, the entire Microsoft.Extensions.* stack on these older TFMs has been bumped to 8.0.x, closing several 5-year version gaps and aligning with the net8.0 baseline. If your application targets net462, net472, or netstandard2.0, your resolved Microsoft.Extensions.* versions will increase (e.g., Extensions.Http 3.1.3 → 8.0.0, Extensions.DependencyInjection 2.1.0 → 8.0.0, Extensions.Caching.Memory 2.1.0/6.0.2 → 8.0.1). Applications already targeting net8.0+ are unaffected. See #​3787.
  • Bump System.Text.Json 8.0.5 → 8.0.6 (CVE-2024-43485). See #​3787.
  • Bump Microsoft.AspNetCore.DataProtection to 10.0.7 for CVE fix on net10.0. See #​3796.
  • Bump OpenTelemetry.Exporter.OpenTelemetryProtocol 1.14.0 → 1.15.3. See #​3788.

Full Changelog: AzureAD/microsoft-identity-web@4.8.0...4.9.0

Commits viewable in compare view.

Updated Microsoft.Identity.Web.UI from 4.8.0 to 4.9.0.

Release notes

Sourced from Microsoft.Identity.Web.UI's releases.

4.9.0

New features

  • Sidecar: per-route override gating. New Sidecar:AllowOverrides configuration section provides explicit, per-route control over whether optionsOverride.* query-string parameters are honored. Authenticated routes default to allowing overrides (preserving existing behavior); unauthenticated routes default to rejecting them. optionsOverride.BaseUrl is unconditionally rejected on all routes as a hardening measure. See #​3794.

Bug fixes

  • Fix AccountController.Challenge redirect URI validation to reject percent-encoded protocol-relative bypasses (%2F%2F, %5C%2F, etc.) that could be decoded by misconfigured reverse proxies. See #​3792.

Behavior changes

  • DownstreamApi: reserved header filtering. Headers supplied via DownstreamApiOptions.ExtraHeaderParameters whose names match reserved HTTP headers (Authorization, Host, Content-Length, Proxy-Authorization, Sec-*, Proxy-*, etc.) or duplicate a header the library already set are now silently skipped. A warning-level log entry (ReservedHeaderIgnored / DuplicateHeaderIgnored) is emitted so operators can spot misconfigurations. No exception is thrown. See #​3793.

Dependencies updates

  • Update Azure.Identity 1.11.4 → 1.17.2 and establish Microsoft.Extensions.* 8.0.x minimum on older TFMs. Azure.Identity 1.17.2 (sovereign-cloud fixes) pulls in Azure.Core 1.50.0, which introduces a transitive dependency on Microsoft.Extensions.DependencyInjection.Abstractions 8.0.2 on non-framework-coupled TFMs (net462, net472, netstandard2.0). This caused a CS0433 type collision with the previously-pinned Microsoft.Extensions.DependencyInjection 2.1.0. Rather than patch individual packages, the entire Microsoft.Extensions.* stack on these older TFMs has been bumped to 8.0.x, closing several 5-year version gaps and aligning with the net8.0 baseline. If your application targets net462, net472, or netstandard2.0, your resolved Microsoft.Extensions.* versions will increase (e.g., Extensions.Http 3.1.3 → 8.0.0, Extensions.DependencyInjection 2.1.0 → 8.0.0, Extensions.Caching.Memory 2.1.0/6.0.2 → 8.0.1). Applications already targeting net8.0+ are unaffected. See #​3787.
  • Bump System.Text.Json 8.0.5 → 8.0.6 (CVE-2024-43485). See #​3787.
  • Bump Microsoft.AspNetCore.DataProtection to 10.0.7 for CVE fix on net10.0. See #​3796.
  • Bump OpenTelemetry.Exporter.OpenTelemetryProtocol 1.14.0 → 1.15.3. See #​3788.

Full Changelog: AzureAD/microsoft-identity-web@4.8.0...4.9.0

Commits viewable in compare view.

@dependabot dependabot Bot added .NET Pull requests that update .NET code dependencies Pull requests that update a dependency file labels May 3, 2026
@github-actions github-actions Bot enabled auto-merge (squash) May 3, 2026 03:48
@github-actions

github-actions Bot commented May 3, 2026
edited
Loading

Copy link
Copy Markdown

Dependency Review

The following issues were found:
  • ✅ 0 vulnerable package(s)
  • ✅ 0 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ⚠️ 2 package(s) with unknown licenses.
See the Details below.

License Issues

src/MX.TravelItinerary.Web/MX.TravelItinerary.Web.csproj

PackageVersionLicenseIssue Type
Microsoft.Identity.Web4.9.0NullUnknown License
Microsoft.Identity.Web.UI4.9.0NullUnknown License

OpenSSF Scorecard

PackageVersionScoreDetails
nuget/Microsoft.Identity.Web 4.9.0 UnknownUnknown
nuget/Microsoft.Identity.Web.UI 4.9.0 UnknownUnknown

Scanned Files

  • src/MX.TravelItinerary.Web/MX.TravelItinerary.Web.csproj

@dependabot dependabot Bot temporarily deployed to Development May 3, 2026 03:49 Inactive
@dependabot dependabot Bot temporarily deployed to Development May 3, 2026 03:49 Inactive
@github-actions

github-actions Bot commented May 3, 2026
edited
Loading

Copy link
Copy Markdown
Superseded — A newer run has replaced this result.

🏗️ Terraform Plan

🌍 Environment: dev

✅ Validate — Passed

✅ Plan

Count
➕ Add 28
📋 Resource Details
Action Resource
➕ Create azuread_application.web
➕ Create azuread_application_password.web
➕ Create azuread_service_principal.web
➕ Create azurerm_app_service_certificate_binding.primary
➕ Create azurerm_app_service_custom_hostname_binding.primary
➕ Create azurerm_app_service_managed_certificate.primary
➕ Create azurerm_application_insights.ai
➕ Create azurerm_dns_cname_record.web_app
➕ Create azurerm_dns_txt_record.app_service_verification
➕ Create azurerm_key_vault.kv
➕ Create azurerm_key_vault_secret.google_maps_api_key
➕ Create azurerm_linux_web_app.app
➕ Create azurerm_role_assignment.deploy_kv_secrets_officer
➕ Create azurerm_role_assignment.web_app_kv_secrets_user
➕ Create azurerm_role_assignment.web_table_data_contributor
➕ Create azurerm_storage_account.data
➕ Create azurerm_storage_table.tables["bookings"]
➕ Create azurerm_storage_table.tables["itinerary_entries"]
➕ Create azurerm_storage_table.tables["saved_share_links"]
➕ Create azurerm_storage_table.tables["share_links"]
➕ Create azurerm_storage_table.tables["trip_access"]
➕ Create azurerm_storage_table.tables["trips"]
➕ Create google_apikeys_key.maps
➕ Create random_id.environment_id
➕ Create random_id.maps_key
➕ Create random_id.storage
➕ Create time_rotating.thirty_days
➕ Create time_sleep.wait_for_hostname_binding

@github-actions

github-actions Bot commented May 3, 2026

Copy link
Copy Markdown

🏗️ Terraform Plan

🌍 Environment: dev

✅ Validate — Passed

✅ Plan

Count
➕ Add 28
📋 Resource Details
Action Resource
➕ Create azuread_application.web
➕ Create azuread_application_password.web
➕ Create azuread_service_principal.web
➕ Create azurerm_app_service_certificate_binding.primary
➕ Create azurerm_app_service_custom_hostname_binding.primary
➕ Create azurerm_app_service_managed_certificate.primary
➕ Create azurerm_application_insights.ai
➕ Create azurerm_dns_cname_record.web_app
➕ Create azurerm_dns_txt_record.app_service_verification
➕ Create azurerm_key_vault.kv
➕ Create azurerm_key_vault_secret.google_maps_api_key
➕ Create azurerm_linux_web_app.app
➕ Create azurerm_role_assignment.deploy_kv_secrets_officer
➕ Create azurerm_role_assignment.web_app_kv_secrets_user
➕ Create azurerm_role_assignment.web_table_data_contributor
➕ Create azurerm_storage_account.data
➕ Create azurerm_storage_table.tables["bookings"]
➕ Create azurerm_storage_table.tables["itinerary_entries"]
➕ Create azurerm_storage_table.tables["saved_share_links"]
➕ Create azurerm_storage_table.tables["share_links"]
➕ Create azurerm_storage_table.tables["trip_access"]
➕ Create azurerm_storage_table.tables["trips"]
➕ Create google_apikeys_key.maps
➕ Create random_id.environment_id
➕ Create random_id.maps_key
➕ Create random_id.storage
➕ Create time_rotating.thirty_days
➕ Create time_sleep.wait_for_hostname_binding

@dependabot
Bump Microsoft.Identity.Web and Microsoft.Identity.Web.UI
8d96759 
Bumps Microsoft.Identity.Web from 4.8.0 to 4.9.0
Bumps Microsoft.Identity.Web.UI from 4.8.0 to 4.9.0

---
updated-dependencies:
- dependency-name: Microsoft.Identity.Web
  dependency-version: 4.9.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: nuget
- dependency-name: Microsoft.Identity.Web.UI
  dependency-version: 4.9.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: nuget
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot changed the title Bump the nuget group with 2 updates Bump Microsoft.Identity.Web and Microsoft.Identity.Web.UI May 10, 2026
@dependabot dependabot Bot force-pushed the dependabot/nuget/src/MX.TravelItinerary.Web/nuget-e9b2dc1c11 branch from 9cd5597 to 8d96759 Compare May 10, 2026 03:48
@dependabot @github

dependabot Bot commented on behalf of github May 10, 2026

Copy link
Copy Markdown
Contributor Author

Superseded by #58.

@dependabot dependabot Bot closed this May 10, 2026
auto-merge was automatically disabled May 10, 2026 03:49

Pull request was closed

@dependabot dependabot Bot deleted the dependabot/nuget/src/MX.TravelItinerary.Web/nuget-e9b2dc1c11 branch May 10, 2026 03:49
@sonarqubecloud

sonarqubecloud Bot commented May 10, 2026

Copy link
Copy Markdown

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@frasermolyneux frasermolyneux

Labels

dependencies Pull requests that update a dependency file .NET Pull requests that update .NET code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@frasermolyneux