[release/13.4] Bump StreamJsonRpc to 2.25.29 to clear MessagePack NU1903#18204
Merged
Conversation
The aspire-starter template was emitting NU1903 for transitive MessagePack 2.5.192 (GHSA-hv8m-jj95-wg3x / CVE-2026-48109) because the shared StreamJsonRpc 2.22.23 dependency pulled it in. Updating StreamJsonRpc to 2.25.25 brings MessagePack 2.5.198, outside the advisory's vulnerable range. The advisory affects only MessagePack's LZ4 decompression path. We do not use MessagePackFormatter anywhere - all StreamJsonRpc sites use SystemTextJsonFormatter - and our JSON-RPC transports are local UDS under the user's home directory, so the underlying vulnerability was not reachable. This change is warning hygiene. Fixes #18153 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
StreamJsonRpc 2.25.25 still declares a transitive dep on MessagePack 2.5.198, which is inside the advisory's vulnerable range (< 2.5.302). Add a direct PackageReference on MessagePack to Aspire.Hosting so consumers (including generated AppHosts from 'aspire new aspire-starter') restore the patched version, and NU1903 is no longer emitted. This can be removed once StreamJsonRpc ships a release that depends on MessagePack >= 2.5.302. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
StreamJsonRpc 2.25.25 ships analyzers built against Roslyn 4.14, which breaks template tests that build generated AppHosts with the .NET 8 SDK (CSC error CS9057). The MessagePack 2.5.302 direct pin in Aspire.Hosting already overrides StreamJsonRpc 2.22.23's transitive MessagePack 2.5.192 in consumer projects, so the GHSA-hv8m-jj95-wg3x warning is silenced without needing the StreamJsonRpc bump. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
StreamJsonRpc 2.25.28 brings MessagePack 2.5.302 transitively, which is above the GHSA-hv8m-jj95-wg3x / CVE-2026-48109 vulnerable range. This lets us drop the direct MessagePack PackageReference (and PackageVersion) we added earlier as a workaround. StreamJsonRpc 2.25.x ships an analyzer built against Roslyn 4.14, which is newer than the Roslyn 4.11 in the .NET 8 SDK used by template tests to build generated AppHost projects (would trigger CSC error CS9057). We don't use the StreamJsonRpc analyzers anywhere in this assembly, so ExcludeAssets="analyzers" skips them. NuGet bakes the exclusion into the Aspire.Hosting nuspec so downstream consumers (AppHost projects) also skip the analyzer transitively. See microsoft/vs-streamjsonrpc#1459 for the upstream MessagePack bump. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
ExcludeAssets in Aspire.Hosting alone is not enough: the .NET 8 SDK discovers analyzer DLLs in the NuGet cache by convention regardless of the project.assets.json exclude flags, and StreamJsonRpc.Analyzers.dll (Roslyn 4.14) fails to load under SDK 8's Roslyn 4.11 with CS9057. Add a target in Aspire.Hosting.AppHost.targets that runs before CoreCompile and removes any Analyzer item whose path contains 'StreamJsonRpc.Analyzers'. Aspire doesn't depend on any of the StreamJsonRpc analyzer diagnostics, so dropping them is safe. Verified locally: building a net8.0 AppHost with the .NET 8 SDK (Roslyn 4.11) no longer hits CS9057. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
The Aspire.Hosting.AppHost targets file only reaches direct AppHost consumers — but Aspire.Hosting.Testing also pulls StreamJsonRpc in transitively, and the test project (.aspire_xunitTests.csproj) hit the same CS9057 under .NET 8 SDK. Move the analyzer-strip target into Aspire.Hosting's buildTransitive/Aspire.Hosting.targets so every consumer of Aspire.Hosting (AppHost projects, test projects, etc.) automatically drops the StreamJsonRpc analyzer. Verified locally: a net8.0 test project that references Aspire.Hosting.Testing builds cleanly under the .NET 8 SDK. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
aspire-repo-bot
Bot
requested review from
JamesNK,
danegsta,
davidfowl,
karolz-ms and
mitchdenny
as code owners
Contributor
|
🚀 Dogfood this PR with:
curl -fsSL https://raw.githubusercontent.com/microsoft/aspire/main/eng/scripts/get-aspire-cli-pr.sh | bash -s -- 18204Or
iex "& { $(irm https://raw.githubusercontent.com/microsoft/aspire/main/eng/scripts/get-aspire-cli-pr.ps1) } 18204" |
Contributor
|
❓ CLI E2E Tests unknown — 112 passed, 0 failed, 2 unknown (commit View all recordings
📹 Recordings uploaded automatically from CI run #27521232193 |
This was referenced Jun 15, 2026
StreamJsonRpc 2.25.29 ships analyzers compiled against an older Roslyn that is compatible with the .NET 8 SDK (vs-streamjsonrpc#1463 / #1399), so the buildTransitive analyzer-strip target and the ExcludeAssets flag on the PackageReference are no longer needed. Mirrors the final state of #18155 on main. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
mitchdenny
changed the title
JamesNK
approved these changes
Jun 16, 2026
davidfowl
approved these changes
Jun 16, 2026
joperezr
approved these changes
Jun 16, 2026
This was referenced Jun 17, 2026
renebentes
pushed a commit
to renebentes/3054
that referenced
this pull request
Jun 25, 2026
Updated [Aspire.Hosting.AppHost](https://github.com/microsoft/aspire) from 13.4.4 to 13.4.6. <details> <summary>Release notes</summary> _Sourced from [Aspire.Hosting.AppHost's releases](https://github.com/microsoft/aspire/releases)._ ## 13.4.6 ## What's New in Aspire 13.4.6 Patch release for Aspire 13.4 fixing polyglot AppHost code generation binding when CLI and SDK versions diverge, resource service port collision in `--isolated` mode, and a MongoDB.Driver dependency update. ### 🐛 Fixes - 🔗 **Polyglot AppHost code generation silently failed when CLI and SDK versions diverged** — `Aspire.TypeSystem` used a floating strong-name `AssemblyVersion` that changed with every build. When the installed Aspire CLI was built at a different version than the AppHost's SDK, the CLR couldn't satisfy the strong-name bind and every code generator (TypeScript, Python, Java, Go, Rust) was silently dropped, surfacing as `No code generator found for language: <lang>`. The `AssemblyVersion` is now frozen at a stable constant so any compatible CLI/SDK pair on 13.4 binds successfully. Relates to #18110 and #17910. ([#18160](microsoft/aspire#18160), `@sebastienros`) - 🔌 **Multiple AppHosts started with `--isolated` collided on the resource service port** — Both instances tried to bind to the same fixed port from `ASPIRE_RESOURCE_SERVICE_ENDPOINT_URL`, causing an "address already in use" error on the second instance. `DashboardServiceHost` now binds to port 0 on loopback when `RandomizePorts` is true (set by `--isolated`), letting the OS assign a unique port per instance. ([#18341](microsoft/aspire#18341), `@JamesNK`) - 🍃 **MongoDB.Driver updated to 3.9.0** — Removes a wrongly pinned `SharpCompress` transitive dependency and uses the corrected `Snappier` transitive. Fixes #17981. ([#18279](microsoft/aspire#18279), `@Falco20019`) ### 🏷️ Housekeeping - 🚀 Bumped branding to 13.4.6 ([#18343](microsoft/aspire#18343)) --- _Full Changelog: [v13.4.5...v13.4.6](microsoft/aspire@v13.4.5...v13.4.6)_ _Full commit: [87fe259e4fc244c599019a7b1304c85a1488f248](microsoft/aspire@87fe259e4fc244c599019a7b1304c85a1488f248)_ > Generated by [Generate release notes for a new stable Aspire release](https://github.com/microsoft/aspire/actions/runs/27855270514) · 131 AIC · ⌖ 13.5 AIC · ⊞ 37.4K <!-- gh-aw-agentic-workflow: Generate release notes for a new stable Aspire release, engine: copilot, version: 1.0.60, model: claude-sonnet-4.6, id: 27855270514, workflow_id: release-notes-generate, run: https://github.com/microsoft/aspire/actions/runs/27855270514 --> ## 13.4.5 ## What's New in Aspire 13.4.5 Patch release for Aspire 13.4 clearing a transitive MessagePack security advisory, tightening CLI validation for Playwright configuration, and adding coding-agent detection to CLI telemetry. ### 🐛 Fixes - 🛡️ **Bumped StreamJsonRpc to 2.25.29 to clear the MessagePack GHSA-hv8m-jj95-wg3x (CVE-2026-48109) NU1903 advisory** — The transitive MessagePack 2.5.192 dependency pulled in via StreamJsonRpc 2.22.23 fell within the advisory's vulnerable LZ4 decompression range. Aspire does not use `MessagePackFormatter` or LZ4 — all StreamJsonRpc calls use `SystemTextJsonFormatter` over local Unix sockets — so the vulnerability was not reachable in practice. The bump clears the NU1903 warning for consumers of the `Aspire.Hosting` package. ([#18204](microsoft/aspire#18204), `@mitchdenny`) - 🎭 **`playwrightCliVersion` values that are not valid SemVer 2.0 now fail fast with a clear diagnostic** — Previously an invalid override (range expression, dist-tag like `latest`, or a `v`-prefixed string) would surface as a generic npm resolution failure. The value is now validated with strict SemVer parsing at startup; an error naming the configuration key and the offending value is emitted immediately. ([#18205](microsoft/aspire#18205), `@mitchdenny`) - 🤖 **CLI telemetry now detects and reports the calling coding agent** — When the Aspire CLI is invoked from inside a known coding agent environment (GitHub Copilot CLI, VS Code Copilot agent, etc.) the agent name is included in the main CLI telemetry event. GitHub Copilot CLI is specifically identified as `copilot-cli`. ([#18240](microsoft/aspire#18240), `@damianedwards`) ### 🏷️ Housekeeping - 📄 Refreshed the `@microsoft/aspire-cli` npm package README to be TypeScript-only — updated examples to the current `ts-starter` template (`apphost.mts` / `aspire.mjs`), added a backing-services snippet showing `aspire add` for PostgreSQL and Redis, and documented `aspire dashboard run` as a standalone dashboard option. ([#18221](microsoft/aspire#18221), `@adamint`) --- _Full Changelog: [v13.4.4...v13.4.5](microsoft/aspire@v13.4.4...v13.4.5)_ _Full commit: [73114e86c64aeb9f3f3c7da8e37df1ae4281b27e](microsoft/aspire@73114e86c64aeb9f3f3c7da8e37df1ae4281b27e)_ > Generated by [Generate release notes for a new stable Aspire release](https://github.com/microsoft/aspire/actions/runs/27667814104/agentic_workflow) · ● 4.4M <!-- gh-aw-agentic-workflow: Generate release notes for a new stable Aspire release, engine: copilot, version: 1.0.40, model: claude-sonnet-4.6, id: 27667814104, workflow_id: release-notes-generate, run: https://github.com/microsoft/aspire/actions/runs/27667814104 --> Commits viewable in [compare view](microsoft/aspire@v13.4.4-release...v13.4.6). </details> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
renebentes
pushed a commit
to renebentes/3054
that referenced
this pull request
Jun 25, 2026
Updated [Aspire.Hosting.PostgreSQL](https://github.com/microsoft/aspire) from 13.3.5 to 13.4.6. <details> <summary>Release notes</summary> _Sourced from [Aspire.Hosting.PostgreSQL's releases](https://github.com/microsoft/aspire/releases)._ ## 13.4.6 ## What's New in Aspire 13.4.6 Patch release for Aspire 13.4 fixing polyglot AppHost code generation binding when CLI and SDK versions diverge, resource service port collision in `--isolated` mode, and a MongoDB.Driver dependency update. ### 🐛 Fixes - 🔗 **Polyglot AppHost code generation silently failed when CLI and SDK versions diverged** — `Aspire.TypeSystem` used a floating strong-name `AssemblyVersion` that changed with every build. When the installed Aspire CLI was built at a different version than the AppHost's SDK, the CLR couldn't satisfy the strong-name bind and every code generator (TypeScript, Python, Java, Go, Rust) was silently dropped, surfacing as `No code generator found for language: <lang>`. The `AssemblyVersion` is now frozen at a stable constant so any compatible CLI/SDK pair on 13.4 binds successfully. Relates to #18110 and #17910. ([#18160](microsoft/aspire#18160), `@sebastienros`) - 🔌 **Multiple AppHosts started with `--isolated` collided on the resource service port** — Both instances tried to bind to the same fixed port from `ASPIRE_RESOURCE_SERVICE_ENDPOINT_URL`, causing an "address already in use" error on the second instance. `DashboardServiceHost` now binds to port 0 on loopback when `RandomizePorts` is true (set by `--isolated`), letting the OS assign a unique port per instance. ([#18341](microsoft/aspire#18341), `@JamesNK`) - 🍃 **MongoDB.Driver updated to 3.9.0** — Removes a wrongly pinned `SharpCompress` transitive dependency and uses the corrected `Snappier` transitive. Fixes #17981. ([#18279](microsoft/aspire#18279), `@Falco20019`) ### 🏷️ Housekeeping - 🚀 Bumped branding to 13.4.6 ([#18343](microsoft/aspire#18343)) --- _Full Changelog: [v13.4.5...v13.4.6](microsoft/aspire@v13.4.5...v13.4.6)_ _Full commit: [87fe259e4fc244c599019a7b1304c85a1488f248](microsoft/aspire@87fe259e4fc244c599019a7b1304c85a1488f248)_ > Generated by [Generate release notes for a new stable Aspire release](https://github.com/microsoft/aspire/actions/runs/27855270514) · 131 AIC · ⌖ 13.5 AIC · ⊞ 37.4K <!-- gh-aw-agentic-workflow: Generate release notes for a new stable Aspire release, engine: copilot, version: 1.0.60, model: claude-sonnet-4.6, id: 27855270514, workflow_id: release-notes-generate, run: https://github.com/microsoft/aspire/actions/runs/27855270514 --> ## 13.4.5 ## What's New in Aspire 13.4.5 Patch release for Aspire 13.4 clearing a transitive MessagePack security advisory, tightening CLI validation for Playwright configuration, and adding coding-agent detection to CLI telemetry. ### 🐛 Fixes - 🛡️ **Bumped StreamJsonRpc to 2.25.29 to clear the MessagePack GHSA-hv8m-jj95-wg3x (CVE-2026-48109) NU1903 advisory** — The transitive MessagePack 2.5.192 dependency pulled in via StreamJsonRpc 2.22.23 fell within the advisory's vulnerable LZ4 decompression range. Aspire does not use `MessagePackFormatter` or LZ4 — all StreamJsonRpc calls use `SystemTextJsonFormatter` over local Unix sockets — so the vulnerability was not reachable in practice. The bump clears the NU1903 warning for consumers of the `Aspire.Hosting` package. ([#18204](microsoft/aspire#18204), `@mitchdenny`) - 🎭 **`playwrightCliVersion` values that are not valid SemVer 2.0 now fail fast with a clear diagnostic** — Previously an invalid override (range expression, dist-tag like `latest`, or a `v`-prefixed string) would surface as a generic npm resolution failure. The value is now validated with strict SemVer parsing at startup; an error naming the configuration key and the offending value is emitted immediately. ([#18205](microsoft/aspire#18205), `@mitchdenny`) - 🤖 **CLI telemetry now detects and reports the calling coding agent** — When the Aspire CLI is invoked from inside a known coding agent environment (GitHub Copilot CLI, VS Code Copilot agent, etc.) the agent name is included in the main CLI telemetry event. GitHub Copilot CLI is specifically identified as `copilot-cli`. ([#18240](microsoft/aspire#18240), `@damianedwards`) ### 🏷️ Housekeeping - 📄 Refreshed the `@microsoft/aspire-cli` npm package README to be TypeScript-only — updated examples to the current `ts-starter` template (`apphost.mts` / `aspire.mjs`), added a backing-services snippet showing `aspire add` for PostgreSQL and Redis, and documented `aspire dashboard run` as a standalone dashboard option. ([#18221](microsoft/aspire#18221), `@adamint`) --- _Full Changelog: [v13.4.4...v13.4.5](microsoft/aspire@v13.4.4...v13.4.5)_ _Full commit: [73114e86c64aeb9f3f3c7da8e37df1ae4281b27e](microsoft/aspire@73114e86c64aeb9f3f3c7da8e37df1ae4281b27e)_ > Generated by [Generate release notes for a new stable Aspire release](https://github.com/microsoft/aspire/actions/runs/27667814104/agentic_workflow) · ● 4.4M <!-- gh-aw-agentic-workflow: Generate release notes for a new stable Aspire release, engine: copilot, version: 1.0.40, model: claude-sonnet-4.6, id: 27667814104, workflow_id: release-notes-generate, run: https://github.com/microsoft/aspire/actions/runs/27667814104 --> ## 13.4.4 ## What's New in Aspire 13.4.4 Patch release for Aspire 13.4 with improved DCP connection reliability during request execution and consistent `ExcludeFromMcp()` filtering across all CLI MCP tools. ### 🐛 Fixes * 🔌 **DCP requests could fail permanently when the connection dropped mid-request** — If the underlying DCP channel closed while a request was in flight, the error was surfaced directly instead of being retried. Reconnection is now attempted as part of the DCP request retry path so transient disconnections recover automatically without surfacing errors. ([#18096](microsoft/aspire#18096), `@karolz-ms`) * 🔍 **Resources marked with `ExcludeFromMcp()` were not consistently filtered from CLI MCP tools** — Resources with the `resource.excludeFromMcp` property were not excluded uniformly from all CLI MCP tool results. `list_resources`, `list_console_logs`, `execute_resource_command`, `list_structured_logs`, `list_traces`, and `list_trace_structured_logs` all now honor the exclusion, preventing excluded resources and their telemetry from appearing in agent context. ([#18150](microsoft/aspire#18150), `@JamesNK`) ### 🏷️ Housekeeping * 📦 Improved npm CLI package metadata and hardened npm publish validation in the release pipeline. ([#18093](microsoft/aspire#18093), `@adamratzman`) * * * _Full Changelog: [v13.4.3...v13.4.4](microsoft/aspire@v13.4.3...v13.4.4)_ _Full commit: [ccc566c5ab3285c9beb8f38ede34734bb477c029](microsoft/aspire@ccc566c5ab3285c9beb8f38ede34734bb477c029)_ ## 13.4.3 ## What's New in Aspire 13.4.3 Patch release for Aspire 13.4 with a fix for persistent container endpoint allocation regressions introduced in 13.4. ### 🐛 Fixes - 🔌 **Persistent container endpoints had incorrect default behavior** — Persistent containers were defaulting to proxyless endpoint behavior instead of the proxied behavior used by normal containers. This caused integrations that depend on endpoint allocation before resource startup (such as the KeyVault emulator) to fail. Persistent containers now default to proxied endpoints matching normal container behavior; opt out with `isProxied: false` or `WithEndpointProxySupport(false)`. Proxyless container endpoints with only a `targetPort` specified now also resolve immediately to that port instead of waiting for delayed allocation. (#17960, `@danegsta`) ### 🏷️ Housekeeping - 🛠️ Unblocked WinGet manifest publishing on locked-down 1ES agents and updated manifest tags (#17958) --- *Full Changelog: microsoft/aspire@v13.4.2...v13.4.3* *Full commit: [4f218933552e18ff2874d1b6d5dc3fe671e3b6d9](microsoft/aspire@4f218933552e18ff2874d1b6d5dc3fe671e3b6d9)* > Generated by [Generate release notes for a new stable Aspire release](https://github.com/microsoft/aspire/actions/runs/27173824611/agentic_workflow) · ● 4.7M <!-- gh-aw-agentic-workflow: Generate release notes for a new stable Aspire release, engine: copilot, version: 1.0.40, model: claude-sonnet-4.6, id: 27173824611, workflow_id: release-notes-generate, run: https://github.com/microsoft/aspire/actions/runs/27173824611 --> ## 13.4.2 ## What's New in Aspire 13.4.2 Patch release for Aspire 13.4 with a fix for Redis persistent container deadlock on startup when using TLS. ### 🐛 Fixes - 🔴 **Redis with `WithLifetime(ContainerLifetime.Persistent)` could deadlock on startup** — Redis TLS startup arguments used the public/allocated host ports instead of the internal target ports. When the public port differed from the target port (or was not yet allocated) the container would listen on an unexpected port and become unreachable. The TLS and non-TLS startup arguments now bind to target ports, matching what Redis expects internally. Fixes #17822. (#17827, backported via #17850, `@danegsta`) ### 🏷️ Housekeeping - 🚀 Bumped branding to 13.4.2 (#17876) --- *Full Changelog: microsoft/aspire@v13.4.1...v13.4.2* *Full commit: [d7d0b6759ce4b936c76bc4775814d27db560dd6d](microsoft/aspire@d7d0b6759ce4b936c76bc4775814d27db560dd6d)* > Generated by [Generate release notes for a new stable Aspire release](https://github.com/microsoft/aspire/actions/runs/26920328099/agentic_workflow) · ● 5M <!-- gh-aw-agentic-workflow: Generate release notes for a new stable Aspire release, engine: copilot, version: 1.0.40, model: claude-sonnet-4.6, id: 26920328099, workflow_id: release-notes-generate, run: https://github.com/microsoft/aspire/actions/runs/26920328099 --> ## 13.4.1 ## What's New in Aspire 13.4.1 Patch release for Aspire 13.4 with fixes for explicit-start resource lifecycle callbacks, Redis persistent container startup, proxyless endpoint allocation, and a duplicated `profiles` block in the empty C# AppHost template. ### 🐛 Fixes - ⏱️ **Explicit-start resources triggered lifecycle callbacks too early** — Session-scoped resources marked with `WithExplicitStart()` were having their execution configuration callbacks (environment variables, arguments, certificates) evaluated at AppHost startup instead of at manual start. This meant user-interaction callbacks such as `WithEnvironment(ctx => PromptForValueAsync(...))` were called before the user triggered the resource. DCP registration is now deferred until the user manually starts the resource; persistent explicit-start resources still register immediately but patch the existing DCP record to `Start = true` rather than deleting and recreating it. Fixes #17813. (#17825, backported via #17826, `@danegsta`) - 🔴 **Redis with `WithLifetime(ContainerLifetime.Persistent)` could deadlock on startup** — Redis TLS startup arguments used the public/allocated host ports instead of the internal target ports. When the public port differed from the target port (or was not yet allocated) the container would listen on an unexpected port and become unreachable. The TLS and non-TLS startup arguments now bind to target ports, matching what Redis expects internally. Fixes #17822. (#17827, backported via #17850, `@danegsta`) - 🔌 **Proxyless container endpoint could hang when resolved before container creation** — Referencing a proxyless container endpoint in an environment variable callback (before the container port spec was finalized) could deadlock. An on-demand allocation path now commits the target port as the fallback host port in that case; once `BuildContainerPorts` runs, normal DCP dynamic port assignment takes over for any later resolution. (#17851, backported via #17859, `@danegsta`) - 📄 **Empty C# AppHost template emitted duplicate `profiles` block** — `aspire new aspire-empty` on 13.4 produced an `aspire.config.json` with a `profiles` block that duplicated the content already present in `apphost.run.json`, causing redundant launch configuration. The embedded template now contains only the required `appHost.path` binding; profile configuration lives exclusively in `apphost.run.json`. Fixes #17660. (#17781, backported via #17820, `@mitchdenny`) ### 🏷️ Housekeeping - 📦 Added Aspire CLI npm package to the release pipeline so the npm distribution is published as part of stable releases. (#17297, backported via #17766, `@adamint`) - 🚀 Bumped branding to 13.4.1 (#17819) --- *Full Changelog: microsoft/aspire@v13.4.0...v13.4.1* *Full commit: [cf985fa817dd5863e7f62eb74fa1725ab5069ed2](microsoft/aspire@cf985fa817dd5863e7f62eb74fa1725ab5069ed2)* > Generated by [Generate release notes for a new stable Aspire release](https://github.com/microsoft/aspire/actions/runs/26909313891/agentic_workflow) · ● 1.0.40 > Generated by [Generate release notes for a new stable Aspire release](https://github.com/microsoft/aspire/actions/runs/26909313891/agentic_workflow) · ● 3.9M <!-- gh-aw-agentic-workflow: Generate release notes for a new stable Aspire release, engine: copilot, version: 1.0.40, model: claude-sonnet-4.6, id: 26909313891, workflow_id: release-notes-generate, run: https://github.com/microsoft/aspire/actions/runs/26909313891 --> ## 13.4.0 # Aspire 13.4.0 Aspire 13.4 brings major improvements to Foundry hosted agents, the Aspire skills system, CLI reliability, and TypeScript AppHost stability — with cross-compute-environment deployment now working end-to-end and **TypeScript AppHost support — Aspire's polyglot story — reaching general availability (GA)**. ## Highlights - 🎉 **TypeScript AppHost is now GA** — First introduced as a preview in an earlier version of Aspire, the TypeScript AppHost — Aspire's polyglot story — has reached the quality bar for general availability and is now officially supported for production use alongside C#. As part of GA, the experimental markers on the Azure TypeScript AppHost (ATS) APIs have been removed and the ATS surface area is stable for 13.4. - 🤖 **Foundry hosted agents** — Protocol selection (`responses` / `invocations`) is now configurable from both C# and TypeScript AppHosts. Cross-compute-environment deployments (e.g., a Foundry hosted agent + an AKS consumer) now wire up correctly: endpoint resolution and the required **Azure AI User** RBAC role assignment on the Foundry account are generated automatically — no manual `az role assignment create` steps needed. - 🛠️ **Aspire skills catalog from bundle** — `aspire agent init` now drives its installable skill catalog from the bundle manifest, surfacing all six bundled skills (previously only three were visible). An embedded snapshot means the full catalog is available even in airgapped / disconnected environments. - 🔧 **CLI reliability** — Multiple CLI fixes: implicit-channel discovery restored, `aspire stop` no longer falsely reports failure on Unix, `aspire ps` no longer includes raw resource data (use `aspire describe` for detailed state), `aspire new` prefers the current CLI template version, friendly error for `aspire do --list-steps` without a step argument, and improved `--search` option description with documentation link. - ⌨️ **TypeScript AppHost** — Fixed a deadlock that occurred when lazy options callbacks invoked async methods; dev-localhost resource service URLs are now accepted for local development without extra configuration. - 📊 **Dashboard** — Summary log formatting improved for readability, `dotnet watch` dashboard auto-launch signal restored, and dynamic-port handling fixed for `DistributedApplicationTestingBuilder`. - ☸️ **Kubernetes** — The Helm CLI minimum version (≥ 4.2.0) is now validated before a Kubernetes deploy, giving a clear error instead of a cryptic failure. -⚠️ **`Aspire.Hosting.Blazor` ships as preview in 13.4** — A packaging issue with the Blazor gateway scripts means the package is intentionally marked preview for this release. Full stable support is targeted for 13.5. ##⚠️ Notable changes - `aspire ps` no longer includes raw resource data in its output. Use `aspire describe <resource>` to inspect detailed resource state. - Foundry hosted agent builder API shape updated — see [#17545](microsoft/aspire#17545) and [#17669](microsoft/aspire#17669) for the updated C# and TypeScript signatures. - `Aspire.Hosting.Blazor` is preview-versioned in 13.4 (`SuppressFinalPackageVersion=true`). A fix for the `addBlazorGateway` gateway script resolution error in TypeScript AppHosts is tracked in [#17685](microsoft/aspire#17685). ## 📖 Learn more For the full details on everything in this release, check out the [What's new in Aspire 13.4](https://aspire.dev/whats-new/aspire-13-4/) documentation. Thank you to all the community contributors who helped make Aspire 13.4 possible! 💜 --- *Full Changelog: microsoft/aspire@v13.3.5...v13.4.0* *Full commit: [becb48e2d61099e35ae336d527d3875e928d6594](microsoft/aspire@becb48e2d61099e35ae336d527d3875e928d6594)* > Generated by [Generate release notes for a new stable Aspire release](https://github.com/microsoft/aspire/actions/runs/26779980139/agentic_workflow) · ● 6.5M <!-- gh-aw-agentic-workflow: Generate release notes for a new stable Aspire release, engine: copilot, version: 1.0.40, model: claude-sonnet-4.6, id: 26779980139, workflow_id: release-notes-generate, run: https://github.com/microsoft/aspire/actions/runs/26779980139 --> Commits viewable in [compare view](microsoft/aspire@v13.3.5...v13.4.6). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
renebentes
pushed a commit
to renebentes/3054
that referenced
this pull request
Jun 25, 2026
…to 13.4.6 (#208) Updated [Aspire.Npgsql.EntityFrameworkCore.PostgreSQL](https://github.com/microsoft/aspire) from 13.3.5 to 13.4.6. <details> <summary>Release notes</summary> _Sourced from [Aspire.Npgsql.EntityFrameworkCore.PostgreSQL's releases](https://github.com/microsoft/aspire/releases)._ ## 13.4.6 ## What's New in Aspire 13.4.6 Patch release for Aspire 13.4 fixing polyglot AppHost code generation binding when CLI and SDK versions diverge, resource service port collision in `--isolated` mode, and a MongoDB.Driver dependency update. ### 🐛 Fixes - 🔗 **Polyglot AppHost code generation silently failed when CLI and SDK versions diverged** — `Aspire.TypeSystem` used a floating strong-name `AssemblyVersion` that changed with every build. When the installed Aspire CLI was built at a different version than the AppHost's SDK, the CLR couldn't satisfy the strong-name bind and every code generator (TypeScript, Python, Java, Go, Rust) was silently dropped, surfacing as `No code generator found for language: <lang>`. The `AssemblyVersion` is now frozen at a stable constant so any compatible CLI/SDK pair on 13.4 binds successfully. Relates to #18110 and #17910. ([#18160](microsoft/aspire#18160), `@sebastienros`) - 🔌 **Multiple AppHosts started with `--isolated` collided on the resource service port** — Both instances tried to bind to the same fixed port from `ASPIRE_RESOURCE_SERVICE_ENDPOINT_URL`, causing an "address already in use" error on the second instance. `DashboardServiceHost` now binds to port 0 on loopback when `RandomizePorts` is true (set by `--isolated`), letting the OS assign a unique port per instance. ([#18341](microsoft/aspire#18341), `@JamesNK`) - 🍃 **MongoDB.Driver updated to 3.9.0** — Removes a wrongly pinned `SharpCompress` transitive dependency and uses the corrected `Snappier` transitive. Fixes #17981. ([#18279](microsoft/aspire#18279), `@Falco20019`) ### 🏷️ Housekeeping - 🚀 Bumped branding to 13.4.6 ([#18343](microsoft/aspire#18343)) --- _Full Changelog: [v13.4.5...v13.4.6](microsoft/aspire@v13.4.5...v13.4.6)_ _Full commit: [87fe259e4fc244c599019a7b1304c85a1488f248](microsoft/aspire@87fe259e4fc244c599019a7b1304c85a1488f248)_ > Generated by [Generate release notes for a new stable Aspire release](https://github.com/microsoft/aspire/actions/runs/27855270514) · 131 AIC · ⌖ 13.5 AIC · ⊞ 37.4K <!-- gh-aw-agentic-workflow: Generate release notes for a new stable Aspire release, engine: copilot, version: 1.0.60, model: claude-sonnet-4.6, id: 27855270514, workflow_id: release-notes-generate, run: https://github.com/microsoft/aspire/actions/runs/27855270514 --> ## 13.4.5 ## What's New in Aspire 13.4.5 Patch release for Aspire 13.4 clearing a transitive MessagePack security advisory, tightening CLI validation for Playwright configuration, and adding coding-agent detection to CLI telemetry. ### 🐛 Fixes - 🛡️ **Bumped StreamJsonRpc to 2.25.29 to clear the MessagePack GHSA-hv8m-jj95-wg3x (CVE-2026-48109) NU1903 advisory** — The transitive MessagePack 2.5.192 dependency pulled in via StreamJsonRpc 2.22.23 fell within the advisory's vulnerable LZ4 decompression range. Aspire does not use `MessagePackFormatter` or LZ4 — all StreamJsonRpc calls use `SystemTextJsonFormatter` over local Unix sockets — so the vulnerability was not reachable in practice. The bump clears the NU1903 warning for consumers of the `Aspire.Hosting` package. ([#18204](microsoft/aspire#18204), `@mitchdenny`) - 🎭 **`playwrightCliVersion` values that are not valid SemVer 2.0 now fail fast with a clear diagnostic** — Previously an invalid override (range expression, dist-tag like `latest`, or a `v`-prefixed string) would surface as a generic npm resolution failure. The value is now validated with strict SemVer parsing at startup; an error naming the configuration key and the offending value is emitted immediately. ([#18205](microsoft/aspire#18205), `@mitchdenny`) - 🤖 **CLI telemetry now detects and reports the calling coding agent** — When the Aspire CLI is invoked from inside a known coding agent environment (GitHub Copilot CLI, VS Code Copilot agent, etc.) the agent name is included in the main CLI telemetry event. GitHub Copilot CLI is specifically identified as `copilot-cli`. ([#18240](microsoft/aspire#18240), `@damianedwards`) ### 🏷️ Housekeeping - 📄 Refreshed the `@microsoft/aspire-cli` npm package README to be TypeScript-only — updated examples to the current `ts-starter` template (`apphost.mts` / `aspire.mjs`), added a backing-services snippet showing `aspire add` for PostgreSQL and Redis, and documented `aspire dashboard run` as a standalone dashboard option. ([#18221](microsoft/aspire#18221), `@adamint`) --- _Full Changelog: [v13.4.4...v13.4.5](microsoft/aspire@v13.4.4...v13.4.5)_ _Full commit: [73114e86c64aeb9f3f3c7da8e37df1ae4281b27e](microsoft/aspire@73114e86c64aeb9f3f3c7da8e37df1ae4281b27e)_ > Generated by [Generate release notes for a new stable Aspire release](https://github.com/microsoft/aspire/actions/runs/27667814104/agentic_workflow) · ● 4.4M <!-- gh-aw-agentic-workflow: Generate release notes for a new stable Aspire release, engine: copilot, version: 1.0.40, model: claude-sonnet-4.6, id: 27667814104, workflow_id: release-notes-generate, run: https://github.com/microsoft/aspire/actions/runs/27667814104 --> ## 13.4.4 ## What's New in Aspire 13.4.4 Patch release for Aspire 13.4 with improved DCP connection reliability during request execution and consistent `ExcludeFromMcp()` filtering across all CLI MCP tools. ### 🐛 Fixes * 🔌 **DCP requests could fail permanently when the connection dropped mid-request** — If the underlying DCP channel closed while a request was in flight, the error was surfaced directly instead of being retried. Reconnection is now attempted as part of the DCP request retry path so transient disconnections recover automatically without surfacing errors. ([#18096](microsoft/aspire#18096), `@karolz-ms`) * 🔍 **Resources marked with `ExcludeFromMcp()` were not consistently filtered from CLI MCP tools** — Resources with the `resource.excludeFromMcp` property were not excluded uniformly from all CLI MCP tool results. `list_resources`, `list_console_logs`, `execute_resource_command`, `list_structured_logs`, `list_traces`, and `list_trace_structured_logs` all now honor the exclusion, preventing excluded resources and their telemetry from appearing in agent context. ([#18150](microsoft/aspire#18150), `@JamesNK`) ### 🏷️ Housekeeping * 📦 Improved npm CLI package metadata and hardened npm publish validation in the release pipeline. ([#18093](microsoft/aspire#18093), `@adamratzman`) * * * _Full Changelog: [v13.4.3...v13.4.4](microsoft/aspire@v13.4.3...v13.4.4)_ _Full commit: [ccc566c5ab3285c9beb8f38ede34734bb477c029](microsoft/aspire@ccc566c5ab3285c9beb8f38ede34734bb477c029)_ ## 13.4.3 ## What's New in Aspire 13.4.3 Patch release for Aspire 13.4 with a fix for persistent container endpoint allocation regressions introduced in 13.4. ### 🐛 Fixes - 🔌 **Persistent container endpoints had incorrect default behavior** — Persistent containers were defaulting to proxyless endpoint behavior instead of the proxied behavior used by normal containers. This caused integrations that depend on endpoint allocation before resource startup (such as the KeyVault emulator) to fail. Persistent containers now default to proxied endpoints matching normal container behavior; opt out with `isProxied: false` or `WithEndpointProxySupport(false)`. Proxyless container endpoints with only a `targetPort` specified now also resolve immediately to that port instead of waiting for delayed allocation. (#17960, `@danegsta`) ### 🏷️ Housekeeping - 🛠️ Unblocked WinGet manifest publishing on locked-down 1ES agents and updated manifest tags (#17958) --- *Full Changelog: microsoft/aspire@v13.4.2...v13.4.3* *Full commit: [4f218933552e18ff2874d1b6d5dc3fe671e3b6d9](microsoft/aspire@4f218933552e18ff2874d1b6d5dc3fe671e3b6d9)* > Generated by [Generate release notes for a new stable Aspire release](https://github.com/microsoft/aspire/actions/runs/27173824611/agentic_workflow) · ● 4.7M <!-- gh-aw-agentic-workflow: Generate release notes for a new stable Aspire release, engine: copilot, version: 1.0.40, model: claude-sonnet-4.6, id: 27173824611, workflow_id: release-notes-generate, run: https://github.com/microsoft/aspire/actions/runs/27173824611 --> ## 13.4.2 ## What's New in Aspire 13.4.2 Patch release for Aspire 13.4 with a fix for Redis persistent container deadlock on startup when using TLS. ### 🐛 Fixes - 🔴 **Redis with `WithLifetime(ContainerLifetime.Persistent)` could deadlock on startup** — Redis TLS startup arguments used the public/allocated host ports instead of the internal target ports. When the public port differed from the target port (or was not yet allocated) the container would listen on an unexpected port and become unreachable. The TLS and non-TLS startup arguments now bind to target ports, matching what Redis expects internally. Fixes #17822. (#17827, backported via #17850, `@danegsta`) ### 🏷️ Housekeeping - 🚀 Bumped branding to 13.4.2 (#17876) --- *Full Changelog: microsoft/aspire@v13.4.1...v13.4.2* *Full commit: [d7d0b6759ce4b936c76bc4775814d27db560dd6d](microsoft/aspire@d7d0b6759ce4b936c76bc4775814d27db560dd6d)* > Generated by [Generate release notes for a new stable Aspire release](https://github.com/microsoft/aspire/actions/runs/26920328099/agentic_workflow) · ● 5M <!-- gh-aw-agentic-workflow: Generate release notes for a new stable Aspire release, engine: copilot, version: 1.0.40, model: claude-sonnet-4.6, id: 26920328099, workflow_id: release-notes-generate, run: https://github.com/microsoft/aspire/actions/runs/26920328099 --> ## 13.4.1 ## What's New in Aspire 13.4.1 Patch release for Aspire 13.4 with fixes for explicit-start resource lifecycle callbacks, Redis persistent container startup, proxyless endpoint allocation, and a duplicated `profiles` block in the empty C# AppHost template. ### 🐛 Fixes - ⏱️ **Explicit-start resources triggered lifecycle callbacks too early** — Session-scoped resources marked with `WithExplicitStart()` were having their execution configuration callbacks (environment variables, arguments, certificates) evaluated at AppHost startup instead of at manual start. This meant user-interaction callbacks such as `WithEnvironment(ctx => PromptForValueAsync(...))` were called before the user triggered the resource. DCP registration is now deferred until the user manually starts the resource; persistent explicit-start resources still register immediately but patch the existing DCP record to `Start = true` rather than deleting and recreating it. Fixes #17813. (#17825, backported via #17826, `@danegsta`) - 🔴 **Redis with `WithLifetime(ContainerLifetime.Persistent)` could deadlock on startup** — Redis TLS startup arguments used the public/allocated host ports instead of the internal target ports. When the public port differed from the target port (or was not yet allocated) the container would listen on an unexpected port and become unreachable. The TLS and non-TLS startup arguments now bind to target ports, matching what Redis expects internally. Fixes #17822. (#17827, backported via #17850, `@danegsta`) - 🔌 **Proxyless container endpoint could hang when resolved before container creation** — Referencing a proxyless container endpoint in an environment variable callback (before the container port spec was finalized) could deadlock. An on-demand allocation path now commits the target port as the fallback host port in that case; once `BuildContainerPorts` runs, normal DCP dynamic port assignment takes over for any later resolution. (#17851, backported via #17859, `@danegsta`) - 📄 **Empty C# AppHost template emitted duplicate `profiles` block** — `aspire new aspire-empty` on 13.4 produced an `aspire.config.json` with a `profiles` block that duplicated the content already present in `apphost.run.json`, causing redundant launch configuration. The embedded template now contains only the required `appHost.path` binding; profile configuration lives exclusively in `apphost.run.json`. Fixes #17660. (#17781, backported via #17820, `@mitchdenny`) ### 🏷️ Housekeeping - 📦 Added Aspire CLI npm package to the release pipeline so the npm distribution is published as part of stable releases. (#17297, backported via #17766, `@adamint`) - 🚀 Bumped branding to 13.4.1 (#17819) --- *Full Changelog: microsoft/aspire@v13.4.0...v13.4.1* *Full commit: [cf985fa817dd5863e7f62eb74fa1725ab5069ed2](microsoft/aspire@cf985fa817dd5863e7f62eb74fa1725ab5069ed2)* > Generated by [Generate release notes for a new stable Aspire release](https://github.com/microsoft/aspire/actions/runs/26909313891/agentic_workflow) · ● 1.0.40 > Generated by [Generate release notes for a new stable Aspire release](https://github.com/microsoft/aspire/actions/runs/26909313891/agentic_workflow) · ● 3.9M <!-- gh-aw-agentic-workflow: Generate release notes for a new stable Aspire release, engine: copilot, version: 1.0.40, model: claude-sonnet-4.6, id: 26909313891, workflow_id: release-notes-generate, run: https://github.com/microsoft/aspire/actions/runs/26909313891 --> ## 13.4.0 # Aspire 13.4.0 Aspire 13.4 brings major improvements to Foundry hosted agents, the Aspire skills system, CLI reliability, and TypeScript AppHost stability — with cross-compute-environment deployment now working end-to-end and **TypeScript AppHost support — Aspire's polyglot story — reaching general availability (GA)**. ## Highlights - 🎉 **TypeScript AppHost is now GA** — First introduced as a preview in an earlier version of Aspire, the TypeScript AppHost — Aspire's polyglot story — has reached the quality bar for general availability and is now officially supported for production use alongside C#. As part of GA, the experimental markers on the Azure TypeScript AppHost (ATS) APIs have been removed and the ATS surface area is stable for 13.4. - 🤖 **Foundry hosted agents** — Protocol selection (`responses` / `invocations`) is now configurable from both C# and TypeScript AppHosts. Cross-compute-environment deployments (e.g., a Foundry hosted agent + an AKS consumer) now wire up correctly: endpoint resolution and the required **Azure AI User** RBAC role assignment on the Foundry account are generated automatically — no manual `az role assignment create` steps needed. - 🛠️ **Aspire skills catalog from bundle** — `aspire agent init` now drives its installable skill catalog from the bundle manifest, surfacing all six bundled skills (previously only three were visible). An embedded snapshot means the full catalog is available even in airgapped / disconnected environments. - 🔧 **CLI reliability** — Multiple CLI fixes: implicit-channel discovery restored, `aspire stop` no longer falsely reports failure on Unix, `aspire ps` no longer includes raw resource data (use `aspire describe` for detailed state), `aspire new` prefers the current CLI template version, friendly error for `aspire do --list-steps` without a step argument, and improved `--search` option description with documentation link. - ⌨️ **TypeScript AppHost** — Fixed a deadlock that occurred when lazy options callbacks invoked async methods; dev-localhost resource service URLs are now accepted for local development without extra configuration. - 📊 **Dashboard** — Summary log formatting improved for readability, `dotnet watch` dashboard auto-launch signal restored, and dynamic-port handling fixed for `DistributedApplicationTestingBuilder`. - ☸️ **Kubernetes** — The Helm CLI minimum version (≥ 4.2.0) is now validated before a Kubernetes deploy, giving a clear error instead of a cryptic failure. -⚠️ **`Aspire.Hosting.Blazor` ships as preview in 13.4** — A packaging issue with the Blazor gateway scripts means the package is intentionally marked preview for this release. Full stable support is targeted for 13.5. ##⚠️ Notable changes - `aspire ps` no longer includes raw resource data in its output. Use `aspire describe <resource>` to inspect detailed resource state. - Foundry hosted agent builder API shape updated — see [#17545](microsoft/aspire#17545) and [#17669](microsoft/aspire#17669) for the updated C# and TypeScript signatures. - `Aspire.Hosting.Blazor` is preview-versioned in 13.4 (`SuppressFinalPackageVersion=true`). A fix for the `addBlazorGateway` gateway script resolution error in TypeScript AppHosts is tracked in [#17685](microsoft/aspire#17685). ## 📖 Learn more For the full details on everything in this release, check out the [What's new in Aspire 13.4](https://aspire.dev/whats-new/aspire-13-4/) documentation. Thank you to all the community contributors who helped make Aspire 13.4 possible! 💜 --- *Full Changelog: microsoft/aspire@v13.3.5...v13.4.0* *Full commit: [becb48e2d61099e35ae336d527d3875e928d6594](microsoft/aspire@becb48e2d61099e35ae336d527d3875e928d6594)* > Generated by [Generate release notes for a new stable Aspire release](https://github.com/microsoft/aspire/actions/runs/26779980139/agentic_workflow) · ● 6.5M <!-- gh-aw-agentic-workflow: Generate release notes for a new stable Aspire release, engine: copilot, version: 1.0.40, model: claude-sonnet-4.6, id: 26779980139, workflow_id: release-notes-generate, run: https://github.com/microsoft/aspire/actions/runs/26779980139 --> Commits viewable in [compare view](microsoft/aspire@v13.3.5...v13.4.6). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
This was referenced Jun 25, 2026
Open
Open
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Backport of #18155 to release/13.4
/cc @mitchdenny
Customer Impact
Customers running
dotnet new aspire-startersee anNU1903warning that the transitiveMessagePack 2.5.192package has a known high severity vulnerability (GHSA-hv8m-jj95-wg3x / CVE-2026-48109). Aspire is not directly exposed (no MessagePack code paths reached at runtime; JsonRpc traffic uses System.Text.Json over local Unix domain sockets), but the warning is surfaced to every Aspire user on package restore and is noisy enough that customers think they need to act on it.Testing
Validated by the full CI suite on #18155, including the template tests (
templates-*jobs across xUnit / NUnit / MSTest / "new up and build" matrices) which exercisedotnet new aspire-starterand build the generated AppHost projects under both the current and previous SDKs. TheNU1903warning is gone in the generated projects after the bump.Risk
Very low. The change is a transitive dependency bump in
Aspire.Hosting(StreamJsonRpc 2.22.23 -> 2.25.29) plus aDirectory.Packages.propsversion update. StreamJsonRpc public surface remained backwards compatible and the analyzer-Roslyn-compatibility regression that bit2.25.25-2.25.28is fixed in2.25.29(vs-streamjsonrpc#1463 / #1399), so no MSBuild workaround is required.Regression?
No. The MessagePack advisory was published after 13.4 snapped; this is the first cut at it.