Bump the aspire group with 4 updates

[dependabot]

Updated Aspire.AppHost.Sdk from 13.4.2 to 13.4.6.

Release notes

Sourced from Aspire.AppHost.Sdk's releases.

13.4.6

What's New in Aspire 13.4.6

Patch release for Aspire 13.4 fixing polyglot AppHost code generation binding when CLI and SDK versions diverge, resource service port collision in --isolated mode, and a MongoDB.Driver dependency update.

🐛 Fixes

• 🔗 Polyglot AppHost code generation silently failed when CLI and SDK versions diverged — Aspire.TypeSystem used a floating strong-name AssemblyVersion that changed with every build. When the installed Aspire CLI was built at a different version than the AppHost's SDK, the CLR couldn't satisfy the strong-name bind and every code generator (TypeScript, Python, Java, Go, Rust) was silently dropped, surfacing as No code generator found for language: <lang>. The AssemblyVersion is now frozen at a stable constant so any compatible CLI/SDK pair on 13.4 binds successfully. Relates to #​18110 and #​17910. (#​18160, @​sebastienros)

• 🔌 Multiple AppHosts started with --isolated collided on the resource service port — Both instances tried to bind to the same fixed port from ASPIRE_RESOURCE_SERVICE_ENDPOINT_URL, causing an "address already in use" error on the second instance. DashboardServiceHost now binds to port 0 on loopback when RandomizePorts is true (set by --isolated), letting the OS assign a unique port per instance. (#​18341, @​JamesNK)

• 🍃 MongoDB.Driver updated to 3.9.0 — Removes a wrongly pinned SharpCompress transitive dependency and uses the corrected Snappier transitive. Fixes #​17981. (#​18279, @​Falco20019)

🏷️ Housekeeping

• 🚀 Bumped branding to 13.4.6 (#​18343)

---

Full Changelog: v13.4.5...v13.4.6

Full commit: 87fe259e4fc244c599019a7b1304c85a1488f248

Generated by Generate release notes for a new stable Aspire release · 131 AIC · ⌖ 13.5 AIC · ⊞ 37.4K

13.4.5

What's New in Aspire 13.4.5

Patch release for Aspire 13.4 clearing a transitive MessagePack security advisory, tightening CLI validation for Playwright configuration, and adding coding-agent detection to CLI telemetry.

🐛 Fixes

• 🛡️ Bumped StreamJsonRpc to 2.25.29 to clear the MessagePack GHSA-hv8m-jj95-wg3x (CVE-2026-48109) NU1903 advisory — The transitive MessagePack 2.5.192 dependency pulled in via StreamJsonRpc 2.22.23 fell within the advisory's vulnerable LZ4 decompression range. Aspire does not use MessagePackFormatter or LZ4 — all StreamJsonRpc calls use SystemTextJsonFormatter over local Unix sockets — so the vulnerability was not reachable in practice. The bump clears the NU1903 warning for consumers of the Aspire.Hosting package. (#​18204, @​mitchdenny)
• 🎭 playwrightCliVersion values that are not valid SemVer 2.0 now fail fast with a clear diagnostic — Previously an invalid override (range expression, dist-tag like latest, or a v-prefixed string) would surface as a generic npm resolution failure. The value is now validated with strict SemVer parsing at startup; an error naming the configuration key and the offending value is emitted immediately. (#​18205, @​mitchdenny)
• 🤖 CLI telemetry now detects and reports the calling coding agent — When the Aspire CLI is invoked from inside a known coding agent environment (GitHub Copilot CLI, VS Code Copilot agent, etc.) the agent name is included in the main CLI telemetry event. GitHub Copilot CLI is specifically identified as copilot-cli. (#​18240, @​damianedwards)

🏷️ Housekeeping

• 📄 Refreshed the @​microsoft/aspire-cli npm package README to be TypeScript-only — updated examples to the current ts-starter template (apphost.mts / aspire.mjs), added a backing-services snippet showing aspire add for PostgreSQL and Redis, and documented aspire dashboard run as a standalone dashboard option. (#​18221, @​adamint)

---

Full Changelog: v13.4.4...v13.4.5

Full commit: 73114e86c64aeb9f3f3c7da8e37df1ae4281b27e

Generated by Generate release notes for a new stable Aspire release · ● 4.4M

13.4.4

What's New in Aspire 13.4.4

Patch release for Aspire 13.4 with improved DCP connection reliability during request execution and consistent ExcludeFromMcp() filtering across all CLI MCP tools.

🐛 Fixes

• 🔌 DCP requests could fail permanently when the connection dropped mid-request — If the underlying DCP channel closed while a request was in flight, the error was surfaced directly instead of being retried. Reconnection is now attempted as part of the DCP request retry path so transient disconnections recover automatically without surfacing errors. (#​18096, @​karolz-ms)
• 🔍 Resources marked with ExcludeFromMcp() were not consistently filtered from CLI MCP tools — Resources with the resource.excludeFromMcp property were not excluded uniformly from all CLI MCP tool results. list_resources, list_console_logs, execute_resource_command, list_structured_logs, list_traces, and list_trace_structured_logs all now honor the exclusion, preventing excluded resources and their telemetry from appearing in agent context. (#​18150, @​JamesNK)

🏷️ Housekeeping

• 📦 Improved npm CLI package metadata and hardened npm publish validation in the release pipeline. (#​18093, @​adamratzman)

---

Full Changelog: v13.4.3...v13.4.4

Full commit: ccc566c5ab3285c9beb8f38ede34734bb477c029

13.4.3

What's New in Aspire 13.4.3

Patch release for Aspire 13.4 with a fix for persistent container endpoint allocation regressions introduced in 13.4.

🐛 Fixes

• 🔌 Persistent container endpoints had incorrect default behavior — Persistent containers were defaulting to proxyless endpoint behavior instead of the proxied behavior used by normal containers. This caused integrations that depend on endpoint allocation before resource startup (such as the KeyVault emulator) to fail. Persistent containers now default to proxied endpoints matching normal container behavior; opt out with isProxied: false or WithEndpointProxySupport(false). Proxyless container endpoints with only a targetPort specified now also resolve immediately to that port instead of waiting for delayed allocation. (#​17960, @​danegsta)

🏷️ Housekeeping

• 🛠️ Unblocked WinGet manifest publishing on locked-down 1ES agents and updated manifest tags (#​17958)

---

Full Changelog: microsoft/aspire@v13.4.2...v13.4.3

Full commit: 4f218933552e18ff2874d1b6d5dc3fe671e3b6d9

Generated by Generate release notes for a new stable Aspire release · ● 4.7M

Commits viewable in compare view.

Updated Aspire.Hosting from 13.4.2 to 13.4.6.

Release notes

Sourced from Aspire.Hosting's releases.

13.4.6

What's New in Aspire 13.4.6

Patch release for Aspire 13.4 fixing polyglot AppHost code generation binding when CLI and SDK versions diverge, resource service port collision in --isolated mode, and a MongoDB.Driver dependency update.

🐛 Fixes

• 🔗 Polyglot AppHost code generation silently failed when CLI and SDK versions diverged — Aspire.TypeSystem used a floating strong-name AssemblyVersion that changed with every build. When the installed Aspire CLI was built at a different version than the AppHost's SDK, the CLR couldn't satisfy the strong-name bind and every code generator (TypeScript, Python, Java, Go, Rust) was silently dropped, surfacing as No code generator found for language: <lang>. The AssemblyVersion is now frozen at a stable constant so any compatible CLI/SDK pair on 13.4 binds successfully. Relates to #​18110 and #​17910. (#​18160, @​sebastienros)

• 🔌 Multiple AppHosts started with --isolated collided on the resource service port — Both instances tried to bind to the same fixed port from ASPIRE_RESOURCE_SERVICE_ENDPOINT_URL, causing an "address already in use" error on the second instance. DashboardServiceHost now binds to port 0 on loopback when RandomizePorts is true (set by --isolated), letting the OS assign a unique port per instance. (#​18341, @​JamesNK)

• 🍃 MongoDB.Driver updated to 3.9.0 — Removes a wrongly pinned SharpCompress transitive dependency and uses the corrected Snappier transitive. Fixes #​17981. (#​18279, @​Falco20019)

🏷️ Housekeeping

• 🚀 Bumped branding to 13.4.6 (#​18343)

---

Full Changelog: v13.4.5...v13.4.6

Full commit: 87fe259e4fc244c599019a7b1304c85a1488f248

Generated by Generate release notes for a new stable Aspire release · 131 AIC · ⌖ 13.5 AIC · ⊞ 37.4K

13.4.5

What's New in Aspire 13.4.5

Patch release for Aspire 13.4 clearing a transitive MessagePack security advisory, tightening CLI validation for Playwright configuration, and adding coding-agent detection to CLI telemetry.

🐛 Fixes

• 🛡️ Bumped StreamJsonRpc to 2.25.29 to clear the MessagePack GHSA-hv8m-jj95-wg3x (CVE-2026-48109) NU1903 advisory — The transitive MessagePack 2.5.192 dependency pulled in via StreamJsonRpc 2.22.23 fell within the advisory's vulnerable LZ4 decompression range. Aspire does not use MessagePackFormatter or LZ4 — all StreamJsonRpc calls use SystemTextJsonFormatter over local Unix sockets — so the vulnerability was not reachable in practice. The bump clears the NU1903 warning for consumers of the Aspire.Hosting package. (#​18204, @​mitchdenny)
• 🎭 playwrightCliVersion values that are not valid SemVer 2.0 now fail fast with a clear diagnostic — Previously an invalid override (range expression, dist-tag like latest, or a v-prefixed string) would surface as a generic npm resolution failure. The value is now validated with strict SemVer parsing at startup; an error naming the configuration key and the offending value is emitted immediately. (#​18205, @​mitchdenny)
• 🤖 CLI telemetry now detects and reports the calling coding agent — When the Aspire CLI is invoked from inside a known coding agent environment (GitHub Copilot CLI, VS Code Copilot agent, etc.) the agent name is included in the main CLI telemetry event. GitHub Copilot CLI is specifically identified as copilot-cli. (#​18240, @​damianedwards)

🏷️ Housekeeping

• 📄 Refreshed the @​microsoft/aspire-cli npm package README to be TypeScript-only — updated examples to the current ts-starter template (apphost.mts / aspire.mjs), added a backing-services snippet showing aspire add for PostgreSQL and Redis, and documented aspire dashboard run as a standalone dashboard option. (#​18221, @​adamint)

---

Full Changelog: v13.4.4...v13.4.5

Full commit: 73114e86c64aeb9f3f3c7da8e37df1ae4281b27e

Generated by Generate release notes for a new stable Aspire release · ● 4.4M

13.4.4

What's New in Aspire 13.4.4

Patch release for Aspire 13.4 with improved DCP connection reliability during request execution and consistent ExcludeFromMcp() filtering across all CLI MCP tools.

🐛 Fixes

• 🔌 DCP requests could fail permanently when the connection dropped mid-request — If the underlying DCP channel closed while a request was in flight, the error was surfaced directly instead of being retried. Reconnection is now attempted as part of the DCP request retry path so transient disconnections recover automatically without surfacing errors. (#​18096, @​karolz-ms)
• 🔍 Resources marked with ExcludeFromMcp() were not consistently filtered from CLI MCP tools — Resources with the resource.excludeFromMcp property were not excluded uniformly from all CLI MCP tool results. list_resources, list_console_logs, execute_resource_command, list_structured_logs, list_traces, and list_trace_structured_logs all now honor the exclusion, preventing excluded resources and their telemetry from appearing in agent context. (#​18150, @​JamesNK)

🏷️ Housekeeping

• 📦 Improved npm CLI package metadata and hardened npm publish validation in the release pipeline. (#​18093, @​adamratzman)

---

Full Changelog: v13.4.3...v13.4.4

Full commit: ccc566c5ab3285c9beb8f38ede34734bb477c029

13.4.3

What's New in Aspire 13.4.3

Patch release for Aspire 13.4 with a fix for persistent container endpoint allocation regressions introduced in 13.4.

🐛 Fixes

• 🔌 Persistent container endpoints had incorrect default behavior — Persistent containers were defaulting to proxyless endpoint behavior instead of the proxied behavior used by normal containers. This caused integrations that depend on endpoint allocation before resource startup (such as the KeyVault emulator) to fail. Persistent containers now default to proxied endpoints matching normal container behavior; opt out with isProxied: false or WithEndpointProxySupport(false). Proxyless container endpoints with only a targetPort specified now also resolve immediately to that port instead of waiting for delayed allocation. (#​17960, @​danegsta)

🏷️ Housekeeping

• 🛠️ Unblocked WinGet manifest publishing on locked-down 1ES agents and updated manifest tags (#​17958)

---

Full Changelog: microsoft/aspire@v13.4.2...v13.4.3

Full commit: 4f218933552e18ff2874d1b6d5dc3fe671e3b6d9

Generated by Generate release notes for a new stable Aspire release · ● 4.7M

Commits viewable in compare view.

Updated Aspire.Hosting.Testing from 13.4.2 to 13.4.6.

Release notes

Sourced from Aspire.Hosting.Testing's releases.

13.4.6

What's New in Aspire 13.4.6

Patch release for Aspire 13.4 fixing polyglot AppHost code generation binding when CLI and SDK versions diverge, resource service port collision in --isolated mode, and a MongoDB.Driver dependency update.

🐛 Fixes

• 🔗 Polyglot AppHost code generation silently failed when CLI and SDK versions diverged — Aspire.TypeSystem used a floating strong-name AssemblyVersion that changed with every build. When the installed Aspire CLI was built at a different version than the AppHost's SDK, the CLR couldn't satisfy the strong-name bind and every code generator (TypeScript, Python, Java, Go, Rust) was silently dropped, surfacing as No code generator found for language: <lang>. The AssemblyVersion is now frozen at a stable constant so any compatible CLI/SDK pair on 13.4 binds successfully. Relates to #​18110 and #​17910. (#​18160, @​sebastienros)

• 🔌 Multiple AppHosts started with --isolated collided on the resource service port — Both instances tried to bind to the same fixed port from ASPIRE_RESOURCE_SERVICE_ENDPOINT_URL, causing an "address already in use" error on the second instance. DashboardServiceHost now binds to port 0 on loopback when RandomizePorts is true (set by --isolated), letting the OS assign a unique port per instance. (#​18341, @​JamesNK)

• 🍃 MongoDB.Driver updated to 3.9.0 — Removes a wrongly pinned SharpCompress transitive dependency and uses the corrected Snappier transitive. Fixes #​17981. (#​18279, @​Falco20019)

🏷️ Housekeeping

• 🚀 Bumped branding to 13.4.6 (#​18343)

---

Full Changelog: v13.4.5...v13.4.6

Full commit: 87fe259e4fc244c599019a7b1304c85a1488f248

Generated by Generate release notes for a new stable Aspire release · 131 AIC · ⌖ 13.5 AIC · ⊞ 37.4K

13.4.5

What's New in Aspire 13.4.5

Patch release for Aspire 13.4 clearing a transitive MessagePack security advisory, tightening CLI validation for Playwright configuration, and adding coding-agent detection to CLI telemetry.

🐛 Fixes

• 🛡️ Bumped StreamJsonRpc to 2.25.29 to clear the MessagePack GHSA-hv8m-jj95-wg3x (CVE-2026-48109) NU1903 advisory — The transitive MessagePack 2.5.192 dependency pulled in via StreamJsonRpc 2.22.23 fell within the advisory's vulnerable LZ4 decompression range. Aspire does not use MessagePackFormatter or LZ4 — all StreamJsonRpc calls use SystemTextJsonFormatter over local Unix sockets — so the vulnerability was not reachable in practice. The bump clears the NU1903 warning for consumers of the Aspire.Hosting package. (#​18204, @​mitchdenny)
• 🎭 playwrightCliVersion values that are not valid SemVer 2.0 now fail fast with a clear diagnostic — Previously an invalid override (range expression, dist-tag like latest, or a v-prefixed string) would surface as a generic npm resolution failure. The value is now validated with strict SemVer parsing at startup; an error naming the configuration key and the offending value is emitted immediately. (#​18205, @​mitchdenny)
• 🤖 CLI telemetry now detects and reports the calling coding agent — When the Aspire CLI is invoked from inside a known coding agent environment (GitHub Copilot CLI, VS Code Copilot agent, etc.) the agent name is included in the main CLI telemetry event. GitHub Copilot CLI is specifically identified as copilot-cli. (#​18240, @​damianedwards)

🏷️ Housekeeping

• 📄 Refreshed the @​microsoft/aspire-cli npm package README to be TypeScript-only — updated examples to the current ts-starter template (apphost.mts / aspire.mjs), added a backing-services snippet showing aspire add for PostgreSQL and Redis, and documented aspire dashboard run as a standalone dashboard option. (#​18221, @​adamint)

---

Full Changelog: v13.4.4...v13.4.5

Full commit: 73114e86c64aeb9f3f3c7da8e37df1ae4281b27e

Generated by Generate release notes for a new stable Aspire release · ● 4.4M

13.4.4

What's New in Aspire 13.4.4

Patch release for Aspire 13.4 with improved DCP connection reliability during request execution and consistent ExcludeFromMcp() filtering across all CLI MCP tools.

🐛 Fixes

• 🔌 DCP requests could fail permanently when the connection dropped mid-request — If the underlying DCP channel closed while a request was in flight, the error was surfaced directly instead of being retried. Reconnection is now attempted as part of the DCP request retry path so transient disconnections recover automatically without surfacing errors. (#​18096, @​karolz-ms)
• 🔍 Resources marked with ExcludeFromMcp() were not consistently filtered from CLI MCP tools — Resources with the resource.excludeFromMcp property were not excluded uniformly from all CLI MCP tool results. list_resources, list_console_logs, execute_resource_command, list_structured_logs, list_traces, and list_trace_structured_logs all now honor the exclusion, preventing excluded resources and their telemetry from appearing in agent context. (#​18150, @​JamesNK)

🏷️ Housekeeping

• 📦 Improved npm CLI package metadata and hardened npm publish validation in the release pipeline. (#​18093, @​adamratzman)

---

Full Changelog: v13.4.3...v13.4.4

Full commit: ccc566c5ab3285c9beb8f38ede34734bb477c029

13.4.3

What's New in Aspire 13.4.3

Patch release for Aspire 13.4 with a fix for persistent container endpoint allocation regressions introduced in 13.4.

🐛 Fixes

• 🔌 Persistent container endpoints had incorrect default behavior — Persistent containers were defaulting to proxyless endpoint behavior instead of the proxied behavior used by normal containers. This caused integrations that depend on endpoint allocation before resource startup (such as the KeyVault emulator) to fail. Persistent containers now default to proxied endpoints matching normal container behavior; opt out with isProxied: false or WithEndpointProxySupport(false). Proxyless container endpoints with only a targetPort specified now also resolve immediately to that port instead of waiting for delayed allocation. (#​17960, @​danegsta)

🏷️ Housekeeping

• 🛠️ Unblocked WinGet manifest publishing on locked-down 1ES agents and updated manifest tags (#​17958)

---

Full Changelog: microsoft/aspire@v13.4.2...v13.4.3

Full commit: 4f218933552e18ff2874d1b6d5dc3fe671e3b6d9

Generated by Generate release notes for a new stable Aspire release · ● 4.7M

Commits viewable in compare view.

Updated Microsoft.Extensions.Http.Resilience from 10.4.0 to 10.6.0.

Release notes

Sourced from Microsoft.Extensions.Http.Resilience's releases.

10.6.0

Version 10.6.0 stabilizes the response continuation token and background-response APIs in Microsoft.Extensions.AI.Abstractions. Most other AI work for May shipped in 10.5.1; this monthly release rolls those changes up alongside dependency updates and a small Resource Monitoring cleanup.

Experimental API Changes

Now Stable

• ResponseContinuationToken and background-response APIs are now stable (previously MEAI001) #​7512

What's Changed

AI

• Stabilize ResponseContinuationToken / background-response APIs #​7512 by @​jozkee (co-authored by @​Copilot)

Repository Infrastructure Updates

• Update version to 10.6.0 #​7458 by @​jeffhandley
• [main] Update dependencies from dotnet/arcade #​7451
• Bump follow-redirects from 1.15.11 to 1.16.0 in /src/Libraries/Microsoft.Extensions.AI.Evaluation.Reporting/TypeScript/azure-devops-report/tasks/PublishAIEvaluationReport #​7469
• Merge release/10.5 into main #​7470 by @​jeffhandley
• Bump microsoft.visualstudio.slngen.tool from 12.0.13 to 12.0.32 #​7484
• Bump postcss from 8.5.9 to 8.5.12 in /src/Libraries/Microsoft.Extensions.AI.Evaluation.Reporting/TypeScript #​7494
• Bump dotnet-reportgenerator-globaltool from 5.5.7 to 5.5.9 #​7504
• Rename release-notes skill to write-release-notes #​7511 by @​jeffhandley (co-authored by @​Copilot)

Acknowledgements

• @​wtgodbe @​tarekgh @​peterwald @​JeremyLikness @​eiriktsarpalis @​ericstj @​evgenyfedorov2 reviewed pull requests

Full Changelog: dotnet/extensions@v10.5.2...v10.6.0

10.5.2

This patch release ships a single fix to Microsoft.Extensions.VectorData.Abstractions, correcting StorageName resolution when external serialization is enabled. Microsoft.Extensions.VectorData.ConformanceTests, Microsoft.Extensions.AI.Abstractions, Microsoft.Extensions.AI, and Microsoft.Extensions.AI.OpenAI are published alongside it for version coherency — they contain no code changes from 10.5.1.

Packages in this release

Package	Version
Microsoft.Extensions.VectorData.Abstractions	10.5.2
Microsoft.Extensions.VectorData.ConformanceTests	10.5.2
Microsoft.Extensions.AI.Abstractions	10.5.2
Microsoft.Extensions.AI	10.5.2
Microsoft.Extensions.AI.OpenAI	10.5.2

What's Changed

Microsoft.Extensions.VectorData.Abstractions

• Minor fixes to MEVD.Abstractions: correct StorageName behavior when external serialization is enabled, and disable a warning for net462. (by @​roji in #​7475)

Full Changelog: dotnet/extensions@v10.5.1...v10.5.2

10.5.1

Version 10.5.1 of the Microsoft.Extensions.AI packages stabilizes CodeInterpreter, WebSearch, and ImageGeneration tool content types. The release adds new experimental tool search and OpenAI request policy hooks. And the OpenTelemetry gen-ai semantic conventions are updated to align with v1.41.

The 'aiagent-webapi' project template in Microsoft.Agents.AI.ProjectTemplates is updated to align with v1.3.0 of Agent Framework, updating the OpenTelemetry dependencies within the template projects as well.

Packages in this release

Package	Version
Microsoft.Extensions.AI	10.5.1
Microsoft.Extensions.AI.Abstractions	10.5.1
Microsoft.Extensions.AI.OpenAI	10.5.1
Microsoft.Extensions.AI.Templates	10.5.1-preview.3.26251.3
Microsoft.Agents.AI.ProjectTemplates	1.3.0-preview.1.26251.3

Experimental API Changes

Now Stable

The following types previously emitted the MEAI001 experimental diagnostic and are now stable.

• CodeInterpreter and WebSearch tool content types are now stable #​7493
  • CodeInterpreterToolCallContent
  • CodeInterpreterToolResultContent
  • WebSearchToolCallContent
  • WebSearchToolResultContent
• ImageGeneration tool content types and tool are now stable #​7476
  • ImageGenerationToolCallContent
  • ImageGenerationToolResultContent
  • HostedImageGenerationTool
  • ImageGenerationOptions
  • ImageGenerationResponseFormat (the Hosted enum value remains experimental)
  • IImageGenerator and the rest of the image generation infrastructure also remain experimental

New Experimental APIs

The following new APIs emit the MEAI001 experimental diagnostic.

• New experimental API: HostedToolSearchTool with DeferredTools for tool-search-driven deferred tool loading #​7471
• New experimental API: OpenAIRequestPolicies extension hook for appending System.ClientModel.PipelinePolicy instances to outgoing OpenAI requests #​7495

Breaking Changes to Experimental APIs

• WebSearchToolResultContent.Results was renamed to Outputs as part of the stabilization in #​7493, aligning with CodeInterpreterToolResultContent.Outputs. The original Results property was included in version 10.4.0 and 10.5.0; this is a binary breaking change and consumers need to update to consume the updated property.

  WebSearchToolResultContent content = ...;
  - IList<AIContent>? items = content.Results;
  + IList<AIContent>? items = content.Outputs;

... (truncated)

10.5.0

HTTP Logging Middleware APIs in Microsoft.AspNetCore.Diagnostics.Middleware are now stable. This release also transfers Microsoft.Extensions.VectorData.Abstractions and Microsoft.Extensions.VectorData.ConformanceTests from the Semantic Kernel repository into dotnet/extensions, jumping from 10.1.0 to 10.5.0 for consistent versioning. The release also delivers fixes across the AI libraries, AI Evaluation, and Service Discovery.

Breaking Changes

1. Rename VectorStoreVectorAttribute constructor parameter #​7460
   • The Dimensions parameter was renamed to dimensions (lowercase). This is a source-breaking change only — binary compatibility is preserved.
   • If you use the named argument syntax new VectorStoreVectorAttribute(Dimensions: 1536), update it to new VectorStoreVectorAttribute(dimensions: 1536).

Experimental API Changes

Now Stable

• HTTP Logging Middleware APIs are now stable (previously EXTEXP0013): AddHttpLogEnricher<T>, IHttpLogEnricher, and RequestHeadersLogEnricherOptions.HeadersDataClasses #​7380

What's Changed

AI

• Fix OpenAIResponsesChatClient to respect "store":false in responses #​7417 by @​stephentoub
• Fix InvalidOperationException in CoalesceWebSearchToolCallContent #​7419 by @​stephentoub
• Handle F# optional parameters in AIFunctionFactory schema generation #​7439 by @​eiriktsarpalis
• Fix ComputerCallResponseItem using Item.Id instead of CallId #​7446 by @​jozkee
• Fix HostedFileContent with image MIME type sent as input_file instead of input_image #​7438 by @​stephentoub (co-authored by @​copilot)
• Guard Activity.Current restore with null check in OpenTelemetry streaming clients #​7443 by @​stephentoub (co-authored by @​copilot)
• Enable stateless mode in remote MCP server template (released as v1.2.0 on 2026-04-01) #​7441 by @​jeffhandley

Vector Data

• Move Microsoft.Extensions.VectorData.Abstractions over from Semantic Kernel #​7434 by @​roji
• Rename VectorStoreVectorAttribute dimensions constructor parameter #​7460 by @​roji

AI Evaluation

• Add Path Validation for DiskBasedResponseCache and DiskBasedResultStore #​7397 by @​peterwald
• Update brace-expansion for CVE-2026-33750 #​7457 by @​SamMonoRT

ASP.NET Core Extensions

• Removing experimental attribute from Http logging middleware #​7380 by @​mariamgerges

Service Discovery

• Implement RFC6761 reserved DNS names handling #​6924 by @​rzikm

Documentation Updates

• Remove per-library CHANGELOG.md files #​7413 by @​jeffhandley

Test Improvements

... (truncated)

10.4.1

This release of the Microsoft.Extensions.AI packages adds new experimental APIs for Realtime client sessions and Text-to-Speech, along with OpenTelemetry and middleware improvements.

Packages in this release

Package	Version
Microsoft.Extensions.AI.Abstractions	10.4.1
Microsoft.Extensions.AI	10.4.1
Microsoft.Extensions.AI.OpenAI	10.4.1

Experimental API Changes

New Experimental APIs

• New experimental API: Realtime Client Sessions #​7285 and #​7399
• New experimental API: Text-to-Speech Client #​7381

Changes to Experimental APIs

• Hosted File Download Stream: write-path methods now explicitly throw NotSupportedException #​7394

What's Changed

AI

• Add ITextToSpeechClient abstraction, middleware, and OpenAI implementation #​7381 by @​stephentoub
• Realtime Client Proposal #​7285 by @​tarekgh
• Add VoiceActivityDetection options to realtime session abstractions #​7399 by @​tarekgh
• Make UriContent mediaType parameter optional with inference from URI file extension #​7398 by @​stephentoub (co-authored by @​Copilot)
• Emit gen_ai.client.operation.exception via ILogger LoggerMessage on OpenTelemetry instrumentation classes #​7379 by @​stephentoub (co-authored by @​Copilot)
• Support invoke_workflow as an equivalent parent span to invoke_agent in FunctionInvokingChatClient #​7382 by @​stephentoub (co-authored by @​Copilot)
• Make HostedFileDownloadStream explicitly read-only #​7394 by @​stephentoub (co-authored by @​Copilot)

Documentation Updates

• Document JSON schema derivation for return types in AIFunctionFactory #​7400 by @​stephentoub (co-authored by @​Copilot)

Test Improvements

• Fix test warnings #​7369 by @​jozkee
• Add tests for JSON deserialization of serializable types #​7373 by @​stephentoub (co-authored by @​Copilot)

Repository Infrastructure Updates

• Update Package Validation Baseline to 10.4.0 #​7389 by @​jeffhandley (co-authored by @​Copilot)
• Update ModelContextProtocol libraries to version 1.0.0 #​7340 by @​stephentoub (co-authored by @​Copilot)

Acknowledgements

• @​eiriktsarpalis @​ericstj @​CodeBlanch @​lmolkova @​adamsitnik @​joperezr reviewed pull requests
  ... (truncated)

Commits viewable in compare view.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.