chore(deps): bump Aspire.Hosting.PostgreSQL and 11 others #48

Merged
mkasperczyk90 merged 3 commits into main from dependabot/nuget/dotnet-6ef2f09298
Jul 1, 2026
Conversation

@dependabot (bot, Contributor) commented on behalf of github, Jun 30, 2026

Updated Aspire.Hosting.PostgreSQL from 13.4.3 to 13.4.6.

Release notes

Sourced from Aspire.Hosting.PostgreSQL's releases.

13.4.6

What's New in Aspire 13.4.6

Patch release for Aspire 13.4 fixing polyglot AppHost code generation binding when CLI and SDK versions diverge, resource service port collision in --isolated mode, and a MongoDB.Driver dependency update.

🐛 Fixes

  • 🔗 Polyglot AppHost code generation silently failed when CLI and SDK versions diverged — Aspire.TypeSystem used a floating strong-name AssemblyVersion that changed with every build. When the installed Aspire CLI was built at a different version than the AppHost's SDK, the CLR couldn't satisfy the strong-name bind and every code generator (TypeScript, Python, Java, Go, Rust) was silently dropped, surfacing as No code generator found for language: <lang>. The AssemblyVersion is now frozen at a stable constant so any compatible CLI/SDK pair on 13.4 binds successfully. Relates to #18110 and #17910. (#18160, @sebastienros)

  • 🔌 Multiple AppHosts started with --isolated collided on the resource service port — Both instances tried to bind to the same fixed port from ASPIRE_RESOURCE_SERVICE_ENDPOINT_URL, causing an "address already in use" error on the second instance. DashboardServiceHost now binds to port 0 on loopback when RandomizePorts is true (set by --isolated), letting the OS assign a unique port per instance. (#​18341, @​JamesNK)

  • 🍃 MongoDB.Driver updated to 3.9.0 — Removes a wrongly pinned SharpCompress transitive dependency and uses the corrected Snappier transitive. Fixes #​17981. (#​18279, @​Falco20019)

🏷️ Housekeeping


Full Changelog: v13.4.5...v13.4.6

Full commit: 87fe259e4fc244c599019a7b1304c85a1488f248

13.4.5

What's New in Aspire 13.4.5

Patch release for Aspire 13.4 clearing a transitive MessagePack security advisory, tightening CLI validation for Playwright configuration, and adding coding-agent detection to CLI telemetry.

🐛 Fixes

  • 🛡️ Bumped StreamJsonRpc to 2.25.29 to clear the MessagePack GHSA-hv8m-jj95-wg3x (CVE-2026-48109) NU1903 advisory — The transitive MessagePack 2.5.192 dependency pulled in via StreamJsonRpc 2.22.23 fell within the advisory's vulnerable LZ4 decompression range. Aspire does not use MessagePackFormatter or LZ4 — all StreamJsonRpc calls use SystemTextJsonFormatter over local Unix sockets — so the vulnerability was not reachable in practice. The bump clears the NU1903 warning for consumers of the Aspire.Hosting package. (#​18204, @​mitchdenny)
  • 🎭 playwrightCliVersion values that are not valid SemVer 2.0 now fail fast with a clear diagnostic — Previously an invalid override (range expression, dist-tag like latest, or a v-prefixed string) would surface as a generic npm resolution failure. The value is now validated with strict SemVer parsing at startup; an error naming the configuration key and the offending value is emitted immediately. (#​18205, @​mitchdenny)
  • 🤖 CLI telemetry now detects and reports the calling coding agent — When the Aspire CLI is invoked from inside a known coding agent environment (GitHub Copilot CLI, VS Code Copilot agent, etc.) the agent name is included in the main CLI telemetry event. GitHub Copilot CLI is specifically identified as copilot-cli. (#​18240, @​damianedwards)

🏷️ Housekeeping

  • 📄 Refreshed the @​microsoft/aspire-cli npm package README to be TypeScript-only — updated examples to the current ts-starter template (apphost.mts / aspire.mjs), added a backing-services snippet showing aspire add for PostgreSQL and Redis, and documented aspire dashboard run as a standalone dashboard option. (#​18221, @​adamint)

Full Changelog: v13.4.4...v13.4.5

Full commit: 73114e86c64aeb9f3f3c7da8e37df1ae4281b27e

13.4.4

What's New in Aspire 13.4.4

Patch release for Aspire 13.4 with improved DCP connection reliability during request execution and consistent ExcludeFromMcp() filtering across all CLI MCP tools.

🐛 Fixes

  • 🔌 DCP requests could fail permanently when the connection dropped mid-request — If the underlying DCP channel closed while a request was in flight, the error was surfaced directly instead of being retried. Reconnection is now attempted as part of the DCP request retry path so transient disconnections recover automatically without surfacing errors. (#​18096, @​karolz-ms)
  • 🔍 Resources marked with ExcludeFromMcp() were not consistently filtered from CLI MCP tools — Resources with the resource.excludeFromMcp property were not excluded uniformly from all CLI MCP tool results. list_resources, list_console_logs, execute_resource_command, list_structured_logs, list_traces, and list_trace_structured_logs all now honor the exclusion, preventing excluded resources and their telemetry from appearing in agent context. (#​18150, @​JamesNK)

🏷️ Housekeeping

  • 📦 Improved npm CLI package metadata and hardened npm publish validation in the release pipeline. (#​18093, @​adamratzman)

Full Changelog: v13.4.3...v13.4.4

Full commit: ccc566c5ab3285c9beb8f38ede34734bb477c029

Commits viewable in compare view.

Updated Aspire.Hosting.RabbitMQ from 13.4.3 to 13.4.6.

Release notes

Sourced from Aspire.Hosting.RabbitMQ's releases.

Commits viewable in compare view.

Updated Aspire.Npgsql.EntityFrameworkCore.PostgreSQL from 13.4.3 to 13.4.6.

Release notes

Sourced from Aspire.Npgsql.EntityFrameworkCore.PostgreSQL's releases.

Commits viewable in compare view.

Updated coverlet.collector from 6.0.2 to 10.0.1.

Release notes

Sourced from coverlet.collector's releases.

10.0.1

Improvements

Fixed

  • Fix inconsistent paths in cobertura reports #​1723
  • Fix when using "is" with "and" in pattern matching, branch coverage is lower than normal #​1313
  • Fix Coverlet flagging a branch for an async functions finally block where none exists #​1337
  • Fix Coverlet Tracker Missing CompilerGeneratedAttribute #​1828

Maintenance

  • Add architecture docs and diagrams for all integrations #​1927
  • Update NuGet packages and .NET SDK versions #​1933

Diff between 10.0.0 and 10.0.1

10.0.0

Improvements

  • Unique Report Filenames (coverlet.MTP and AzDO) #​1866
  • Add --coverlet-file-prefix option for unique report files #​1869
  • Introduce .NET 10 support #​1823

Fixed

  • Fix [BUG] Wrong branch rate on IAsyncEnumerable for generic type #​1836
  • Fix [BUG] Missing Coverage after moving to MTP #​1843
  • Fix [BUG] No coverage reported when targeting .NET Framework with 8.0.1 #​1842
  • Fix [BUG] Behavior changes between MTP and Legacy (msbuild) #​1878
  • Fix [BUG] Coverlet.MTP - Unable to load coverlet.mtp.appsettings.json #​1880
  • Fix [BUG] Coverlet.Collector produces empty report when Mediator.SourceGenerator is referenced #​1718 by https://github.com/yusyd
  • Fix [BUG] Crash during instrumentation (Methods using LibraryImport/DllImport have no body) #​1762

Maintenance

  • Add comprehensive async method tests and documentation for issue #​1864
  • Replace Tmds.ExecFunction Package in coverlet.core.coverage.tests #​1833
  • Add net9.0 and net10.0 targets #​1822

Diff between 8.0.1 and 10.0.0

8.0.1

Fixed

  • Fix [BUG] TypeInitializationException when targeting .NET Framework #​1818
  • Fix [BUG] coverlet.MTP build fails with CS0400 due to developmentDependency=true #​1827

Improvements

  • Additional improvements needed for .NET Framework instrumentation type import #​1825

Diff between 8.0.0 and 8.0.1

8.0.0

Special Thanks: A huge thank you to @​Bertk for driving the majority of the work in this release! 🎉

Fixed

Improvements

  • Coverlet MTP extension feature #​1788
  • Generate SBOM for nuget packages #​1752
  • Use multi targets projects for coverlet.collector, coverlet.msbuild.tasks packages #​1742
  • Use .NET 8.0 target framework for coverlet.core and remove Newtonsoft.Json #​1733
  • Use latest System.CommandLine version #​1660
  • Upgraded minimum required .NET SDK and runtime to .NET 8.0 LTS (Long Term Support) (Breaking Change)
  • Use xunit.v3 for tests and example code

Diff between 6.0.4 and 8.0.0

6.0.4

Fixed

  • Fix empty coverage report when using include and exclude filters #​1726

Diff between 6.0.3 and 6.0.4

6.0.3

Fixed

Improvements

  • Cache the regex used in InstrumentationHelper #​1693
  • Enable dotnetTool integration tests for linux #​660

Diff between 6.0.2 and 6.0.3

Commits viewable in compare view.

Pinned Microsoft.Extensions.Http.Resilience at 10.7.0.

Release notes

Sourced from Microsoft.Extensions.Http.Resilience's releases.

10.7.0

v10.7.0 graduates the Microsoft.Extensions.Diagnostics.ResourceMonitoring.Kubernetes package to stable. The package registers a Kubernetes-aware ResourceQuotaProvider that reads the pod's CPU and memory requests and limits and exposes them to Microsoft.Extensions.Diagnostics.ResourceMonitoring as baseline and maximum quotas, which then feed the request and limit dimensions of the published resource utilization metrics. The companion ResourceQuota and ResourceQuotaProvider types in Microsoft.Extensions.Diagnostics.ResourceMonitoring graduate to stable in the same change so that consumers can implement custom quota providers without taking an experimental dependency.

On the AI side, Microsoft.Extensions.AI.OpenAI moves to OpenAI 2.11.0 and fixes a deserialization bug in ToolJson.AdditionalProperties so that JSON Schema additionalProperties values shaped as sub-schema objects (for example {"type":"string"}) are preserved instead of throwing during deserialization. HostedFileContent.SizeInBytes and HostedFileContent.CreatedAt graduate to stable since both values are consistently available across hosted-file providers, while Purpose and Scope remain experimental as provider-shaped vocabulary. FunctionInvokingChatClient drops a backward-compat path that auto-marked ToolApprovalResponseContent entries with InformationalOnly: true; consumers that need to continue accepting sessions serialized before #​7468 can use the sample ApprovalHistoryNormalizingChatClient middleware added in the test project.

Experimental API Changes

Now Stable

  • Microsoft.Extensions.Diagnostics.ResourceMonitoring.Kubernetes package is now stable #​7253
  • Resource Monitoring ResourceQuota and ResourceQuotaProvider APIs are now stable (previously EXTEXP0008) #​7253
  • HostedFileContent.SizeInBytes and HostedFileContent.CreatedAt are now stable (previously MEAI001) #​7513

What's Changed

AI

  • Graduate HostedFileContent.SizeInBytes and HostedFileContent.CreatedAt #​7513 by @​jozkee (co-authored by @​Copilot)
  • Remove backward-compat InformationalOnly case from FICC; suggest middleware workaround #​7538 by @​jozkee (co-authored by @​Copilot)
  • Upgrade OpenAI package from 2.10.0 to 2.11.0 #​7544 by @​jozkee (co-authored by @​Copilot)
  • Fix ToolJson.AdditionalProperties to accept sub-schema objects #​7546 by @​jozkee (co-authored by @​Copilot)

Diagnostics, Health Checks, and Resource Monitoring

  • Move Microsoft.Extensions.Diagnostics.ResourceMonitoring.Kubernetes to stable #​7253 by @​amadeuszl (co-authored by @​Copilot)

Repository Infrastructure Updates

  • [main] Update dependencies from dotnet/arcade #​7521
  • Bump dotnet-reportgenerator-globaltool from 5.5.9 to 5.5.10 #​7522
  • Bump dotnet-coverage from 18.6.2 to 18.7.0 #​7530
  • Bump PowerShell from 7.6.1 to 7.6.2 #​7531
  • Bump qs from 6.15.1 to 6.15.2 in /src/Libraries/Microsoft.Extensions.AI.Evaluation.Reporting/TypeScript #​7532
  • [main] Update dependencies from dotnet/arcade #​7534
  • Bump tmp from 0.2.5 to 0.2.6 in /src/Libraries/Microsoft.Extensions.AI.Evaluation.Reporting/TypeScript #​7537

Acknowledgements

  • @​ericstj submitted issue #​7509 (resolved by #​7544)
  • @​scottt732 submitted issue #​7540 (resolved by #​7546)
  • @​DeagleGross @​wtgodbe @​dariusclay @​evgenyfedorov2 @​peterwald @​PranavSenthilnathan @​shyamnamboodiripad @​stephentoub @​tarekgh reviewed pull requests

Full Changelog: dotnet/extensions@v10.6.0...v10.7.0

Commits viewable in compare view.

Updated Microsoft.NET.Test.Sdk from 18.6.0 to 18.7.0.

Release notes

Sourced from Microsoft.NET.Test.Sdk's releases.

18.7.0

What's Changed

New Contributors

Full Changelog: microsoft/vstest@v18.6.0...v18.7.0

Commits viewable in compare view.

Pinned OpenTelemetry.Exporter.OpenTelemetryProtocol at 1.16.0.

Release notes

Sourced from OpenTelemetry.Exporter.OpenTelemetryProtocol's releases.

1.16.0

For highlights and announcements pertaining to this release see: Release Notes > 1.16.0.

The following changes are from the previous release 1.16.0-rc.1.

... (truncated)

1.16.0-rc.1

The following changes are from the previous release 1.15.3.

  • NuGet: OpenTelemetry v1.16.0-rc.1

    • Stop validating View-provided metric stream Name against the instrument
      name syntax, per
      spec clarification.
      (#​7300)

    • Fix incorrect validation of OTEL_BSP_* and OTEL_BLRP_* environment
      variables.
      (#​7187)

    • Fix observable instrument callbacks running once per reader instead of
      once per collection cycle.
      (#​7188)

    • Added exception safety for user-supplied ExemplarReservoir implementations.
      Exceptions thrown from Offer are now caught and logged rather than propagating
      out of Counter.Add/Histogram.Record.
      (#​7277)

    • Update OpenTelemetrySdkEventSource to support the W3C randomness flag.
      (#​7301)

    • Added ObservedTimestamp property to LogRecord.
      (#​6979)

    • Breaking Change: Explicit histogram boundaries no longer allow more than
      10 million values.
      (#​7165)

    • Fixed a circular reference which could cause a LoggerProvider to fail to
      resolve when one of its dependencies depends on ILogger or ILoggerFactory.
      As part of this fix the LoggerProvider resolved from dependency injection
      is now created lazily when the first logger is created rather than when
      ILoggerProvider or ILoggerFactory is resolved. A consequence is that any
      invalid configuration now surfaces when the first log record is written instead
      of when the logging services are resolved.
      (#​7308)

    See CHANGELOG for details.

  • NuGet: OpenTelemetry.Api v1.16.0-rc.1

    • Experimental (pre-release builds only):
      Add support for using environment variables as context propagation carriers.
      (#​7174)

    • Fix BaggagePropagator to correctly follow Key and Value Encoding rules as per
      ... (truncated)

1.16.0-beta.1

The following changes are from the previous release 1.15.3-beta.1.

  • NuGet: OpenTelemetry.Exporter.Prometheus.AspNetCore v1.16.0-beta.1

    • Fixed scrape response cache freshness using monotonic time so it is not
      affected by NTP system clock adjustments.
      (#​7253)

    • Breaking Change: Removed DisableTimestamp property from
      PrometheusAspNetCoreOptions.
      (#​7176)

    • Fixed the serialization of NaN, PositiveInfinity, and NegativeInfinity
      values in Prometheus metrics to be compliant with the specification.
      (#​7179)

    • Fixed loss of precision when serializing double and float values in
      Prometheus metrics to be compliant with the specification by using 17
      significant digits to represent such values.
      (#​7179)

    • Fix non-ASCII characters in metric names and unit strings not being sanitized
      correctly during Prometheus serialization.
      (#​7184)

    • Fix case where reader tracking could be reset while readers were still active.
      (#​7190)

    • Improve Accept header handling for format negotiation so OpenMetrics is
      selected correctly by considering whitespace and q weights.
      (#​7208)

    • Emit OpenMetrics exemplars for counters and histogram buckets.
      (#​7222)

    • Fix incorrect handling of untyped metrics when using OpenMetrics format.
      (#​7219)

    • Fix Prometheus/OpenMetrics serialization to emit metric and label names
      containing _ instead of dropping them and prefixing leading digits.
      Invalid characters are replaced with _ instead of being dropped.
      (#​7209)

    • Add escaping=underscores to the Accept header handling for content
      negotiation so OpenMetrics are handled correctly.
      (#​7209)

    • Omit histogram _sum and _count in OpenMetrics when negative bucket
      thresholds are present.
      (#​7221)
      ... (truncated)

Commits viewable in compare view.

Pinned OpenTelemetry.Extensions.Hosting at 1.16.0.

Release notes

Sourced from OpenTelemetry.Extensions.Hosting's releases.

Commits viewable in compare view.

Pinned WolverineFx at 6.16.0.

Release notes

Sourced from WolverineFx's releases.

6.16.0

Lot of CritterWatch stuff, optimized SQL Server transport, new options for NServiceBus interop using SQL Server, bug fixes

What's Changed

Full Changelog: JasperFx/wolverine@V6.15.0...V6.16.0

6.15.0

Wolverine 6.15.0 aligns the critter-stack dependencies with the latest stable releases and brings observability, transport, and persistence improvements.

Dependency updates

  • Marten 9.11.0, Polecat 4.6.0, JasperFx / JasperFx.Events 2.16.0, Weasel 9.3.0

GCP Pub/Sub

  • Leader-pinned (ListenOnlyAtLeader()) listeners now use a single shared subscription instead of a per-node subscription, restoring single-consumer semantics (#​3258)
  • Configurable client builders + credential injection (#​3172); Pub/Sub added to CI (#​3191)

Observability & health

  • Shared BackgroundReceiveLoop with receive-loop health reporting, adopted across SQS, Redis, PostgreSQL queue, SQL Server queue, and Kafka (#​3236)
  • Transport connection state surfaced in EndpointHealthSnapshot; IReportConnectionState for NATS, MQTT, Pulsar, Redis (#​3231)
  • Force-restart path for stuck listeners (#​3232)
  • Metrics: every instrument tagged with source (service name) (#​3221); dimensional inbox/outbox/scheduled gauges (source + database); configurable millisecond histogram buckets (#​3224)
  • User-defined service Tags on WolverineOptions, surfaced on ServiceCapabilities (#​3240)
  • Discovered gRPC endpoint → message-type mapping exposed via IGrpcEndpointManifest (#​3235)

Persistence & fixes

  • Reconcile competing "Main" message stores via opt-in policy (#​3226)
  • DB transport binds a same-engine Ancillary store when Main is a different engine (#​3248)
  • EF Core: only call DbContext.Update() for untracked entities in Storage.Update (#​3229)
  • Register IEventStore for Polecat stores so they're discoverable (#​3219)
  • Fix flaky multi-node Polecat event-subscription agent distribution (#​3216)
  • NullMessageStore never throws — no-ops every member for storeless observers
  • Agent restrictions: PersistAgentRestrictionsAsync no-ops on empty list (#​3252); AssignmentGrid.ApplyRestrictions tolerates non-grid paused-agent URIs

Full changelog: JasperFx/wolverine@V6.14.0...V6.15.0

6.14.0

The big ticket item is new interop options for Wolverine to/from MassTransit or NServiceBus using each's SQL Server or PostgreSQL queueing. Also quite a few Pulsar improvements. And community additions too!

What's Changed

Full Changelog: JasperFx/wolverine@V6.13.1...V6.14.0

6.13.1

Patch release on the 6.x line — a Critter Stack dependency refresh plus one targeted fix. No breaking changes.

🐛 Fixes

  • DLQ admin readers tolerate a NULL received_at (#​3165) — the dead-letter explorer could report 0 messages even when dead letters existed; the RDBMS DLQ readers now handle a null received_at column.

⬆️ Dependencies

  • Weasel 9.1.5 → 9.2.3 (#​3166) — refreshes all seven Weasel packages (Core, EntityFrameworkCore, MySql, Oracle, Postgresql, SqlServer, Sqlite). Clean restore + Release build against the current Marten/JasperFx pins.

Full Changelog: JasperFx/wolverine@V6.13.0...V6.13.1

6.13.0

Wolverine 6.13.0 on the 6.0 line (JasperFx 2.x, net9.0/net10.0). The headline is a top-to-bottom Kafka integration re-evaluation (epic #​3134) that makes the transport idiomatic and high-throughput, plus [AsParameters] HTTP fidelity fixes and event-subscription/projection-distribution hardening. No breaking changes.

🚀 Kafka integration re-evaluation (#​3134)

  • Commit-strategy overhaul with CommitMode (#​3152) — StoreThenAutoFlush (default, non-blocking idiomatic throughput), PerMessage, and CommitOffsetsAfterCount/AfterInterval batch modes.
  • In-flight-safe offset watermark across all commit strategies (#​3162) — under concurrent out-of-order completion the committed/stored position never advances past a still-in-flight message; tolerates compacted/read_committed offset gaps.
  • Scale-out & concurrency — cooperative-sticky rebalancing + static membership (#​3154), and opt-in intra-partition concurrency by key with ordered-per-key guarantees via the durable inbox (#​3158).
  • Cold start vs. live tail — first-class AutoOffsetReset and ephemeral hot-tail / broadcast consume (#​3155).
  • Bounded one-shot topic replay by offset/timestamp via Assign (#​3156).
  • Idempotency & exactly-once — idempotent producer + read_committed isolation, with EOS guidance (#​3157).
  • Non-blocking tiered retry topics via the OnException<T>().MoveToKafkaRetryTopic(...) DSL (#​3160).
  • Fix: ExtendConsumerConfiguration now preserves parent/global consumer settings (#​3151).

🌐 HTTP — [AsParameters] (#​3135)

  • OpenAPI route-type fidelity + multiple-body guard (#​3141)
  • Optional [FromBody] in [AsParameters]: binds null with required:false (#​3142)
  • Fix [AsParameters] + [FromBody] + [WriteAggregate] codegen 500 (#​3143/#​3144)
  • Docs: [AsParameters] as the idiomatic route/body split (#​3145)

🗄️ Event subscriptions, projections & distribution

  • Lift event-subscription distribution into core; fix Polecat managed distribution (#​3136, closes #​3133)
  • Rebuild a registered projection with no live agent — Inline/Live/undistributed (#​3163)
  • Fix: SQL Server node-capabilities delimiter must be newline, not comma — Polecat managed-distribution startup crash (#​3164)

🐛 Other fixes

  • Fix circuit breaker (#​3132) and RabbitMQ post-#​3132 cleanup (#​3138)

Full Changelog: JasperFx/wolverine@V6.12.0...V6.13.0

6.12.0

What's Changed

Full Changelog: JasperFx/wolverine@V6.11.0...V6.12.0

6.11.0

The Polecat change was necessary for CritterWatch persistence with SQL Server. The inbox cleanup should help very busy Wolverine systems be a bit easier on databases.

What's Changed

Full Changelog: JasperFx/wolverine@V6.10.0...V6.11.0

6.10.0

New Polecat integration for ancillary store support within Wolverine that folks doing modular monoliths will want -- and we needed in CritterWatch post haste. Also new options for configuring Redis.

What's Changed

Description has been truncated

@dependabot dependabot Bot added .NET Pull requests that update .NET code dependencies Pull requests that update a dependency file labels Jun 30, 2026
@dependabot dependabot Bot requested a review from mkasperczyk90 as a code owner June 30, 2026 13:13
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file .NET Pull requests that update .NET code labels Jun 30, 2026
@dependabot dependabot Bot force-pushed the dependabot/nuget/dotnet-6ef2f09298 branch from 62aae11 to d135546 Compare July 1, 2026 19:04
Bumps Aspire.Hosting.PostgreSQL from 13.4.3 to 13.4.6
Bumps Aspire.Hosting.RabbitMQ from 13.4.3 to 13.4.6
Bumps Aspire.Npgsql.EntityFrameworkCore.PostgreSQL from 13.4.3 to 13.4.6
Bumps coverlet.collector from 6.0.2 to 10.0.1
Bumps Microsoft.Extensions.Http.Resilience from 10.6.0 to 10.7.0
Bumps Microsoft.NET.Test.Sdk from 18.6.0 to 18.7.0
Bumps OpenTelemetry.Exporter.OpenTelemetryProtocol from 1.15.3 to 1.16.0
Bumps OpenTelemetry.Extensions.Hosting from 1.15.3 to 1.16.0
Bumps WolverineFx from 6.9.0 to 6.16.0
Bumps WolverineFx.EntityFrameworkCore from 6.9.0 to 6.16.0
Bumps WolverineFx.Postgresql from 6.9.0 to 6.16.0
Bumps WolverineFx.RabbitMQ from 6.9.0 to 6.16.0

---
updated-dependencies:
- dependency-name: Aspire.Hosting.PostgreSQL
  dependency-version: 13.4.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dotnet
- dependency-name: Aspire.Hosting.RabbitMQ
  dependency-version: 13.4.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dotnet
- dependency-name: Aspire.Npgsql.EntityFrameworkCore.PostgreSQL
  dependency-version: 13.4.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dotnet
- dependency-name: coverlet.collector
  dependency-version: 10.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: dotnet
- dependency-name: Microsoft.Extensions.Http.Resilience
  dependency-version: 10.7.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dotnet
- dependency-name: Microsoft.NET.Test.Sdk
  dependency-version: 18.7.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dotnet
- dependency-name: OpenTelemetry.Exporter.OpenTelemetryProtocol
  dependency-version: 1.16.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dotnet
- dependency-name: OpenTelemetry.Extensions.Hosting
  dependency-version: 1.16.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dotnet
- dependency-name: WolverineFx
  dependency-version: 6.16.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dotnet
- dependency-name: WolverineFx.EntityFrameworkCore
  dependency-version: 6.16.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dotnet
- dependency-name: WolverineFx.Postgresql
  dependency-version: 6.16.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dotnet
- dependency-name: WolverineFx.RabbitMQ
  dependency-version: 6.16.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dotnet
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/nuget/dotnet-6ef2f09298 branch from d135546 to 949db7f Compare July 1, 2026 19:26
@mkasperczyk90 mkasperczyk90 changed the title Bump Aspire.Hosting.PostgreSQL and 11 others chore(deps): Bump Aspire.Hosting.PostgreSQL and 11 others Jul 1, 2026
@mkasperczyk90 mkasperczyk90 changed the title chore(deps): Bump Aspire.Hosting.PostgreSQL and 11 others chore(deps): bump Aspire.Hosting.PostgreSQL and 11 others Jul 1, 2026
@mkasperczyk90 mkasperczyk90 enabled auto-merge (squash) July 1, 2026 19:47
@mkasperczyk90 mkasperczyk90 merged commit 55fd011 into main Jul 1, 2026
23 checks passed
@mkasperczyk90 mkasperczyk90 deleted the dependabot/nuget/dotnet-6ef2f09298 branch July 1, 2026 19:50

Labels

dependencies Pull requests that update a dependency file .NET Pull requests that update .NET code
