chore(deps): Bump System.IdentityModel.Tokens.Jwt from 8.18.0 to 8.19.1

[dependabot]

Updated System.IdentityModel.Tokens.Jwt from 8.18.0 to 8.19.1.

Release notes

Sourced from System.IdentityModel.Tokens.Jwt's releases.

8.19.1

Bug Fixes

• Update JwtSecurityTokenHandler for IssuerSigningKeyResolverUsingConfiguration to take priority over IssuerSigningKeyResolver, matching the documented contract and the correct behavior already present in JsonWebTokenHandler. See PR #​3519.

8.19.0

New Features

• Add ML-DSA (FIPS 204) post-quantum signature support. See PR #​3479.
• Cache custom crypto providers in CryptoProviderFactory. See PR #​3489.

Bug Fixes

• Disable automatic redirects on default HttpClient for JKU retrieval. See PR #​3494.
• Adjust rented buffer handling in claim set parsing. See PR #​3493.
• Tidy null handling in SAML conditions validation. See PR #​3491.
• Improve validation of jku claim. See PR #​3481.
• Limit telemetry algorithm dimension cardinality. See PR #​3490.
• Add defensive copy of collections in ValidationParameters. See PR #​3492.
• Update TokenValidationParameter copy constructor to make a deep copy. See PR #​3488.
• Update to fail-closed when replay protection isn't configured and other DPoP hardening. See PR #​3505.
• Apply RFC 3986 section 6.2.2 normalization to DPoP htu comparison. See PR #​3509.

Commits viewable in compare view.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[github-actions]

WOPI Validator results

Status	Count
✅ Pass	94
❌ Fail	3
⏭️ Skipped	122

Validator: WopiValidator 2.0.5 (from nuget.org)
Test category: All

📋 Full report and wopi-validator-output artifact ↗

[github-actions]

API Compatibility Report

Compared this PR's packed assemblies against the latest stable release on NuGet.org for each library. This check is informational only — intentional breaks at major version bumps are expected.

⚠️ WopiHost.Abstractions vs 8.0.0

API differences found — click to expand

PKV006: Target framework net8.0 is no longer supported in the latest version.
PKV006: Target framework net8.0 is no longer supported in the latest version.
PKV006: Target framework net9.0 is no longer supported in the latest version.
PKV006: Target framework net9.0 is no longer supported in the latest version.
API compatibility errors between 'lib/net10.0/WopiHost.Abstractions.dll' (./artifacts/baseline/WopiHost.Abstractions.8.0.0.nupkg) and 'lib/net10.0/WopiHost.Abstractions.dll' (./artifacts/new/WopiHost.Abstractions.99.99.99.nupkg):
CP0002: Member 'System.Threading.Tasks.Task<WopiHost.Abstractions.WopiCheckContainerInfo> WopiHost.Abstractions.ICheckContainerInfoBuilder.BuildAsync(WopiHost.Abstractions.IWopiContainer, Microsoft.AspNetCore.Http.HttpContext, System.Threading.CancellationToken)' exists on [Baseline] lib/net10.0/WopiHost.Abstractions.dll but not on lib/net10.0/WopiHost.Abstractions.dll
CP0006: Cannot add interface member 'System.Threading.Tasks.Task<WopiHost.Abstractions.WopiCheckContainerInfo> WopiHost.Abstractions.ICheckContainerInfoBuilder.BuildAsync(WopiHost.Abstractions.IWopiContainer, System.Security.Claims.ClaimsPrincipal, System.Threading.CancellationToken)' to lib/net10.0/WopiHost.Abstractions.dll because it does not exist on [Baseline] lib/net10.0/WopiHost.Abstractions.dll
CP0002: Member 'System.Threading.Tasks.Task<WopiHost.Abstractions.WopiCheckFileInfo> WopiHost.Abstractions.ICheckFileInfoBuilder.BuildAsync(WopiHost.Abstractions.IWopiFile, Microsoft.AspNetCore.Http.HttpContext, WopiHost.Abstractions.WopiHostCapabilities?, string?, System.Threading.CancellationToken)' exists on [Baseline] lib/net10.0/WopiHost.Abstractions.dll but not on lib/net10.0/WopiHost.Abstractions.dll
CP0006: Cannot add interface member 'System.Threading.Tasks.Task<WopiHost.Abstractions.WopiCheckFileInfo> WopiHost.Abstractions.ICheckFileInfoBuilder.BuildAsync(WopiHost.Abstractions.IWopiFile, WopiHost.Abstractions.WopiRequestInfo, WopiHost.Abstractions.WopiHostCapabilities?, string?, System.Threading.CancellationToken)' to lib/net10.0/WopiHost.Abstractions.dll because it does not exist on [Baseline] lib/net10.0/WopiHost.Abstractions.dll
CP0002: Member 'WopiHost.Abstractions.WopiCheckFolderInfo WopiHost.Abstractions.ICheckFolderInfoBuilder.Build(WopiHost.Abstractions.IWopiContainer, Microsoft.AspNetCore.Http.HttpContext)' exists on [Baseline] lib/net10.0/WopiHost.Abstractions.dll but not on lib/net10.0/WopiHost.Abstractions.dll
CP0006: Cannot add interface member 'WopiHost.Abstractions.WopiCheckFolderInfo WopiHost.Abstractions.ICheckFolderInfoBuilder.Build(WopiHost.Abstractions.IWopiContainer, System.Security.Claims.ClaimsPrincipal)' to lib/net10.0/WopiHost.Abstractions.dll because it does not exist on [Baseline] lib/net10.0/WopiHost.Abstractions.dll
CP0002: Member 'System.Threading.Tasks.Task<bool> WopiHost.Abstractions.IWopiProofValidator.ValidateProofAsync(Microsoft.AspNetCore.Http.HttpContext, string)' exists on [Baseline] lib/net10.0/WopiHost.Abstractions.dll but not on lib/net10.0/WopiHost.Abstractions.dll
CP0006: Cannot add interface member 'System.Threading.Tasks.Task<bool> WopiHost.Abstractions.IWopiProofValidator.ValidateProofAsync(WopiHost.Abstractions.WopiRequestInfo, string)' to lib/net10.0/WopiHost.Abstractions.dll because it does not exist on [Baseline] lib/net10.0/WopiHost.Abstractions.dll
CP0002: Member 'WopiHost.Abstractions.WopiNewChildFileRequest.WopiNewChildFileRequest(string, string?, string?, bool, string)' exists on [Baseline] lib/net10.0/WopiHost.Abstractions.dll but not on lib/net10.0/WopiHost.Abstractions.dll
CP0002: Member 'void WopiHost.Abstractions.WopiNewChildFileRequest.Deconstruct(out string, out string?, out string?, out bool, out string)' exists on [Baseline] lib/net10.0/WopiHost.Abstractions.dll but not on lib/net10.0/WopiHost.Abstractions.dll
CP0002: Member 'WopiHost.Abstractions.WopiNewChildFileResult WopiHost.Abstractions.WopiNewChildFileResult.BadRequest()' exists on [Baseline] lib/net10.0/WopiHost.Abstractions.dll but not on lib/net10.0/WopiHost.Abstractions.dll
API breaking changes found. If those are intentional, the APICompat suppression file can be updated by specifying the '--generate-suppression-file' parameter.

⚠️ WopiHost.Core vs 8.0.0

API differences found — click to expand

PKV006: Target framework net8.0 is no longer supported in the latest version.
PKV006: Target framework net8.0 is no longer supported in the latest version.
PKV006: Target framework net9.0 is no longer supported in the latest version.
PKV006: Target framework net9.0 is no longer supported in the latest version.
API compatibility errors between 'lib/net10.0/WopiHost.Core.dll' (./artifacts/baseline/WopiHost.Core.8.0.0.nupkg) and 'lib/net10.0/WopiHost.Core.dll' (./artifacts/new/WopiHost.Core.99.99.99.nupkg):
CP0001: Type 'WopiHost.Core.Controllers.ContainersController' exists on [Baseline] lib/net10.0/WopiHost.Core.dll but not on lib/net10.0/WopiHost.Core.dll
CP0001: Type 'WopiHost.Core.Controllers.EcosystemController' exists on [Baseline] lib/net10.0/WopiHost.Core.dll but not on lib/net10.0/WopiHost.Core.dll
CP0001: Type 'WopiHost.Core.Controllers.FilesController' exists on [Baseline] lib/net10.0/WopiHost.Core.dll but not on lib/net10.0/WopiHost.Core.dll
CP0001: Type 'WopiHost.Core.Controllers.FoldersController' exists on [Baseline] lib/net10.0/WopiHost.Core.dll but not on lib/net10.0/WopiHost.Core.dll
CP0001: Type 'WopiHost.Core.Controllers.WopiBootstrapperController' exists on [Baseline] lib/net10.0/WopiHost.Core.dll but not on lib/net10.0/WopiHost.Core.dll
CP0002: Member 'System.Threading.Tasks.Task<WopiHost.Abstractions.WopiCheckContainerInfo> WopiHost.Core.Infrastructure.DefaultCheckContainerInfoBuilder.BuildAsync(WopiHost.Abstractions.IWopiContainer, Microsoft.AspNetCore.Http.HttpContext, System.Threading.CancellationToken)' exists on [Baseline] lib/net10.0/WopiHost.Core.dll but not on lib/net10.0/WopiHost.Core.dll
CP0002: Member 'System.Threading.Tasks.Task<WopiHost.Abstractions.WopiCheckFileInfo> WopiHost.Core.Infrastructure.DefaultCheckFileInfoBuilder.BuildAsync(WopiHost.Abstractions.IWopiFile, Microsoft.AspNetCore.Http.HttpContext, WopiHost.Abstractions.WopiHostCapabilities?, string?, System.Threading.CancellationToken)' exists on [Baseline] lib/net10.0/WopiHost.Core.dll but not on lib/net10.0/WopiHost.Core.dll
CP0002: Member 'WopiHost.Abstractions.WopiCheckFolderInfo WopiHost.Core.Infrastructure.DefaultCheckFolderInfoBuilder.Build(WopiHost.Abstractions.IWopiContainer, Microsoft.AspNetCore.Http.HttpContext)' exists on [Baseline] lib/net10.0/WopiHost.Core.dll but not on lib/net10.0/WopiHost.Core.dll
CP0002: Member 'WopiHost.Core.Infrastructure.DefaultWopiNewChildFileNegotiator.DefaultWopiNewChildFileNegotiator(WopiHost.Abstractions.IWopiStorageProvider, WopiHost.Abstractions.IWopiWritableStorageProvider, WopiHost.Abstractions.IWopiLockProvider?)' exists on [Baseline] lib/net10.0/WopiHost.Core.dll but not on lib/net10.0/WopiHost.Core.dll
CP0001: Type 'WopiHost.Core.Infrastructure.FromStringBodyAttribute' exists on [Baseline] lib/net10.0/WopiHost.Core.dll but not on lib/net10.0/WopiHost.Core.dll
CP0001: Type 'WopiHost.Core.Infrastructure.FromStringBodyModelBinder' exists on [Baseline] lib/net10.0/WopiHost.Core.dll but not on lib/net10.0/WopiHost.Core.dll
CP0001: Type 'WopiHost.Core.Infrastructure.HttpHeaderAttribute' exists on [Baseline] lib/net10.0/WopiHost.Core.dll but not on lib/net10.0/WopiHost.Core.dll
CP0001: Type 'WopiHost.Core.Infrastructure.RequiresWritableStorageAttribute' exists on [Baseline] lib/net10.0/WopiHost.Core.dll but not on lib/net10.0/WopiHost.Core.dll
CP0001: Type 'WopiHost.Core.Infrastructure.WopiOverrideHeaderAttribute' exists on [Baseline] lib/net10.0/WopiHost.Core.dll but not on lib/net10.0/WopiHost.Core.dll
CP0001: Type 'WopiHost.Core.Infrastructure.WopiTelemetryActionFilter' exists on [Baseline] lib/net10.0/WopiHost.Core.dll but not on lib/net10.0/WopiHost.Core.dll
CP0001: Type 'WopiHost.Core.Results.FileResult' exists on [Baseline] lib/net10.0/WopiHost.Core.dll but not on lib/net10.0/WopiHost.Core.dll
CP0001: Type 'WopiHost.Core.Results.InternalServerErrorResult' exists on [Baseline] lib/net10.0/WopiHost.Core.dll but not on lib/net10.0/WopiHost.Core.dll
CP0001: Type 'WopiHost.Core.Results.InvalidContainerNameResult' exists on [Baseline] lib/net10.0/WopiHost.Core.dll but not on lib/net10.0/WopiHost.Core.dll
CP0001: Type 'WopiHost.Core.Results.JsonResult<T>' exists on [Baseline] lib/net10.0/WopiHost.Core.dll but not on lib/net10.0/WopiHost.Core.dll
CP0001: Type 'WopiHost.Core.Results.LockMismatchResult' exists on [Baseline] lib/net10.0/WopiHost.Core.dll but not on lib/net10.0/WopiHost.Core.dll
CP0001: Type 'WopiHost.Core.Results.NotImplementedResult' exists on [Baseline] lib/net10.0/WopiHost.Core.dll but not on lib/net10.0/WopiHost.Core.dll
CP0001: Type 'WopiHost.Core.Results.PreconditionFailedResult' exists on [Baseline] lib/net10.0/WopiHost.Core.dll but not on lib/net10.0/WopiHost.Core.dll
CP0001: Type 'WopiHost.Core.Security.Authentication.WopiOriginValidationActionFilter' exists on [Baseline] lib/net10.0/WopiHost.Core.dll but not on lib/net10.0/WopiHost.Core.dll
CP0002: Member 'System.Threading.Tasks.Task<bool> WopiHost.Core.Security.Authentication.WopiProofValidator.ValidateProofAsync(Microsoft.AspNetCore.Http.HttpContext, string)' exists on [Baseline] lib/net10.0/WopiHost.Core.dll but not on lib/net10.0/WopiHost.Core.dll
API breaking changes found. If those are intentional, the APICompat suppression file can be updated by specifying the '--generate-suppression-file' parameter.

⚠️ WopiHost.Discovery vs 8.0.0

API differences found — click to expand

PKV006: Target framework net8.0 is no longer supported in the latest version.
PKV006: Target framework net8.0 is no longer supported in the latest version.
PKV006: Target framework net9.0 is no longer supported in the latest version.
PKV006: Target framework net9.0 is no longer supported in the latest version.
API breaking changes found. If those are intentional, the APICompat suppression file can be updated by specifying the '--generate-suppression-file' parameter.

⚠️ WopiHost.Url vs 8.0.0

API differences found — click to expand

PKV006: Target framework net8.0 is no longer supported in the latest version.
PKV006: Target framework net8.0 is no longer supported in the latest version.
PKV006: Target framework net9.0 is no longer supported in the latest version.
PKV006: Target framework net9.0 is no longer supported in the latest version.
API breaking changes found. If those are intentional, the APICompat suppression file can be updated by specifying the '--generate-suppression-file' parameter.

⚠️ WopiHost.FileSystemProvider vs 8.0.0

API differences found — click to expand

PKV006: Target framework net8.0 is no longer supported in the latest version.
PKV006: Target framework net8.0 is no longer supported in the latest version.
PKV006: Target framework net9.0 is no longer supported in the latest version.
PKV006: Target framework net9.0 is no longer supported in the latest version.
API breaking changes found. If those are intentional, the APICompat suppression file can be updated by specifying the '--generate-suppression-file' parameter.

⚠️ WopiHost.MemoryLockProvider vs 8.0.0

API differences found — click to expand

PKV006: Target framework net8.0 is no longer supported in the latest version.
PKV006: Target framework net8.0 is no longer supported in the latest version.
PKV006: Target framework net9.0 is no longer supported in the latest version.
PKV006: Target framework net9.0 is no longer supported in the latest version.
API breaking changes found. If those are intentional, the APICompat suppression file can be updated by specifying the '--generate-suppression-file' parameter.

⚠️ WopiHost.AzureStorageProvider vs 8.0.0

API differences found — click to expand

PKV006: Target framework net8.0 is no longer supported in the latest version.
PKV006: Target framework net8.0 is no longer supported in the latest version.
PKV006: Target framework net9.0 is no longer supported in the latest version.
PKV006: Target framework net9.0 is no longer supported in the latest version.
API breaking changes found. If those are intentional, the APICompat suppression file can be updated by specifying the '--generate-suppression-file' parameter.

⚠️ WopiHost.AzureLockProvider vs 8.0.0

API differences found — click to expand

PKV006: Target framework net8.0 is no longer supported in the latest version.
PKV006: Target framework net8.0 is no longer supported in the latest version.
PKV006: Target framework net9.0 is no longer supported in the latest version.
PKV006: Target framework net9.0 is no longer supported in the latest version.
API breaking changes found. If those are intentional, the APICompat suppression file can be updated by specifying the '--generate-suppression-file' parameter.

---

Diagnostic IDs starting with CP are assembly-level diffs; PKV are package-shape diffs. See the ApiCompat docs for details.

[qltysh]

Coverage Impact

This PR will not change total coverage.

🚦 See full report on Qlty Cloud »

🛟 Help

• Diff Coverage: Coverage for added or modified lines of code (excludes deleted files). Learn more.

• Total Coverage: Coverage for the whole repository, calculated as the sum of all File Coverage. Learn more.

• File Coverage: Covered Lines divided by Covered Lines plus Missed Lines. (Excludes non-executable lines including blank lines and comments.)

  • Indirect Changes: Changes to File Coverage for files that were not modified in this PR. Learn more.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 93.05%. Comparing base (3bd6743) to head (20bbcf0).
⚠️ Report is 10 commits behind head on master.

Additional details and impacted files

@@           Coverage Diff           @@
##           master     #505   +/-   ##
=======================================
  Coverage   93.05%   93.05%           
=======================================
  Files         116      116           
  Lines        4582     4582           
  Branches      563      563           
=======================================
  Hits         4264     4264           
  Misses        161      161           
  Partials      157      157           

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.