Bump the nuget-all group with 3 updates

[dependabot]

Updated Azure.Monitor.OpenTelemetry.AspNetCore from 1.4.0 to 1.5.0.

Release notes

Sourced from Azure.Monitor.OpenTelemetry.AspNetCore's releases.

1.5.0

1.5.0 (2026-04-30)

Features Added

• Add ability to specify EnableStandardMetrics and EnablePerformanceCounters
  (#​56438)

Breaking Changes

• Default Sampler Changed: The default sampling behavior has been changed from
  ApplicationInsightsSampler with 100% sampling (all traces sampled) to
  RateLimitedSampler with 5.0 traces per second. This change significantly
  reduces telemetry volume for high-traffic applications and provides better
  cost optimization out of the box.
  Impact: Applications with more than 5 requests per second will see fewer
  traces exported by default.
  Migration: To maintain the previous behavior (100% sampling), explicitly
  configure the sampler:

// Option 1: Set SamplingRatio and clear TracesPerSecond
builder.Services.AddOpenTelemetry()
    .UseAzureMonitor(options =>
    {
        options.SamplingRatio = 1.0f;
        options.TracesPerSecond = null;
    });
// Option 2: Use environment variables
// OTEL_TRACES_SAMPLER=microsoft.fixed_percentage
// OTEL_TRACES_SAMPLER_ARG=1.0

Bugs Fixed

• Fixed an issue where Azure Container Apps instances were showing VM instance GUIDs
  instead of replica names in the Role Instance field.
  (#​54586)

1.5.0-beta.1

1.5.0-beta.1 (2026-04-28)

Features Added

• Upgraded api-version tag from package-2024-05-01 to package-preview-2025-06. Tag detail available at https://github.com/Azure/azure-rest-api-specs/blob/main/specification/appconfiguration/resource-manager/readme.md.
• Added AzureFrontDoor property to AppConfigurationStoreData and AppConfigurationStorePatch to support Azure Front Door configuration for a configuration store.
• Added new model AppConfigurationAzureFrontDoorProperties with a ResourceId property representing an Azure Front Door profile resource ID.

1.4.2

1.4.2 (2026-04-28)

Other Changes

• Upgraded dependent Azure.Core to 1.54.0.
• Upgraded dependent Azure.ResourceManager to 1.14.0.

1.4.1

1.4.1 (2026-04-27)

Other Changes

• Upgraded dependent Azure.Core to 1.54.0.
• Upgraded dependent Azure.ResourceManager to 1.14.0.

Commits viewable in compare view.

Updated Microsoft.Identity.Web from 4.8.0 to 4.9.0.

Release notes

Sourced from Microsoft.Identity.Web's releases.

4.9.0

New features

• Sidecar: per-route override gating. New Sidecar:AllowOverrides configuration section provides explicit, per-route control over whether optionsOverride.* query-string parameters are honored. Authenticated routes default to allowing overrides (preserving existing behavior); unauthenticated routes default to rejecting them. optionsOverride.BaseUrl is unconditionally rejected on all routes as a hardening measure. See #​3794.

Bug fixes

• Fix AccountController.Challenge redirect URI validation to reject percent-encoded protocol-relative bypasses (%2F%2F, %5C%2F, etc.) that could be decoded by misconfigured reverse proxies. See #​3792.

Behavior changes

• DownstreamApi: reserved header filtering. Headers supplied via DownstreamApiOptions.ExtraHeaderParameters whose names match reserved HTTP headers (Authorization, Host, Content-Length, Proxy-Authorization, Sec-*, Proxy-*, etc.) or duplicate a header the library already set are now silently skipped. A warning-level log entry (ReservedHeaderIgnored / DuplicateHeaderIgnored) is emitted so operators can spot misconfigurations. No exception is thrown. See #​3793.

Dependencies updates

• Update Azure.Identity 1.11.4 → 1.17.2 and establish Microsoft.Extensions.* 8.0.x minimum on older TFMs. Azure.Identity 1.17.2 (sovereign-cloud fixes) pulls in Azure.Core 1.50.0, which introduces a transitive dependency on Microsoft.Extensions.DependencyInjection.Abstractions 8.0.2 on non-framework-coupled TFMs (net462, net472, netstandard2.0). This caused a CS0433 type collision with the previously-pinned Microsoft.Extensions.DependencyInjection 2.1.0. Rather than patch individual packages, the entire Microsoft.Extensions.* stack on these older TFMs has been bumped to 8.0.x, closing several 5-year version gaps and aligning with the net8.0 baseline. If your application targets net462, net472, or netstandard2.0, your resolved Microsoft.Extensions.* versions will increase (e.g., Extensions.Http 3.1.3 → 8.0.0, Extensions.DependencyInjection 2.1.0 → 8.0.0, Extensions.Caching.Memory 2.1.0/6.0.2 → 8.0.1). Applications already targeting net8.0+ are unaffected. See #​3787.
• Bump System.Text.Json 8.0.5 → 8.0.6 (CVE-2024-43485). See #​3787.
• Bump Microsoft.AspNetCore.DataProtection to 10.0.7 for CVE fix on net10.0. See #​3796.
• Bump OpenTelemetry.Exporter.OpenTelemetryProtocol 1.14.0 → 1.15.3. See #​3788.

Full Changelog: AzureAD/microsoft-identity-web@4.8.0...4.9.0

Commits viewable in compare view.

Updated Microsoft.Identity.Web.UI from 4.8.0 to 4.9.0.

Release notes

Sourced from Microsoft.Identity.Web.UI's releases.

4.9.0

New features

• Sidecar: per-route override gating. New Sidecar:AllowOverrides configuration section provides explicit, per-route control over whether optionsOverride.* query-string parameters are honored. Authenticated routes default to allowing overrides (preserving existing behavior); unauthenticated routes default to rejecting them. optionsOverride.BaseUrl is unconditionally rejected on all routes as a hardening measure. See #​3794.

Bug fixes

• Fix AccountController.Challenge redirect URI validation to reject percent-encoded protocol-relative bypasses (%2F%2F, %5C%2F, etc.) that could be decoded by misconfigured reverse proxies. See #​3792.

Behavior changes

• DownstreamApi: reserved header filtering. Headers supplied via DownstreamApiOptions.ExtraHeaderParameters whose names match reserved HTTP headers (Authorization, Host, Content-Length, Proxy-Authorization, Sec-*, Proxy-*, etc.) or duplicate a header the library already set are now silently skipped. A warning-level log entry (ReservedHeaderIgnored / DuplicateHeaderIgnored) is emitted so operators can spot misconfigurations. No exception is thrown. See #​3793.

Dependencies updates

• Update Azure.Identity 1.11.4 → 1.17.2 and establish Microsoft.Extensions.* 8.0.x minimum on older TFMs. Azure.Identity 1.17.2 (sovereign-cloud fixes) pulls in Azure.Core 1.50.0, which introduces a transitive dependency on Microsoft.Extensions.DependencyInjection.Abstractions 8.0.2 on non-framework-coupled TFMs (net462, net472, netstandard2.0). This caused a CS0433 type collision with the previously-pinned Microsoft.Extensions.DependencyInjection 2.1.0. Rather than patch individual packages, the entire Microsoft.Extensions.* stack on these older TFMs has been bumped to 8.0.x, closing several 5-year version gaps and aligning with the net8.0 baseline. If your application targets net462, net472, or netstandard2.0, your resolved Microsoft.Extensions.* versions will increase (e.g., Extensions.Http 3.1.3 → 8.0.0, Extensions.DependencyInjection 2.1.0 → 8.0.0, Extensions.Caching.Memory 2.1.0/6.0.2 → 8.0.1). Applications already targeting net8.0+ are unaffected. See #​3787.
• Bump System.Text.Json 8.0.5 → 8.0.6 (CVE-2024-43485). See #​3787.
• Bump Microsoft.AspNetCore.DataProtection to 10.0.7 for CVE fix on net10.0. See #​3796.
• Bump OpenTelemetry.Exporter.OpenTelemetryProtocol 1.14.0 → 1.15.3. See #​3788.

Full Changelog: AzureAD/microsoft-identity-web@4.8.0...4.9.0

Commits viewable in compare view.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[github-actions]

⏰ PR Preview Environment — Nightly Teardown

The preview environment was automatically torn down as part of the nightly cleanup (23:00 Brussels time).

To resume testing:

• Push a new commit to this branch to automatically re-deploy (full CI + new images), or
• Trigger the Redeploy PR Environment workflow manually to redeploy using the last-built image (no new commit needed).