Skip to content

Bump Microsoft.Identity.Web and Microsoft.Identity.Web.UI#1584

Merged
berviantoleo merged 1 commit into
mainfrom
dependabot/nuget/SimplePasswordManagerService/multi-e9b2dc1c11
May 17, 2026
Merged

Bump Microsoft.Identity.Web and Microsoft.Identity.Web.UI#1584
berviantoleo merged 1 commit into
mainfrom
dependabot/nuget/SimplePasswordManagerService/multi-e9b2dc1c11

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github May 2, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Updated Microsoft.Identity.Web from 4.7.0 to 4.9.0.

Release notes

Sourced from Microsoft.Identity.Web's releases.

4.9.0

New features

  • Sidecar: per-route override gating. New Sidecar:AllowOverrides configuration section provides explicit, per-route control over whether optionsOverride.* query-string parameters are honored. Authenticated routes default to allowing overrides (preserving existing behavior); unauthenticated routes default to rejecting them. optionsOverride.BaseUrl is unconditionally rejected on all routes as a hardening measure. See #​3794.

Bug fixes

  • Fix AccountController.Challenge redirect URI validation to reject percent-encoded protocol-relative bypasses (%2F%2F, %5C%2F, etc.) that could be decoded by misconfigured reverse proxies. See #​3792.

Behavior changes

  • DownstreamApi: reserved header filtering. Headers supplied via DownstreamApiOptions.ExtraHeaderParameters whose names match reserved HTTP headers (Authorization, Host, Content-Length, Proxy-Authorization, Sec-*, Proxy-*, etc.) or duplicate a header the library already set are now silently skipped. A warning-level log entry (ReservedHeaderIgnored / DuplicateHeaderIgnored) is emitted so operators can spot misconfigurations. No exception is thrown. See #​3793.

Dependencies updates

  • Update Azure.Identity 1.11.4 → 1.17.2 and establish Microsoft.Extensions.* 8.0.x minimum on older TFMs. Azure.Identity 1.17.2 (sovereign-cloud fixes) pulls in Azure.Core 1.50.0, which introduces a transitive dependency on Microsoft.Extensions.DependencyInjection.Abstractions 8.0.2 on non-framework-coupled TFMs (net462, net472, netstandard2.0). This caused a CS0433 type collision with the previously-pinned Microsoft.Extensions.DependencyInjection 2.1.0. Rather than patch individual packages, the entire Microsoft.Extensions.* stack on these older TFMs has been bumped to 8.0.x, closing several 5-year version gaps and aligning with the net8.0 baseline. If your application targets net462, net472, or netstandard2.0, your resolved Microsoft.Extensions.* versions will increase (e.g., Extensions.Http 3.1.3 → 8.0.0, Extensions.DependencyInjection 2.1.0 → 8.0.0, Extensions.Caching.Memory 2.1.0/6.0.2 → 8.0.1). Applications already targeting net8.0+ are unaffected. See #​3787.
  • Bump System.Text.Json 8.0.5 → 8.0.6 (CVE-2024-43485). See #​3787.
  • Bump Microsoft.AspNetCore.DataProtection to 10.0.7 for CVE fix on net10.0. See #​3796.
  • Bump OpenTelemetry.Exporter.OpenTelemetryProtocol 1.14.0 → 1.15.3. See #​3788.

Full Changelog: AzureAD/microsoft-identity-web@4.8.0...4.9.0

4.8.0

What's Changed

New Contributors

Full Changelog: AzureAD/microsoft-identity-web@4.6.0...4.8.0

Commits viewable in compare view.

Updated Microsoft.Identity.Web.UI from 4.7.0 to 4.9.0.

Release notes

Sourced from Microsoft.Identity.Web.UI's releases.

4.9.0

New features

  • Sidecar: per-route override gating. New Sidecar:AllowOverrides configuration section provides explicit, per-route control over whether optionsOverride.* query-string parameters are honored. Authenticated routes default to allowing overrides (preserving existing behavior); unauthenticated routes default to rejecting them. optionsOverride.BaseUrl is unconditionally rejected on all routes as a hardening measure. See #​3794.

Bug fixes

  • Fix AccountController.Challenge redirect URI validation to reject percent-encoded protocol-relative bypasses (%2F%2F, %5C%2F, etc.) that could be decoded by misconfigured reverse proxies. See #​3792.

Behavior changes

  • DownstreamApi: reserved header filtering. Headers supplied via DownstreamApiOptions.ExtraHeaderParameters whose names match reserved HTTP headers (Authorization, Host, Content-Length, Proxy-Authorization, Sec-*, Proxy-*, etc.) or duplicate a header the library already set are now silently skipped. A warning-level log entry (ReservedHeaderIgnored / DuplicateHeaderIgnored) is emitted so operators can spot misconfigurations. No exception is thrown. See #​3793.

Dependencies updates

  • Update Azure.Identity 1.11.4 → 1.17.2 and establish Microsoft.Extensions.* 8.0.x minimum on older TFMs. Azure.Identity 1.17.2 (sovereign-cloud fixes) pulls in Azure.Core 1.50.0, which introduces a transitive dependency on Microsoft.Extensions.DependencyInjection.Abstractions 8.0.2 on non-framework-coupled TFMs (net462, net472, netstandard2.0). This caused a CS0433 type collision with the previously-pinned Microsoft.Extensions.DependencyInjection 2.1.0. Rather than patch individual packages, the entire Microsoft.Extensions.* stack on these older TFMs has been bumped to 8.0.x, closing several 5-year version gaps and aligning with the net8.0 baseline. If your application targets net462, net472, or netstandard2.0, your resolved Microsoft.Extensions.* versions will increase (e.g., Extensions.Http 3.1.3 → 8.0.0, Extensions.DependencyInjection 2.1.0 → 8.0.0, Extensions.Caching.Memory 2.1.0/6.0.2 → 8.0.1). Applications already targeting net8.0+ are unaffected. See #​3787.
  • Bump System.Text.Json 8.0.5 → 8.0.6 (CVE-2024-43485). See #​3787.
  • Bump Microsoft.AspNetCore.DataProtection to 10.0.7 for CVE fix on net10.0. See #​3796.
  • Bump OpenTelemetry.Exporter.OpenTelemetryProtocol 1.14.0 → 1.15.3. See #​3788.

Full Changelog: AzureAD/microsoft-identity-web@4.8.0...4.9.0

4.8.0

What's Changed

New Contributors

Full Changelog: AzureAD/microsoft-identity-web@4.6.0...4.8.0

Commits viewable in compare view.

@dependabot dependabot Bot added .NET Pull requests that update .net code dependencies Pull requests that update a dependency file labels May 2, 2026
This was referenced May 2, 2026
Closed
Closed
@dependabot
Bump Microsoft.Identity.Web and Microsoft.Identity.Web.UI
7e2afbd 
Bumps Microsoft.Identity.Web from 4.7.0 to 4.9.0
Bumps Microsoft.Identity.Web.UI from 4.7.0 to 4.9.0

---
updated-dependencies:
- dependency-name: Microsoft.Identity.Web
  dependency-version: 4.9.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
- dependency-name: Microsoft.Identity.Web.UI
  dependency-version: 4.9.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/nuget/SimplePasswordManagerService/multi-e9b2dc1c11 branch from 9bbe5fe to 7e2afbd Compare May 17, 2026 23:21
@sonarqubecloud

sonarqubecloud Bot commented May 17, 2026

Copy link
Copy Markdown

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@berviantoleo berviantoleo merged commit 74a6c21 into main May 17, 2026
9 of 12 checks passed
@dependabot dependabot Bot deleted the dependabot/nuget/SimplePasswordManagerService/multi-e9b2dc1c11 branch May 17, 2026 23:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@berviantoleo berviantoleo

Labels

dependencies Pull requests that update a dependency file .NET Pull requests that update .net code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@berviantoleo