Skip to content

Bump the nuget-all group with 5 updates#466

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/nuget/nuget-all-69da1c027d
Open

Bump the nuget-all group with 5 updates#466
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/nuget/nuget-all-69da1c027d

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 17, 2026

Copy link
Copy Markdown
Contributor

Updated Aspire.Hosting.AppHost from 13.4.3 to 13.4.5.

Release notes

Sourced from Aspire.Hosting.AppHost's releases.

13.4.5

What's New in Aspire 13.4.5

Patch release for Aspire 13.4 clearing a transitive MessagePack security advisory, tightening CLI validation for Playwright configuration, and adding coding-agent detection to CLI telemetry.

🐛 Fixes

  • 🛡️ Bumped StreamJsonRpc to 2.25.29 to clear the MessagePack GHSA-hv8m-jj95-wg3x (CVE-2026-48109) NU1903 advisory — The transitive MessagePack 2.5.192 dependency pulled in via StreamJsonRpc 2.22.23 fell within the advisory's vulnerable LZ4 decompression range. Aspire does not use MessagePackFormatter or LZ4 — all StreamJsonRpc calls use SystemTextJsonFormatter over local Unix sockets — so the vulnerability was not reachable in practice. The bump clears the NU1903 warning for consumers of the Aspire.Hosting package. (#​18204, @​mitchdenny)
  • 🎭 playwrightCliVersion values that are not valid SemVer 2.0 now fail fast with a clear diagnostic — Previously an invalid override (range expression, dist-tag like latest, or a v-prefixed string) would surface as a generic npm resolution failure. The value is now validated with strict SemVer parsing at startup; an error naming the configuration key and the offending value is emitted immediately. (#​18205, @​mitchdenny)
  • 🤖 CLI telemetry now detects and reports the calling coding agent — When the Aspire CLI is invoked from inside a known coding agent environment (GitHub Copilot CLI, VS Code Copilot agent, etc.) the agent name is included in the main CLI telemetry event. GitHub Copilot CLI is specifically identified as copilot-cli. (#​18240, @​damianedwards)

🏷️ Housekeeping

  • 📄 Refreshed the @​microsoft/aspire-cli npm package README to be TypeScript-only — updated examples to the current ts-starter template (apphost.mts / aspire.mjs), added a backing-services snippet showing aspire add for PostgreSQL and Redis, and documented aspire dashboard run as a standalone dashboard option. (#​18221, @​adamint)

Full Changelog: v13.4.4...v13.4.5

Full commit: 73114e86c64aeb9f3f3c7da8e37df1ae4281b27e

Generated by Generate release notes for a new stable Aspire release · ● 4.4M

13.4.4

What's New in Aspire 13.4.4

Patch release for Aspire 13.4 with improved DCP connection reliability during request execution and consistent ExcludeFromMcp() filtering across all CLI MCP tools.

🐛 Fixes

  • 🔌 DCP requests could fail permanently when the connection dropped mid-request — If the underlying DCP channel closed while a request was in flight, the error was surfaced directly instead of being retried. Reconnection is now attempted as part of the DCP request retry path so transient disconnections recover automatically without surfacing errors. (#​18096, @​karolz-ms)
  • 🔍 Resources marked with ExcludeFromMcp() were not consistently filtered from CLI MCP tools — Resources with the resource.excludeFromMcp property were not excluded uniformly from all CLI MCP tool results. list_resources, list_console_logs, execute_resource_command, list_structured_logs, list_traces, and list_trace_structured_logs all now honor the exclusion, preventing excluded resources and their telemetry from appearing in agent context. (#​18150, @​JamesNK)

🏷️ Housekeeping

  • 📦 Improved npm CLI package metadata and hardened npm publish validation in the release pipeline. (#​18093, @​adamratzman)

Full Changelog: v13.4.3...v13.4.4

Full commit: ccc566c5ab3285c9beb8f38ede34734bb477c029

Commits viewable in compare view.

Updated Markdig from 1.2.0 to 1.3.1.

Release notes

Sourced from Markdig's releases.

1.3.1

Changes

🐛 Bug Fixes

  • Fix LinkHelper non-ASCII urilize (#​942) (50061841)
  • Fix plus superscript parsing (#​791) (25506f20)

Full Changelog: 1.3.0...1.3.1

Published with dotnet-releaser

1.3.0

Changes

🐛 Bug Fixes

  • Fix CJK emphasis after HTML entity newlines (#​941) (fcbf8170)
  • Fix pipe table cells with unmatched subscript (#​932) (0f98267a)
  • Fix roundtrip autolink URLs (#​919) (b8364135)
  • Fix configurable nesting depth limit (#​892) (d7f13b03)
  • Fix NormalizeRenderer auto identifiers output (#​930) (9dffce52)
  • Fix blockquote ordered list parsing (#​887) (bc4e3990)

📚 Documentation

  • add InferColumnWidthsFromSeparator docs (PR #​939) by @​SimonCropp

🧰 Misc

  • Update readme with Alert extension details (PR #​940) by @​AndrewTriesToCode
  • Update AGENTS.md (5dca4149)

Full Changelog: 1.2.0...1.3.0

Published with dotnet-releaser

Commits viewable in compare view.

Updated OpenTelemetry.Exporter.OpenTelemetryProtocol from 1.15.3 to 1.16.0.

Release notes

Sourced from OpenTelemetry.Exporter.OpenTelemetryProtocol's releases.

1.16.0

For highlights and announcements pertaining to this release see: Release Notes > 1.16.0.

The following changes are from the previous release 1.16.0-rc.1.

... (truncated)

1.16.0-rc.1

The following changes are from the previous release 1.15.3.

  • NuGet: OpenTelemetry v1.16.0-rc.1

    • Stop validating View-provided metric stream Name against the instrument
      name syntax, per
      spec clarification.
      (#​7300)

    • Fix incorrect validation of OTEL_BSP_* and OTEL_BLRP_* environment
      variables.
      (#​7187)

    • Fix observable instrument callbacks running once per reader instead of
      once per collection cycle.
      (#​7188)

    • Added exception safety for user-supplied ExemplarReservoir implementations.
      Exceptions thrown from Offer are now caught and logged rather than propagating
      out of Counter.Add/Histogram.Record.
      (#​7277)

    • Update OpenTelemetrySdkEventSource to support the W3C randomness flag.
      (#​7301)

    • Added ObservedTimestamp property to LogRecord.
      (#​6979)

    • Breaking Change Explicit histogram boundaries no longer allow more than
      10 million values.
      (#​7165)

    • Fixed a circular reference which could cause a LoggerProvider to fail to
      resolve when one of its dependencies depends on ILogger or ILoggerFactory.
      As part of this fix the LoggerProvider resolved from dependency injection
      is now created lazily when the first logger is created rather than when
      ILoggerProvider or ILoggerFactory is resolved. A consequence is that any
      invalid configuration now surfaces when the first log record is written instead
      of when the logging services are resolved.
      (#​7308)

    See CHANGELOG for details.

  • NuGet: OpenTelemetry.Api v1.16.0-rc.1

    • Experimental (pre-release builds only):
      Add support for using environment variables as context propagation carriers.
      (#​7174)

    • Fix BaggagePropagator to correctly follow Key and Value Encoding rules as per
      ... (truncated)

1.16.0-beta.1

The following changes are from the previous release 1.15.3-beta.1.

  • NuGet: OpenTelemetry.Exporter.Prometheus.AspNetCore v1.16.0-beta.1

    • Fixed scrape response cache freshness using monotonic time so it is not
      affected by NTP system clock adjustments.
      (#​7253)

    • Breaking Change Removed DisableTimestamp property from
      PrometheusAspNetCoreOptions.
      (#​7176)

    • Fixed the serialization of NaN, PositiveInfinity, and NegativeInfinity
      values in Prometheus metrics to be compliant with the specification.
      (#​7179)

    • Fixed loss of precision when serializing double and float values in
      Prometheus metrics to be compliant with the specification by using 17
      significant digits to represent such values.
      (#​7179)

    • Fix non-ASCII characters in metric names and unit strings not being sanitized
      correctly during Prometheus serialization.
      (#​7184)

    • Fix case where reader tracking could be reset while readers were still active.
      (#​7190)

    • Improve Accept header handling for format negotiation so OpenMetrics is
      selected correctly by considering whitespace and q weights.
      (#​7208)

    • Emit OpenMetrics exemplars for counters and histogram buckets.
      (#​7222)

    • Fix incorrect handling of untyped metrics when using OpenMetrics format.
      (#​7219)

    • Fix Prometheus/OpenMetrics serialization to emit metric and label names
      containing _ instead of dropping them and prefixing leading digits.
      Invalid characters are replaced with _ instead of being dropped.
      (#​7209)

    • Add escaping=underscores to the Accept header handling for content
      negotiation so OpenMetrics are handled correctly.
      (#​7209)

    • Omit histogram _sum and _count in OpenMetrics when negative bucket
      thresholds are present.
      (#​7221)
      ... (truncated)

Commits viewable in compare view.

Updated OpenTelemetry.Extensions.Hosting from 1.15.3 to 1.16.0.

Release notes

Sourced from OpenTelemetry.Extensions.Hosting's releases.

1.16.0

For highlights and announcements pertaining to this release see: Release Notes > 1.16.0.

The following changes are from the previous release 1.16.0-rc.1.

... (truncated)

1.16.0-rc.1

The following changes are from the previous release 1.15.3.

  • NuGet: OpenTelemetry v1.16.0-rc.1

    • Stop validating View-provided metric stream Name against the instrument
      name syntax, per
      spec clarification.
      (#​7300)

    • Fix incorrect validation of OTEL_BSP_* and OTEL_BLRP_* environment
      variables.
      (#​7187)

    • Fix observable instrument callbacks running once per reader instead of
      once per collection cycle.
      (#​7188)

    • Added exception safety for user-supplied ExemplarReservoir implementations.
      Exceptions thrown from Offer are now caught and logged rather than propagating
      out of Counter.Add/Histogram.Record.
      (#​7277)

    • Update OpenTelemetrySdkEventSource to support the W3C randomness flag.
      (#​7301)

    • Added ObservedTimestamp property to LogRecord.
      (#​6979)

    • Breaking Change Explicit histogram boundaries no longer allow more than
      10 million values.
      (#​7165)

    • Fixed a circular reference which could cause a LoggerProvider to fail to
      resolve when one of its dependencies depends on ILogger or ILoggerFactory.
      As part of this fix the LoggerProvider resolved from dependency injection
      is now created lazily when the first logger is created rather than when
      ILoggerProvider or ILoggerFactory is resolved. A consequence is that any
      invalid configuration now surfaces when the first log record is written instead
      of when the logging services are resolved.
      (#​7308)

    See CHANGELOG for details.

  • NuGet: OpenTelemetry.Api v1.16.0-rc.1

    • Experimental (pre-release builds only):
      Add support for using environment variables as context propagation carriers.
      (#​7174)

    • Fix BaggagePropagator to correctly follow Key and Value Encoding rules as per
      ... (truncated)

1.16.0-beta.1

The following changes are from the previous release 1.15.3-beta.1.

  • NuGet: OpenTelemetry.Exporter.Prometheus.AspNetCore v1.16.0-beta.1

    • Fixed scrape response cache freshness using monotonic time so it is not
      affected by NTP system clock adjustments.
      (#​7253)

    • Breaking Change Removed DisableTimestamp property from
      PrometheusAspNetCoreOptions.
      (#​7176)

    • Fixed the serialization of NaN, PositiveInfinity, and NegativeInfinity
      values in Prometheus metrics to be compliant with the specification.
      (#​7179)

    • Fixed loss of precision when serializing double and float values in
      Prometheus metrics to be compliant with the specification by using 17
      significant digits to represent such values.
      (#​7179)

    • Fix non-ASCII characters in metric names and unit strings not being sanitized
      correctly during Prometheus serialization.
      (#​7184)

    • Fix case where reader tracking could be reset while readers were still active.
      (#​7190)

    • Improve Accept header handling for format negotiation so OpenMetrics is
      selected correctly by considering whitespace and q weights.
      (#​7208)

    • Emit OpenMetrics exemplars for counters and histogram buckets.
      (#​7222)

    • Fix incorrect handling of untyped metrics when using OpenMetrics format.
      (#​7219)

    • Fix Prometheus/OpenMetrics serialization to emit metric and label names
      containing _ instead of dropping them and prefixing leading digits.
      Invalid characters are replaced with _ instead of being dropped.
      (#​7209)

    • Add escaping=underscores to the Accept header handling for content
      negotiation so OpenMetrics are handled correctly.
      (#​7209)

    • Omit histogram _sum and _count in OpenMetrics when negative bucket
      thresholds are present.
      (#​7221)
      ... (truncated)

Commits viewable in compare view.

Updated Polly from 8.6.6 to 8.7.0.

Release notes

Sourced from Polly's releases.

8.7.0

Highlights

What's Changed

New Contributors

Full Changelog: App-vNext/Polly@8.6.6...8.7.0

Commits viewable in compare view.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

@dependabot
Bump the nuget-all group with 5 updates
2075210 
Bumps Aspire.Hosting.AppHost from 13.4.3 to 13.4.5
Bumps Markdig from 1.2.0 to 1.3.1
Bumps OpenTelemetry.Exporter.OpenTelemetryProtocol from 1.15.3 to 1.16.0
Bumps OpenTelemetry.Extensions.Hosting from 1.15.3 to 1.16.0
Bumps Polly from 8.6.6 to 8.7.0

---
updated-dependencies:
- dependency-name: Aspire.Hosting.AppHost
  dependency-version: 13.4.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: nuget-all
- dependency-name: Markdig
  dependency-version: 1.3.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: nuget-all
- dependency-name: OpenTelemetry.Exporter.OpenTelemetryProtocol
  dependency-version: 1.16.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: nuget-all
- dependency-name: OpenTelemetry.Extensions.Hosting
  dependency-version: 1.16.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: nuget-all
- dependency-name: Polly
  dependency-version: 8.7.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: nuget-all
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added .NET Pull requests that update .NET code dependencies Pull requests that update a dependency file labels Jun 17, 2026
@dependabot dependabot Bot requested review from rajbos and rvanmaanen as code owners June 17, 2026 09:58
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file .NET Pull requests that update .NET code labels Jun 17, 2026
@github-actions

github-actions Bot commented Jun 17, 2026

Copy link
Copy Markdown
Contributor

⏰ PR Preview Environment — Nightly Teardown

The preview environment was automatically torn down as part of the nightly cleanup (23:00 Brussels time).

To resume testing:

  • Push a new commit to this branch to automatically re-deploy (full CI + new images), or
  • Trigger the Redeploy PR Environment workflow manually to redeploy using the last-built image (no new commit needed).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rvanmaanen rvanmaanen Awaiting requested review from rvanmaanen rvanmaanen is a code owner

@rajbos rajbos Awaiting requested review from rajbos rajbos is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file .NET Pull requests that update .NET code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants