Skip to content

Bump the dotnet-deps group with 10 updates#60

Merged
MiguelGuedelha merged 1 commit into
masterfrom
dependabot/nuget/project-templates/content/umbraco-headless-bff/UmbracoHeadlessBFF.Aspire/dotnet-deps-cfb9dbc134
Jun 20, 2026
Merged

Bump the dotnet-deps group with 10 updates#60
MiguelGuedelha merged 1 commit into
masterfrom
dependabot/nuget/project-templates/content/umbraco-headless-bff/UmbracoHeadlessBFF.Aspire/dotnet-deps-cfb9dbc134

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 19, 2026

Copy link
Copy Markdown
Contributor

Updated Aspire.Hosting.Azure.Storage from 13.4.3 to 13.4.5.

Release notes

Sourced from Aspire.Hosting.Azure.Storage's releases.

13.4.5

What's New in Aspire 13.4.5

Patch release for Aspire 13.4 clearing a transitive MessagePack security advisory, tightening CLI validation for Playwright configuration, and adding coding-agent detection to CLI telemetry.

🐛 Fixes

  • 🛡️ Bumped StreamJsonRpc to 2.25.29 to clear the MessagePack GHSA-hv8m-jj95-wg3x (CVE-2026-48109) NU1903 advisory — The transitive MessagePack 2.5.192 dependency pulled in via StreamJsonRpc 2.22.23 fell within the advisory's vulnerable LZ4 decompression range. Aspire does not use MessagePackFormatter or LZ4 — all StreamJsonRpc calls use SystemTextJsonFormatter over local Unix sockets — so the vulnerability was not reachable in practice. The bump clears the NU1903 warning for consumers of the Aspire.Hosting package. (#​18204, @​mitchdenny)
  • 🎭 playwrightCliVersion values that are not valid SemVer 2.0 now fail fast with a clear diagnostic — Previously an invalid override (range expression, dist-tag like latest, or a v-prefixed string) would surface as a generic npm resolution failure. The value is now validated with strict SemVer parsing at startup; an error naming the configuration key and the offending value is emitted immediately. (#​18205, @​mitchdenny)
  • 🤖 CLI telemetry now detects and reports the calling coding agent — When the Aspire CLI is invoked from inside a known coding agent environment (GitHub Copilot CLI, VS Code Copilot agent, etc.) the agent name is included in the main CLI telemetry event. GitHub Copilot CLI is specifically identified as copilot-cli. (#​18240, @​damianedwards)

🏷️ Housekeeping

  • 📄 Refreshed the @​microsoft/aspire-cli npm package README to be TypeScript-only — updated examples to the current ts-starter template (apphost.mts / aspire.mjs), added a backing-services snippet showing aspire add for PostgreSQL and Redis, and documented aspire dashboard run as a standalone dashboard option. (#​18221, @​adamint)

Full Changelog: v13.4.4...v13.4.5

Full commit: 73114e86c64aeb9f3f3c7da8e37df1ae4281b27e

Generated by Generate release notes for a new stable Aspire release · ● 4.4M

13.4.4

What's New in Aspire 13.4.4

Patch release for Aspire 13.4 with improved DCP connection reliability during request execution and consistent ExcludeFromMcp() filtering across all CLI MCP tools.

🐛 Fixes

  • 🔌 DCP requests could fail permanently when the connection dropped mid-request — If the underlying DCP channel closed while a request was in flight, the error was surfaced directly instead of being retried. Reconnection is now attempted as part of the DCP request retry path so transient disconnections recover automatically without surfacing errors. (#​18096, @​karolz-ms)
  • 🔍 Resources marked with ExcludeFromMcp() were not consistently filtered from CLI MCP tools — Resources with the resource.excludeFromMcp property were not excluded uniformly from all CLI MCP tool results. list_resources, list_console_logs, execute_resource_command, list_structured_logs, list_traces, and list_trace_structured_logs all now honor the exclusion, preventing excluded resources and their telemetry from appearing in agent context. (#​18150, @​JamesNK)

🏷️ Housekeeping

  • 📦 Improved npm CLI package metadata and hardened npm publish validation in the release pipeline. (#​18093, @​adamratzman)

Full Changelog: v13.4.3...v13.4.4

Full commit: ccc566c5ab3285c9beb8f38ede34734bb477c029

Commits viewable in compare view.

Updated Aspire.Hosting.Redis from 13.4.3 to 13.4.5.

Release notes

Sourced from Aspire.Hosting.Redis's releases.

13.4.5

What's New in Aspire 13.4.5

Patch release for Aspire 13.4 clearing a transitive MessagePack security advisory, tightening CLI validation for Playwright configuration, and adding coding-agent detection to CLI telemetry.

🐛 Fixes

  • 🛡️ Bumped StreamJsonRpc to 2.25.29 to clear the MessagePack GHSA-hv8m-jj95-wg3x (CVE-2026-48109) NU1903 advisory — The transitive MessagePack 2.5.192 dependency pulled in via StreamJsonRpc 2.22.23 fell within the advisory's vulnerable LZ4 decompression range. Aspire does not use MessagePackFormatter or LZ4 — all StreamJsonRpc calls use SystemTextJsonFormatter over local Unix sockets — so the vulnerability was not reachable in practice. The bump clears the NU1903 warning for consumers of the Aspire.Hosting package. (#​18204, @​mitchdenny)
  • 🎭 playwrightCliVersion values that are not valid SemVer 2.0 now fail fast with a clear diagnostic — Previously an invalid override (range expression, dist-tag like latest, or a v-prefixed string) would surface as a generic npm resolution failure. The value is now validated with strict SemVer parsing at startup; an error naming the configuration key and the offending value is emitted immediately. (#​18205, @​mitchdenny)
  • 🤖 CLI telemetry now detects and reports the calling coding agent — When the Aspire CLI is invoked from inside a known coding agent environment (GitHub Copilot CLI, VS Code Copilot agent, etc.) the agent name is included in the main CLI telemetry event. GitHub Copilot CLI is specifically identified as copilot-cli. (#​18240, @​damianedwards)

🏷️ Housekeeping

  • 📄 Refreshed the @​microsoft/aspire-cli npm package README to be TypeScript-only — updated examples to the current ts-starter template (apphost.mts / aspire.mjs), added a backing-services snippet showing aspire add for PostgreSQL and Redis, and documented aspire dashboard run as a standalone dashboard option. (#​18221, @​adamint)

Full Changelog: v13.4.4...v13.4.5

Full commit: 73114e86c64aeb9f3f3c7da8e37df1ae4281b27e

Generated by Generate release notes for a new stable Aspire release · ● 4.4M

13.4.4

What's New in Aspire 13.4.4

Patch release for Aspire 13.4 with improved DCP connection reliability during request execution and consistent ExcludeFromMcp() filtering across all CLI MCP tools.

🐛 Fixes

  • 🔌 DCP requests could fail permanently when the connection dropped mid-request — If the underlying DCP channel closed while a request was in flight, the error was surfaced directly instead of being retried. Reconnection is now attempted as part of the DCP request retry path so transient disconnections recover automatically without surfacing errors. (#​18096, @​karolz-ms)
  • 🔍 Resources marked with ExcludeFromMcp() were not consistently filtered from CLI MCP tools — Resources with the resource.excludeFromMcp property were not excluded uniformly from all CLI MCP tool results. list_resources, list_console_logs, execute_resource_command, list_structured_logs, list_traces, and list_trace_structured_logs all now honor the exclusion, preventing excluded resources and their telemetry from appearing in agent context. (#​18150, @​JamesNK)

🏷️ Housekeeping

  • 📦 Improved npm CLI package metadata and hardened npm publish validation in the release pipeline. (#​18093, @​adamratzman)

Full Changelog: v13.4.3...v13.4.4

Full commit: ccc566c5ab3285c9beb8f38ede34734bb477c029

Commits viewable in compare view.

Updated Aspire.Hosting.SqlServer from 13.4.3 to 13.4.5.

Release notes

Sourced from Aspire.Hosting.SqlServer's releases.

13.4.5

What's New in Aspire 13.4.5

Patch release for Aspire 13.4 clearing a transitive MessagePack security advisory, tightening CLI validation for Playwright configuration, and adding coding-agent detection to CLI telemetry.

🐛 Fixes

  • 🛡️ Bumped StreamJsonRpc to 2.25.29 to clear the MessagePack GHSA-hv8m-jj95-wg3x (CVE-2026-48109) NU1903 advisory — The transitive MessagePack 2.5.192 dependency pulled in via StreamJsonRpc 2.22.23 fell within the advisory's vulnerable LZ4 decompression range. Aspire does not use MessagePackFormatter or LZ4 — all StreamJsonRpc calls use SystemTextJsonFormatter over local Unix sockets — so the vulnerability was not reachable in practice. The bump clears the NU1903 warning for consumers of the Aspire.Hosting package. (#​18204, @​mitchdenny)
  • 🎭 playwrightCliVersion values that are not valid SemVer 2.0 now fail fast with a clear diagnostic — Previously an invalid override (range expression, dist-tag like latest, or a v-prefixed string) would surface as a generic npm resolution failure. The value is now validated with strict SemVer parsing at startup; an error naming the configuration key and the offending value is emitted immediately. (#​18205, @​mitchdenny)
  • 🤖 CLI telemetry now detects and reports the calling coding agent — When the Aspire CLI is invoked from inside a known coding agent environment (GitHub Copilot CLI, VS Code Copilot agent, etc.) the agent name is included in the main CLI telemetry event. GitHub Copilot CLI is specifically identified as copilot-cli. (#​18240, @​damianedwards)

🏷️ Housekeeping

  • 📄 Refreshed the @​microsoft/aspire-cli npm package README to be TypeScript-only — updated examples to the current ts-starter template (apphost.mts / aspire.mjs), added a backing-services snippet showing aspire add for PostgreSQL and Redis, and documented aspire dashboard run as a standalone dashboard option. (#​18221, @​adamint)

Full Changelog: v13.4.4...v13.4.5

Full commit: 73114e86c64aeb9f3f3c7da8e37df1ae4281b27e

Generated by Generate release notes for a new stable Aspire release · ● 4.4M

13.4.4

What's New in Aspire 13.4.4

Patch release for Aspire 13.4 with improved DCP connection reliability during request execution and consistent ExcludeFromMcp() filtering across all CLI MCP tools.

🐛 Fixes

  • 🔌 DCP requests could fail permanently when the connection dropped mid-request — If the underlying DCP channel closed while a request was in flight, the error was surfaced directly instead of being retried. Reconnection is now attempted as part of the DCP request retry path so transient disconnections recover automatically without surfacing errors. (#​18096, @​karolz-ms)
  • 🔍 Resources marked with ExcludeFromMcp() were not consistently filtered from CLI MCP tools — Resources with the resource.excludeFromMcp property were not excluded uniformly from all CLI MCP tool results. list_resources, list_console_logs, execute_resource_command, list_structured_logs, list_traces, and list_trace_structured_logs all now honor the exclusion, preventing excluded resources and their telemetry from appearing in agent context. (#​18150, @​JamesNK)

🏷️ Housekeeping

  • 📦 Improved npm CLI package metadata and hardened npm publish validation in the release pipeline. (#​18093, @​adamratzman)

Full Changelog: v13.4.3...v13.4.4

Full commit: ccc566c5ab3285c9beb8f38ede34734bb477c029

Commits viewable in compare view.

Updated Aspire.StackExchange.Redis.DistributedCaching from 13.4.3 to 13.4.5.

Release notes

Sourced from Aspire.StackExchange.Redis.DistributedCaching's releases.

13.4.5

What's New in Aspire 13.4.5

Patch release for Aspire 13.4 clearing a transitive MessagePack security advisory, tightening CLI validation for Playwright configuration, and adding coding-agent detection to CLI telemetry.

🐛 Fixes

  • 🛡️ Bumped StreamJsonRpc to 2.25.29 to clear the MessagePack GHSA-hv8m-jj95-wg3x (CVE-2026-48109) NU1903 advisory — The transitive MessagePack 2.5.192 dependency pulled in via StreamJsonRpc 2.22.23 fell within the advisory's vulnerable LZ4 decompression range. Aspire does not use MessagePackFormatter or LZ4 — all StreamJsonRpc calls use SystemTextJsonFormatter over local Unix sockets — so the vulnerability was not reachable in practice. The bump clears the NU1903 warning for consumers of the Aspire.Hosting package. (#​18204, @​mitchdenny)
  • 🎭 playwrightCliVersion values that are not valid SemVer 2.0 now fail fast with a clear diagnostic — Previously an invalid override (range expression, dist-tag like latest, or a v-prefixed string) would surface as a generic npm resolution failure. The value is now validated with strict SemVer parsing at startup; an error naming the configuration key and the offending value is emitted immediately. (#​18205, @​mitchdenny)
  • 🤖 CLI telemetry now detects and reports the calling coding agent — When the Aspire CLI is invoked from inside a known coding agent environment (GitHub Copilot CLI, VS Code Copilot agent, etc.) the agent name is included in the main CLI telemetry event. GitHub Copilot CLI is specifically identified as copilot-cli. (#​18240, @​damianedwards)

🏷️ Housekeeping

  • 📄 Refreshed the @​microsoft/aspire-cli npm package README to be TypeScript-only — updated examples to the current ts-starter template (apphost.mts / aspire.mjs), added a backing-services snippet showing aspire add for PostgreSQL and Redis, and documented aspire dashboard run as a standalone dashboard option. (#​18221, @​adamint)

Full Changelog: v13.4.4...v13.4.5

Full commit: 73114e86c64aeb9f3f3c7da8e37df1ae4281b27e

Generated by Generate release notes for a new stable Aspire release · ● 4.4M

13.4.4

What's New in Aspire 13.4.4

Patch release for Aspire 13.4 with improved DCP connection reliability during request execution and consistent ExcludeFromMcp() filtering across all CLI MCP tools.

🐛 Fixes

  • 🔌 DCP requests could fail permanently when the connection dropped mid-request — If the underlying DCP channel closed while a request was in flight, the error was surfaced directly instead of being retried. Reconnection is now attempted as part of the DCP request retry path so transient disconnections recover automatically without surfacing errors. (#​18096, @​karolz-ms)
  • 🔍 Resources marked with ExcludeFromMcp() were not consistently filtered from CLI MCP tools — Resources with the resource.excludeFromMcp property were not excluded uniformly from all CLI MCP tool results. list_resources, list_console_logs, execute_resource_command, list_structured_logs, list_traces, and list_trace_structured_logs all now honor the exclusion, preventing excluded resources and their telemetry from appearing in agent context. (#​18150, @​JamesNK)

🏷️ Housekeeping

  • 📦 Improved npm CLI package metadata and hardened npm publish validation in the release pipeline. (#​18093, @​adamratzman)

Full Changelog: v13.4.3...v13.4.4

Full commit: ccc566c5ab3285c9beb8f38ede34734bb477c029

Commits viewable in compare view.

Updated IntelliTect.AspNetCore.SignalR.SqlServer from 1.4.0 to 1.4.2.

Release notes

Sourced from IntelliTect.AspNetCore.SignalR.SqlServer's releases.

1.4.1

What's Changed

Commits viewable in compare view.

Updated Scalar.AspNetCore from 2.16.3 to 2.16.4.

Release notes

Sourced from Scalar.AspNetCore's releases.

No release notes found for this version range.

Commits viewable in compare view.

Updated Serilog.Settings.Configuration from 10.0.0 to 10.0.1.

Release notes

Sourced from Serilog.Settings.Configuration's releases.

10.0.1

What's Changed

New Contributors

Full Changelog: serilog/serilog-settings-configuration@v10.0.0...v10.0.1

Commits viewable in compare view.

Updated Swashbuckle.AspNetCore from 10.2.1 to 10.2.2.

Release notes

Sourced from Swashbuckle.AspNetCore's releases.

10.2.2

What's Changed

New Contributors

Full Changelog: domaindrivendev/Swashbuckle.AspNetCore@v10.2.1...v10.2.2

Commits viewable in compare view.

Updated Swashbuckle.AspNetCore.SwaggerGen from 10.2.1 to 10.2.2.

Release notes

Sourced from Swashbuckle.AspNetCore.SwaggerGen's releases.

10.2.2

What's Changed

New Contributors

Full Changelog: domaindrivendev/Swashbuckle.AspNetCore@v10.2.1...v10.2.2

Commits viewable in compare view.

Updated Umbraco.Community.Contentment from 6.1.4 to 6.2.0.

Release notes

Sourced from Umbraco.Community.Contentment's releases.

6.2.0

Hey there Umbraco fans!

I've been busy developing new features for the upcoming v7 release, but I thought it'd be good to have some of them in the v6 branch too. I'm pleased to announce... Contentment v6.2.0! 🎉

A full changelog can be found here: leekelleher/umbraco-contentment@6.1.4...6.2.0

What's new? Features and bug fixes...

  • #​543 Dropped hey-api/openapi-ts from client and OpenAPI/Swagger from server
  • #​548 .NET Languages data-source: adds displayMode config option - thanks @​clementfavre! 🎉
  • #​552 Umbraco Content data source: filter child nodes by document type - thanks @​prjseal! 🎉
  • c548d12 Umbraco Content data source: include unpublished child nodes
  • 4280b69 Checkbox List: Adds "Clear Selection" action
  • da9e615 Eager load global-context and conditions, (less HTTP requests)
  • 81aab74 Property Editor UI tweaks
  • a9c65af Sets the Umbraco upper dependency to v18, (due to binary incompatibility)

Where can I get it?

This release is available on NuGet...

dotnet add package Umbraco.Community.Contentment

Sponsorship

I am developing Contentment in my own personal time, so if it is of great value to you and/or your business, then please do sponsor me on GitHub! ...or if an ongoing sponsorship is too much of a commitment, then you could consider a one off sponsorship instead.
Think of it as gifting me Netflix or Spotify for a month. 😻

Thanks to @​clementfavre and @​prjseal for your contributions during this release cycle. 🙏

Enjoy the release!

Cheers,
@​leekelleher
✌️❤️🕊️

Commits viewable in compare view.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

@dependabot
Bump the dotnet-deps group with 10 updates
eb9d4a5 
Bumps Aspire.Hosting.Azure.Storage from 13.4.3 to 13.4.5
Bumps Aspire.Hosting.Redis from 13.4.3 to 13.4.5
Bumps Aspire.Hosting.SqlServer from 13.4.3 to 13.4.5
Bumps Aspire.StackExchange.Redis.DistributedCaching from 13.4.3 to 13.4.5
Bumps IntelliTect.AspNetCore.SignalR.SqlServer from 1.4.0 to 1.4.2
Bumps Scalar.AspNetCore from 2.16.3 to 2.16.4
Bumps Serilog.Settings.Configuration from 10.0.0 to 10.0.1
Bumps Swashbuckle.AspNetCore from 10.2.1 to 10.2.2
Bumps Swashbuckle.AspNetCore.SwaggerGen from 10.2.1 to 10.2.2
Bumps Umbraco.Community.Contentment from 6.1.4 to 6.2.0

---
updated-dependencies:
- dependency-name: Aspire.Hosting.Azure.Storage
  dependency-version: 13.4.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dotnet-deps
- dependency-name: Aspire.Hosting.Redis
  dependency-version: 13.4.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dotnet-deps
- dependency-name: Aspire.Hosting.SqlServer
  dependency-version: 13.4.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dotnet-deps
- dependency-name: Aspire.StackExchange.Redis.DistributedCaching
  dependency-version: 13.4.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dotnet-deps
- dependency-name: IntelliTect.AspNetCore.SignalR.SqlServer
  dependency-version: 1.4.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dotnet-deps
- dependency-name: Scalar.AspNetCore
  dependency-version: 2.16.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dotnet-deps
- dependency-name: Scalar.AspNetCore
  dependency-version: 2.16.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dotnet-deps
- dependency-name: Serilog.Settings.Configuration
  dependency-version: 10.0.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dotnet-deps
- dependency-name: Serilog.Settings.Configuration
  dependency-version: 10.0.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dotnet-deps
- dependency-name: Swashbuckle.AspNetCore
  dependency-version: 10.2.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dotnet-deps
- dependency-name: Swashbuckle.AspNetCore.SwaggerGen
  dependency-version: 10.2.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dotnet-deps
- dependency-name: Umbraco.Community.Contentment
  dependency-version: 6.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dotnet-deps
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added .NET Pull requests that update .NET code dependencies Pull requests that update a dependency file labels Jun 19, 2026
@MiguelGuedelha MiguelGuedelha merged commit 3d5a5fe into master Jun 20, 2026
1 check passed
@MiguelGuedelha MiguelGuedelha deleted the dependabot/nuget/project-templates/content/umbraco-headless-bff/UmbracoHeadlessBFF.Aspire/dotnet-deps-cfb9dbc134 branch June 20, 2026 15:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file .NET Pull requests that update .NET code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@MiguelGuedelha