Update package dependencies and fix security vulnerabilities by ellendular · Pull Request #22058 · microsoft/azure-pipelines-tasks

ellendular · 2026-04-23T16:04:22Z

Context

The Packages in the azure-pipeline-tasks repository have been updated to align with version changes from the azure-pipelines-tasks-common-packages repository:
azure-pipelines-tasks-artifacts-common: ^2.273.0
azp-tasks-az-blobstorage-provider: ^3.272.1
azure-pipelines-tasks-utility-common: 3.272.0
azure-pipelines-tasks-webdeployment-common: ^4.272.1
azure-pipelines-tasks-kubernetes-common: ^2.272.0
Additionally, the azure-pipelines-task-lib package has been upgraded to version 5.2.8 to address security vulnerabilities.

Task Names

AzureCLIV2
AzureCLIV3
AzurePowerShellV4
AzurePowerShellV5
AzureVmssDeploymentV0
AzureVmssDeploymentV1
AzureWebAppV1
DockerV2
DownloadFileshareArtifactsV1
FileTransformV2
FuncToolsInstallerV0
GitHubReleaseV1
GoToolV0
GoV0
HelmDeployV0
HelmDeployV1
HelmInstallerV1
IISWebAppDeploymentOnMachineGroupV0
JenkinsDownloadArtifactsV2
KubectlInstallerV0
KubernetesManifestV1
KubernetesV1
PublishPipelineMetadataV0

Description

The packages within the azure-pipeline-tasks repository have been updated to maintain consistency with the recent version changes from the azure-pipelines-tasks-common-packages repository:

azure-pipelines-tasks-artifacts-common: ^2.273.0
azp-tasks-az-blobstorage-provider: ^3.272.1
azure-pipelines-tasks-utility-common: 3.272.0
azure-pipelines-tasks-webdeployment-common: ^4.272.1
azure-pipelines-tasks-kubernetes-common: ^2.272.0

Relevant pull requests:
microsoft/azure-pipelines-tasks-common-packages#608
microsoft/azure-pipelines-tasks-common-packages#606
microsoft/azure-pipelines-tasks-common-packages#597
microsoft/azure-pipelines-tasks-common-packages#610
microsoft/azure-pipelines-tasks-common-packages#603

Additionally , the azure-pipelines-task-lib package has been upgraded to version 5.2.8 to address identified security vulnerabilities.
Below are the reported vulnerabilities:
AB#2362008
AB#2362009
AB#2362012
AB#2362013
AB#2374311

Risk Assessment (Low / Medium / High)

Low- As we are updating the version

Change Behind Feature Flag (Yes / No)

No

Tech Design / Approach

Design has been written and reviewed.
Any architectural decisions, trade-offs, and alternatives are captured.

Documentation Changes Required (Yes/No)

NA

Unit Tests Added or Updated (Yes / No)

No

Additional Testing Performed

No - testing done only through CI checks no further testing done.

Logging Added/Updated (Yes/No)

Appropriate log statements are added with meaningful messages.
Logging does not expose sensitive data.
Log levels are used correctly (e.g., info, warn, error).

Telemetry Added/Updated (Yes/No)

Custom telemetry (e.g., counters, timers, error tracking) is added as needed.
Events are tagged with proper metadata for filtering and analysis.
Telemetry is validated in staging or test environments.

Rollback Scenario and Process (Yes/No)

Rollback plan is documented.

Dependency Impact Assessed and Regression Tested (Yes/No)

All impacted internal modules, APIs, services, and third-party libraries are analyzed.
Results are reviewed and confirmed to not break existing functionality.