Skip to content

Bump the nuget group with 23 updates#1511

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/nuget/dot-config/nuget-d711e5b4ae
Open

Bump the nuget group with 23 updates#1511
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/nuget/dot-config/nuget-d711e5b4ae

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 1, 2026

Copy link
Copy Markdown
Contributor

Updated Aspire.Hosting.AppHost from 13.4.2 to 13.4.6.

Release notes

Sourced from Aspire.Hosting.AppHost's releases.

13.4.6

What's New in Aspire 13.4.6

Patch release for Aspire 13.4 fixing polyglot AppHost code generation binding when CLI and SDK versions diverge, resource service port collision in --isolated mode, and a MongoDB.Driver dependency update.

🐛 Fixes

  • 🔗 Polyglot AppHost code generation silently failed when CLI and SDK versions divergedAspire.TypeSystem used a floating strong-name AssemblyVersion that changed with every build. When the installed Aspire CLI was built at a different version than the AppHost's SDK, the CLR couldn't satisfy the strong-name bind and every code generator (TypeScript, Python, Java, Go, Rust) was silently dropped, surfacing as No code generator found for language: <lang>. The AssemblyVersion is now frozen at a stable constant so any compatible CLI/SDK pair on 13.4 binds successfully. Relates to #​18110 and #​17910. (#​18160, @​sebastienros)

  • 🔌 Multiple AppHosts started with --isolated collided on the resource service port — Both instances tried to bind to the same fixed port from ASPIRE_RESOURCE_SERVICE_ENDPOINT_URL, causing an "address already in use" error on the second instance. DashboardServiceHost now binds to port 0 on loopback when RandomizePorts is true (set by --isolated), letting the OS assign a unique port per instance. (#​18341, @​JamesNK)

  • 🍃 MongoDB.Driver updated to 3.9.0 — Removes a wrongly pinned SharpCompress transitive dependency and uses the corrected Snappier transitive. Fixes #​17981. (#​18279, @​Falco20019)

🏷️ Housekeeping


Full Changelog: v13.4.5...v13.4.6

Full commit: 87fe259e4fc244c599019a7b1304c85a1488f248

Generated by Generate release notes for a new stable Aspire release · 131 AIC · ⌖ 13.5 AIC · ⊞ 37.4K

13.4.5

What's New in Aspire 13.4.5

Patch release for Aspire 13.4 clearing a transitive MessagePack security advisory, tightening CLI validation for Playwright configuration, and adding coding-agent detection to CLI telemetry.

🐛 Fixes

  • 🛡️ Bumped StreamJsonRpc to 2.25.29 to clear the MessagePack GHSA-hv8m-jj95-wg3x (CVE-2026-48109) NU1903 advisory — The transitive MessagePack 2.5.192 dependency pulled in via StreamJsonRpc 2.22.23 fell within the advisory's vulnerable LZ4 decompression range. Aspire does not use MessagePackFormatter or LZ4 — all StreamJsonRpc calls use SystemTextJsonFormatter over local Unix sockets — so the vulnerability was not reachable in practice. The bump clears the NU1903 warning for consumers of the Aspire.Hosting package. (#​18204, @​mitchdenny)
  • 🎭 playwrightCliVersion values that are not valid SemVer 2.0 now fail fast with a clear diagnostic — Previously an invalid override (range expression, dist-tag like latest, or a v-prefixed string) would surface as a generic npm resolution failure. The value is now validated with strict SemVer parsing at startup; an error naming the configuration key and the offending value is emitted immediately. (#​18205, @​mitchdenny)
  • 🤖 CLI telemetry now detects and reports the calling coding agent — When the Aspire CLI is invoked from inside a known coding agent environment (GitHub Copilot CLI, VS Code Copilot agent, etc.) the agent name is included in the main CLI telemetry event. GitHub Copilot CLI is specifically identified as copilot-cli. (#​18240, @​damianedwards)

🏷️ Housekeeping

  • 📄 Refreshed the @​microsoft/aspire-cli npm package README to be TypeScript-only — updated examples to the current ts-starter template (apphost.mts / aspire.mjs), added a backing-services snippet showing aspire add for PostgreSQL and Redis, and documented aspire dashboard run as a standalone dashboard option. (#​18221, @​adamint)

Full Changelog: v13.4.4...v13.4.5

Full commit: 73114e86c64aeb9f3f3c7da8e37df1ae4281b27e

Generated by Generate release notes for a new stable Aspire release · ● 4.4M

13.4.4

What's New in Aspire 13.4.4

Patch release for Aspire 13.4 with improved DCP connection reliability during request execution and consistent ExcludeFromMcp() filtering across all CLI MCP tools.

🐛 Fixes

  • 🔌 DCP requests could fail permanently when the connection dropped mid-request — If the underlying DCP channel closed while a request was in flight, the error was surfaced directly instead of being retried. Reconnection is now attempted as part of the DCP request retry path so transient disconnections recover automatically without surfacing errors. (#​18096, @​karolz-ms)
  • 🔍 Resources marked with ExcludeFromMcp() were not consistently filtered from CLI MCP tools — Resources with the resource.excludeFromMcp property were not excluded uniformly from all CLI MCP tool results. list_resources, list_console_logs, execute_resource_command, list_structured_logs, list_traces, and list_trace_structured_logs all now honor the exclusion, preventing excluded resources and their telemetry from appearing in agent context. (#​18150, @​JamesNK)

🏷️ Housekeeping

  • 📦 Improved npm CLI package metadata and hardened npm publish validation in the release pipeline. (#​18093, @​adamratzman)

Full Changelog: v13.4.3...v13.4.4

Full commit: ccc566c5ab3285c9beb8f38ede34734bb477c029

13.4.3

What's New in Aspire 13.4.3

Patch release for Aspire 13.4 with a fix for persistent container endpoint allocation regressions introduced in 13.4.

🐛 Fixes

  • 🔌 Persistent container endpoints had incorrect default behavior — Persistent containers were defaulting to proxyless endpoint behavior instead of the proxied behavior used by normal containers. This caused integrations that depend on endpoint allocation before resource startup (such as the KeyVault emulator) to fail. Persistent containers now default to proxied endpoints matching normal container behavior; opt out with isProxied: false or WithEndpointProxySupport(false). Proxyless container endpoints with only a targetPort specified now also resolve immediately to that port instead of waiting for delayed allocation. (#​17960, @​danegsta)

🏷️ Housekeeping

  • 🛠️ Unblocked WinGet manifest publishing on locked-down 1ES agents and updated manifest tags (#​17958)

Full Changelog: microsoft/aspire@v13.4.2...v13.4.3

Full commit: 4f218933552e18ff2874d1b6d5dc3fe671e3b6d9

Generated by Generate release notes for a new stable Aspire release · ● 4.7M

Commits viewable in compare view.

Updated Aspire.Hosting.PostgreSQL from 13.4.2 to 13.4.6.

Release notes

Sourced from Aspire.Hosting.PostgreSQL's releases.

13.4.6

What's New in Aspire 13.4.6

Patch release for Aspire 13.4 fixing polyglot AppHost code generation binding when CLI and SDK versions diverge, resource service port collision in --isolated mode, and a MongoDB.Driver dependency update.

🐛 Fixes

  • 🔗 Polyglot AppHost code generation silently failed when CLI and SDK versions divergedAspire.TypeSystem used a floating strong-name AssemblyVersion that changed with every build. When the installed Aspire CLI was built at a different version than the AppHost's SDK, the CLR couldn't satisfy the strong-name bind and every code generator (TypeScript, Python, Java, Go, Rust) was silently dropped, surfacing as No code generator found for language: <lang>. The AssemblyVersion is now frozen at a stable constant so any compatible CLI/SDK pair on 13.4 binds successfully. Relates to #​18110 and #​17910. (#​18160, @​sebastienros)

  • 🔌 Multiple AppHosts started with --isolated collided on the resource service port — Both instances tried to bind to the same fixed port from ASPIRE_RESOURCE_SERVICE_ENDPOINT_URL, causing an "address already in use" error on the second instance. DashboardServiceHost now binds to port 0 on loopback when RandomizePorts is true (set by --isolated), letting the OS assign a unique port per instance. (#​18341, @​JamesNK)

  • 🍃 MongoDB.Driver updated to 3.9.0 — Removes a wrongly pinned SharpCompress transitive dependency and uses the corrected Snappier transitive. Fixes #​17981. (#​18279, @​Falco20019)

🏷️ Housekeeping


Full Changelog: v13.4.5...v13.4.6

Full commit: 87fe259e4fc244c599019a7b1304c85a1488f248

Generated by Generate release notes for a new stable Aspire release · 131 AIC · ⌖ 13.5 AIC · ⊞ 37.4K

13.4.5

What's New in Aspire 13.4.5

Patch release for Aspire 13.4 clearing a transitive MessagePack security advisory, tightening CLI validation for Playwright configuration, and adding coding-agent detection to CLI telemetry.

🐛 Fixes

  • 🛡️ Bumped StreamJsonRpc to 2.25.29 to clear the MessagePack GHSA-hv8m-jj95-wg3x (CVE-2026-48109) NU1903 advisory — The transitive MessagePack 2.5.192 dependency pulled in via StreamJsonRpc 2.22.23 fell within the advisory's vulnerable LZ4 decompression range. Aspire does not use MessagePackFormatter or LZ4 — all StreamJsonRpc calls use SystemTextJsonFormatter over local Unix sockets — so the vulnerability was not reachable in practice. The bump clears the NU1903 warning for consumers of the Aspire.Hosting package. (#​18204, @​mitchdenny)
  • 🎭 playwrightCliVersion values that are not valid SemVer 2.0 now fail fast with a clear diagnostic — Previously an invalid override (range expression, dist-tag like latest, or a v-prefixed string) would surface as a generic npm resolution failure. The value is now validated with strict SemVer parsing at startup; an error naming the configuration key and the offending value is emitted immediately. (#​18205, @​mitchdenny)
  • 🤖 CLI telemetry now detects and reports the calling coding agent — When the Aspire CLI is invoked from inside a known coding agent environment (GitHub Copilot CLI, VS Code Copilot agent, etc.) the agent name is included in the main CLI telemetry event. GitHub Copilot CLI is specifically identified as copilot-cli. (#​18240, @​damianedwards)

🏷️ Housekeeping

  • 📄 Refreshed the @​microsoft/aspire-cli npm package README to be TypeScript-only — updated examples to the current ts-starter template (apphost.mts / aspire.mjs), added a backing-services snippet showing aspire add for PostgreSQL and Redis, and documented aspire dashboard run as a standalone dashboard option. (#​18221, @​adamint)

Full Changelog: v13.4.4...v13.4.5

Full commit: 73114e86c64aeb9f3f3c7da8e37df1ae4281b27e

Generated by Generate release notes for a new stable Aspire release · ● 4.4M

13.4.4

What's New in Aspire 13.4.4

Patch release for Aspire 13.4 with improved DCP connection reliability during request execution and consistent ExcludeFromMcp() filtering across all CLI MCP tools.

🐛 Fixes

  • 🔌 DCP requests could fail permanently when the connection dropped mid-request — If the underlying DCP channel closed while a request was in flight, the error was surfaced directly instead of being retried. Reconnection is now attempted as part of the DCP request retry path so transient disconnections recover automatically without surfacing errors. (#​18096, @​karolz-ms)
  • 🔍 Resources marked with ExcludeFromMcp() were not consistently filtered from CLI MCP tools — Resources with the resource.excludeFromMcp property were not excluded uniformly from all CLI MCP tool results. list_resources, list_console_logs, execute_resource_command, list_structured_logs, list_traces, and list_trace_structured_logs all now honor the exclusion, preventing excluded resources and their telemetry from appearing in agent context. (#​18150, @​JamesNK)

🏷️ Housekeeping

  • 📦 Improved npm CLI package metadata and hardened npm publish validation in the release pipeline. (#​18093, @​adamratzman)

Full Changelog: v13.4.3...v13.4.4

Full commit: ccc566c5ab3285c9beb8f38ede34734bb477c029

13.4.3

What's New in Aspire 13.4.3

Patch release for Aspire 13.4 with a fix for persistent container endpoint allocation regressions introduced in 13.4.

🐛 Fixes

  • 🔌 Persistent container endpoints had incorrect default behavior — Persistent containers were defaulting to proxyless endpoint behavior instead of the proxied behavior used by normal containers. This caused integrations that depend on endpoint allocation before resource startup (such as the KeyVault emulator) to fail. Persistent containers now default to proxied endpoints matching normal container behavior; opt out with isProxied: false or WithEndpointProxySupport(false). Proxyless container endpoints with only a targetPort specified now also resolve immediately to that port instead of waiting for delayed allocation. (#​17960, @​danegsta)

🏷️ Housekeeping

  • 🛠️ Unblocked WinGet manifest publishing on locked-down 1ES agents and updated manifest tags (#​17958)

Full Changelog: microsoft/aspire@v13.4.2...v13.4.3

Full commit: 4f218933552e18ff2874d1b6d5dc3fe671e3b6d9

Generated by Generate release notes for a new stable Aspire release · ● 4.7M

Commits viewable in compare view.

Updated Aspire.Hosting.Redis from 13.4.2 to 13.4.6.

Release notes

Sourced from Aspire.Hosting.Redis's releases.

13.4.6

What's New in Aspire 13.4.6

Patch release for Aspire 13.4 fixing polyglot AppHost code generation binding when CLI and SDK versions diverge, resource service port collision in --isolated mode, and a MongoDB.Driver dependency update.

🐛 Fixes

  • 🔗 Polyglot AppHost code generation silently failed when CLI and SDK versions divergedAspire.TypeSystem used a floating strong-name AssemblyVersion that changed with every build. When the installed Aspire CLI was built at a different version than the AppHost's SDK, the CLR couldn't satisfy the strong-name bind and every code generator (TypeScript, Python, Java, Go, Rust) was silently dropped, surfacing as No code generator found for language: <lang>. The AssemblyVersion is now frozen at a stable constant so any compatible CLI/SDK pair on 13.4 binds successfully. Relates to #​18110 and #​17910. (#​18160, @​sebastienros)

  • 🔌 Multiple AppHosts started with --isolated collided on the resource service port — Both instances tried to bind to the same fixed port from ASPIRE_RESOURCE_SERVICE_ENDPOINT_URL, causing an "address already in use" error on the second instance. DashboardServiceHost now binds to port 0 on loopback when RandomizePorts is true (set by --isolated), letting the OS assign a unique port per instance. (#​18341, @​JamesNK)

  • 🍃 MongoDB.Driver updated to 3.9.0 — Removes a wrongly pinned SharpCompress transitive dependency and uses the corrected Snappier transitive. Fixes #​17981. (#​18279, @​Falco20019)

🏷️ Housekeeping


Full Changelog: v13.4.5...v13.4.6

Full commit: 87fe259e4fc244c599019a7b1304c85a1488f248

Generated by Generate release notes for a new stable Aspire release · 131 AIC · ⌖ 13.5 AIC · ⊞ 37.4K

13.4.5

What's New in Aspire 13.4.5

Patch release for Aspire 13.4 clearing a transitive MessagePack security advisory, tightening CLI validation for Playwright configuration, and adding coding-agent detection to CLI telemetry.

🐛 Fixes

  • 🛡️ Bumped StreamJsonRpc to 2.25.29 to clear the MessagePack GHSA-hv8m-jj95-wg3x (CVE-2026-48109) NU1903 advisory — The transitive MessagePack 2.5.192 dependency pulled in via StreamJsonRpc 2.22.23 fell within the advisory's vulnerable LZ4 decompression range. Aspire does not use MessagePackFormatter or LZ4 — all StreamJsonRpc calls use SystemTextJsonFormatter over local Unix sockets — so the vulnerability was not reachable in practice. The bump clears the NU1903 warning for consumers of the Aspire.Hosting package. (#​18204, @​mitchdenny)
  • 🎭 playwrightCliVersion values that are not valid SemVer 2.0 now fail fast with a clear diagnostic — Previously an invalid override (range expression, dist-tag like latest, or a v-prefixed string) would surface as a generic npm resolution failure. The value is now validated with strict SemVer parsing at startup; an error naming the configuration key and the offending value is emitted immediately. (#​18205, @​mitchdenny)
  • 🤖 CLI telemetry now detects and reports the calling coding agent — When the Aspire CLI is invoked from inside a known coding agent environment (GitHub Copilot CLI, VS Code Copilot agent, etc.) the agent name is included in the main CLI telemetry event. GitHub Copilot CLI is specifically identified as copilot-cli. (#​18240, @​damianedwards)

🏷️ Housekeeping

  • 📄 Refreshed the @​microsoft/aspire-cli npm package README to be TypeScript-only — updated examples to the current ts-starter template (apphost.mts / aspire.mjs), added a backing-services snippet showing aspire add for PostgreSQL and Redis, and documented aspire dashboard run as a standalone dashboard option. (#​18221, @​adamint)

Full Changelog: v13.4.4...v13.4.5

Full commit: 73114e86c64aeb9f3f3c7da8e37df1ae4281b27e

Generated by Generate release notes for a new stable Aspire release · ● 4.4M

13.4.4

What's New in Aspire 13.4.4

Patch release for Aspire 13.4 with improved DCP connection reliability during request execution and consistent ExcludeFromMcp() filtering across all CLI MCP tools.

🐛 Fixes

  • 🔌 DCP requests could fail permanently when the connection dropped mid-request — If the underlying DCP channel closed while a request was in flight, the error was surfaced directly instead of being retried. Reconnection is now attempted as part of the DCP request retry path so transient disconnections recover automatically without surfacing errors. (#​18096, @​karolz-ms)
  • 🔍 Resources marked with ExcludeFromMcp() were not consistently filtered from CLI MCP tools — Resources with the resource.excludeFromMcp property were not excluded uniformly from all CLI MCP tool results. list_resources, list_console_logs, execute_resource_command, list_structured_logs, list_traces, and list_trace_structured_logs all now honor the exclusion, preventing excluded resources and their telemetry from appearing in agent context. (#​18150, @​JamesNK)

🏷️ Housekeeping

  • 📦 Improved npm CLI package metadata and hardened npm publish validation in the release pipeline. (#​18093, @​adamratzman)

Full Changelog: v13.4.3...v13.4.4

Full commit: ccc566c5ab3285c9beb8f38ede34734bb477c029

13.4.3

What's New in Aspire 13.4.3

Patch release for Aspire 13.4 with a fix for persistent container endpoint allocation regressions introduced in 13.4.

🐛 Fixes

  • 🔌 Persistent container endpoints had incorrect default behavior — Persistent containers were defaulting to proxyless endpoint behavior instead of the proxied behavior used by normal containers. This caused integrations that depend on endpoint allocation before resource startup (such as the KeyVault emulator) to fail. Persistent containers now default to proxied endpoints matching normal container behavior; opt out with isProxied: false or WithEndpointProxySupport(false). Proxyless container endpoints with only a targetPort specified now also resolve immediately to that port instead of waiting for delayed allocation. (#​17960, @​danegsta)

🏷️ Housekeeping

  • 🛠️ Unblocked WinGet manifest publishing on locked-down 1ES agents and updated manifest tags (#​17958)

Full Changelog: microsoft/aspire@v13.4.2...v13.4.3

Full commit: 4f218933552e18ff2874d1b6d5dc3fe671e3b6d9

Generated by Generate release notes for a new stable Aspire release · ● 4.7M

Commits viewable in compare view.

Updated Basic.Reference.Assemblies from 1.8.8 to 1.8.9.

Release notes

Sourced from Basic.Reference.Assemblies's releases.

1.8.9

Create release 1.8.9

Commits viewable in compare view.

Updated csharpier from 1.2.6 to 1.3.0.

Release notes

Sourced from csharpier's releases.

1.3.0

1.3.0

Breaking Changes

Change xml formatting to return error when it runs into syntax error so it is consistent with c# #​1854

Previously CSharpier treated an invalid xml file as a warning instead of an error. This was inconsistent with how it treated c# files.
Invalid c# or xml files are not treated as errors.
The --compilation-errors-as-warnings argument has been renamed to --syntax-errors-as-warnings and can be used to return warnings instead of errors when encountering invalid files.

What's Changed

Feature: Configurable whitespace handling for xml #​1790

CSharpier now supports two types of xml whitespace formatting strict or ignore.
By default all xml except xaml or axaml is treated as strict whitespace. See details

Feature: Move closing bracket for xml elements to the same line. #​1598

With strict xml whitespace handling, csharpier now keeps the closing bracket for an element on the same line instead of breaking it to a new line.

<!-- input & expected output -->
<ElementWithAttribute Attribute="AttributeValue__________________"
  >TextValue</ElementWithAttribute>

<!-- 1.2.6 -->
<ElementWithAttribute Attribute="AttributeValue__________________"
  >TextValue</ElementWithAttribute
>

Feature: Support for csharpier-ignore with XML formatter #​1788

CSharpier now supports csharpier-ignore in xml files. See details

Feature: Add MSBuild transitive and multi-target support #​1833

CSharpier.MSBuild can now work as a transitive dependency.

Feature: allow checking formatting with cache #​1830

The csharpier check command now supports a --use-cache option.

Feature: remove dependency on Microsoft.AspNetCore.App #​1508

Previously CSharpier required that Microsoft.AspNetCore.App be installed. CSharpier has been modified to use an HttpListener when it is run using server to remove the need for this dependency.

Fix: csharpier-ignore comment removes linespaces before block #​1867

CSharpier was removing blank lines before csharpier-ignore comments in some cases

// input and expected output
var x = 1;
    
// csharpier-ignore
var y=1;

/// 1.2.6
var x = 1;
// csharpier-ignore
var y=1;
 ... (truncated)

Commits viewable in [compare view](https://github.com/belav/csharpier/compare/1.2.6...1.3.0).
</details>

Updated [dotnet-ef](https://github.com/dotnet/dotnet) from 10.0.8 to 10.0.9.

<details>
<summary>Release notes</summary>

_Sourced from [dotnet-ef's releases](https://github.com/dotnet/dotnet/releases)._

No release notes found for this version range.

Commits viewable in [compare view](https://github.com/dotnet/dotnet/commits).
</details>

Updated [JetBrains.Annotations](https://github.com/JetBrains/JetBrains.Annotations) from 2025.2.4 to 2026.2.0.

<details>
<summary>Release notes</summary>

_Sourced from [JetBrains.Annotations's releases](https://github.com/JetBrains/JetBrains.Annotations/releases)._

No release notes found for this version range.

Commits viewable in [compare view](https://github.com/JetBrains/JetBrains.Annotations/commits).
</details>

Updated [MessagePack](https://github.com/MessagePack-CSharp/MessagePack-CSharp) from 3.1.6 to 3.1.7.

<details>
<summary>Release notes</summary>

_Sourced from [MessagePack's releases](https://github.com/MessagePack-CSharp/MessagePack-CSharp/releases)._

## 3.1.7

## What's Changed

* Add `scoped` to `MessagePackWriter.Write(ReadOnlySpan<T>)` methods by @​AArnott in https://github.com/MessagePack-CSharp/MessagePack-CSharp/pull/2271
* Fix security issues in master by @​AArnott in https://github.com/MessagePack-CSharp/MessagePack-CSharp/pull/2274

## Security release details

This release fixes 3 high severity and 9 moderate severity security vulnerabilities.

### High severity advisory fixes

- 26d4e743 GHSA-382j-8mxh-c7x2 Reject invalid DateTime ext lengths for CWE-789
- b9cb6050 GHSA-vh6j-jc39-fggf Use iteration for skipping msgpack structures for CWE-674
- 719e690a GHSA-hv8m-jj95-wg3x Bound LZ4 input reads for CWE-125

### Moderage severity advisory fixes

- 2b5a500a GHSA-v72x-2h86-7f8m Guard LZ4 decompression length for CWE-409
- f093bdc1 GHSA-qhmf-xw27-6rqr Reject nested typeless blocklist bypass for CWE-502
- f077798e GHSA-2f33-pr97-265q Default MVC input formatter to UntrustedData for CWE-1188
- 25a3493e GHSA-2x83-8g95-xh59 Limit untrusted ExpandoObject maps for CWE-407
- b414e6df GHSA-wfr3-xj75-pfwh Guard dynamic union depth for CWE-674
- 0555f07c GHSA-w567-gjr2-hm5j Validate Unity blit lengths for CWE-789
- 9b5783a7 GHSA-cxmj-83gh-fp49 Fix CWE-789 multidimensional array allocation validation
- f96fcf05 GHSA-q2h6-ghwm-5qm8 Use secure lookup comparer for CWE-407
- b3af7cf7 GHSA-cj9g-3mj2-g8vv Guard JSON conversion depth for CWE-674
- 66ad0894 GHSA-cj9g-3mj2-g8vv Avoid JSON separator recursion for CWE-674
- 082ba7da GHSA-cj9g-3mj2-g8vv Guard typeless JSON depth for CWE-674

### Fixes with no security advisory

- fb0fe9f0 Honor TypeFormatter options hooks for CWE-470
- c1c06a6f Fix WriteRawX methods to advance by written length
- 46c6a0fe Fix CWE-190 map header length overflow

**Full Changelog**: https://github.com/MessagePack-CSharp/MessagePack-CSharp/compare/v3.1.6...v3.1.7

Commits viewable in [compare view](https://github.com/MessagePack-CSharp/MessagePack-CSharp/compare/v3.1.6...v3.1.7).
</details>

Updated [MessagePack.AspNetCoreMvcFormatter](https://github.com/MessagePack-CSharp/MessagePack-CSharp) from 3.1.6 to 3.1.7.

<details>
<summary>Release notes</summary>

_Sourced from [MessagePack.AspNetCoreMvcFormatter's releases](https://github.com/MessagePack-CSharp/MessagePack-CSharp/releases)._

## 3.1.7

## What's Changed

* Add `scoped` to `MessagePackWriter.Write(ReadOnlySpan<T>)` methods by @​AArnott in https://github.com/MessagePack-CSharp/MessagePack-CSharp/pull/2271
* Fix security issues in master by @​AArnott in https://github.com/MessagePack-CSharp/MessagePack-CSharp/pull/2274

## Security release details

This release fixes 3 high severity and 9 moderate severity security vulnerabilities.

### High severity advisory fixes

- 26d4e743 GHSA-382j-8mxh-c7x2 Reject invalid DateTime ext lengths for CWE-789
- b9cb6050 GHSA-vh6j-jc39-fggf Use iteration for skipping msgpack structures for CWE-674
- 719e690a GHSA-hv8m-jj95-wg3x Bound LZ4 input reads for CWE-125

### Moderage severity advisory fixes

- 2b5a500a GHSA-v72x-2h86-7f8m Guard LZ4 decompression length for CWE-409
- f093bdc1 GHSA-qhmf-xw27-6rqr Reject nested typeless blocklist bypass for CWE-502
- f077798e GHSA-2f33-pr97-265q Default MVC input formatter to UntrustedData for CWE-1188
- 25a3493e GHSA-2x83-8g95-xh59 Limit untrusted ExpandoObject maps for CWE-407
- b414e6df GHSA-wfr3-xj75-pfwh Guard dynamic union depth for CWE-674
- 0555f07c GHSA-w567-gjr2-hm5j Validate Unity blit lengths for CWE-789
- 9b5783a7 GHSA-cxmj-83gh-fp49 Fix CWE-789 multidimensional array allocation validation
- f96fcf05 GHSA-q2h6-ghwm-5qm8 Use secure lookup comparer for CWE-407
- b3af7cf7 GHSA-cj9g-3mj2-g8vv Guard JSON conversion depth for CWE-674
- 66ad0894 GHSA-cj9g-3mj2-g8vv Avoid JSON separator recursion for CWE-674
- 082ba7da GHSA-cj9g-3mj2-g8vv Guard typeless JSON depth for CWE-674

### Fixes with no security advisory

- fb0fe9f0 Honor TypeFormatter options hooks for CWE-470
- c1c06a6f Fix WriteRawX methods to advance by written length
- 46c6a0fe Fix CWE-190 map header length overflow

**Full Changelog**: https://github.com/MessagePack-CSharp/MessagePack-CSharp/compare/v3.1.6...v3.1.7

Commits viewable in [compare view](https://github.com/MessagePack-CSharp/MessagePack-CSharp/compare/v3.1.6...v3.1.7).
</details>

Updated [Microsoft.AspNetCore.Authentication.JwtBearer](https://github.com/dotnet/dotnet) from 10.0.8 to 10.0.9.

<details>
<summary>Release notes</summary>

_Sourced from [Microsoft.AspNetCore.Authentication.JwtBearer's releases](https://github.com/dotnet/dotnet/releases)._

No release notes found for this version range.

Commits viewable in [compare view](https://github.com/dotnet/dotnet/commits).
</details>

Updated [Microsoft.AspNetCore.OpenApi](https://github.com/dotnet/dotnet) from 10.0.8 to 10.0.9.

<details>
<summary>Release notes</summary>

_Sourced from [Microsoft.AspNetCore.OpenApi's releases](https://github.com/dotnet/dotnet/releases)._

No release notes found for this version range.

Commits viewable in [compare view](https://github.com/dotnet/dotnet/commits).
</details>

Updated [Microsoft.AspNetCore.TestHost](https://github.com/dotnet/dotnet) from 10.0.8 to 10.0.9.

<details>
<summary>Release notes</summary>

_Sourced from [Microsoft.AspNetCore.TestHost's releases](https://github.com/dotnet/dotnet/releases)._

No release notes found for this version range.

Commits viewable in [compare view](https://github.com/dotnet/dotnet/commits).
</details>

Updated [Microsoft.Extensions.Caching.StackExchangeRedis](https://github.com/dotnet/dotnet) from 10.0.8 to 10.0.9.

<details>
<summary>Release notes</summary>

_Sourced from [Microsoft.Extensions.Caching.StackExchangeRedis's releases](https://github.com/dotnet/dotnet/releases)._

No release notes found for this version range.

Commits viewable in [compare view](https://github.com/dotnet/dotnet/commits).
</details>

Updated [Microsoft.FeatureManagement](https://github.com/microsoft/FeatureManagement-Dotnet) from 4.5.0 to 4.6.0.

<details>
<summary>Release notes</summary>

_Sourced from [Microsoft.FeatureManagement's releases](https://github.com/microsoft/FeatureManagement-Dotnet/releases)._

## 4.6.0

## 4.6.0 - July 1, 2026

# Microsoft.FeatureManagement Updates

The packages associated with this release are

* [Microsoft.FeatureManagement 4.6.0](https://www.nuget.org/packages/Microsoft.FeatureManagement/4.6.0)
* [Microsoft.FeatureManagement.AspNetCore 4.6.0](https://www.nuget.org/packages/Microsoft.FeatureManagement.AspNetCore/4.6.0)
* [Microsoft.FeatureManagement.Telemetry.ApplicationInsights 4.6.0](https://www.nuget.org/packages/Microsoft.FeatureManagement.Telemetry.ApplicationInsights/4.6.0)

## Microsoft.FeatureManagement

### Enhancements

* Added support for resolving variant service implementations through keyed dependency injection. This enables lazy, on-demand instantiation for scenarios where each implementation has its own dependencies and configuration. [#​564](https://github.com/microsoft/FeatureManagement-Dotnet/issues/564)

## Microsoft.FeatureManagement.AspNetCore

### Enhancements

* Updated `Microsoft.FeatureManagement` reference to `4.6.0`. See the [release notes](https://github.com/Azure/AppConfiguration/blob/main/releaseNotes/Microsoft.Featuremanagement.md) for more information on the changes.

## Microsoft.FeatureManagement.Telemetry.ApplicationInsights

### Enhancements

* Updated `Microsoft.FeatureManagement` reference to `4.6.0`. See the [release notes](https://github.com/Azure/AppConfiguration/blob/main/releaseNotes/Microsoft.Featuremanagement.md) for more information on the changes.

Commits viewable in [compare view](https://github.com/microsoft/FeatureManagement-Dotnet/compare/4.5.0...4.6.0).
</details>

Updated [Nerdbank.GitVersioning](https://github.com/dotnet/Nerdbank.GitVersioning) from 3.9.50 to 3.10.85.

<details>
<summary>Release notes</summary>

_Sourced from [Nerdbank.GitVersioning's releases](https://github.com/dotnet/Nerdbank.GitVersioning/releases)._

## 3.10.85

## What's Changed

* Avoid writing server.json multiple times in a single pack by @​AArnott in https://github.com/dotnet/Nerdbank.GitVersioning/pull/1391

**Full Changelog**: https://github.com/dotnet/Nerdbank.GitVersioning/compare/v3.10.70...v3.10.85

## 3.10.70

## What's Changed

### Fixes

* Fix case insensitivity for the managed engine on git worktrees, and implement for libgit2 by @​AArnott in https://github.com/dotnet/Nerdbank.GitVersioning/pull/1334
* Fix native heap corruption in GitPackIndexMappedReaderTests by @​AArnott in https://github.com/dotnet/Nerdbank.GitVersioning/pull/1360

### Enhancements

* Add prerelease property to inheriting version.json files by @​Copilot in https://github.com/dotnet/Nerdbank.GitVersioning/pull/1317
* Add NBGV_SetCloudBuildVersionVars property to disable cloud build variable output by @​Copilot in https://github.com/dotnet/Nerdbank.GitVersioning/pull/1324
* Add --what-if option to prepare-release command for simulating version changes by @​Copilot in https://github.com/dotnet/Nerdbank.GitVersioning/pull/1242
* Build nbgv CLI tool for .NET 9 and 10 by @​AArnott in https://github.com/dotnet/Nerdbank.GitVersioning/pull/1369


**Full Changelog**: https://github.com/dotnet/Nerdbank.GitVersioning/compare/v3.9.50...v3.10.70

## 3.10.44-alpha

## What's Changed

### Fixes

* Fix case insensitivity for the managed engine on git worktrees, and implement for libgit2 by @​AArnott in https://github.com/dotnet/Nerdbank.GitVersioning/pull/1334

### Enhancements

* Add --what-if option to prepare-release command for simulating version changes by @​Copilot in https://github.com/dotnet/Nerdbank.GitVersioning/pull/1242
* Add NBGV_SetCloudBuildVersionVars property to disable cloud build variable output by @​Copilot in https://github.com/dotnet/Nerdbank.GitVersioning/pull/1324


### Dependency updates

* chore(deps): update dependency microsoft.build.locator to 1.11.2 by @​renovate[bot] in https://github.com/dotnet/Nerdbank.GitVersioning/pull/1304
* chore(deps): update dotnet monorepo by @​renovate[bot] in https://github.com/dotnet/Nerdbank.GitVersioning/pull/1309
* Update dotnet monorepo by @​renovate[bot] in https://github.com/dotnet/Nerdbank.GitVersioning/pull/1338


**Full Changelog**: https://github.com/dotnet/Nerdbank.GitVersioning/compare/v3.10.8-alpha...v3.10.44-alpha

## 3.10.8-alpha

## What's Changed
* Add prerelease property to inheriting version.json files by @​Copilot in https://github.com/dotnet/Nerdbank.GitVersioning/pull/1317


**Full Changelog**: https://github.com/dotnet/Nerdbank.GitVersioning/compare/v3.9.50...v3.10.8-alpha

Commits viewable in [compare view](https://github.com/dotnet/Nerdbank.GitVersioning/compare/v3.9.50...v3.10.85).
</details>

Updated [OpenTelemetry.Exporter.OpenTelemetryProtocol](https://github.com/open-telemetry/opentelemetry-dotnet) from 1.15.3 to 1.16.0.

<details>
<summary>Release notes</summary>

_Sourced from [OpenTelemetry.Exporter.OpenTelemetryProtocol's releases](https://github.com/open-telemetry/opentelemetry-dotnet/releases)._

## 1.16.0

For highlights and announcements pertaining to this release see: [Release Notes > 1.16.0](https://github.com/open-telemetry/opentelemetry-dotnet/blob/main/RELEASENOTES.md#​1160).

The following changes are from the previous release [1.16.0-rc.1](https://github.com/open-telemetry/opentelemetry-dotnet/releases/tag/core-1.16.0-rc.1).

* NuGet: [OpenTelemetry v1.16.0](https://www.nuget.org/packages/OpenTelemetry/1.16.0)

  No notable changes.

  See [CHANGELOG](https://github.com/open-telemetry/opentelemetry-dotnet/blob/core-1.16.0/src/OpenTelemetry/CHANGELOG.md) for details.

* NuGet: [OpenTelemetry.Api v1.16.0](https://www.nuget.org/packages/OpenTelemetry.Api/1.16.0)

  No notable changes.

  See [CHANGELOG](https://github.com/open-telemetry/opentelemetry-dotnet/blob/core-1.16.0/src/OpenTelemetry.Api/CHANGELOG.md) for details.

* NuGet: [OpenTelemetry.Api.ProviderBuilderExtensions v1.16.0](https://www.nuget.org/packages/OpenTelemetry.Api.ProviderBuilderExtensions/1.16.0)

  No notable changes.

  See [CHANGELOG](https://github.com/open-telemetry/opentelemetry-dotnet/blob/core-1.16.0/src/OpenTelemetry.Api.ProviderBuilderExtensions/CHANGELOG.md) for details.

* NuGet: [OpenTelemetry.Exporter.Console v1.16.0](https://www.nuget.org/packages/OpenTelemetry.Exporter.Console/1.16.0)

  No notable changes.

  See [CHANGELOG](https://github.com/open-telemetry/opentelemetry-dotnet/blob/core-1.16.0/src/OpenTelemetry.Exporter.Console/CHANGELOG.md) for details.

* NuGet: [OpenTelemetry.Exporter.InMemory v1.16.0](https://www.nuget.org/packages/OpenTelemetry.Exporter.InMemory/1.16.0)

  No notable changes.

  See [CHANGELOG](https://github.com/open-telemetry/opentelemetry-dotnet/blob/core-1.16.0/src/OpenTelemetry.Exporter.InMemory/CHANGELOG.md) for details.

* NuGet: [OpenTelemetry.Exporter.OpenTelemetryProtocol v1.16.0](https://www.nuget.org/packages/OpenTelemetry.Exporter.OpenTelemetryProtocol/1.16.0)

  No notable changes.

  See [CHANGELOG](https://github.com/open-telemetry/opentelemetry-dotnet/blob/core-1.16.0/src/OpenTelemetry.Exporter.OpenTelemetryProtocol/CHANGELOG.md) for details.

* NuGet: [OpenTelemetry.Exporter.Zipkin v1.16.0](https://www.nuget.org/packages/OpenTelemetry.Exporter.Zipkin/1.16.0)

  No notable changes.

  See [CHANGELOG](https://github.com/open-telemetry/opentelemetry-dotnet/blob/core-1.16.0/src/OpenTelemetry.Exporter.Zipkin/CHANGELOG.md) for details.

* NuGet: [OpenTelemetry.Extensions.Hosting v1.16.0](https://www.nuget.org/packages/OpenTelemetry.Extensions.Hosting/1.16.0)

  No notable changes.

 ... (truncated)

## 1.16.0-rc.1

The following changes are from the previous release [1.15.3](https://github.com/open-telemetry/opentelemetry-dotnet/releases/tag/core-1.15.3).

* NuGet: [OpenTelemetry v1.16.0-rc.1](https://www.nuget.org/packages/OpenTelemetry/1.16.0-rc.1)

  * Stop validating View-provided metric stream `Name` against the instrument
    name syntax, per
    [spec clarification](https://github.com/open-telemetry/opentelemetry-specification/pull/5094).
    ([#​7300](https://github.com/open-telemetry/opentelemetry-dotnet/pull/7300))
  
  * Fix incorrect validation of `OTEL_BSP_*` and `OTEL_BLRP_*` environment
    variables.
    ([#​7187](https://github.com/open-telemetry/opentelemetry-dotnet/pull/7187))
  
  * Fix observable instrument callbacks running once per reader instead of
    once per collection cycle.
    ([#​7188](https://github.com/open-telemetry/opentelemetry-dotnet/pull/7188))
  
  * Added exception safety for user-supplied `ExemplarReservoir` implementations.
    Exceptions thrown from `Offer` are now caught and logged rather than propagating
    out of `Counter.Add`/`Histogram.Record`.
    ([#​7277](https://github.com/open-telemetry/opentelemetry-dotnet/pull/7277))
  
  * Update `OpenTelemetrySdkEventSource` to support the W3C randomness flag.
    ([#​7301](https://github.com/open-telemetry/opentelemetry-dotnet/pull/7301))
  
  * Added `ObservedTimestamp` property to `LogRecord`.
    ([#​6979](https://github.com/open-telemetry/opentelemetry-dotnet/pull/6979))
  
  * **Breaking Change** Explicit histogram boundaries no longer allow more than
    10 million values.
    ([#​7165](https://github.com/open-telemetry/opentelemetry-dotnet/pull/7165))
  
  * Fixed a circular reference which could cause a `LoggerProvider` to fail to
    resolve when one of its dependencies depends on `ILogger` or `ILoggerFactory`.
    As part of this fix the `LoggerProvider` resolved from dependency injection
    is now created lazily when the first logger is created rather than when
    `ILoggerProvider` or `ILoggerFactory` is resolved. A consequence is that any
    invalid configuration now surfaces when the first log record is written instead
    of when the logging services are resolved.
    ([#​7308](https://github.com/open-telemetry/opentelemetry-dotnet/pull/7308))

  See [CHANGELOG](https://github.com/open-telemetry/opentelemetry-dotnet/blob/core-1.16.0-rc.1/src/OpenTelemetry/CHANGELOG.md) for details.

* NuGet: [OpenTelemetry.Api v1.16.0-rc.1](https://www.nuget.org/packages/OpenTelemetry.Api/1.16.0-rc.1)

  * **Experimental (pre-release builds only):**
    Add support for using environment variables as context propagation carriers.
    ([#​7174](https://github.com/open-telemetry/opentelemetry-dotnet/pull/7174))
  
  * Fix `BaggagePropagator` to correctly follow Key and Value Encoding rules as per
 ... (truncated)

## 1.16.0-beta.1

The following changes are from the previous release [1.15.3-beta.1](https://github.com/open-telemetry/opentelemetry-dotnet/releases/tag/coreunstable-1.15.3-beta.1).

* NuGet: [OpenTelemetry.Exporter.Prometheus.AspNetCore v1.16.0-beta.1](https://www.nuget.org/packages/OpenTelemetry.Exporter.Prometheus.AspNetCore/1.16.0-beta.1)

  * Fixed scrape response cache freshness using monotonic time so it is not
    affected by NTP system clock adjustments.
    ([#​7253](https://github.com/open-telemetry/opentelemetry-dotnet/pull/7253))
  
  * **Breaking Change** Removed `DisableTimestamp` property from
    `PrometheusAspNetCoreOptions`.
    ([#​7176](https://github.com/open-telemetry/opentelemetry-dotnet/pull/7176))
  
  * Fixed the serialization of `NaN`, `PositiveInfinity`, and `NegativeInfinity`
    values in Prometheus metrics to be compliant with the specification.
    ([#​7179](https://github.com/open-telemetry/opentelemetry-dotnet/pull/7179))
  
  * Fixed loss of precision when serializing `double` and `float` values in
    Prometheus metrics to be compliant with the specification by using 17
    significant digits to represent such values.
    ([#​7179](https://github.com/open-telemetry/opentelemetry-dotnet/pull/7179))
  
  * Fix non-ASCII characters in metric names and unit strings not being sanitized
    correctly during Prometheus serialization.
    ([#​7184](https://github.com/open-telemetry/opentelemetry-dotnet/pull/7184))
  
  * Fix case where reader tracking could be reset while readers were still active.
    ([#​7190](https://github.com/open-telemetry/opentelemetry-dotnet/pull/7190))
  
  * Improve `Accept` header handling for format negotiation so OpenMetrics is
    selected correctly by considering whitespace and `q` weights.
    ([#​7208](https://github.com/open-telemetry/opentelemetry-dotnet/pull/7208))
  
  * Emit OpenMetrics exemplars for counters and histogram buckets.
    ([#​7222](https://github.com/open-telemetry/opentelemetry-dotnet/pull/7222))
  
  * Fix incorrect handling of untyped metrics when using OpenMetrics format.
    ([#​7219](https://github.com/open-telemetry/opentelemetry-dotnet/pull/7219))
  
  * Fix Prometheus/OpenMetrics serialization to emit metric and label names
    containing `_` instead of dropping them and prefixing leading digits.
    Invalid characters are replaced with `_` instead of being dropped.
    ([#​7209](https://github.com/open-telemetry/opentelemetry-dotnet/pull/7209))
  
  * Add `escaping=underscores` to the `Accept` header handling for content
    negotiation so OpenMetrics are handled correctly.
    ([#​7209](https://github.com/open-telemetry/opentelemetry-dotnet/pull/7209))
  
  * Omit histogram `_sum` and `_count` in OpenMetrics when negative bucket
    thresholds are present.
    ([#​7221](https://github.com/open-telemetry/opentelemetry-dotnet/pull/7221))
 ... (truncated)

Commits viewable in [compare view](https://github.com/open-telemetry/opentelemetry-dotnet/compare/core-1.15.3...core-1.16.0).
</details>

Updated [OpenTelemetry.Extensions.Hosting](https://github.com/open-telemetry/opentelemetry-dotnet) from 1.15.3 to 1.16.0.

<details>
<summary>Release notes</summary>

_Sourced from [OpenTelemetry.Extensions.Hosting's releases](https://github.com/open-telemetry/opentelemetry-dotnet/releases)._

## 1.16.0

For highlights and announcements pertaining to this release see: [Release Notes > 1.16.0](https://github.com/open-telemetry/opentelemetry-dotnet/blob/main/RELEASENOTES.md#​1160).

The following changes are from the previous release [1.16.0-rc.1](https://github.com/open-telemetry/opentelemetry-dotnet/releases/tag/core-1.16.0-rc.1).

* NuGet: [OpenTelemetry v1.16.0](https://www.nuget.org/packages/OpenTelemetry/1.16.0)

  No notable changes.

  See [CHANGELOG](https://github.com/open-telemetry/opentelemetry-dotnet/blob/core-1.16.0/src/OpenTelemetry/CHANGELOG.md) for details.

* NuGet: [OpenTelemetry.Api v1.16.0](https://www.nuget.org/packages/OpenTelemetry.Api/1.16.0)

  No notable changes.

  See [CHANGELOG](https://github.com/open-telemetry/opentelemetry-dotnet/blob/core-1.16.0/src/OpenTelemetry.Api/CHANGELOG.md) for details.

* NuGet: [OpenTelemetry.Api.ProviderBuilderExtensions v1.16.0](https://www.nuget.org/packages/OpenTelemetry.Api.ProviderBuilderExtensions/1.16.0)

  No notable changes.

  See [CHANGELOG](https://github.com/open-telemetry/opentelemetry-dotnet/blob/core-1.16.0/src/OpenTelemetry.Api.ProviderBuilderExtensions/CHANGELOG.md) for details.

* NuGet: [OpenTelemetry.Exporter.Console v1.16.0](https://www.nuget.org/packages/OpenTelemetry.Exporter.Console/1.16.0)

  No notable changes.

  See [CHANGELOG](https://github.com/open-telemetry/opentelemetry-dotnet/blob/core-1.16.0/src/OpenTelemetry.Exporter.Console/CHANGELOG.md) for details.

* NuGet: [OpenTelemetry.Exporter.InMemory v1.16.0](https://www.nuget.org/packages/OpenTelemetry.Exporter.InMemory/1.16.0)

  No notable changes.

  See [CHANGELOG](https://github.com/open-telemetry/opentelemetry-dotnet/blob/core-1.16.0/src/OpenTelemetry.Exporter.InMemory/CHANGELOG.md) for details.

* NuGet: [OpenTelemetry.Exporter.OpenTelemetryProtocol v1.16.0](https://www.nuget.org/packages/OpenTelemetry.Exporter.OpenTelemetryProtocol/1.16.0)

  No notable changes.

  See [CHANGELOG](https://github.com/open-telemetry/opentelemetry-dotnet/blob/core-1.16.0/src/OpenTelemetry.Exporter.OpenTelemetryProtocol/CHANGELOG.md) for details.

* NuGet: [OpenTelemetry.Exporter.Zipkin v1.16.0](https://www.nuget.org/packages/OpenTelemetry.Exporter.Zipkin/1.16.0)

  No notable changes.

  See [CHANGELOG](https://github.com/open-telemetry/opentelemetry-dotnet/blob/core-1.16.0/src/OpenTelemetry.Exporter.Zipkin/CHANGELOG.md) for details.

* NuGet: [OpenTelemetry.Extensions.Hosting v1.16.0](https://www.nuget.org/packages/OpenTelemetry.Extensions.Hosting/1.16.0)

  No notable changes.

 ... (truncated)

## 1.16.0-rc.1

The following changes are from the previous release [1.15.3](https://github.com/open-telemetry/opentelemetry-dotnet/releases/tag/core-1.15.3).

* NuGet: [OpenTelemetry v1.16.0-rc.1](https://www.nuget.org/packages/OpenTelemetry/1.16.0-rc.1)

  * Stop validating View-provided metric stream `Name` against the instrument
    name syntax, per
    [spec clarification](https://github.com/open-telemetry/opentelemetry-specification/pull/5094).
    ([#​7300](https://github.com/open-telemetry/opentelemetry-dotnet/pull/7300))
  
  * Fix incorrect validation of `OTEL_BSP_*` and `OTEL_BLRP_*` environment
    variables.
    ([#​7187](https://github.com/open-telemetry/opentelemetry-dotnet/pull/7187))
  
  * Fix observable instrument callbacks running once per reader instead of
    once per collection cycle.
    ([#​7188](https://github.com/open-telemetry/opentelemetry-dotnet/pull/7188))
  
  * Added exception safety for user-supplied `ExemplarReservoir` implementations.
    Exceptions thrown from `Offer` are now caught and logged rather than propagating
    out of `Counter.Add`/`Histogram.Record`.
    ([#​7277](https://github.com/open-telemetry/opentelemetry-dotnet/pull/7277))
  
  * Update `OpenTelemetrySdkEventSource` to support the W3C randomness flag.
    ([#​7301](https://github.com/open-telemetry/opentelemetry-dotnet/pull/7301))
  
  * Added `ObservedTimestamp` property to `LogRecord`.
    ([#​6979](https://github.com/open-telemetry/opentelemetry-dotnet/pull/6979))
  
  * **Breaking Change** Explicit histogram boundaries no longer allow more than
    10 million values.
    ([#​7165](https://github.com/open-telemetry/opentelemetry-dotnet/pull/7165))
  
  * Fixed a circular reference which could cause a `LoggerProvider` to fail to
    resolve when one of its dependencies depends on `ILogger` or `ILoggerFactory`.
    As part of this fix the `LoggerProvider` resolved from dependency injection
    is now created lazily when the first logger is created rather than when
    `ILoggerProvider` or `ILoggerFactory` is resolved. A consequence is that any
    invalid configuration now surfaces when the first log record is written instead
    of when the logging services are resolved.
    ([#​7308](https://github.com/open-telemetry/opentelemetry-dotnet/pull/7308))

  See [CHANGELOG](https://github.com/open-telemetry/opentelemetry-dotnet/blob/core-1.16.0-rc.1/src/OpenTelemetry/CHANGELOG.md) for details.

* NuGet: [OpenTelemetry.Api v1.16.0-rc.1](https://www.nuget.org/packages/OpenTelemetry.Api/1.16.0-rc.1)

  * **Experimental (pre-release builds only):**
    Add support for using environment variables as context propagation carriers.
    ([#​7174](https://github.com/open-telemetry/opentelemetry-dotnet/pull/7174))
  
  * Fix `BaggagePropagator` to correctly follow Key and Value Encoding rules as per
 ... (truncated)

## 1.16.0-beta.1

The following changes are from the previous release [1.15.3-beta.1](https://github.com/open-telemetry/opentelemetry-dotnet/releases/tag/coreunstable-1.15.3-beta.1).

* NuGet: [OpenTelemetry.Exporter.Prometheus.AspNetCore v1.16.0-beta.1](https://www.nuget.org/packages/OpenTelemetry.Exporter.Prometheus.AspNetCore/1.16.0-beta.1)

  * Fixed scrape response cache freshness using monotonic time so it is not
    affected by NTP system clock adjustments.
    ([#​7253](https://github.com/open-telemetry/opentelemetry-dotnet/pull/7253))
  
  * **Breaking Change** Removed `DisableTimestamp` property from
    `PrometheusAspNetCoreOptions`.
    ([#​7176](https://github.com/open-telemetry/opentelemetry-dotnet/pull/7176))
  
  * Fixed the serialization of `NaN`, `PositiveInfinity`, and `NegativeInfinity`
    values in Prometheus metrics to be compliant with the specification.
    ([#​7179](https://github.com/open-telemetry/opentelemetry-dotnet/pull/7179))
  
  * Fixed loss of precision when serializing `double` and `float` values in
    Prometheus metrics to be compliant with the specification by using 17
    significant digits to represent such values.
    ([#​7179](https://github.com/open-telemetry/opentelemetry-dotnet/pull/7179))
  
  * Fix non-ASCII characters in metric names and unit strings not being sanitized
    correctly during Prometheus serialization.
    ([#​7184](https://github.com/open-telemetry/opentelemetry-dotnet/pull/7184))
  
  * Fix case where reader tracking could be reset while readers were still active.
    ([#​7190](https://github.com/open-telemetry/opentelemetry-dotnet/pull/7190))
  
  * Improve `Accept` header handling for format negotiation so OpenMetrics is
    selected correctly by considering whitespace and `q` weights.
    ([#​7208](https://github.com/open-telemetry/opentelemetry-dotnet/pull/7208))
  
  * Emit OpenMetrics exemplars for counters and histogram buckets.
    ([#​7222](https://github.com/open-telemetry/opentelemetry-dotnet/pull/7222))
  
  * Fix incorrect handling of untyped metrics when using OpenMetrics format.
    ([#​7219](https://github.com/open-telemetry/opentelemetry-dotnet/pull/7219))
  
  * Fix Prometheus/OpenMetrics serialization to emit metric and label names
    containing `_` instead of dropping them and prefixing leading digits.
    Invalid characters are replaced with `_` instead of being dropped.
    ([#​7209](https://github.com/open-telemetry/opentelemetry-dotnet/pull/7209))
  
  * Add `escaping=underscores` to the `Accept` header handling for content
    negotiation so OpenMetrics are handled correctly.
    ([#​7209](https://github.com/open-telemetry/opentelemetry-dotnet/pull/7209))
  
  * Omit histogram `_sum` and `_count` in OpenMetrics when negative bucket
    thresholds are present.
    ([#​7221](https://github.com/open-telemetry/opentelemetry-dotnet/pull/7221))
 ... (truncated)

Commits viewable in [compare view](https://github.com/open-telemetry/opentelemetry-dotnet/compare/core-1.15.3...core-1.16.0).
</details>

Updated [OpenTelemetry.Instrumentation.AspNetCore](https://github.com/open-telemetry/opentelemetry-dotnet-contrib) from 1.15.2 to 1.16.0.

<details>
<summary>Release notes</summary>

_Sourced from [OpenTelemetry.Instrumentation.AspNetCore's releases](https://github.com/open-telemetry/opentelemetry-dotnet-contrib/releases)._

## 1.16.0

* NuGet: [OpenTelemetry.Extensions.AWS v1.16.0](https://www.nuget.org/packages/OpenTelemetry.Extensions.AWS/1.16.0)

  * Fix sampling behaviour to be compatible with .NET 11.
    ([#​4396](https://github.com/open-telemetry/opentelemetry-dotnet-contrib/pull/4396))
  
  * Updated OpenTelemetry core component version(s) to `1.16.0`.
    ([#​4487](https://github.com/open-telemetry/opentelemetry-dotnet-contrib/pull/4487))

  See [CHANGELOG](https://github.com/open-telemetry/opentelemetry-dotnet-contrib/blob/Instrumentation.AWS-1.16.0/src/OpenTelemetry.Extensions.AWS/CHANGELOG.md) for details.
* NuGet: [OpenTelemetry.Instrumentation.AWS v1.16.0](https://www.nuget.org/packages/OpenTelemetry.Instrumentation.AWS/1.16.0)

  * Add instrumentation scope version and schema URL to metrics and traces.
    ([#​4063](https://github.com/open-telemetry/opentelemetry-dotnet-contrib/pull/4063))
  
  * Pass AWS attribute values to created meters as tags.
    ([#​4063](https://github.com/open-telemetry/opentelemetry-dotnet-contrib/pull/4063))
  
  * Capture SNS `TopicArn` as the `aws.sns.topic.arn` span attribute.
    ([#​4043](https://github.com/open-telemetry/opentelemetry-dotnet-contrib/pull/4043))
  
  * Add `cloud.region` attribute to all AWS SDK client spans.
    ([#​4043](https://github.com/open-telemetry/opentelemetry-dotnet-contrib/pull/4043))
  
  * Add messaging attributes for AWS SNS and SQS.
    ([#​4043](https://github.com/open-telemetry/opentelemetry-dotnet-contrib/pull/4043))
  
  * BREAKING: Update latest AWS Semantic Conventions to 1.40.0.
    ([#​4043](https://github.com/open-telemetry/opentelemetry-dotnet-contrib/pull/4043))
  
  * Fix suppression scope leakage when `SuppressDownstreamInstrumentation` is
    enabled.
    ([#​4304](https://github.com/open-telemetry/opentelemetry-dotnet-contrib/pull/4304))

  See [CHANGELOG](https://github.com/open-telemetry/opentelemetry-dotnet-contrib/blob/Instrumentation.AWS-1.16.0/src/OpenTelemetry.Instrumentation.AWS/CHANGELOG.md) for details.
* NuGet: [OpenTelemetry.Instrumentation.AWSLambda v1.16.0](https://www.nuget.org/packages/OpenTelemetry.Instrumentation.AWSLambda/1.16.0)

  * Update `System.Text.Json` for `netstandard2.0` to `8.0.5`.
    ([#​4154](https://github.com/open-telemetry/opentelemetry-dotnet-contrib/pull/4154))
  
  * Add instrumentation scope version and schema URL to traces.
    ([#​4063](https://github.com/open-telemetry/opentelemetry-dotnet-contrib/pull/4063))

  See [CHANGELOG](https://github.com/open-telemetry/opentelemetry-dotnet-contrib/blob/Instrumentation.AWS-1.16.0/src/OpenTelemetry.Instrumentation.AWSLambda/CHANGELOG.md) for details.


## 1.16.0-beta.1

* NuGet: [OpenTelemetry.Instrumentation.ServiceFabricRemoting v1.16.0-beta.1](https://www.nuget.org/packages/OpenTelemetry.Instrumentation.ServiceFabricRemoting/1.16.0-beta.1)

  * Raised the minimum required version of `Microsoft.ServiceFabric.Actors` and
    `Microsoft.ServiceFabric.Services.Remoting` from `7.1.2448` to `8.4.268`, as the
    `7.1` Service Fabric runtime is going out of support.
    ([#​4510](https://github.com/open-telemetry/opentelemetry-dotnet-contrib/pull/4510))
  
  * Updated OpenTelemetry core component version(s) to `1.16.0`.
    ([#​4487](https://github.com/open-telemetry/opentelemetry-dotnet-contrib/pull/4487))

  See [CHANGELOG](https://github.com/open-telemetry/opentelemetry-dotnet-contrib/blob/Instrumentation.ServiceFabricRemoting-1.16.0-beta.1/src/OpenTelemetry.Instrumentation.ServiceFabricRemoting/CHANGELOG.md) for details.


## 1.16.0-alpha.1

* NuGet: [OpenTelemetry.Instrumentation.EventCounters v1.16.0-alpha.1](https://www.nuget.org/packages/OpenTelemetry.Instrumentation.EventCounters/1.16.0-alpha.1)

  * Fixed `OnEventWritten` processing events from EventSources that were not
    configured via `AddEventSources`.
    ([#​4031](https://github.com/open-telemetry/opentelemetry-dotnet-contrib/pull/4031))
  
  * Updated OpenTelemetry core component version(s) to `1.16.0`.
    ([#​4487](https://github.com/open-telemetry/opentelemetry-dotnet-contrib/pull/4487))

  See [CHANGELOG](https://github.com/open-telemetry/opentelemetry-dotnet-contrib/blob/Instrumentation.EventCounters-1.16.0-alpha.1/src/OpenTelemetry.Instrumentation.EventCounters/CHANGELOG.md) for details.


Commits viewable in [compare view](https://github.com/open-telemetry/opentelemetry-dotnet-contrib/compare/Exporter.Geneva-1.15.2...Instrumentation.AWS-1.16.0).
</details>

Updated [OpenTelemetry.Instrumentation.Http](https://github.com/open-telemetry/opentelemetry-dotnet-contrib) from 1.15.1 to 1.16.0.

<details>
<summary>Release notes</summary>

_Sourced from [OpenTelemetry.Instrumentation.Http's releases](https://github.com/open-telemetry/opentelemetry-dotnet-contrib/releases)._

## 1.16.0

* NuGet: [OpenTelemetry.Extensions.AWS v1.16.0](https://www.nuget.org/packages/OpenTelemetry.Extensions.AWS/1.16.0)

  * Fix sampling behaviour to be compatible with .NET 11.
    ([#​4396](https://github.com/open-telemetry/opentelemetry-dotnet-contrib/pull/4396))
  
  * Updated OpenTelemetry core component version(s) to `1.16.0`.
    ([#​4487](https://github.com/open-telemetry/opentelemetry-dotnet-contrib/pull/4487))

  See [CHANGELOG](https://github.com/open-telemetry/opentelemetry-dotnet-contrib/blob/Instrumentation.AWS-1.16.0/src/OpenTelemetry.Extensions.AWS/CHANGELOG.md) for details.
* NuGet: [Ope...

_Description has been truncated_

Dependabot will resolve ...

_Description has been truncated_

Bumps Aspire.Hosting.AppHost from 13.4.2 to 13.4.6
Bumps Aspire.Hosting.PostgreSQL from 13.4.2 to 13.4.6
Bumps Aspire.Hosting.Redis from 13.4.2 to 13.4.6
Bumps Basic.Reference.Assemblies from 1.8.8 to 1.8.9
Bumps csharpier from 1.2.6 to 1.3.0
Bumps dotnet-ef from 10.0.8 to 10.0.9
Bumps JetBrains.Annotations from 2025.2.4 to 2026.2.0
Bumps MessagePack from 3.1.6 to 3.1.7
Bumps MessagePack.AspNetCoreMvcFormatter from 3.1.6 to 3.1.7
Bumps Microsoft.AspNetCore.Authentication.JwtBearer from 10.0.8 to 10.0.9
Bumps Microsoft.AspNetCore.OpenApi from 10.0.8 to 10.0.9
Bumps Microsoft.AspNetCore.TestHost from 10.0.8 to 10.0.9
Bumps Microsoft.Extensions.Caching.StackExchangeRedis from 10.0.8 to 10.0.9
Bumps Microsoft.FeatureManagement from 4.5.0 to 4.6.0
Bumps Nerdbank.GitVersioning from 3.9.50 to 3.10.85
Bumps OpenTelemetry.Exporter.OpenTelemetryProtocol from 1.15.3 to 1.16.0
Bumps OpenTelemetry.Extensions.Hosting from 1.15.3 to 1.16.0
Bumps OpenTelemetry.Instrumentation.AspNetCore from 1.15.2 to 1.16.0
Bumps OpenTelemetry.Instrumentation.Http from 1.15.1 to 1.16.0
Bumps Redis.OM from 1.2.0 to 1.3.0
Bumps Serilog.Settings.Configuration from 10.0.0 to 10.0.1
Bumps System.Text.Json from 10.0.8 to 10.0.9
Bumps Verify.XunitV3 from 31.19.0 to 31.20.0

---
updated-dependencies:
- dependency-name: Aspire.Hosting.AppHost
  dependency-version: 13.4.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: nuget
- dependency-name: Aspire.Hosting.PostgreSQL
  dependency-version: 13.4.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: nuget
- dependency-name: Aspire.Hosting.Redis
  dependency-version: 13.4.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: nuget
- dependency-name: Basic.Reference.Assemblies
  dependency-version: 1.8.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: nuget
- dependency-name: csharpier
  dependency-version: 1.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: nuget
- dependency-name: dotnet-ef
  dependency-version: 10.0.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: nuget
- dependency-name: JetBrains.Annotations
  dependency-version: 2026.2.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: nuget
- dependency-name: MessagePack
  dependency-version: 3.1.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: nuget
- dependency-name: MessagePack.AspNetCoreMvcFormatter
  dependency-version: 3.1.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: nuget
- dependency-name: Microsoft.AspNetCore.Authentication.JwtBearer
  dependency-version: 10.0.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: nuget
- dependency-name: Microsoft.AspNetCore.OpenApi
  dependency-version: 10.0.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: nuget
- dependency-name: Microsoft.AspNetCore.TestHost
  dependency-version: 10.0.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: nuget
- dependency-name: Microsoft.Extensions.Caching.StackExchangeRedis
  dependency-version: 10.0.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: nuget
- dependency-name: Microsoft.FeatureManagement
  dependency-version: 4.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: nuget
- dependency-name: Nerdbank.GitVersioning
  dependency-version: 3.10.85
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: nuget
- dependency-name: OpenTelemetry.Exporter.OpenTelemetryProtocol
  dependency-version: 1.16.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: nuget
- dependency-name: OpenTelemetry.Extensions.Hosting
  dependency-version: 1.16.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: nuget
- dependency-name: OpenTelemetry.Instrumentation.AspNetCore
  dependency-version: 1.16.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: nuget
- dependency-name: OpenTelemetry.Instrumentation.Http
  dependency-version: 1.16.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: nuget
- dependency-name: Redis.OM
  dependency-version: 1.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: nuget
- dependency-name: Serilog.Settings.Configuration
  dependency-version: 10.0.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: nuget
- dependency-name: System.Text.Json
  dependency-version: 10.0.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: nuget
- dependency-name: Verify.XunitV3
  dependency-version: 31.20.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: nuget
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added .NET Pull requests that update .net code dependencies Pull requests that update a dependency file labels Jul 1, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file .NET Pull requests that update .net code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants