Skip to content

Bump the all-actions group with 5 updates#443

Open
dependabot[bot] wants to merge 1 commit into
devfrom
dependabot/nuget/dev/all-actions-6c8f010936
Open

Bump the all-actions group with 5 updates#443
dependabot[bot] wants to merge 1 commit into
devfrom
dependabot/nuget/dev/all-actions-6c8f010936

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 12, 2026

Copy link
Copy Markdown
Contributor

Updated Auth0.AspNetCore.Authentication from 1.8.0 to 1.9.0.

Release notes

Sourced from Auth0.AspNetCore.Authentication's releases.

1.9.0

Added

  • Token Vault support #​255 (kailash-b) - web apps can now obtain a third-party API access token for a federated connection (e.g. Google, GitHub, Slack) on behalf of the logged-in user by exchanging the session's refresh token, without running a separate provider OAuth flow.
    • New HttpContext.GetAccessTokenForConnectionAsync(AccessTokenForConnectionRequest, string? scheme = null) extension serves an unexpired connection token from the session cache when possible, and otherwise exchanges the refresh token and persists the result.
    • AccessTokenForConnectionRequest carries Connection (required), an optional LoginHint (the provider-side IdP user ID), and ForceRefresh to bypass the cache.
    • Returns null rather than throwing when no refresh token is present (fires OnMissingRefreshToken) or the exchange is rejected (fires OnAccessTokenRefreshFailed).
  • Custom Token Exchange support #​258 (kailash-b) - applications can exchange an existing external/custom security token for Auth0 tokens without a browser redirect (RFC 8693), enabling delegation/impersonation and agent-identity scenarios. Requires a Custom Token Exchange Profile and a validation Action configured in the tenant.
    • New HttpContext.CustomTokenExchangeAsync(CustomTokenExchangeRequest) extension performs the exchange. CustomTokenExchangeRequest takes SubjectToken and SubjectTokenType (required), plus optional Audience, Scope, an ActorToken/ActorTokenType delegation pair, and Organization.
    • CustomTokenExchangeResult returns the exchanged tokens (AccessToken, IdToken, RefreshToken, ExpiresIn, Scope) and the decoded act (actor) claim for delegation flows.
    • Stateless by design - the exchange returns tokens but has no session side-effects: it does not sign the user in or write any cookie, leaving the caller to decide what to persist.
    • Client-side validation runs before any network call (subject_token must be non-empty and un-prefixed; subject_token_type must be a valid 10–100 character URI, rejecting the reserved urn:ietf: and urn:auth0: namespaces; an actor token requires its matching type). Failures surface as CustomTokenExchangeException, which carries StatusCode, Error, and ErrorDescription but never token-bearing bytes.
  • Claims refresh and OnTokensRefreshed event on token refresh #​254 (kailash-b) - previously, refreshing an expired access token persisted the new tokens but left the ClaimsPrincipal at its login-time snapshot for the life of the refresh token. Two opt-in additions let applications react to a successful primary refresh (fixes #​174).
    • New Auth0WebAppWithAccessTokenOptions.RebuildPrincipalOnRefresh (default false) rebuilds the ClaimsPrincipal from the refreshed id_token so User.Claims and User.Identity.Name reflect current user information.
    • New Auth0WebAppWithAccessTokenOptions.RefreshClaimsValidationType controls how the refreshed id_token is validated before its claims replace the principal (only consulted when RebuildPrincipalOnRefresh is true): Full (default) validates signature against the cached JWKS plus issuer/audience and business-rule checks, while SkipSignature trusts the back-channel TLS exchange and runs only the business-rule checks.
    • New Auth0WebAppWithAccessTokenEvents.OnTokensRefreshed event fires after every successful primary refresh; the AccessTokenRefreshedContext carries the refreshed AccessToken, IdToken, RefreshToken (null when not rotated), and ExpiresAt. It fires independently of RebuildPrincipalOnRefresh, and after the principal is rebuilt when both are used.
    • Graceful degradation - if the refresh succeeds but rebuilding the principal fails (signature failure, malformed token, or business-rule failure), the SDK keeps the refreshed tokens, retains the existing (stale) principal, logs a warning, and still fires OnTokensRefreshed.
    • Both additions apply only to the primary (login-time) refresh path; tokens fetched for additional audiences via MRRT do not rebuild the principal or fire OnTokensRefreshed.

Commits viewable in compare view.

Updated MongoDB.Bson from 3.9.0 to 3.10.0.

Release notes

Sourced from MongoDB.Bson's releases.

3.10.0

This is the general availability release for the 3.10.0 version of the driver.

[!IMPORTANT]

In-Use Encryption String (renamed from Text) API GA

The GA API requires mongodb server version 9.0. The preview API can continue to be used with pre-9.0 server versions.

The main new features in 3.10.0 include:

  • CSHARP-6017: Support LINQ LeftJoin for joins and includes
  • CSHARP-3791: Allow hint for unacknowledged writes using OP_MSG when supported by the server
  • CSHARP-5826: Add $top, $bottom, $topN and $bottomN expression operators
  • CSHARP-6024: Support ReadOnlySet Serialization
  • CSHARP-6020: Add builders for the doesNotAffect field for in, range, equals and compound Atlas Search operators
  • CSHARP-4216: Support $topN and similar accumulators in $setWindowFields
  • CSHARP-5750: Add support for new QE prefix/substring/suffix aggregation expression operators
  • CSHARP-5495: Support $concatArrays and $setUnion aggregation accumulators
  • CSHARP-6041: Add $setWindowFields support for the $minMaxScaler window operator
  • CSHARP-6091: Support checked arithmetic operators in LINQ translation
  • CSHARP-5984: Add QE prefix+suffix GA and rename API to string
  • CSHARP-6105: Add QE substring GA
  • CSHARP-5693: Allow Instantiated MongoClients to Send Client Metadata On-Demand

Improvements:

  • CSHARP-6094: Use minimum supported wire version for CompatibilityLevel when null
  • CSHARP-5964: Investigate a way to read into BsonBinaryData property if it's missed in the stored document
  • CSHARP-6093: Compile one-shot LINQ eval lambdas with preferInterpretation
  • CSHARP-6096: Optimize AsyncCursor<> disposal to consume less resources

Fixes:

  • CSHARP-5816: Insonsistent behavior of EnsureNoMemberMapConflicts for discriminator convention
  • CSHARP-5740: Remove duplicate read concern for operations in snapshot sessions
  • CSHARP-5846: Global GuidSerializer settings ignored for object-typed properties
  • CSHARP-5658: Queries using Equals with different types throw
  • CSHARP-6066: FilteredMongoCollectionBase.FindOneAndUpdate throws NullReferenceException when options is null
  • CSHARP-6080: Pool clear with closeInUseConnections leaks raw ObjectDisposedException to the application instead of a retryable connection error

Maintenance:

  • CSHARP-5746: Update $lookup prose test for MONGOCRYPT-793
  • CSHARP-6062: Add empty permissions section to PR workflow
  • CSHARP-6007: Mark Server version 4.2 as EOL from driver's PoV (Min server version as 4.4, minWireVersion as 9)
  • CSHARP-5992: Add LINQ translation benchmark suite
  • CSHARP-6030: Add case and diacritic sensitivity prose tests for text explicit encryption
  • CSHARP-5943: Add per-area AGENTS.md files and reviewer sub-agents
  • CSHARP-6071: Script to create a local Docker container with a single replica set
  • CSHARP-6100: Clarify status and semver treatment for shipped IWM driver APIs

The full list of issues resolved in this release is available at CSHARP JIRA project.
... (truncated)

Commits viewable in compare view.

Updated MongoDB.Driver from 3.9.0 to 3.10.0.

Release notes

Sourced from MongoDB.Driver's releases.

3.10.0

This is the general availability release for the 3.10.0 version of the driver.

[!IMPORTANT]

In-Use Encryption String (renamed from Text) API GA

The GA API requires mongodb server version 9.0. The preview API can continue to be used with pre-9.0 server versions.

The main new features in 3.10.0 include:

  • CSHARP-6017: Support LINQ LeftJoin for joins and includes
  • CSHARP-3791: Allow hint for unacknowledged writes using OP_MSG when supported by the server
  • CSHARP-5826: Add $top, $bottom, $topN and $bottomN expression operators
  • CSHARP-6024: Support ReadOnlySet Serialization
  • CSHARP-6020: Add builders for the doesNotAffect field for in, range, equals and compound Atlas Search operators
  • CSHARP-4216: Support $topN and similar accumulators in $setWindowFields
  • CSHARP-5750: Add support for new QE prefix/substring/suffix aggregation expression operators
  • CSHARP-5495: Support $concatArrays and $setUnion aggregation accumulators
  • CSHARP-6041: Add $setWindowFields support for the $minMaxScaler window operator
  • CSHARP-6091: Support checked arithmetic operators in LINQ translation
  • CSHARP-5984: Add QE prefix+suffix GA and rename API to string
  • CSHARP-6105: Add QE substring GA
  • CSHARP-5693: Allow Instantiated MongoClients to Send Client Metadata On-Demand

Improvements:

  • CSHARP-6094: Use minimum supported wire version for CompatibilityLevel when null
  • CSHARP-5964: Investigate a way to read into BsonBinaryData property if it's missed in the stored document
  • CSHARP-6093: Compile one-shot LINQ eval lambdas with preferInterpretation
  • CSHARP-6096: Optimize AsyncCursor<> disposal to consume less resources

Fixes:

  • CSHARP-5816: Insonsistent behavior of EnsureNoMemberMapConflicts for discriminator convention
  • CSHARP-5740: Remove duplicate read concern for operations in snapshot sessions
  • CSHARP-5846: Global GuidSerializer settings ignored for object-typed properties
  • CSHARP-5658: Queries using Equals with different types throw
  • CSHARP-6066: FilteredMongoCollectionBase.FindOneAndUpdate throws NullReferenceException when options is null
  • CSHARP-6080: Pool clear with closeInUseConnections leaks raw ObjectDisposedException to the application instead of a retryable connection error

Maintenance:

  • CSHARP-5746: Update $lookup prose test for MONGOCRYPT-793
  • CSHARP-6062: Add empty permissions section to PR workflow
  • CSHARP-6007: Mark Server version 4.2 as EOL from driver's PoV (Min server version as 4.4, minWireVersion as 9)
  • CSHARP-5992: Add LINQ translation benchmark suite
  • CSHARP-6030: Add case and diacritic sensitivity prose tests for text explicit encryption
  • CSHARP-5943: Add per-area AGENTS.md files and reviewer sub-agents
  • CSHARP-6071: Script to create a local Docker container with a single replica set
  • CSHARP-6100: Clarify status and semver treatment for shipped IWM driver APIs

The full list of issues resolved in this release is available at CSHARP JIRA project.
... (truncated)

Commits viewable in compare view.

Updated NSubstitute from 5.3.0 to 6.0.0.

Release notes

Sourced from NSubstitute's releases.

6.0.0

ℹ️ No changes from Release Candidate 1.

NSubstitute v6.0.0

From RC1 notes:

  • [NEW] ArgMatchers.Matching predicate matcher as an alternative to Is(Expression<Predicate<T>>. (.NET6 and above.)
  • [UPDATE] Improved support for custom argument matchers. Arg.Is now accepts arg matchers.
  • [UPDATE][BREAKING] Update target frameworks: .NET8, .NET Standard 2.0
  • [UPDATE][BREAKING] Remove legacy obsolete API
  • [UPDATE][BREAKING] Mark as obsolete api CompatArg with pre c# 7.0 support
  • [UPDATE][BREAKING] Nullability is enabled for public api for .NET 8+ TFMs
  • [UPDATE] Migrate documentation to docfx platform and update samples to NUnit 4
  • [NEW] Added NuGet Package README file.

Full change list

6.0.0-rc.1

NSubstitute v6.0.0 Release Candidate 1

Due to the large number of changes in this release, we wanted to start with a release candidate to ensure we've correctly captured breaking changes.

  • [NEW] ArgMatchers.Matching predicate matcher as an alternative to Is(Expression<Predicate<T>>. (.NET6 and above.)
  • [UPDATE] Improved support for custom argument matchers. Arg.Is now accepts arg matchers.
  • [UPDATE][BREAKING] Update target frameworks: .NET8, .NET Standard 2.0
  • [UPDATE][BREAKING] Remove legacy obsolete API
  • [UPDATE][BREAKING] Mark as obsolete api CompatArg with pre c# 7.0 support
  • [UPDATE][BREAKING] Nullability is enabled for public api for .NET 8+ TFMs
  • [UPDATE] Migrate documentation to docfx platform and update samples to NUnit 4
  • [NEW] Added NuGet Package README file.

Full change list

Commits viewable in compare view.

Updated OpenTelemetry.Instrumentation.Runtime from 1.15.1 to 1.16.0.

Release notes

Sourced from OpenTelemetry.Instrumentation.Runtime's releases.

1.16.0

1.16.0-rc.1

  • NuGet: OpenTelemetry.Instrumentation.Process v1.16.0-rc.1

    • Updated semantic conventions to
      v1.42.0.
      (#​4602)

      • Breaking Change: The process.cpu.time metric attribute process.cpu.state
        was renamed to cpu.mode.
      • Added the process.uptime metric.
      • Added the process.windows.handle.count metric (Windows only).
      • Added the process.unix.file_descriptor.count metric (Linux only).
    • Assemblies are now digitally signed using cosign.
      (#​4637)

    • Updated semantic conventions to
      v1.43.0
      and marked package as release candidate.
      (#​4675)

    See CHANGELOG for details.

1.16.0-beta.1

1.16.0-alpha.1

1.15.2

Commits viewable in compare view.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps Auth0.AspNetCore.Authentication from 1.8.0 to 1.9.0
Bumps MongoDB.Bson from 3.9.0 to 3.10.0
Bumps MongoDB.Driver from 3.9.0 to 3.10.0
Bumps NSubstitute from 5.3.0 to 6.0.0
Bumps OpenTelemetry.Instrumentation.Runtime from 1.15.1 to 1.16.0

---
updated-dependencies:
- dependency-name: Auth0.AspNetCore.Authentication
  dependency-version: 1.9.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-actions
- dependency-name: MongoDB.Bson
  dependency-version: 3.10.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-actions
- dependency-name: MongoDB.Driver
  dependency-version: 3.10.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-actions
- dependency-name: NSubstitute
  dependency-version: 6.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-actions
- dependency-name: OpenTelemetry.Instrumentation.Runtime
  dependency-version: 1.16.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies nuget Dependabot NuGet dependency updates labels Jul 12, 2026
@github-actions github-actions Bot added squad Squad triage inbox — Lead will assign to a member squad:boromir Assigned to Boromir (DevOps / Infra) labels Jul 12, 2026
@github-actions

Copy link
Copy Markdown
Contributor

🤖 Dependency Update PR

This PR was opened by dependabot[bot] and has been automatically labeled for Boromir (DevOps) to review.

Labels applied:

  • squad:boromir — Assigned to DevOps for dependency updates
  • squad — In triage queue

Dependency and infrastructure updates are owned by the DevOps team.

@github-actions

Copy link
Copy Markdown
Contributor

Test Results Summary

0 tests   - 556   0 ✅  - 518   0s ⏱️ -15s
0 suites  -   6   0 💤  -  38 
0 files    -   6   0 ❌ ±  0 

Results for commit 792e90a. ± Comparison against base commit 53d758e.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies nuget Dependabot NuGet dependency updates squad:boromir Assigned to Boromir (DevOps / Infra) squad Squad triage inbox — Lead will assign to a member

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants