chore(deps): update major backend dependencies (major) - autoclosed

[renovate]

Note

Mend has cancelled the proposed renaming of the Renovate GitHub app being renamed to mend[bot].

This notice will be removed on 2025-10-07.

---

This PR contains the following updates:

Package	Change	Age	Confidence
Aspects.Universal (source)	1.0.2 -> 2.9.0
AutoMapper (source)	13.0.1 -> 15.0.1
Azure.Messaging.EventGrid (source)	4.31.0 -> 5.0.0
CsvHelper (source)	31.0.4 -> 33.1.0
FluentValidation (source)	11.11.0 -> 12.0.0
FluentValidation.DependencyInjectionExtensions (source)	11.11.0 -> 12.0.0
JWT	10.1.1 -> 11.0.0
JetBrains.Annotations (source)	2024.3.0 -> 2025.2.2
Medo.Uuid7	1.9.1 -> 3.1.0
Microsoft.Azure.Functions.Worker	1.24.0 -> 2.1.0
Microsoft.Azure.Functions.Worker.ApplicationInsights	1.4.0 -> 2.0.0
Microsoft.Azure.Functions.Worker.Extensions.Http.AspNetCore	1.3.3 -> 2.0.2
Microsoft.Identity.Web	2.21.1 -> 3.14.1
Microsoft.IdentityModel.Tokens	7.7.1 -> 8.14.0
Microsoft.NET.Test.Sdk	17.14.1 -> 18.0.0
MockQueryable.Moq	7.0.3 -> 8.0.0
Semver	2.3.0 -> 3.0.0
Snapshooter.Xunit	0.15.0 -> 1.0.1
Swashbuckle.AspNetCore	7.3.2 -> 9.0.6
Swashbuckle.AspNetCore.Annotations	7.3.2 -> 9.0.6
Swashbuckle.AspNetCore.SwaggerGen	7.3.2 -> 9.0.6
System.IdentityModel.Tokens.Jwt	7.7.1 -> 8.14.0
System.Text.Json (source)	8.0.6 -> 9.0.9
linq2db.EntityFrameworkCore	8.1.0 -> 9.0.0
swashbuckle.aspnetcore.cli	7.3.2 -> 9.0.6

---

Release Notes

pamidur/aspect-injector (Aspects.Universal)

v2.9.0

Compare Source

Full Changelog: pamidur/aspect-injector@2.8.2...2.9.0

• Breaking change: resigning assemblies feature is retired as it no longer supported by MS
• Using MsBuild tasks now instead of binaries, should help with Mac M support
• Improvements to aspects libs

LuckyPennySoftware/AutoMapper (AutoMapper)

v15.0.1

What's Changed

• Removing public signing; fixes #​4545 by @​jbogard in #​4552
• Adding back missing overloads and reverting registering behavior by @​jbogard in #​4554

Full Changelog: LuckyPennySoftware/AutoMapper@v15.0.0...v15.0.1

This release supersedes the 15.0.0 release, reverting behavior and overloads so that the AddAutoMapper overloads separate the "scanning for maps" from the "scanning for dependencies". Unfortunately it's not really possible to combine these two together.

This also fixes a critical bug in #​4545 that does not work with .NET 4.x applications (as intended).

Because of this, the 15.0.0 will be delisted because of the breaking changes there.

v15.0.0

Full Changelog: LuckyPennySoftware/AutoMapper@v14.0.0...v15.0.0

• Added support for .NET Standard 2.0
• Requiring license key
• Moving from MIT license to dual commercial/OSS license

To set your license key:

services.AddAutoMapper(cfg => {
    cfg.LicenseKey = "<License key here>";
});

This also introduced a breaking change with MapperConfiguration requiring an ILoggerFactory for logging purposes:

public MapperConfiguration(MapperConfigurationExpression configurationExpression, ILoggerFactory loggerFactory)

Registering AutoMapper with services.AddAutoMapper will automatically supply this parameter. Otherwise you'll need to supply the logger factory.

You can obtain your license key at AutoMapper.io

v14.0.0

What's Changed

• Reverted the nullable annotations by @​lbargaoanu in AutoMapper#4390
• Fix polymorphic mapping when some derived types have explicit mappings and others do not by @​kev-andrews in AutoMapper#4402
• The default naming conventions for a profile should come from the glo… by @​lbargaoanu in AutoMapper#4428
• Fix Issue #​4502 - Confusing exception when trying to map types with … by @​Biotronic in AutoMapper#4503
• Target .net 8 and seal more classes by @​lbargaoanu in AutoMapper#4474
• Target .Net 9 in tests by @​lbargaoanu in AutoMapper#4507
• Changed lock-threads parameters by @​lbargaoanu in AutoMapper#4516
• Don't throw and catch on validation by @​lbargaoanu in AutoMapper#4526

New Contributors

• @​kev-andrews made their first contribution in AutoMapper#4402
• @​Biotronic made their first contribution in AutoMapper#4503

Full Changelog: LuckyPennySoftware/AutoMapper@v13.0.1...v14.0.0

Azure/azure-sdk-for-net (Azure.Messaging.EventGrid)

v5.0.0

Compare Source

5.0.0 (2025-06-26)

Features Added

• Added a dependency on the Azure.Messaging.EventGrid.SystemEvents package.
  The system events are now referenced via type forwarding. If you encounter any exceptions
  related to missing types, ensure that you dotnet clean and dotnet build your project. You should not
  use the Azure.Messaging.EventGrid.SystemEvents package with a version of Azure.Messaging.EventGrid prior to 5.0.0,
  as it will result in type conflicts.

Breaking Changes

• Various system events have been updated to reflect the actual service behavior.
  There are no binary breaks or compilation breaks, but there are behavior breaking changes. For instance,
  some properties that were previously incorrectly marked as optional, have been marked as required. If you
  are using the EventGridModelFactory methods to create such events, and you encounter ArgumentNullException when
  upgrading, you will need to update your code to provide the required properties.

JoshClose/CsvHelper (CsvHelper)

v33.1.0

Compare Source

v33.0.1

Compare Source

v33.0.0

Compare Source

v32.0.3

Compare Source

v32.0.2

Compare Source

v32.0.1

Compare Source

v32.0.0

Compare Source

JeremySkinner/fluentvalidation (FluentValidation)

v12.0.0

Compare Source

Release notes

Please read the upgrade guide if you are moving from 11.x to 12.x

Changes in 12.0.0

• Drops support for netstandard2.0, netstandard2.1, .net 5, .net 6 and .net 7. Minimum supported platform is now .net 8.
• Add support for dependent rules for custom rules (#​2170)
• Removes deprecated DI extensions
• Removes deprecated transform methods (#​2027)
• Remove the ability to disable the root-model null check (#​2069)
• Use Zomp.SyncMethodGenerator to clean up internal sync/async code paths and increase performance (#​2136)
• Add Serbian (Cyrillic) language; rename existing Serbian to Serbian (Latin) (#​2283)

Downloads

Binaries can be downloaded from nuget:

• FluentValidation - Main package

jwt-dotnet/jwt (JWT)

v11.0.0

• Updated System.Text.Json to version 9.0.0

JetBrains/JetBrains.Annotations (JetBrains.Annotations)

v2025.2.1

Compare Source

v2025.2.0

Compare Source

Azure/azure-functions-dotnet-worker (Microsoft.Azure.Functions.Worker)

v2.1.0

Compare Source

• AZURE_FUNCTIONS_ environment variables are now loaded correctly when using FunctionsApplicationBuilder. (#​2878)

v2.0.0: Microsoft.Azure.Functions.Worker 2.0.0

Compare Source

Microsoft.Azure.Functions.Worker (metapackage) 2.0.0

• Updating Microsoft.Azure.Functions.Worker.Core to 2.0.0
• Updating Microsoft.Azure.Functions.Worker.Grpc to 2.0.0
• Changed exception handling in function invocation path to ensure fatal exceptions bubble up.

Breaking Changes

• Dropping .NET 5 TFM support
• Capability IncludeEmptyEntriesInMessagePayload is now enabled by default (#​2701)
  • This means that empty entries will be included in the function trigger message payload by default.
  • To disable this capability and return to the old behaviour, set IncludeEmptyEntriesInMessagePayload to false in the worker options.
• ValidateScopes is enabled for development environments by default.

Microsoft.Azure.Functions.Worker.Core 2.0.0

• Updating Azure.Core to 1.41.0
• New APIs supporting IHostApplicationBuilder
• Updated service registrations for bootstrapping methods to ensure idempotency.

Breaking Changes

• Capability EnableUserCodeException is now enabled by default (#​2702)
  • This means that exceptions thrown by user code will be surfaced to the Host as their original exception type, instead of being wrapped in an RpcException.
  • To disable this capability and return to the old behaviour, set EnableUserCodeException to false in the worker options.
  • The EnableUserCodeException property in WorkerOptions has been marked as obsolete and may be removed in a future release.
• Rename ILoggerExtensions to FunctionsLoggerExtensions to avoid naming conflict issues (#​2716)
• Removed the default value for HttpStatusCode in WriteAsJsonAsync (#​2720)
• Removed fallback command line argument reading code for grpc worker startup options. (#​1908)

Setting Worker Options Example

If you need to disable these capabilities and return to the old behaviour, you can set the worker options as follows:

var host = new HostBuilder()
.ConfigureFunctionsWorkerDefaults(options =>
{
    options.EnableUserCodeException = false;
    options.IncludeEmptyEntriesInMessagePayload = false;
})

Microsoft.Azure.Functions.Worker.Grpc 2.0.0

• Refer to metapackage

AzureAD/microsoft-identity-web (Microsoft.Identity.Web)

v3.14.1

=======

Bug fix

• Support client secrets with agent user identities. See #​3470 for details.

v3.14.0

=======

New features

• Support multi-tenant agent user identities. See #​3461 for details.
• Id Web now allows for passing of ExtraBodyParameters. See #​3463 for details.

v3.13.2

=======

Dependencies updates

• Updated MSAL.NET to version 4.76.0

v3.13.1

Compare Source

=======

Dependencies updates

• Microsoft.IdentityModel updated to version 8.14.0.

v3.13.0

Compare Source

=======

Dependencies updates

• Microsoft.IdentityModel updated to version 8.13.1.
• Microsoft.Abstractions updated to version 9.3.0 and using IAuthenticationSchemeInformationProvider from that library, deprecating the interface of the same name in Microsoft.Identity.Web (introduced in 3.12.0).

Bug fixes

• Fixed an issue with instantiation of TokenAcquirerFactory when AppContext.BaseDirectory is root path. See PR #​3443 for details.

Fundamentals

• Use cloud user in tests. See PR #​3441 and #​3442 for details.

v3.12.0

Compare Source

=======

Dependencies updates

• Updated MSAL to version 4.74.1 part of #​3398.

Bug fix

Reload certificates for all client credential based issues to solve the issue that when a bad certificate was installed on the machine and picked up, and subsequently rotated, a service restart was needed for the new certificate to be used. See issue #​3429 and PR #​3430

New features

• Include the thrown exception in CertificateChangeEventArg. See PR #​3428 for better supportabiliby.
• Support for Agent User identities. See PR #​3435

v3.11.0

Compare Source

=======

Dependencies updates

• Updated global.json to the latest .NET 9 runtime framework 9.0.108. See PR #​3422 for details.

Bug fixes

• Fix IDW10405 error when using managed identity with common tenant. See PR #​3415 for details.
• Fix OidcIdpSignedAssertionLoader to remove hard dependency on IConfiguration registration. See PR #​3414 for details.

New feature

• Add support for ExtraHeaderParameters and ExtraQueryParameters properties on DownstreamApiOptions to simplify adding custom headers and query parameters to downstream API requests. See PR #​3413 for details.
• Add better support for Azure SDK. For details see Readme-Azure and PR #​3416

v3.10.0

Compare Source

=======

Dependencies updates

• Updated MSAL to version 4.73.1 #​3398.
• Updated global.json to the latest .NET 9 runtime framework 9.0.107 #​3385.

New feature

• Added support for Agent Identities #​3396, #​3402.
  introducing the Microsoft.Identity.Web.AgentIdentities package .

Bug fixes

• Processed codeQL issues

Fundamentals

• improved unit tests for OidcFic with the new SignedAssertionFmiPath

v3.9.4

Compare Source

=======

Package updates

• Microsoft.IdentityModel updated to version 8.12.1.

Bug fix

• Updates the DefaultAuthorizationHeaderProvider to update the AcquireTokenOptions.LongRunningWebApiSessionKey after the token is acquired so that the key can be used in the next OBO call. See PR #​3381 for details.

Fundamentals

• Update .NET SDK version to 9.0.107 used when building or running the code. See #​3385 for details.
• Improved test coverage for managed identity flows. See #​3350 for details.

v3.9.3

Compare Source

=======

Package updates

• Microsoft.IdentityModel updated to version 8.12.0.

Fundamentals

• Add .clinerules to help with AI tooling.
• Update PublicApiAnalyzers and BannedApiAnalyzers to 4.14.0
  Upgraded analyzer packages for improved diagnostics and code consistency (in particular delegates are added).
  For details see #​3379

v3.9.2

Compare Source

=======

Package updates

• Microsoft.IdentityModel updated to version 8.11.0.
• MSAL.NET updated to version MSAL.NET 4.72.1.

Fundamentals:

• Fix invalid comparisons in prop and csproj files. For details see #​3297.

v3.9.1

Compare Source

========

Package updates

• Microsoft.Identity.Abstractions updated to version 9.1.0.

Fundamentals

• Fix AoT warnings. For details see #​3366.

v3.9.0

Compare Source

========

Package updates

• Microsoft.IdentityModel updated to version 8.10.0.
• MSAL.NET updated to version MSAL.NET 4.72.0.

Bug fixes

• Fixed issue where RequiredScopeOrAppPermission extension method didn’t work with Minimal APIs. See #​3323.
• Resolved IL warnings from AddDownstreamApis in NativeAOT projects. See #​3355.
• Ensured AcquireTokenForConfidentialClient correctly passes MSAL exceptions. See #​3345.
• Prevented null reference when accessing MergedOptions instance. See #​3337.

New feature

• Added optional login_hint and domain_hint support to AccountController.SignIn endpoint. See #​3244 and #​3348.

Fundamentals

• Introduced Long-Term Support (LTS) policy. See #​3357.
• Added tests to validate xms_cc (client capability) forwarding in CCA flows. See #​3349.

External contributions

Thank you @​evan-buss for your contribution and fixing the issue where RequiredScopeOrAppPermission extension method didn’t work with Minimal APIs. See #​3323.
Thank you @​neha-bhargava for your contribution and ensuring AcquireTokenForConfidentialClient correctly passes MSAL exceptions. See #​3345.

v3.8.4

Compare Source

========

Package updates

• Microsoft.IdentityModel updated to version 8.9.0.
• MSAL.NET updated to version MSAL.NET 4.71.0.

Bug fixes

• Fixed the issue where FmiPath was not persisted when copying/reinitializing AcquireTokenOptions. See #​3336.

New feature

• Added support for Linux-friendly devcontainers. See #​3333 and #​3339.

Fundamentals

• Removed System.Text.Json as an explicit dependency for .NET Core targets. See #​3331.

v3.8.3

Compare Source

========

Package updates

• Updated to Microsoft.IdentityModel.* 8.8.0
• Updated to MSAL.NET 4.70.1

New feature

• TokenAcquistion.cs adds its service provider to the acquisition options. See issue #​3315 for details.

v3.8.2

Compare Source

========

• Updated to Microsoft.Identity.Abstractions 9.0.0

New feature

• An exception is now thrown if MSAL TokenCacheNotificationArgs indicates that distributed cache is configured when it should not have been. See #​3304.
• Added support for federated identity credentials with AT_POP. See #​3299.

v3.8.1

Compare Source

========

New features

• Updated to Microsoft.IdentityModel.* 8.7.0

Bug fixes

• Pins Microsoft.Extensions.Http dependency version to 3.1.3 for .NET Framework and .NET Standard and uses inbox version for .NET Core. See #​3145.

v3.8.0

Compare Source

========

New feature

• Updated to Microsoft.IdentityModel.* 8.6.1
• Updated to MSAL.NET 4.69.1
• Updated the Json Schema to include extensibility for signed assertion providers. See #​3235
• Added support for Federation Identity Credential on any OIDC Idp (FIC+OIDC credential provider). See #​3255
• Support for acquiring token for Federation Managed Identity (FMI). Supports the FmiPath property of AcquireTokenOptions. See #​3247
• Downstream APIs now support Authorization headers with a custom SAML bearer syntax. See #​3273

Bug fixes

• TokenAcquirerFactory is now thread safe. See #​3274
• Fix a bug in the parsing of the token in the authority. See #​3261

Fundamentals

• Removed old Blazorwasm sample, wasm-tools and added new blazor web API: #​3259, #​3257, #​3254
• Modified the build so that, in CI/CD internal builds, the NuGet.org NuGet source is replaced by a managed Nuget source. More verbose information added. See #​3263
• Fixed CS8602 Warnings in Weather.razor (BlazorApp) – Handle Nullable forecasts and user.Identity. See #​3266,

New Contributors

• @​sthanu98 made their first contribution in #​3273. Thank you!

v3.7.1

Compare Source

========

• Updated to Microsoft.IdentityModel.* 8.5.0

v3.7.0

Compare Source

========

• Updated to Microsoft.Identity.Abstractions 8.1.0
• Updated to Microsoft.IdentityModel.* 8.4.0

New Feature

• IdentityWeb now provides extensibility to DefaultCredentialsLoader so that partner teams, or an SDK on top of IdWeb, can bring their own credential providers. See #​3220 for details.

Bug fixes

• The merged options are now being passed to MSAL for the CCA ROPC scenario. See #​3207 for details.

v3.6.2

Compare Source

========

• Updated to Microsoft.Identity.Abstractions 8.0.0

Fundamentals

• Clean-up the tests that were using properties removed in Abstractions 8.0.0. See issue #​3212 for details.

v3.6.1

Compare Source

========

• Updated to Microsoft.Identity.Abstractions 7.2.1

v3.6.0

Compare Source

========

• Updated to Microsoft.IdentityModel.* 8.3.1
• Updated to MSAL.NET 4.67.2

Bug fixes

• Checks that B2C tokens don't contain the claims used by Identity Web to represent the home tenant and object ID (obtained from the UserInfo endpoint). See #​3131
• Remove explicit locking in OpenIdConnectCachingSecurityTokenProvider. See Issue #​3078

Fundamentals

• Fix Null Reference Exception in OwinTokenAcquirerFactory + other OWIN cleanup. See #​3183
• Re-add code coverage comments & scope to src files. See #​3177

v3.5.0

Compare Source

========

• Updated to Microsoft.IdentityModel.* 8.3.0

Bug fixes

• Ensure Singleton registration for TokenAcquisition Services when TokenAcquirerFactory is null. See #​3155
• Dont modify the merged options when building the confidential client. See #​3137

Fundamentals

• Install all .NET versions in pipeline, including .NET 9. See #​3152
• Upgrade to C# 13. See #​3138
• Specify sdk version in global.json. See #​3156
• Disable Coverage PR comments. See in #​3159

v3.4.0

Compare Source

========

• Updated to Microsoft.IdentityModel.* 8.2.1
• Updated to Microsoft.Identity.Abstractions 7.2.0

New features

• Add ROPC flow support for confidential client applications. See 3091, 3129, 3139.
• Allow multi-tenant applications to specify the AppHomeTenantId to be used for client credentials. See 3121, 3132.
• Update to use .NET 9 GA. See 3127.

v3.3.1

Compare Source

========

• Updated to Microsoft.IdentityModel.* 8.2.0

Supportability

• Added JSON schema support for Microsoft.Identity.Web configuration. This allows for schema validation in the appsettings.json, improving configuration accuracy and developer experience. To use it, add the following at the top of your appsettings.json:
  "$schema": "https://github.com/AzureAD/microsoft-identity-web/blob/master/JsonSchemas/microsoft-identity-web.json"
  This update enhances the configuration process by providing clear structure and validation for settings used in Microsoft.Identity.Web. See PR #​3119 for details.

Fundamentals

• Fix a flaky test in the L1L2Cache tests. See PR #​3122 for details.

v3.3.0

Compare Source

========

• Updated to Microsoft.Identity.Client 4.66.0
• Update system.Text.Json to 8.0.5 CVE-2024-43485
• Updated to .NET 9 RC2

New features

• Microsoft.Identity.Web token acquisition now provides an extensibility mechanism to enable non-standard features. For details, see #​2975

Fundamentals

• Split DownstreamApi methods between AoT compatible and incompatible methods by @​SaurabhMSFT in #​3090
• ASP.NET Core (and other) cross-link updates by @​guardrex in #​3096. Thank you!
• Onboarded to Threading Analyzers. For details, see #​3052
• display code coverage as PR comments
• Fix flaky EncryptionTestAsync on .NET 9.

v3.2.2

Compare Source

=========

• Updated to Microsoft.IdentityModel.* 8.1.2

• Breaking change (without major version change. Sorry!)
  ClientAssertionProviderBase.GetSignedAssertion now takes an MSAL.NET AssertionRequestOptions and the method name has changed from GetSignedAssertion to GetClientAssertionAsync:

  var m = new ManagedIdentityClientAssertion("<some client id>");
  m.GetSignedAssertion(CancellationToken.None); // this method will break on v3.2.2

v3.2.1

Compare Source

=========

• Updated to Microsoft.IdentityModel.* 8.1.1

v3.2.0

Compare Source

=========

• Updated to Microsoft.Identity.Abstractions 7.1.0
• Updated to Microsoft.IdentityModel.* 8.1.0
• Updated to Microsoft.Identity.Client 4.64.1
   

New features

• In .NET 8 and above, IDownstreamApi overloads take a JsonTypeInfo<T> parameter to enable source generated JSON deserialization. See issue #​2930 for details.

Bug fixes:

• Azure region is used while creating application keys when the TokenAcquisition service caches application objects, and the TokenAcquirerFactory caches TokenAcquirer. See #​3002 for details.
• Improved error messages for FIC. See issue #​3000 for details.

Fundamentals:

• Improved test coverage for GetCacheKey. See PR #​3020 for details.
• Update to .NET 9-RC1. See issue #​3025 for details.
• Fix static analysis warnings. See PR #​3024 for details.

v3.1.0

Compare Source

=========

• Updated to Microsoft.IdentityModel.* 8.0.2

Security improvement:

• Id Web now uses CaseSensitiveClaimsIdentity by default and provides AppContextSwitches to fallback to using ClaimsIdentity. This means that when you loopup claims with FindFirst(), FindAll() and HasClaim(), you need to provide the right casing for the claim. See PR #​2977 for details.

Bug fixes:

• For SN/I scenarios, Id Web's GetTokenAcquirer now sets SendX5C in particular protocols. See issue #​2887 for details.
• Fix for Instance/Tenant parsing for V2 authority (affected one Entra External IDs scenario). See PR #​2954 for details.
• Fix regex that threw a format exception: The input string " was not in a correct format when enabling same-site cookie compatibility with userAgent: "Dalvik/2.1.0 (Linux; U; Android 12; Chromecast Build/STTE.230319.008.H1). See issue #​2879 for details.
• Microsoft.Identity.Web 3.1.0 now has an upper bound set on its dependency on Microsoft.Identity.Abstractions to version 7x to avoid referencing Microsoft.Identity.Abstractions 8.0.0, which has an interface breaking change, not yet implemented in Microsoft.Identity.Web. See PR #​2962 for details.

Fundamentals:

• Fix flakey tests: #​2972, #​2984, #​2982,
• Update to AzureKeyVault@2 in AzureDevOps, #​2981.
• Update to .NET 9-preview7, #​2980 and #​2991.
• It's now possible to build a specific version of Microsoft.Identity.Web based on specific versions of Microsoft.IdentityModel and Microsoft.Identity.Abstractions by specifying build variables on the dotnet pack command (MicrosoftIdentityModelVersion, MicrosoftIdentityAbstractionsVersions, and MicrosoftIdentityWebVersion): #​2974, #​2990

========

See rel/v2 branch changelog for changes to all 2.x.x versions after 2.18.1.

The changes listed in the rel/v2 changelog are also in the 3.x.x versions of Id Web but are not listed here.

========

v3.0.1

Compare Source

=========

• Updated to Microsoft.IdentityModel.* 8.0.1

v3.0.0

===

---

Configuration

📅 Schedule: Branch creation - "every 3 months" in timezone Europe/London, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.