Skip to content

Bump Microsoft.AspNetCore.Authentication.JwtBearer and 10 others#6

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/nuget/microsoft-extensions-8804b6fa1f
Closed

Bump Microsoft.AspNetCore.Authentication.JwtBearer and 10 others#6
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/nuget/microsoft-extensions-8804b6fa1f

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github May 14, 2026
edited
Loading

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

Pinned Microsoft.AspNetCore.Authentication.JwtBearer at 10.0.8.

Release notes

Sourced from Microsoft.AspNetCore.Authentication.JwtBearer's releases.

No release notes found for this version range.

Commits viewable in compare view.

Updated Microsoft.AspNetCore.Components.WebAssembly from 10.0.2 to 10.0.8.

Release notes

Sourced from Microsoft.AspNetCore.Components.WebAssembly's releases.

No release notes found for this version range.

Commits viewable in compare view.

Updated Microsoft.AspNetCore.Components.WebAssembly.DevServer from 10.0.2 to 10.0.8.

Release notes

Sourced from Microsoft.AspNetCore.Components.WebAssembly.DevServer's releases.

No release notes found for this version range.

Commits viewable in compare view.

Updated Microsoft.AspNetCore.OpenApi from 10.0.2 to 10.0.8.

Release notes

Sourced from Microsoft.AspNetCore.OpenApi's releases.

No release notes found for this version range.

Commits viewable in compare view.

Pinned Microsoft.Extensions.Caching.Hybrid at 10.6.0.

Release notes

Sourced from Microsoft.Extensions.Caching.Hybrid's releases.

10.6.0

Version 10.6.0 stabilizes the response continuation token and background-response APIs in Microsoft.Extensions.AI.Abstractions. Most other AI work for May shipped in 10.5.1; this monthly release rolls those changes up alongside dependency updates and a small Resource Monitoring cleanup.

Experimental API Changes

Now Stable

  • ResponseContinuationToken and background-response APIs are now stable (previously MEAI001) #​7512

What's Changed

AI

  • Stabilize ResponseContinuationToken / background-response APIs #​7512 by @​jozkee (co-authored by @​Copilot)

Repository Infrastructure Updates

  • Update version to 10.6.0 #​7458 by @​jeffhandley
  • [main] Update dependencies from dotnet/arcade #​7451
  • Bump follow-redirects from 1.15.11 to 1.16.0 in /src/Libraries/Microsoft.Extensions.AI.Evaluation.Reporting/TypeScript/azure-devops-report/tasks/PublishAIEvaluationReport #​7469
  • Merge release/10.5 into main #​7470 by @​jeffhandley
  • Bump microsoft.visualstudio.slngen.tool from 12.0.13 to 12.0.32 #​7484
  • Bump postcss from 8.5.9 to 8.5.12 in /src/Libraries/Microsoft.Extensions.AI.Evaluation.Reporting/TypeScript #​7494
  • Bump dotnet-reportgenerator-globaltool from 5.5.7 to 5.5.9 #​7504
  • Rename release-notes skill to write-release-notes #​7511 by @​jeffhandley (co-authored by @​Copilot)

Acknowledgements

  • @​wtgodbe @​tarekgh @​peterwald @​JeremyLikness @​eiriktsarpalis @​ericstj @​evgenyfedorov2 reviewed pull requests

Full Changelog: dotnet/extensions@v10.5.2...v10.6.0

10.5.2

This patch release ships a single fix to Microsoft.Extensions.VectorData.Abstractions, correcting StorageName resolution when external serialization is enabled. Microsoft.Extensions.VectorData.ConformanceTests, Microsoft.Extensions.AI.Abstractions, Microsoft.Extensions.AI, and Microsoft.Extensions.AI.OpenAI are published alongside it for version coherency — they contain no code changes from 10.5.1.

Packages in this release

Package Version
Microsoft.Extensions.VectorData.Abstractions 10.5.2
Microsoft.Extensions.VectorData.ConformanceTests 10.5.2
Microsoft.Extensions.AI.Abstractions 10.5.2
Microsoft.Extensions.AI 10.5.2
Microsoft.Extensions.AI.OpenAI 10.5.2

What's Changed

Microsoft.Extensions.VectorData.Abstractions

  • Minor fixes to MEVD.Abstractions: correct StorageName behavior when external serialization is enabled, and disable a warning for net462. (by @​roji in #​7475)

Full Changelog: dotnet/extensions@v10.5.1...v10.5.2

10.5.1

Version 10.5.1 of the Microsoft.Extensions.AI packages stabilizes CodeInterpreter, WebSearch, and ImageGeneration tool content types. The release adds new experimental tool search and OpenAI request policy hooks. And the OpenTelemetry gen-ai semantic conventions are updated to align with v1.41.

The 'aiagent-webapi' project template in Microsoft.Agents.AI.ProjectTemplates is updated to align with v1.3.0 of Agent Framework, updating the OpenTelemetry dependencies within the template projects as well.

Packages in this release

Package Version
Microsoft.Extensions.AI 10.5.1
Microsoft.Extensions.AI.Abstractions 10.5.1
Microsoft.Extensions.AI.OpenAI 10.5.1
Microsoft.Extensions.AI.Templates 10.5.1-preview.3.26251.3
Microsoft.Agents.AI.ProjectTemplates 1.3.0-preview.1.26251.3

Experimental API Changes

Now Stable

The following types previously emitted the MEAI001 experimental diagnostic and are now stable.

  • CodeInterpreter and WebSearch tool content types are now stable #​7493
    • CodeInterpreterToolCallContent
    • CodeInterpreterToolResultContent
    • WebSearchToolCallContent
    • WebSearchToolResultContent
  • ImageGeneration tool content types and tool are now stable #​7476
    • ImageGenerationToolCallContent
    • ImageGenerationToolResultContent
    • HostedImageGenerationTool
    • ImageGenerationOptions
    • ImageGenerationResponseFormat (the Hosted enum value remains experimental)
    • IImageGenerator and the rest of the image generation infrastructure also remain experimental

New Experimental APIs

The following new APIs emit the MEAI001 experimental diagnostic.

  • New experimental API: HostedToolSearchTool with DeferredTools for tool-search-driven deferred tool loading #​7471
  • New experimental API: OpenAIRequestPolicies extension hook for appending System.ClientModel.PipelinePolicy instances to outgoing OpenAI requests #​7495

Breaking Changes to Experimental APIs

  • WebSearchToolResultContent.Results was renamed to Outputs as part of the stabilization in #​7493, aligning with CodeInterpreterToolResultContent.Outputs. The original Results property was included in version 10.4.0 and 10.5.0; this is a binary breaking change and consumers need to update to consume the updated property.

    WebSearchToolResultContent content = ...;
- IList<AIContent>? items = content.Results;
+ IList<AIContent>? items = content.Outputs;

... (truncated)

Commits viewable in compare view.

Pinned Microsoft.Extensions.Caching.StackExchangeRedis at 10.0.8.

Release notes

Sourced from Microsoft.Extensions.Caching.StackExchangeRedis's releases.

No release notes found for this version range.

Commits viewable in compare view.

Pinned Microsoft.Extensions.Diagnostics.HealthChecks.EntityFrameworkCore at 10.0.8.

Release notes

Sourced from Microsoft.Extensions.Diagnostics.HealthChecks.EntityFrameworkCore's releases.

No release notes found for this version range.

Commits viewable in compare view.

Pinned Microsoft.Extensions.Hosting.Abstractions at 10.0.8.

Release notes

Sourced from Microsoft.Extensions.Hosting.Abstractions's releases.

No release notes found for this version range.

Commits viewable in compare view.

Pinned Microsoft.Extensions.Http.Resilience at 10.6.0.

Release notes

Sourced from Microsoft.Extensions.Http.Resilience's releases.

10.6.0

Version 10.6.0 stabilizes the response continuation token and background-response APIs in Microsoft.Extensions.AI.Abstractions. Most other AI work for May shipped in 10.5.1; this monthly release rolls those changes up alongside dependency updates and a small Resource Monitoring cleanup.

Experimental API Changes

Now Stable

  • ResponseContinuationToken and background-response APIs are now stable (previously MEAI001) #​7512

What's Changed

AI

  • Stabilize ResponseContinuationToken / background-response APIs #​7512 by @​jozkee (co-authored by @​Copilot)

Repository Infrastructure Updates

  • Update version to 10.6.0 #​7458 by @​jeffhandley
  • [main] Update dependencies from dotnet/arcade #​7451
  • Bump follow-redirects from 1.15.11 to 1.16.0 in /src/Libraries/Microsoft.Extensions.AI.Evaluation.Reporting/TypeScript/azure-devops-report/tasks/PublishAIEvaluationReport #​7469
  • Merge release/10.5 into main #​7470 by @​jeffhandley
  • Bump microsoft.visualstudio.slngen.tool from 12.0.13 to 12.0.32 #​7484
  • Bump postcss from 8.5.9 to 8.5.12 in /src/Libraries/Microsoft.Extensions.AI.Evaluation.Reporting/TypeScript #​7494
  • Bump dotnet-reportgenerator-globaltool from 5.5.7 to 5.5.9 #​7504
  • Rename release-notes skill to write-release-notes #​7511 by @​jeffhandley (co-authored by @​Copilot)

Acknowledgements

  • @​wtgodbe @​tarekgh @​peterwald @​JeremyLikness @​eiriktsarpalis @​ericstj @​evgenyfedorov2 reviewed pull requests

Full Changelog: dotnet/extensions@v10.5.2...v10.6.0

10.5.2

This patch release ships a single fix to Microsoft.Extensions.VectorData.Abstractions, correcting StorageName resolution when external serialization is enabled. Microsoft.Extensions.VectorData.ConformanceTests, Microsoft.Extensions.AI.Abstractions, Microsoft.Extensions.AI, and Microsoft.Extensions.AI.OpenAI are published alongside it for version coherency — they contain no code changes from 10.5.1.

Packages in this release

Package Version
Microsoft.Extensions.VectorData.Abstractions 10.5.2
Microsoft.Extensions.VectorData.ConformanceTests 10.5.2
Microsoft.Extensions.AI.Abstractions 10.5.2
Microsoft.Extensions.AI 10.5.2
Microsoft.Extensions.AI.OpenAI 10.5.2

What's Changed

Microsoft.Extensions.VectorData.Abstractions

  • Minor fixes to MEVD.Abstractions: correct StorageName behavior when external serialization is enabled, and disable a warning for net462. (by @​roji in #​7475)

Full Changelog: dotnet/extensions@v10.5.1...v10.5.2

10.5.1

Version 10.5.1 of the Microsoft.Extensions.AI packages stabilizes CodeInterpreter, WebSearch, and ImageGeneration tool content types. The release adds new experimental tool search and OpenAI request policy hooks. And the OpenTelemetry gen-ai semantic conventions are updated to align with v1.41.

The 'aiagent-webapi' project template in Microsoft.Agents.AI.ProjectTemplates is updated to align with v1.3.0 of Agent Framework, updating the OpenTelemetry dependencies within the template projects as well.

Packages in this release

Package Version
Microsoft.Extensions.AI 10.5.1
Microsoft.Extensions.AI.Abstractions 10.5.1
Microsoft.Extensions.AI.OpenAI 10.5.1
Microsoft.Extensions.AI.Templates 10.5.1-preview.3.26251.3
Microsoft.Agents.AI.ProjectTemplates 1.3.0-preview.1.26251.3

Experimental API Changes

Now Stable

The following types previously emitted the MEAI001 experimental diagnostic and are now stable.

  • CodeInterpreter and WebSearch tool content types are now stable #​7493
    • CodeInterpreterToolCallContent
    • CodeInterpreterToolResultContent
    • WebSearchToolCallContent
    • WebSearchToolResultContent
  • ImageGeneration tool content types and tool are now stable #​7476
    • ImageGenerationToolCallContent
    • ImageGenerationToolResultContent
    • HostedImageGenerationTool
    • ImageGenerationOptions
    • ImageGenerationResponseFormat (the Hosted enum value remains experimental)
    • IImageGenerator and the rest of the image generation infrastructure also remain experimental

New Experimental APIs

The following new APIs emit the MEAI001 experimental diagnostic.

  • New experimental API: HostedToolSearchTool with DeferredTools for tool-search-driven deferred tool loading #​7471
  • New experimental API: OpenAIRequestPolicies extension hook for appending System.ClientModel.PipelinePolicy instances to outgoing OpenAI requests #​7495

Breaking Changes to Experimental APIs

  • WebSearchToolResultContent.Results was renamed to Outputs as part of the stabilization in #​7493, aligning with CodeInterpreterToolResultContent.Outputs. The original Results property was included in version 10.4.0 and 10.5.0; this is a binary breaking change and consumers need to update to consume the updated property.

    WebSearchToolResultContent content = ...;
- IList<AIContent>? items = content.Results;
+ IList<AIContent>? items = content.Outputs;

... (truncated)

10.5.0

HTTP Logging Middleware APIs in Microsoft.AspNetCore.Diagnostics.Middleware are now stable. This release also transfers Microsoft.Extensions.VectorData.Abstractions and Microsoft.Extensions.VectorData.ConformanceTests from the Semantic Kernel repository into dotnet/extensions, jumping from 10.1.0 to 10.5.0 for consistent versioning. The release also delivers fixes across the AI libraries, AI Evaluation, and Service Discovery.

Breaking Changes

  1. Rename VectorStoreVectorAttribute constructor parameter #​7460
    • The Dimensions parameter was renamed to dimensions (lowercase). This is a source-breaking change only — binary compatibility is preserved.
    • If you use the named argument syntax new VectorStoreVectorAttribute(Dimensions: 1536), update it to new VectorStoreVectorAttribute(dimensions: 1536).

Experimental API Changes

Now Stable

  • HTTP Logging Middleware APIs are now stable (previously EXTEXP0013): AddHttpLogEnricher<T>, IHttpLogEnricher, and RequestHeadersLogEnricherOptions.HeadersDataClasses #​7380

What's Changed

AI

  • Fix OpenAIResponsesChatClient to respect "store":false in responses #​7417 by @​stephentoub
  • Fix InvalidOperationException in CoalesceWebSearchToolCallContent #​7419 by @​stephentoub
  • Handle F# optional parameters in AIFunctionFactory schema generation #​7439 by @​eiriktsarpalis
  • Fix ComputerCallResponseItem using Item.Id instead of CallId #​7446 by @​jozkee
  • Fix HostedFileContent with image MIME type sent as input_file instead of input_image #​7438 by @​stephentoub (co-authored by @​copilot)
  • Guard Activity.Current restore with null check in OpenTelemetry streaming clients #​7443 by @​stephentoub (co-authored by @​copilot)
  • Enable stateless mode in remote MCP server template (released as v1.2.0 on 2026-04-01) #​7441 by @​jeffhandley

Vector Data

  • Move Microsoft.Extensions.VectorData.Abstractions over from Semantic Kernel #​7434 by @​roji
  • Rename VectorStoreVectorAttribute dimensions constructor parameter #​7460 by @​roji

AI Evaluation

  • Add Path Validation for DiskBasedResponseCache and DiskBasedResultStore #​7397 by @​peterwald
  • Update brace-expansion for CVE-2026-33750 #​7457 by @​SamMonoRT

ASP.NET Core Extensions

  • Removing experimental attribute from Http logging middleware #​7380 by @​mariamgerges

Service Discovery

  • Implement RFC6761 reserved DNS names handling #​6924 by @​rzikm

Documentation Updates

  • Remove per-library CHANGELOG.md files #​7413 by @​jeffhandley

Test Improvements

... (truncated)

10.4.1

This release of the Microsoft.Extensions.AI packages adds new experimental APIs for Realtime client sessions and Text-to-Speech, along with OpenTelemetry and middleware improvements.

Packages in this release

Package Version
Microsoft.Extensions.AI.Abstractions 10.4.1
Microsoft.Extensions.AI 10.4.1
Microsoft.Extensions.AI.OpenAI 10.4.1

Experimental API Changes

New Experimental APIs

  • New experimental API: Realtime Client Sessions #​7285 and #​7399
  • New experimental API: Text-to-Speech Client #​7381

Changes to Experimental APIs

  • Hosted File Download Stream: write-path methods now explicitly throw NotSupportedException #​7394

What's Changed

AI

  • Add ITextToSpeechClient abstraction, middleware, and OpenAI implementation #​7381 by @​stephentoub
  • Realtime Client Proposal #​7285 by @​tarekgh
  • Add VoiceActivityDetection options to realtime session abstractions #​7399 by @​tarekgh
  • Make UriContent mediaType parameter optional with inference from URI file extension #​7398 by @​stephentoub (co-authored by @​Copilot)
  • Emit gen_ai.client.operation.exception via ILogger LoggerMessage on OpenTelemetry instrumentation classes #​7379 by @​stephentoub (co-authored by @​Copilot)
  • Support invoke_workflow as an equivalent parent span to invoke_agent in FunctionInvokingChatClient #​7382 by @​stephentoub (co-authored by @​Copilot)
  • Make HostedFileDownloadStream explicitly read-only #​7394 by @​stephentoub (co-authored by @​Copilot)

Documentation Updates

  • Document JSON schema derivation for return types in AIFunctionFactory #​7400 by @​stephentoub (co-authored by @​Copilot)

Test Improvements

  • Fix test warnings #​7369 by @​jozkee
  • Add tests for JSON deserialization of serializable types #​7373 by @​stephentoub (co-authored by @​Copilot)

Repository Infrastructure Updates

  • Update Package Validation Baseline to 10.4.0 #​7389 by @​jeffhandley (co-authored by @​Copilot)
  • Update ModelContextProtocol libraries to version 1.0.0 #​7340 by @​stephentoub (co-authored by @​Copilot)

Acknowledgements

  • @​eiriktsarpalis @​ericstj @​CodeBlanch @​lmolkova @​adamsitnik @​joperezr reviewed pull requests
    ... (truncated)

10.4.0

This release advances the AI abstractions with new hosted file, web search, and reasoning content types, stabilizes MCP and tool approval APIs, adds streaming latency metrics to OpenTelemetry instrumentation, and delivers bug fixes across caching, data ingestion, and resource monitoring.

Experimental API Changes

Now Stable

  • MCP Server Tool Content and Function Call Approval APIs are now stable (previously MEAI001) #​7299
  • FakeLogCollector.GetLogsAsync(CancellationToken) is now stable (previously EXTEXP0003) #​7332

New Experimental APIs

  • New experimental AddExtendedHttpClientLogging overloads with wrapHandlersPipeline parameter (EXTEXP0013) #​7231

Removed Experimental APIs

  • AI Tool Reduction experimental APIs removed (was experimental under MEAI001) #​7353

What's Changed

AI

  • Add IHostedFileClient and friends #​7269 by @​stephentoub
  • Add web search tool call content #​7276 by @​stephentoub (co-authored by @​Copilot)
  • Surface OpenAI-compatible reasoning_content as TextReasoningContent #​7295 by @​stephentoub
  • MCP/Approvals/Tool Contents stabilization #​7299 by @​jozkee
  • Implement time_to_first_chunk and time_per_output_chunk streaming metrics in OpenTelemetryChatClient #​7325 by @​stephentoub (co-authored by @​Copilot)
  • Add openai.api.type telemetry attribute to OpenAI IChatClient implementations #​7316 by @​stephentoub (co-authored by @​Copilot)
  • Update OpenTelemetry Gen AI semantic conventions to v1.40 #​7322 by @​stephentoub (co-authored by @​Copilot)
  • Fix tool definitions emission regardless of sensitivity setting #​7346 by @​stephentoub (co-authored by @​Copilot)
  • Honor [Required] attribute in AI function parameter JSON schema generation #​7272 by @​stephentoub (co-authored by @​Copilot)
  • AddAIContentType automatically registers content type against every base in the inheritance chain up to AIContent #​7358 by @​jozkee (co-authored by @​Copilot)
  • Auto-mark server-handled FunctionCallContent as InformationalOnly #​7314 by @​stephentoub (co-authored by @​Copilot)
  • Map ReasoningEffort.None and ExtraHigh to none and xhigh in OpenAI IChatClient implementations #​7319 by @​stephentoub (co-authored by @​Copilot)
  • Handle DynamicMethod reflection limitations in AIFunctionFactory #​7287 by @​stephentoub (co-authored by @​Copilot)
  • Fix Activity.Current nulled during streaming tool invocation #​7321 by @​flaviocdc (co-authored by @​Copilot)
  • Handle FunctionCallOutputResponseItem in streaming response conversion #​7307 by @​stephentoub (co-authored by @​Copilot)
  • Fix serialization of response continuation tokens #​7356 by @​stephentoub
  • Remove AI Tool Reduction experimental APIs #​7353 by @​stephentoub (co-authored by @​Copilot)
  • Update OpenAI to 2.9.1 #​7349 by @​stephentoub

Telemetry and Observability

  • Introduce support for the Gauge metric type #​7203 by @​rainsxng
  • Update logging source generator to support generic methods #​7331 by @​svick (co-authored by @​Copilot)
  • Update logging source generator to match runtime PR #​124589 (ref readonly/params/scoped) #​7333 by @​svick (co-authored by @​Copilot)
  • Promote FakeLogCollector.GetLogsAsync(CancellationToken) from experimental to stable #​7332 by @​Demo30
  • Remove obsolete CS1591 warning suppression from generated file preamble #​7308 by @​luissena

HTTP Resilience and Diagnostics

... (truncated)

10.3.0

Experimental API Changes

Now Stable

  • IChatReducer interface — graduated from experimental to stable. The interface is now stable; concrete implementations (MessageCountingChatReducer, SummarizingChatReducer, ReducingChatClient) remain experimental. #​7235 by @​jeffhandley
  • FunctionCallContent and FunctionResultContent unsealed — changed from sealed class to class, enabling derivation. #​7229 by @​stephentoub (co-authored by @​Copilot)

Breaking Changes to Experimental APIs

  • Experimental diagnostic ID reorganization — the blanket MEAI001 diagnostic ID was split into feature-specific constants. OpenAI-specific experimental APIs now use OPENAI001, OPENAI002, or SCME0001 instead of MEAI001. Consumers who suppressed MEAI001 for OpenAI APIs may need to suppress OPENAI001/OPENAI002 instead. #​7116 by @​jeffhandley (co-authored by @​Copilot), #​7235 by @​jeffhandley

New Experimental APIs

  • Chat reduction implementationsMessageCountingChatReducer, SummarizingChatReducer, ReducingChatClient, and UseChatReducer builder extension. #​7235 by @​jeffhandley
  • OpenAI Responses/Assistants/Realtime/Image/Audio integrations — assigned feature-specific experimental diagnostic IDs (OPENAI001, OPENAI002). #​7235 by @​jeffhandley
  • ImageGenerationToolCallContent and ImageGenerationToolResultContent — added to JSON serialization infrastructure. #​7275 by @​stephentoub (co-authored by @​Copilot)

What's Changed

AI

  • Add ReasoningOptions to ChatOptions #​7252 by @​stephentoub (co-authored by @​Copilot)
  • Add LoadFromAsync and SaveToAsync helper methods to DataContent #​7159 by @​stephentoub (co-authored by @​Copilot)
  • Add FunctionCallContent.InformationalOnly property #​7126, #​7262 by @​stephentoub (co-authored by @​Copilot)
  • Add server tool call support to OpenTelemetryChatClient per semantic conventions #​7240 by @​stephentoub (co-authored by @​Copilot)
  • Add ImageGenerationToolCallContent and ImageGenerationToolResultContent to JSON serialization infrastructure #​7275 by @​stephentoub (co-authored by @​Copilot)
  • Add logging to FunctionInvokingChatClient for approval flow, error handling, and loop control #​7228 by @​stephentoub (co-authored by @​Copilot)
  • Allow FunctionResultContent pass-through when CallId matches #​7229 by @​stephentoub (co-authored by @​Copilot)
  • Remove AIFunctionDeclaration tools on last iteration in FunctionInvokingChatClient #​7207 by @​stephentoub (co-authored by @​Copilot)
  • Propagate CachedInputTokenCount in OpenTelemetry telemetry #​7234 by @​stephentoub (co-authored by @​Copilot)
  • Categorize MEAI001 experimental APIs #​7116 by @​jeffhandley (co-authored by @​Copilot)
  • MEAI: Update Experimental / Preview Features #​7235 by @​jeffhandley
  • ToChatResponse: Merge AdditionalProperties into ChatMessage instead of ChatResponse #​7194 by @​stephentoub (co-authored by @​Copilot)
  • Fix FunctionInvokingChatClient to respect ChatOptions.Tools modifications by function tools #​7218 by @​stephentoub (co-authored by @​Copilot)
  • Fix FunctionInvokingChatClient invoke_agent span detection with exact match or space delimiter #​7224 by @​stephentoub (co-authored by @​Copilot)
  • Fix approval request/response correlation in FunctionInvokingChatClient #​7261 by @​stephentoub (co-authored by @​Copilot)
  • Fix DataUriParser to default to text/plain;charset=US-ASCII per RFC 2397 #​7247 by @​stephentoub (co-authored by @​Copilot)
  • Fix NRT resolution for AIFunction parameters #​7200 by @​eiriktsarpalis
  • Preserve extra JSON schema properties in ToolJson serialization #​7250 by @​stephentoub (co-authored by @​Copilot)
  • Fix token metric unit to use UCUM format {token} #​7241 by @​stephentoub
  • Fix OpenAI responses streaming to preserve encrypted reasoning content #​7266 by @​stephentoub
  • Update OpenAIResponsesChatClient to handle streaming code interpreter content #​7267 by @​stephentoub

Diagnostics, Health Checks, and Resource Monitoring

  • [5752] FakeLogCollector waiting capabilities #​6228 by @​Demo30
  • Bring new cpu.requests formula from Kubernetes #​7239 by @​amadeuszl

Service Discovery

... (truncated)

10.2.0

What's Changed

New Contributors

Full Changelog: dotnet/extensions@v10.1...v10.2.0

Commits viewable in compare view.

Pinned Microsoft.Extensions.Logging.Abstractions at 10.0.8.

Release notes

Sourced from Microsoft.Extensions.Logging.Abstractions's releases.

10.0.0-preview.6.25358.103

You can build .NET 10.0 Preview 6 from the repository by cloning the release tag v10.0.0-preview.6.25358.103 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

10.0.0-preview.5.25277.114

You can build .NET 10.0 Preview 5 from the repository by cloning the release tag v10.0.0-preview.5.25277.114 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

10.0.0-preview.4.25258.110

You can build .NET 10.0 Preview 4 from the repository by cloning the release tag v10.0.0-preview.4.25258.110 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

10.0.0-preview.3.25171.5

You can build .NET 10.0 Preview 3 from the repository by cloning the release tag v10.0.0-preview.3.25171.5 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

10.0.0-preview.2.25163.2

You can build .NET 10.0 Preview 2 from the repository by cloning the release tag v10.0.0-preview.2.25163.2 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

10.0.0-preview.1.25080.5

You can build .NET 10.0 Preview 1 from the repository by cloning the release tag v10.0.0-preview.1.25080.5 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

9.0.117

You can build .NET 9.0 from the repository by cloning the release tag v9.0.117 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

9.0.116

You can build .NET 9.0 from the repository by cloning the release tag v9.0.116 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

9.0.115

You can build .NET 9.0 from the repository by cloning the release tag v9.0.115 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

9.0.114

You can build .NET 9.0 from the repository by cloning the release tag v9.0.114 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached is the PGP signature for the GitHub generated tarball. You can find the public key at https://dot.net/release-key-2023

9.0.113

You can build .NET 9.0 from the repository by cloning the release tag v9.0.113 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

9.0.112

You can build .NET 9.0 from the repository by cloning the release tag v9.0.112 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

9.0.111

You can build .NET 9.0 from the repository by cloning the release tag v9.0.111 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

9.0.110

You can build .NET 9.0 from the repository by cloning the release tag v9.0.110 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

9.0.109

You can build .NET 9.0 from the repository by cloning the release tag v9.0.109 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

9.0.101

You can build .NET 9.0 from the repository by cloning the release tag v9.0.101 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

9.0.7

You can build .NET 9.0 from the repository by cloning the release tag v9.0.7 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

9.0.6

You can build .NET 9.0 from the repository by cloning the release tag v9.0.6 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

9.0.5

You can build .NET 9.0 from the repository by cloning the release tag v9.0.5 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

9.0.4

You can build .NET 9.0 from the repository by cloning the release tag v9.0.4 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

9.0.3

You can build .NET 9.0 from the repository by cloning the release tag v9.0.3 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

9.0.2

You can build .NET 9.0 from the repository by cloning the release tag v9.0.2 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

9.0.1

You can build .NET 9.0 from the repository by cloning the release tag v9.0.1 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

9.0.0

You can build .NET 9.0 from the repository by cloning the release tag v9.0.0 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

9.0.0-rc.2.24473.5

You can build NET 9.0 RC2 from the repository by cloning the release tag v9.0.0-rc.2.24473.5 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

9.0.0-rc.1.24431.7

You can build .NET 9.0 RC1 from the repository by cloning the release tag v9.0.0-rc.1.24431.7 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

9.0.0-preview.7.24405.7

You can build .NET 9.0 Preview 7 from the repository by cloning the release tag v9.0.0-preview.7.24405.7 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

9.0.0-preview.6.24327.7

You can build .NET 9.0 Preview 6 from the repository by cloning the release tag v9.0.0-preview.6.24327.7 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

9.0.0-preview.5.24306.7

You can build .NET 9.0 Preview 5 from the repository by cloning the release tag v9.0.0-preview.5.24306.7 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

9.0.0-preview.4.24266.19

You can build .NET 9.0 Preview 4 from the repository by cloning the release tag v9.0.0-preview.4.24266.19 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

9.0.0-preview.3.24172.9

You can build .NET 9.0 Preview 3 from the repository by cloning the release tag v9.0.0-preview.3.24172.9 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

9.0.0-preview.2.24128.5

You can build .NET 9.0 Preview 2 from the repository by cloning the release tag v9.0.0-preview.2.24128.5 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

9.0.0-preview.1.24080.9

You can build .NET 9.0 Preview 1 from the repository by cloning the release tag v9.0.0-preview.1.24080.9 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

8.0.127

You can build .NET 8.0 from the repository by cloning the release tag v8.0.127 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

8.0.126

You can build .NET 8.0 from the repository by cloning the release tag v8.0.126 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

8.0.125

You can build .NET 8.0 from the repository by cloning the release tag v8.0.125 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

8.0.124

You can build .NET 8.0 from the repository by cloning the release tag v8.0.124 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

8.0.123

You can build .NET 8.0 from the repository by cloning the release tag v8.0.123 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

8.0.122

You can build .NET 8.0 from the repository by cloning the release tag v8.0.122 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

8.0.121

You can build .NET 8.0 from the repository by cloning the release tag v8.0.121 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

8.0.120

You can build .NET 8.0 from the repository by cloning the release tag v8.0.120 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

8.0.119

You can build .NET 8.0 from the repository by cloning the release tag v8.0.119 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

8.0.100-preview.1

8.0.18

You can build .NET 8.0 from the repository by cloning the release tag v8.0.18 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

8.0.17

You can build .NET 8.0 from the repository by cloning the release tag v8.0.17 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

8.0.16

You can build .NET 8.0 from the repository by cloning the release tag v8.0.16 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

8.0.15

You can build .NET 8.0 from the repository by cloning the release tag v8.0.15 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

8.0.14

You can build .NET 8.0 from the repository by cloning the release tag v8.0.14 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

8.0.13

You can build .NET 8.0 from the repository by cloning the release tag v8.0.13 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

8.0.12

You can build .NET 8.0 from the repository by cloning the release tag v8.0.12 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the [dotnet/dotnet repos...

Description has been truncated

@dependabot @github
Copy link
Copy Markdown
Contributor Author

dependabot Bot commented on behalf of github May 14, 2026

Labels

The following labels could not be found: dependencies, nuget. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot
Bump Microsoft.AspNetCore.Authentication.JwtBearer and 10 others
dacb3d6 
Bumps Microsoft.AspNetCore.Authentication.JwtBearer from 10.0.2 to 10.0.8
Bumps Microsoft.AspNetCore.Components.WebAssembly from 10.0.2 to 10.0.8
Bumps Microsoft.AspNetCore.Components.WebAssembly.DevServer from 10.0.2 to 10.0.8
Bumps Microsoft.AspNetCore.OpenApi from 10.0.2 to 10.0.8
Bumps Microsoft.Extensions.Caching.Hybrid from 10.5.0 to 10.6.0
Bumps Microsoft.Extensions.Caching.StackExchangeRedis from 10.0.2 to 10.0.8
Bumps Microsoft.Extensions.Diagnostics.HealthChecks.EntityFrameworkCore from 10.0.2 to 10.0.8
Bumps Microsoft.Extensions.Hosting.Abstractions from 10.0.7 to 10.0.8
Bumps Microsoft.Extensions.Http.Resilience from 10.1.0 to 10.6.0
Bumps Microsoft.Extensions.Logging.Abstractions to 10.0.8
Bumps Microsoft.Extensions.ServiceDiscovery from 10.1.0 to 10.6.0

---
updated-dependencies:
- dependency-name: Microsoft.AspNetCore.Authentication.JwtBearer
  dependency-version: 10.0.8
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: microsoft-extensions
- dependency-name: Microsoft.AspNetCore.Components.WebAssembly
  dependency-version: 10.0.8
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: microsoft-extensions
- dependency-name: Microsoft.AspNetCore.Components.WebAssembly.DevServer
  dependency-version: 10.0.8
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: microsoft-extensions
- dependency-name: Microsoft.AspNetCore.OpenApi
  dependency-version: 10.0.8
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: microsoft-extensions
- dependency-name: Microsoft.Extensions.Caching.Hybrid
  dependency-version: 10.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: microsoft-extensions
- dependency-name: Microsoft.Extensions.Caching.StackExchangeRedis
  dependency-version: 10.0.8
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: microsoft-extensions
- dependency-name: Microsoft.Extensions.Diagnostics.HealthChecks.EntityFrameworkCore
  dependency-version: 10.0.8
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: microsoft-extensions
- dependency-name: Microsoft.Extensions.Hosting.Abstractions
  dependency-version: 10.0.8
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: microsoft-extensions
- dependency-name: Microsoft.Extensions.Http.Resilience
  dependency-version: 10.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: microsoft-extensions
- dependency-name: Microsoft.Extensions.Logging.Abstractions
  dependency-version: 10.0.8
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: microsoft-extensions
- dependency-name: Microsoft.Extensions.ServiceDiscovery
  dependency-version: 10.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: microsoft-extensions
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot changed the title Bump the microsoft-extensions group with 11 updates Bump Microsoft.AspNetCore.Authentication.JwtBearer and 10 others May 19, 2026
@dependabot dependabot Bot force-pushed the dependabot/nuget/microsoft-extensions-8804b6fa1f branch from ff53584 to dacb3d6 Compare May 19, 2026 10:05
@dependabot @github
Copy link
Copy Markdown
Contributor Author

dependabot Bot commented on behalf of github May 22, 2026

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml

@dependabot dependabot Bot deleted the dependabot/nuget/microsoft-extensions-8804b6fa1f branch May 22, 2026 15:22
This was referenced May 23, 2026
Merged
Merged
emeraldleaf added a commit that referenced this pull request May 24, 2026
@emeraldleaf @claude
fix(service-defaults): security trio — middleware order, JWT, error t… (
6f0242f 
#25)

* fix(service-defaults): security trio — middleware order, JWT, error trace ID

Three small but distinct security hardening fixes in ServiceDefaults
(addresses architecture-review findings #3, #5, #6).

1. MIDDLEWARE ORDER — CorrelationIdMiddleware after UseAuthentication

The middleware reads ClaimTypes.NameIdentifier from context.User to populate
the UserId logger scope key. Pre-auth, context.User is empty, so UserId was
silently always null for every authenticated request — defeating half the
context-propagation pipeline. UserId never made it into log scopes from the
HTTP entry point and never reached Wolverine envelope headers via the
ActivityBaggage → OutgoingContextMiddleware path.

Reordered: UseExceptionHandler → UseAuthentication → UseAuthorization →
CorrelationIdMiddleware. ExceptionHandler stays first so it still wraps
everything below it.

2. JWT — explicit ValidateIssuerSigningKey + tightened ClockSkew

ValidateIssuerSigningKey was implicit (JWT Bearer's default validates
against JWKS-discovered keys). Made explicit so it's auditable + prevents
a future config change from silently disabling it.

ClockSkew defaulted to 5 MINUTES. Revoked/expired tokens were accepted for
5 extra minutes — material on typical 15-minute access-token lifetimes.
Set to 30 seconds: covers reasonable inter-server clock drift, doesn't
give attackers a long replay window.

3. EXCEPTION HANDLER — TraceId only, not full Activity.Id

Activity.Current?.Id returns the full W3C traceparent
("00-<trace>-<span>-<flags>") and we were embedding that in every
ProblemDetails response. The span ID is information about server-side
handler call structure that clients have no business seeing. Switched to
Activity.Current?.TraceId.ToString() — same correlation utility, no leak
of internal call graph.

None of the three needed any consumer changes; all are internal to
ServiceDefaults. Build clean (the one CS0436 warning is the pre-existing
benchmarks Program-conflict; unaffected).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* fix(service-defaults): place CorrelationIdMiddleware between Auth and Authz

CodeRabbit (PR #25) flagged that the previous fix moved the middleware too
far down — to AFTER UseAuthorization — which works for populating UserId
but drops the audit trail for 401/403 unauthorized-attempt logs.

Correct placement is BETWEEN UseAuthentication and UseAuthorization:

  app.UseExceptionHandler();
  app.UseAuthentication();          // populates context.User
  app.UseMiddleware<CorrelationIdMiddleware>();  // reads User, opens scope
  app.UseAuthorization();           // any 401/403 here has UserId in scope

Two reasons:
  1. CorrelationIdMiddleware needs context.User populated to read
     NameIdentifier (the original ordering bug — pre-auth, User was empty
     and UserId was always null).
  2. Placing it BEFORE Authorization means the UserId scope is active
     during the authorization decision. If a user is rejected, the log
     line says "user X tried Y and was denied" — the audit trail we need.
     My previous fix dropped this by placing the middleware after
     Authorization, which would only attribute requests that actually
     passed authorization.

Build clean. Single-line move of one app.UseMiddleware call.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* test(service-defaults): unit tests for JWT options + GlobalExceptionHandler

Covers the production-code changes in this PR so Codecov's patch-coverage
gate stops complaining (was 8.33%; the prior fixes were uncovered because
ServiceDefaults had no dedicated tests).

GlobalExceptionHandlerTests (3):
  - TryHandleAsync_WhenActivityIsActive_ReturnsTraceIdOnly_NotFullActivityId:
    pins the security-critical change (Activity.Id → TraceId.ToString()).
    Asserts the response traceId equals activity.TraceId.ToString(), NOT
    activity.Id (which is the full W3C traceparent including span ID).
    Also asserts no hyphens — distinguishes the bare trace from the full
    "00-trace-span-flags" format.
  - TryHandleAsync_WhenNoActivity_FallsBackToHttpContextTraceIdentifier:
    covers the null-coalesce path.
  - TryHandleAsync_AlwaysReturnsProblemDetailsWithGenericDetail_NeverExceptionMessage:
    defense against information disclosure (CLAUDE.md "Error Handling").
    Asserts the raw exception message doesn't appear in the response body
    even when the message contains sensitive-looking content like SQL.

ServiceDefaultsJwtTests (3):
  - AddServiceDefaults_WhenAuthorityConfigured_SetsExplicitSigningKeyValidation
  - AddServiceDefaults_WhenAuthorityConfigured_SetsTightClockSkew
  - AddServiceDefaults_WhenAuthorityConfigured_RetainsCoreValidations
  All three boot a real Host.CreateApplicationBuilder + AddServiceDefaults
  with a configured authority, resolve the IOptionsMonitor<JwtBearerOptions>,
  and assert the TokenValidationParameters. Pins both the new hardening
  (ClockSkew=30s, ValidateIssuerSigningKey=true) AND the pre-existing core
  validations (Audience/Issuer/Lifetime) so a future refactor can't drop
  either silently.

All 6 tests pass in 0.7s. Build clean (the one CS0436 warning is the
pre-existing benchmarks Program-conflict; unaffected).

Test placement follows the existing convention — ServiceDefaults tests
live in service-test projects (OrderService.Tests.Unit/Application/
already has ContextPropagationMiddlewareTests, CorrelationIdMiddlewareTests,
OutgoingContextMiddlewareTests). Not ideal long-term (duplication risk
across the 4 service test projects), but matches the established pattern.

The middleware-ordering change in Extensions.cs is harder to unit-test —
it requires booting WebApplicationFactory and asserting the order of
middleware execution at request time. Filed as a project-board issue for
later; the JWT and ExceptionHandler tests cover the highest-risk lines
of this PR (security hardening that could silently regress).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
emeraldleaf added a commit that referenced this pull request May 25, 2026
@emeraldleaf @claude
docs(STATUS): record the simplicity refactor (drop repo wrappers in V…
b5179d2 
…SA services)

Adds an entry to "Recently landed" capturing:
- Motivation (Anton Martyniuk's "6 .NET Trends" #5 + #6, simplicity-team
  reviewer optics)
- What changed across each service (rules → OrderService → ShippingService
  → PaymentService → NotificationService → CatalogService carve-out)
- The PaymentRecoveryJob outbox-atomic wrap that got inlined
- The CatalogService Clean-Architecture carve-out and why it's load-bearing
- Test coverage: 23 mocked-repo handler tests deleted (existing integration
  suite covers most; remaining gap acknowledged for Shipping + Payment
  integration projects)
- Walkthrough updates

Updates "Last updated" timestamp to reflect this change.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@emeraldleaf