Update Major backend dependencies (major)

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
AutoMapper (source)	13.0.1 -> 14.0.0
CsvHelper (source)	31.0.4 -> 33.0.1
JWT	10.1.1 -> 11.0.0
Medo.Uuid7	1.9.1 -> 3.1.0
Microsoft.Azure.Functions.Worker	1.24.0 -> 2.0.0
Microsoft.Azure.Functions.Worker.ApplicationInsights	1.4.0 -> 2.0.0
Microsoft.Azure.Functions.Worker.Extensions.Http.AspNetCore	1.3.3 -> 2.0.1
Microsoft.Azure.Functions.Worker.Sdk	1.18.1 -> 2.0.2
Microsoft.Identity.Web	2.21.1 -> 3.8.3
Microsoft.IdentityModel.Tokens	7.7.1 -> 8.8.0
Semver	2.3.0 -> 3.0.0
Snapshooter.Xunit	0.15.0 -> 1.0.1
Swashbuckle.AspNetCore	7.3.2 -> 8.1.1
Swashbuckle.AspNetCore.Annotations	7.3.2 -> 8.1.1
Swashbuckle.AspNetCore.SwaggerGen	7.3.2 -> 8.1.1
System.IdentityModel.Tokens.Jwt	7.7.1 -> 8.8.0
System.Memory.Data (source)	7.0.0 -> 9.0.4
System.Text.Json (source)	8.0.5 -> 9.0.4
linq2db.EntityFrameworkCore	8.1.0 -> 9.0.0
swashbuckle.aspnetcore.cli	7.3.2 -> 8.1.1

---

Release Notes

AutoMapper/AutoMapper (AutoMapper)

v14.0.0

What's Changed

• Reverted the nullable annotations by @​lbargaoanu in https://github.com/AutoMapper/AutoMapper/pull/4390
• Fix polymorphic mapping when some derived types have explicit mappings and others do not by @​kev-andrews in https://github.com/AutoMapper/AutoMapper/pull/4402
• The default naming conventions for a profile should come from the glo… by @​lbargaoanu in https://github.com/AutoMapper/AutoMapper/pull/4428
• Fix Issue #​4502 - Confusing exception when trying to map types with … by @​Biotronic in https://github.com/AutoMapper/AutoMapper/pull/4503
• Target .net 8 and seal more classes by @​lbargaoanu in https://github.com/AutoMapper/AutoMapper/pull/4474
• Target .Net 9 in tests by @​lbargaoanu in https://github.com/AutoMapper/AutoMapper/pull/4507
• Changed lock-threads parameters by @​lbargaoanu in https://github.com/AutoMapper/AutoMapper/pull/4516
• Don't throw and catch on validation by @​lbargaoanu in https://github.com/AutoMapper/AutoMapper/pull/4526

New Contributors

• @​kev-andrews made their first contribution in https://github.com/AutoMapper/AutoMapper/pull/4402
• @​Biotronic made their first contribution in https://github.com/AutoMapper/AutoMapper/pull/4503

Full Changelog: AutoMapper/AutoMapper@v13.0.1...v14.0.0

JoshClose/CsvHelper (CsvHelper)

v33.0.1

Compare Source

v33.0.0

Compare Source

v32.0.3

Compare Source

v32.0.2

Compare Source

v32.0.1

Compare Source

v32.0.0

Compare Source

jwt-dotnet/jwt (JWT)

v11.0.0

• Updated System.Text.Json to version 9.0.0

Azure/azure-functions-dotnet-worker (Microsoft.Azure.Functions.Worker)

v2.0.0: Microsoft.Azure.Functions.Worker 2.0.0

Compare Source

Microsoft.Azure.Functions.Worker (metapackage) 2.0.0

• Updating Microsoft.Azure.Functions.Worker.Core to 2.0.0
• Updating Microsoft.Azure.Functions.Worker.Grpc to 2.0.0
• Changed exception handling in function invocation path to ensure fatal exceptions bubble up.

Breaking Changes

• Dropping .NET 5 TFM support
• Capability IncludeEmptyEntriesInMessagePayload is now enabled by default (#​2701)
  • This means that empty entries will be included in the function trigger message payload by default.
  • To disable this capability and return to the old behaviour, set IncludeEmptyEntriesInMessagePayload to false in the worker options.
• ValidateScopes is enabled for development environments by default.

Microsoft.Azure.Functions.Worker.Core 2.0.0

• Updating Azure.Core to 1.41.0
• New APIs supporting IHostApplicationBuilder
• Updated service registrations for bootstrapping methods to ensure idempotency.

Breaking Changes

• Capability EnableUserCodeException is now enabled by default (#​2702)
  • This means that exceptions thrown by user code will be surfaced to the Host as their original exception type, instead of being wrapped in an RpcException.
  • To disable this capability and return to the old behaviour, set EnableUserCodeException to false in the worker options.
  • The EnableUserCodeException property in WorkerOptions has been marked as obsolete and may be removed in a future release.
• Rename ILoggerExtensions to FunctionsLoggerExtensions to avoid naming conflict issues (#​2716)
• Removed the default value for HttpStatusCode in WriteAsJsonAsync (#​2720)
• Removed fallback command line argument reading code for grpc worker startup options. (#​1908)

Setting Worker Options Example

If you need to disable these capabilities and return to the old behaviour, you can set the worker options as follows:

var host = new HostBuilder()
.ConfigureFunctionsWorkerDefaults(options =>
{
    options.EnableUserCodeException = false;
    options.IncludeEmptyEntriesInMessagePayload = false;
})

Microsoft.Azure.Functions.Worker.Grpc 2.0.0

• Refer to metapackage

AzureAD/microsoft-identity-web (Microsoft.Identity.Web)

v3.8.3

Compare Source

========

Package updates

• Updated to Microsoft.IdentityModel.* 8.8.0
• Updated to MSAL.NET 4.70.1

New feature

• TokenAcquistion.cs adds its service provider to the acquisition options. See issue #​3315 for details.

v3.8.2

Compare Source

========

• Updated to Microsoft.Identity.Abstractions 9.0.0

New feature

• An exception is now thrown if MSAL TokenCacheNotificationArgs indicates that distributed cache is configured when it should not have been. See #​3304.
• Added support for federated identity credentials with AT_POP. See #​3299.

v3.8.1

Compare Source

========

New features

• Updated to Microsoft.IdentityModel.* 8.7.0

Bug fixes

• Pins Microsoft.Extensions.Http dependency version to 3.1.3 for .NET Framework and .NET Standard and uses inbox version for .NET Core. See #​3145.

v3.8.0

Compare Source

========

New feature

• Updated to Microsoft.IdentityModel.* 8.6.1
• Updated to MSAL.NET 4.69.1
• Updated the Json Schema to include extensibility for signed assertion providers. See #​3235
• Added support for Federation Identity Credential on any OIDC Idp (FIC+OIDC credential provider). See #​3255
• Support for acquiring token for Federation Managed Identity (FMI). Supports the FmiPath property of AcquireTokenOptions. See #​3247
• Downstream APIs now support Authorization headers with a custom SAML bearer syntax. See #​3273

Bug fixes

• TokenAcquirerFactory is now thread safe. See #​3274
• Fix a bug in the parsing of the token in the authority. See #​3261

Fundamentals

• Removed old Blazorwasm sample, wasm-tools and added new blazor web API: #​3259, #​3257, #​3254
• Modified the build so that, in CI/CD internal builds, the NuGet.org NuGet source is replaced by a managed Nuget source. More verbose information added. See #​3263
• Fixed CS8602 Warnings in Weather.razor (BlazorApp) – Handle Nullable forecasts and user.Identity. See #​3266,

New Contributors

• @​sthanu98 made their first contribution in #​3273. Thank you!

v3.7.1

Compare Source

========

• Updated to Microsoft.IdentityModel.* 8.5.0

v3.7.0

Compare Source

========

• Updated to Microsoft.Identity.Abstractions 8.1.0
• Updated to Microsoft.IdentityModel.* 8.4.0

New Feature

• IdentityWeb now provides extensibility to DefaultCredentialsLoader so that partner teams, or an SDK on top of IdWeb, can bring their own credential providers. See #​3220 for details.

Bug fixes

• The merged options are now being passed to MSAL for the CCA ROPC scenario. See #​3207 for details.

v3.6.2

Compare Source

========

• Updated to Microsoft.Identity.Abstractions 8.0.0

Fundamentals

• Clean-up the tests that were using properties removed in Abstractions 8.0.0. See issue #​3212 for details.

v3.6.1

Compare Source

========

• Updated to Microsoft.Identity.Abstractions 7.2.1

v3.6.0

Compare Source

========

• Updated to Microsoft.IdentityModel.* 8.3.1
• Updated to MSAL.NET 4.67.2

Bug fixes

• Checks that B2C tokens don't contain the claims used by Identity Web to represent the home tenant and object ID (obtained from the UserInfo endpoint). See https://github.com/AzureAD/microsoft-identity-web/pull/3131
• Remove explicit locking in OpenIdConnectCachingSecurityTokenProvider. See Issue #​3078

Fundamentals

• Fix Null Reference Exception in OwinTokenAcquirerFactory + other OWIN cleanup. See https://github.com/AzureAD/microsoft-identity-web/pull/3183
• Re-add code coverage comments & scope to src files. See https://github.com/AzureAD/microsoft-identity-web/issues/3177

v3.5.0

Compare Source

========

• Updated to Microsoft.IdentityModel.* 8.3.0

Bug fixes

• Ensure Singleton registration for TokenAcquisition Services when TokenAcquirerFactory is null. See https://github.com/AzureAD/microsoft-identity-web/pull/3155
• Dont modify the merged options when building the confidential client. See https://github.com/AzureAD/microsoft-identity-web/pull/3137

Fundamentals

• Install all .NET versions in pipeline, including .NET 9. See https://github.com/AzureAD/microsoft-identity-web/pull/3152
• Upgrade to C# 13. See https://github.com/AzureAD/microsoft-identity-web/pull/3138
• Specify sdk version in global.json. See https://github.com/AzureAD/microsoft-identity-web/pull/3156
• Disable Coverage PR comments. See in https://github.com/AzureAD/microsoft-identity-web/pull/3159

v3.4.0

Compare Source

========

• Updated to Microsoft.IdentityModel.* 8.2.1
• Updated to Microsoft.Identity.Abstractions 7.2.0

New features

• Add ROPC flow support for confidential client applications. See 3091, 3129, 3139.
• Allow multi-tenant applications to specify the AppHomeTenantId to be used for client credentials. See 3121, 3132.
• Update to use .NET 9 GA. See 3127.

v3.3.1

Compare Source

========

• Updated to Microsoft.IdentityModel.* 8.2.0

Supportability

• Added JSON schema support for Microsoft.Identity.Web configuration. This allows for schema validation in the appsettings.json, improving configuration accuracy and developer experience. To use it, add the following at the top of your appsettings.json:
  "$schema": "https://github.com/AzureAD/microsoft-identity-web/blob/master/JsonSchemas/microsoft-identity-web.json"
  This update enhances the configuration process by providing clear structure and validation for settings used in Microsoft.Identity.Web. See PR #​3119 for details.

Fundamentals

• Fix a flaky test in the L1L2Cache tests. See PR #​3122 for details.

v3.3.0

Compare Source

========

• Updated to Microsoft.Identity.Client 4.66.0
• Update system.Text.Json to 8.0.5 CVE-2024-43485
• Updated to .NET 9 RC2

New features

• Microsoft.Identity.Web token acquisition now provides an extensibility mechanism to enable non-standard features. For details, see #​2975

Fundamentals

• Split DownstreamApi methods between AoT compatible and incompatible methods by @​SaurabhMSFT in https://github.com/AzureAD/microsoft-identity-web/pull/3090
• ASP.NET Core (and other) cross-link updates by @​guardrex in https://github.com/AzureAD/microsoft-identity-web/pull/3096. Thank you!
• Onboarded to Threading Analyzers. For details, see #​3052
• display code coverage as PR comments
• Fix flaky EncryptionTestAsync on .NET 9.

v3.2.2

Compare Source

=========

• Updated to Microsoft.IdentityModel.* 8.1.2

• Breaking change (without major version change. Sorry!)
  ClientAssertionProviderBase.GetSignedAssertion now takes an MSAL.NET AssertionRequestOptions and the method name has changed from GetSignedAssertion to GetClientAssertionAsync:

  var m = new ManagedIdentityClientAssertion("<some client id>");
  m.GetSignedAssertion(CancellationToken.None); // this method will break on v3.2.2  

v3.2.1

Compare Source

=========

• Updated to Microsoft.IdentityModel.* 8.1.1

v3.2.0

Compare Source

=========

• Updated to Microsoft.Identity.Abstractions 7.1.0
• Updated to Microsoft.IdentityModel.* 8.1.0
• Updated to Microsoft.Identity.Client 4.64.1
   

New features

• In .NET 8 and above, IDownstreamApi overloads take a JsonTypeInfo<T> parameter to enable source generated JSON deserialization. See issue #​2930 for details.

Bug fixes:

• Azure region is used while creating application keys when the TokenAcquisition service caches application objects, and the TokenAcquirerFactory caches TokenAcquirer. See #​3002 for details.
• Improved error messages for FIC. See issue #​3000 for details.

Fundamentals:

• Improved test coverage for GetCacheKey. See PR #​3020 for details.
• Update to .NET 9-RC1. See issue #​3025 for details.
• Fix static analysis warnings. See PR #​3024 for details.

v3.1.0

Compare Source

=========

• Updated to Microsoft.IdentityModel.* 8.0.2

Security improvement:

• Id Web now uses CaseSensitiveClaimsIdentity by default and provides AppContextSwitches to fallback to using ClaimsIdentity. This means that when you loopup claims with FindFirst(), FindAll() and HasClaim(), you need to provide the right casing for the claim. See PR #​2977 for details.

Bug fixes:

• For SN/I scenarios, Id Web's GetTokenAcquirer now sets SendX5C in particular protocols. See issue #​2887 for details.
• Fix for Instance/Tenant parsing for V2 authority (affected one Entra External IDs scenario). See PR #​2954 for details.
• Fix regex that threw a format exception: The input string " was not in a correct format when enabling same-site cookie compatibility with userAgent: "Dalvik/2.1.0 (Linux; U; Android 12; Chromecast Build/STTE.230319.008.H1). See issue #​2879 for details.
• Microsoft.Identity.Web 3.1.0 now has an upper bound set on its dependency on Microsoft.Identity.Abstractions to version 7x to avoid referencing Microsoft.Identity.Abstractions 8.0.0, which has an interface breaking change, not yet implemented in Microsoft.Identity.Web. See PR #​2962 for details.

Fundamentals:

• Fix flakey tests: #​2972, #​2984, #​2982,
• Update to AzureKeyVault@2 in AzureDevOps, #​2981.
• Update to .NET 9-preview7, #​2980 and #​2991.
• It's now possible to build a specific version of Microsoft.Identity.Web based on specific versions of Microsoft.IdentityModel and Microsoft.Identity.Abstractions by specifying build variables on the dotnet pack command (MicrosoftIdentityModelVersion, MicrosoftIdentityAbstractionsVersions, and MicrosoftIdentityWebVersion): #​2974, #​2990

========

See rel/v2 branch changelog for changes to all 2.x.x versions after 2.18.1.

The changes listed in the rel/v2 changelog are also in the 3.x.x versions of Id Web but are not listed here.

========

v3.0.1

Compare Source

=========

• Updated to Microsoft.IdentityModel.* 8.0.1

v3.0.0

=========

CVE package updates

CVE-2024-30105

• See PR #​2929 for details.

• Updated to Microsoft.IdentityModel.* 8.0.0, Microsoft.Identity.Lab API 1.0.2, Microsoft.Identity.Abstractions 6.0.0

• See rel/v2 changelog for full list of added features to 3.0.0.

Fundamentals:

• Update lab cert and lab version. See PR #​2923 for details.

AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet (Microsoft.IdentityModel.Tokens)

v8.8.0

Compare Source

=====

New Features

• Adds the ability for the metadata refresh to be done as a blocking call, as per 8.0.1 behavior. This is done through the Switch.Microsoft.IdentityModel.UpdateConfigAsBlocking switch. If set, configuration calls will be blocking when metadata is updated, otherwise, if token arrive with a new signing keys, validation errors will be returned to the caller. See PR #​3193 for details.
• Identity.Model updates some log and error messages (IDX10214, IDX10215). If the information is needed for debugging purposes, it can be reverted via the Switch.Microsoft.IdentityModel.DoNotScrubExceptions AppContextSwitch. See PR #​3195 and https://aka.ms/identitymodel/app-context-switches for details.
• Change all plain object locks to System.Thread.Lock objects for .NET 9 or greater. See PRs #​3185 and #​3189 for details.

v8.7.0

Compare Source

=====

Bug Fixes

• Add back internal methods IsRecoverableException and IsRecoverableExceptionType whose signatures were changed in the previous version. See #​3181.

New Features

• Make Cnf class public and move it to Microsoft.IdentityModel.Tokens package. See #​3165.

v8.6.1

Compare Source

=====

Bug fix

• Microsoft.IdentityModel now triggers a configuration refresh if token decryption fails. See issue #​3148 for details.
• Fix a bug in JsonWebTokenHandler where JwtTokenDecryptionParameters's Alg and Enc were not set during token decryption, causing IDX10611 and IDX10619 errors to show null values in the messages. See issue #​3003 for details.

Fundamentals

• For development, IdentityModel now has a global.json file to specify the .NET SDK version. See issue #​2995 for details.

v8.6.0

Compare Source

=====

New Features

• TokenValidationParameters has a new boolean property TryAllDecryptionKeys that let you choose whether to try all decrypt keys when no key matches the token decrypt key IDs. By default it's set to true (legacy behavior) but you can set it to false to avoid tyring all keys which is more performant. See #​3128
• Promote KeyInfo.MatchesKey from internal to protected internal virtual to enable SAML extensibility (for CoreWcf). See #​3140

Fundamentals

• Update dependency on Microsoft.Extensions.Logging.Abstractions from 9.0.0 to 8.0.2 to avoid package downgrade in apps on .NET 9 using a netstandard2.0 library referencing logging.abstractions. See 3143
• Add more tests for encrypted tokens. See #​3139

v8.5.0

Compare Source

=====

Reverting previous breaking change

• The Configuration Manager has been reverted to version 8.3.1. The changes made in 8.4.0 assume the configuration manager is used as a singleton, which is similar to marking the type as disposable. We have since learned that adding IDisposable is a breaking change, so we are following semver guidance and reverting and releasing a minor version (8.5.0).
• Cherry-picked Changes: Included changes from PR #​3022 and #​3104.

v8.4.0

Compare Source

=====

New Features

• App context switch allows blocking or non-blocking calls for configuration. See PR #​3106 for details and issue #​3082 for details.
• IdentityModel now enables symmetric and asymmetric keys to be created publicly with JWK. See #​3094 for details.
• IdentityModel now allows specifying the HTTP protocol version and version policy. See #​2808 for details.

Repair items

• Add request count and duration telemetry for configuration requests. See #​3022 for details.
• KeyID should be present in exception messages and is no longer PII. See #​3104 for details.

Fundamentals

• Fix spelling issues in xml comments. See #​3117 for details.
• Fix comment coverage in PR builds. See #​3079 for details.

Work related to redesign of IdentityModel's token validation logic #​2711

• See #​3056. #​3100, #​3017, and #​3111.
• Add internal virtual on TokenHandler. See #​3084 for details.

v8.3.1

Compare Source

=====

Bug Fixes

• Respect TVP.RequireAudience when set to false. See #​3055
• For net4.6.2 select RSACng for PSS support. See #​3097
• Fix package downgrade in consuming libraries. See#​3062
• Fix integer overflow in AuthenticationEncryptionProvider.cs. See #​3063

Fundamentals

• Removed unused property on JsonWebToken ClaimsIdentity. See #​3071 for details.
• Upgrade to C# 13. See #​2998
• Use new Base64Url API. See #​22817
• Add warning quality check. See #​3067
• Update dotnet actions. see #​3074
• Fix warnings. See #​3081
• Test updates in JsonWebToken. See #​3080.

Work related to redesign of IdentityModel's token validation logic #​2711

• #​3027, #​3028, #​3051, #​3054

v8.3.0

Compare Source

=====

New features

Work related to redesign of IdentityModel's token validation logic #​2711

• SAML and SAML2 new model validation: Token Replay. See #​2994
• Extensibility tests: Token Type - JWT (#​3030), Issuer - SAML and SAML2 (#​3026), Algorithm and Signature - JWT, SAML and SAML2 (#​3034), Token Replay - JWT, SAML and SAML2 (#​3032), Issuer signing key - JWT, SAML and SAML2 (#​3029)
• Avoid code duplication in extensibility testing. See #​3041
• Extensibility Testing: Refactor. See https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3011
• Remove duplicate code in extensibility tests. See https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3044

Bug fixes

• Fix bug with AadIssuerValidator. See https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3042
• Fixed SignedHttpRequest flaky test. See #​3037

Fundamentals

• Install all .NET versions in pipeline to fix run tests task. See https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3018
• Changelog for 8.2.1. See https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3009
• Remove unnecessary AoT test project. See in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3045
• Fix powershell script for nuget update. See https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3046
• Update to next version. See https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3010
• Disable Coverage PR comments. See [https://github.com/Disable Coverage PR comments AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet#3048](https://redirect.github.com/AzureAD/azure-activedirectory-identitymodel-extensions-fo

---

Configuration

📅 Schedule: Branch creation - "every 3 months" in timezone Europe/London, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.