chore(deps): Bump Aspire.Hosting.PostgreSQL and 6 others

[dependabot]

Updated Aspire.Hosting.PostgreSQL from 13.4.4 to 13.4.6.

Release notes

Sourced from Aspire.Hosting.PostgreSQL's releases.

13.4.6

What's New in Aspire 13.4.6

Patch release for Aspire 13.4 fixing polyglot AppHost code generation binding when CLI and SDK versions diverge, resource service port collision in --isolated mode, and a MongoDB.Driver dependency update.

🐛 Fixes

• 🔗 Polyglot AppHost code generation silently failed when CLI and SDK versions diverged — Aspire.TypeSystem used a floating strong-name AssemblyVersion that changed with every build. When the installed Aspire CLI was built at a different version than the AppHost's SDK, the CLR couldn't satisfy the strong-name bind and every code generator (TypeScript, Python, Java, Go, Rust) was silently dropped, surfacing as No code generator found for language: <lang>. The AssemblyVersion is now frozen at a stable constant so any compatible CLI/SDK pair on 13.4 binds successfully. Relates to #​18110 and #​17910. (#​18160, @​sebastienros)

• 🔌 Multiple AppHosts started with --isolated collided on the resource service port — Both instances tried to bind to the same fixed port from ASPIRE_RESOURCE_SERVICE_ENDPOINT_URL, causing an "address already in use" error on the second instance. DashboardServiceHost now binds to port 0 on loopback when RandomizePorts is true (set by --isolated), letting the OS assign a unique port per instance. (#​18341, @​JamesNK)

• 🍃 MongoDB.Driver updated to 3.9.0 — Removes a wrongly pinned SharpCompress transitive dependency and uses the corrected Snappier transitive. Fixes #​17981. (#​18279, @​Falco20019)

🏷️ Housekeeping

• 🚀 Bumped branding to 13.4.6 (#​18343)

---

Full Changelog: v13.4.5...v13.4.6

Full commit: 87fe259e4fc244c599019a7b1304c85a1488f248

Generated by Generate release notes for a new stable Aspire release · 131 AIC · ⌖ 13.5 AIC · ⊞ 37.4K

13.4.5

What's New in Aspire 13.4.5

Patch release for Aspire 13.4 clearing a transitive MessagePack security advisory, tightening CLI validation for Playwright configuration, and adding coding-agent detection to CLI telemetry.

🐛 Fixes

• 🛡️ Bumped StreamJsonRpc to 2.25.29 to clear the MessagePack GHSA-hv8m-jj95-wg3x (CVE-2026-48109) NU1903 advisory — The transitive MessagePack 2.5.192 dependency pulled in via StreamJsonRpc 2.22.23 fell within the advisory's vulnerable LZ4 decompression range. Aspire does not use MessagePackFormatter or LZ4 — all StreamJsonRpc calls use SystemTextJsonFormatter over local Unix sockets — so the vulnerability was not reachable in practice. The bump clears the NU1903 warning for consumers of the Aspire.Hosting package. (#​18204, @​mitchdenny)
• 🎭 playwrightCliVersion values that are not valid SemVer 2.0 now fail fast with a clear diagnostic — Previously an invalid override (range expression, dist-tag like latest, or a v-prefixed string) would surface as a generic npm resolution failure. The value is now validated with strict SemVer parsing at startup; an error naming the configuration key and the offending value is emitted immediately. (#​18205, @​mitchdenny)
• 🤖 CLI telemetry now detects and reports the calling coding agent — When the Aspire CLI is invoked from inside a known coding agent environment (GitHub Copilot CLI, VS Code Copilot agent, etc.) the agent name is included in the main CLI telemetry event. GitHub Copilot CLI is specifically identified as copilot-cli. (#​18240, @​damianedwards)

🏷️ Housekeeping

• 📄 Refreshed the @​microsoft/aspire-cli npm package README to be TypeScript-only — updated examples to the current ts-starter template (apphost.mts / aspire.mjs), added a backing-services snippet showing aspire add for PostgreSQL and Redis, and documented aspire dashboard run as a standalone dashboard option. (#​18221, @​adamint)

---

Full Changelog: v13.4.4...v13.4.5

Full commit: 73114e86c64aeb9f3f3c7da8e37df1ae4281b27e

Generated by Generate release notes for a new stable Aspire release · ● 4.4M

Commits viewable in compare view.

Updated Aspire.Hosting.RabbitMQ from 13.4.4 to 13.4.6.

Release notes

Sourced from Aspire.Hosting.RabbitMQ's releases.

13.4.6

What's New in Aspire 13.4.6

Patch release for Aspire 13.4 fixing polyglot AppHost code generation binding when CLI and SDK versions diverge, resource service port collision in --isolated mode, and a MongoDB.Driver dependency update.

🐛 Fixes

• 🔗 Polyglot AppHost code generation silently failed when CLI and SDK versions diverged — Aspire.TypeSystem used a floating strong-name AssemblyVersion that changed with every build. When the installed Aspire CLI was built at a different version than the AppHost's SDK, the CLR couldn't satisfy the strong-name bind and every code generator (TypeScript, Python, Java, Go, Rust) was silently dropped, surfacing as No code generator found for language: <lang>. The AssemblyVersion is now frozen at a stable constant so any compatible CLI/SDK pair on 13.4 binds successfully. Relates to #​18110 and #​17910. (#​18160, @​sebastienros)

• 🔌 Multiple AppHosts started with --isolated collided on the resource service port — Both instances tried to bind to the same fixed port from ASPIRE_RESOURCE_SERVICE_ENDPOINT_URL, causing an "address already in use" error on the second instance. DashboardServiceHost now binds to port 0 on loopback when RandomizePorts is true (set by --isolated), letting the OS assign a unique port per instance. (#​18341, @​JamesNK)

• 🍃 MongoDB.Driver updated to 3.9.0 — Removes a wrongly pinned SharpCompress transitive dependency and uses the corrected Snappier transitive. Fixes #​17981. (#​18279, @​Falco20019)

🏷️ Housekeeping

• 🚀 Bumped branding to 13.4.6 (#​18343)

---

Full Changelog: v13.4.5...v13.4.6

Full commit: 87fe259e4fc244c599019a7b1304c85a1488f248

Generated by Generate release notes for a new stable Aspire release · 131 AIC · ⌖ 13.5 AIC · ⊞ 37.4K

13.4.5

What's New in Aspire 13.4.5

Patch release for Aspire 13.4 clearing a transitive MessagePack security advisory, tightening CLI validation for Playwright configuration, and adding coding-agent detection to CLI telemetry.

🐛 Fixes

• 🛡️ Bumped StreamJsonRpc to 2.25.29 to clear the MessagePack GHSA-hv8m-jj95-wg3x (CVE-2026-48109) NU1903 advisory — The transitive MessagePack 2.5.192 dependency pulled in via StreamJsonRpc 2.22.23 fell within the advisory's vulnerable LZ4 decompression range. Aspire does not use MessagePackFormatter or LZ4 — all StreamJsonRpc calls use SystemTextJsonFormatter over local Unix sockets — so the vulnerability was not reachable in practice. The bump clears the NU1903 warning for consumers of the Aspire.Hosting package. (#​18204, @​mitchdenny)
• 🎭 playwrightCliVersion values that are not valid SemVer 2.0 now fail fast with a clear diagnostic — Previously an invalid override (range expression, dist-tag like latest, or a v-prefixed string) would surface as a generic npm resolution failure. The value is now validated with strict SemVer parsing at startup; an error naming the configuration key and the offending value is emitted immediately. (#​18205, @​mitchdenny)
• 🤖 CLI telemetry now detects and reports the calling coding agent — When the Aspire CLI is invoked from inside a known coding agent environment (GitHub Copilot CLI, VS Code Copilot agent, etc.) the agent name is included in the main CLI telemetry event. GitHub Copilot CLI is specifically identified as copilot-cli. (#​18240, @​damianedwards)

🏷️ Housekeeping

• 📄 Refreshed the @​microsoft/aspire-cli npm package README to be TypeScript-only — updated examples to the current ts-starter template (apphost.mts / aspire.mjs), added a backing-services snippet showing aspire add for PostgreSQL and Redis, and documented aspire dashboard run as a standalone dashboard option. (#​18221, @​adamint)

---

Full Changelog: v13.4.4...v13.4.5

Full commit: 73114e86c64aeb9f3f3c7da8e37df1ae4281b27e

Generated by Generate release notes for a new stable Aspire release · ● 4.4M

Commits viewable in compare view.

Updated Aspire.Hosting.Redis from 13.4.4 to 13.4.6.

Release notes

Sourced from Aspire.Hosting.Redis's releases.

13.4.6

What's New in Aspire 13.4.6

Patch release for Aspire 13.4 fixing polyglot AppHost code generation binding when CLI and SDK versions diverge, resource service port collision in --isolated mode, and a MongoDB.Driver dependency update.

🐛 Fixes

• 🔗 Polyglot AppHost code generation silently failed when CLI and SDK versions diverged — Aspire.TypeSystem used a floating strong-name AssemblyVersion that changed with every build. When the installed Aspire CLI was built at a different version than the AppHost's SDK, the CLR couldn't satisfy the strong-name bind and every code generator (TypeScript, Python, Java, Go, Rust) was silently dropped, surfacing as No code generator found for language: <lang>. The AssemblyVersion is now frozen at a stable constant so any compatible CLI/SDK pair on 13.4 binds successfully. Relates to #​18110 and #​17910. (#​18160, @​sebastienros)

• 🔌 Multiple AppHosts started with --isolated collided on the resource service port — Both instances tried to bind to the same fixed port from ASPIRE_RESOURCE_SERVICE_ENDPOINT_URL, causing an "address already in use" error on the second instance. DashboardServiceHost now binds to port 0 on loopback when RandomizePorts is true (set by --isolated), letting the OS assign a unique port per instance. (#​18341, @​JamesNK)

• 🍃 MongoDB.Driver updated to 3.9.0 — Removes a wrongly pinned SharpCompress transitive dependency and uses the corrected Snappier transitive. Fixes #​17981. (#​18279, @​Falco20019)

🏷️ Housekeeping

• 🚀 Bumped branding to 13.4.6 (#​18343)

---

Full Changelog: v13.4.5...v13.4.6

Full commit: 87fe259e4fc244c599019a7b1304c85a1488f248

Generated by Generate release notes for a new stable Aspire release · 131 AIC · ⌖ 13.5 AIC · ⊞ 37.4K

13.4.5

What's New in Aspire 13.4.5

Patch release for Aspire 13.4 clearing a transitive MessagePack security advisory, tightening CLI validation for Playwright configuration, and adding coding-agent detection to CLI telemetry.

🐛 Fixes

• 🛡️ Bumped StreamJsonRpc to 2.25.29 to clear the MessagePack GHSA-hv8m-jj95-wg3x (CVE-2026-48109) NU1903 advisory — The transitive MessagePack 2.5.192 dependency pulled in via StreamJsonRpc 2.22.23 fell within the advisory's vulnerable LZ4 decompression range. Aspire does not use MessagePackFormatter or LZ4 — all StreamJsonRpc calls use SystemTextJsonFormatter over local Unix sockets — so the vulnerability was not reachable in practice. The bump clears the NU1903 warning for consumers of the Aspire.Hosting package. (#​18204, @​mitchdenny)
• 🎭 playwrightCliVersion values that are not valid SemVer 2.0 now fail fast with a clear diagnostic — Previously an invalid override (range expression, dist-tag like latest, or a v-prefixed string) would surface as a generic npm resolution failure. The value is now validated with strict SemVer parsing at startup; an error naming the configuration key and the offending value is emitted immediately. (#​18205, @​mitchdenny)
• 🤖 CLI telemetry now detects and reports the calling coding agent — When the Aspire CLI is invoked from inside a known coding agent environment (GitHub Copilot CLI, VS Code Copilot agent, etc.) the agent name is included in the main CLI telemetry event. GitHub Copilot CLI is specifically identified as copilot-cli. (#​18240, @​damianedwards)

🏷️ Housekeeping

• 📄 Refreshed the @​microsoft/aspire-cli npm package README to be TypeScript-only — updated examples to the current ts-starter template (apphost.mts / aspire.mjs), added a backing-services snippet showing aspire add for PostgreSQL and Redis, and documented aspire dashboard run as a standalone dashboard option. (#​18221, @​adamint)

---

Full Changelog: v13.4.4...v13.4.5

Full commit: 73114e86c64aeb9f3f3c7da8e37df1ae4281b27e

Generated by Generate release notes for a new stable Aspire release · ● 4.4M

Commits viewable in compare view.

Pinned JetBrains.Annotations at 2026.2.0.

Release notes

Sourced from JetBrains.Annotations's releases.

No release notes found for this version range.

Commits viewable in compare view.

Updated Nerdbank.GitVersioning from 3.9.50 to 3.10.85.

Release notes

Sourced from Nerdbank.GitVersioning's releases.

3.10.85

What's Changed

• Avoid writing server.json multiple times in a single pack by @​AArnott in Avoid writing server.json multiple times in a single pack dotnet/Nerdbank.GitVersioning#1391

Full Changelog: dotnet/Nerdbank.GitVersioning@v3.10.70...v3.10.85

3.10.70

What's Changed

Fixes

• Fix case insensitivity for the managed engine on git worktrees, and implement for libgit2 by @​AArnott in Fix case insensitivity for the managed engine on git worktrees, and implement for libgit2 dotnet/Nerdbank.GitVersioning#1334
• Fix native heap corruption in GitPackIndexMappedReaderTests by @​AArnott in Fix native heap corruption in GitPackIndexMappedReaderTests dotnet/Nerdbank.GitVersioning#1360

Enhancements

• Add prerelease property to inheriting version.json files by @​Copilot in Add prerelease property to inheriting version.json files dotnet/Nerdbank.GitVersioning#1317
• Add NBGV_SetCloudBuildVersionVars property to disable cloud build variable output by @​Copilot in Add NBGV_SetCloudBuildVersionVars property to disable cloud build variable output dotnet/Nerdbank.GitVersioning#1324
• Add --what-if option to prepare-release command for simulating version changes by @​Copilot in Add --what-if option to prepare-release command for simulating version changes dotnet/Nerdbank.GitVersioning#1242
• Build nbgv CLI tool for .NET 9 and 10 by @​AArnott in Build nbgv CLI tool for .NET 9 and 10 dotnet/Nerdbank.GitVersioning#1369

Full Changelog: dotnet/Nerdbank.GitVersioning@v3.9.50...v3.10.70

3.10.44-alpha

What's Changed

Fixes

• Fix case insensitivity for the managed engine on git worktrees, and implement for libgit2 by @​AArnott in Fix case insensitivity for the managed engine on git worktrees, and implement for libgit2 dotnet/Nerdbank.GitVersioning#1334

Enhancements

• Add --what-if option to prepare-release command for simulating version changes by @​Copilot in Add --what-if option to prepare-release command for simulating version changes dotnet/Nerdbank.GitVersioning#1242
• Add NBGV_SetCloudBuildVersionVars property to disable cloud build variable output by @​Copilot in Add NBGV_SetCloudBuildVersionVars property to disable cloud build variable output dotnet/Nerdbank.GitVersioning#1324

Dependency updates

• chore(deps): update dependency microsoft.build.locator to 1.11.2 by @​renovate[bot] in chore(deps): update dependency microsoft.build.locator to 1.11.2 dotnet/Nerdbank.GitVersioning#1304
• chore(deps): update dotnet monorepo by @​renovate[bot] in chore(deps): update dotnet monorepo dotnet/Nerdbank.GitVersioning#1309
• Update dotnet monorepo by @​renovate[bot] in Update dotnet monorepo dotnet/Nerdbank.GitVersioning#1338

Full Changelog: dotnet/Nerdbank.GitVersioning@v3.10.8-alpha...v3.10.44-alpha

3.10.8-alpha

What's Changed

• Add prerelease property to inheriting version.json files by @​Copilot in Add prerelease property to inheriting version.json files dotnet/Nerdbank.GitVersioning#1317

Full Changelog: dotnet/Nerdbank.GitVersioning@v3.9.50...v3.10.8-alpha

Commits viewable in compare view.

Updated PatternKit.Core from 0.147.3 to 0.147.5.

Release notes

Sourced from PatternKit.Core's releases.

0.147.5

What's Changed

• chore(deps): Bump EnricoMi/publish-unit-test-result-action from 2 to 2.23.0 in the github-actions-dependencies group by @​dependabot[bot] in chore(deps): Bump EnricoMi/publish-unit-test-result-action from 2 to 2.23.0 in the github-actions-dependencies group PatternKit#506

Full Changelog: JerrettDavis/PatternKit@v0.147.4...v0.147.5

0.147.4

What's Changed

• chore: harden grouped dependency updates by @​JerrettDavis in chore: harden grouped dependency updates PatternKit#505

Full Changelog: JerrettDavis/PatternKit@v0.147.3...v0.147.4

Commits viewable in compare view.

Updated Scalar.AspNetCore from 2.16.3 to 2.16.4.

Release notes

Sourced from Scalar.AspNetCore's releases.

No release notes found for this version range.

Commits viewable in compare view.

[github-actions]

Test Results

118 tests  ±0   118 ✅ ±0   6s ⏱️ ±0s
  2 suites ±0     0 💤 ±0 
  2 files   ±0     0 ❌ ±0 

Results for commit 3b3d194. ± Comparison against base commit 14982d4.

♻️ This comment has been updated with latest results.

[github-actions]

🔍 PR Validation Results

Version: 0.0.0-ga8c23f5c2e

📦 Detected NuGet Packages (17)

• Demo.JsonApi
• Demo.SoapApi
• QuickApiMapper.Application
• QuickApiMapper.Behaviors
• QuickApiMapper.Contracts
• QuickApiMapper.CustomTransformers
• QuickApiMapper.Extensions.RabbitMQ
• QuickApiMapper.Extensions.ServiceBus
• QuickApiMapper.Extensions.gRPC
• QuickApiMapper.Management.Contracts
• QuickApiMapper.MessageCapture.Abstractions
• QuickApiMapper.MessageCapture.InMemory
• QuickApiMapper.Persistence.Abstractions
• QuickApiMapper.Persistence.PostgreSQL
• QuickApiMapper.Persistence.SQLite
• QuickApiMapper.StandardTransformers
• QuickApiMapper.Tools.Migrator

🚀 Detected Executables (2)

• QuickApiMapper.Host.AppHost
• QuickApiMapper.Tools.Migrator

✅ Validation Steps

• Build solution
• Run unit tests
• Run integration tests
• Dry-run NuGet packaging
• Dry-run executable publishing

📊 Artifacts

Dry-run artifacts have been uploaded and will be available for 7 days.

---

This comment was automatically generated by the PR validation workflow.

[github-actions]

⚠️ Deprecation Warning: The deny-licenses option is deprecated for possible removal in the next major release. For more information, see issue 997.

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

[JerrettDavis]

@dependabot rebase

[JerrettDavis]

@dependabot rebase