
Update dependencies to clear security alerts and fix CI#1759

Open
IEvangelist wants to merge 3 commits into main from dapine/security/open-alerts-2026-06-27

Conversation


@IEvangelist IEvangelist commented Jun 27, 2026


Summary

Fix the failing CI on this branch and refresh dependencies across the sample set so all open Dependabot alerts resolve to patched versions.

The CI Build & Test Samples jobs were red because .NET 10's NuGet audit (NuGetAuditMode=all) promotes transitive vulnerability warnings to errors under the repo's TreatWarningsAsErrors=true. The lockfile-only changes originally on this branch never touched .NET, so CI stayed red. This revision addresses the .NET audit findings, aligns dependencies, and repairs two out-of-sync JS lockfiles that were breaking npm ci in the integration tests.

.NET

  • Bump all Aspire SDK / packages / aspire.config.json 13.4.0 -> 13.4.6 (the 13.4.6 graph pulls a patched MessagePack, clearing the apphost audit errors).
  • Pin Microsoft.OpenApi 2.9.0 in the four web projects that pulled the vulnerable transitive 2.0.0 via Microsoft.AspNetCore.OpenApi (GHSA-v5pm-xwqc-g5wc).
  • Align lagging packages: EF Core 10.0.9, Microsoft.Extensions.* 10.7.0, Microsoft.AspNetCore.OpenApi 10.0.9, Npgsql.EntityFrameworkCore.PostgreSQL 10.0.2, Scalar.AspNetCore 2.16.7, OpenTelemetry 1.16.0, SkiaSharp 4.148.0.

npm

  • Angular: add esbuild 0.28.1 override (nested vite esbuild was < 0.28.1).
  • React: rebuild the lockfile in sync with package.json (it had drifted to webpack 5.108.2 vs required ^5.108.3, breaking npm ci); pin http-proxy-middleware 2.0.10 and ws 8.21.0 via overrides.
  • Vite: rebuild the lockfile in sync (it was missing enhanced-resolve, breaking npm ci); pin @babel/core 7.29.7 via override.
  • Refresh golang-api, python-script, vite-csharp-postgres, and rag-document-qa-svelte lockfiles (brace-expansion DoS fix).

Python

  • Upgrade starlette to a patched 1.3.1 in samples/rag-document-qa-svelte/api/uv.lock.

Validation

  • Every .slnx and single-file apphost restores and builds clean with warnings-as-errors on both Ubuntu and Windows.
  • All 25 sample lockfiles pass npm ci; npm audit reports 0 findings across every JS sample.
  • All open Dependabot alerts resolve to patched versions in their lockfiles.
  • CI Build & Test Samples is green on both ubuntu-latest and windows-latest.
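The Angular fix above hinges on a detail that is easy to miss: the hoisted esbuild can already be patched while vite carries its own nested, older copy, so an override has only worked when every copy in the lockfile meets the floor. The following check is an added example, not code from this PR or the Aspire samples repo; it walks the `packages` map of an npm lockfileVersion 3 file and reports any copy, hoisted or nested, below a minimum version. The lockfile fragment is constructed to mirror that case.

```python
"""Flag every copy of a package in an npm v3 package-lock.json that is below
a minimum version. Added example, not from the PR or the Aspire samples repo;
the lockfile below is a constructed fragment, not a real sample's lockfile."""
import json
import re

# Constructed sample (lockfileVersion 3 layout): the hoisted esbuild is
# patched, but vite still pins an older nested copy under its own node_modules.
SAMPLE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "angular-sample", "version": "1.0.0"},
        "node_modules/esbuild": {"version": "0.28.1"},
        "node_modules/vite": {"version": "7.1.0"},
        "node_modules/vite/node_modules/esbuild": {"version": "0.25.9"},
        "node_modules/ws": {"version": "8.21.0"},
    },
})


def parse_version(v):
    """Turn '0.28.1' (or '0.28.1-beta.2') into a comparable numeric tuple.
    Prerelease/build tags are dropped, which is enough for a minimum-version gate."""
    core = re.split(r"[-+]", v, maxsplit=1)[0]
    return tuple(int(part) for part in core.split("."))


def find_copies(lock_text, package):
    """Return {install_path: version} for every copy of `package`, whether
    hoisted at the root or nested under another package's node_modules."""
    packages = json.loads(lock_text)["packages"]
    suffix = "node_modules/" + package
    return {path: meta["version"] for path, meta in packages.items()
            if path == suffix or path.endswith("/" + suffix)}


def unpatched_copies(lock_text, package, minimum):
    """Sorted (path, version) pairs for copies below `minimum`. An override
    (or a lockfile rebuild) has only taken effect when this list is empty."""
    floor = parse_version(minimum)
    return sorted((path, ver) for path, ver in find_copies(lock_text, package).items()
                  if parse_version(ver) < floor)


if __name__ == "__main__":
    # Point this at a real package-lock.json by reading the file instead.
    for path, ver in unpatched_copies(SAMPLE_LOCK, "esbuild", "0.28.1"):
        print(f"{path}: {ver} < 0.28.1")
```

Run against the sample, the check names only the nested `node_modules/vite/node_modules/esbuild` copy, which is exactly the one `npm audit` keeps flagging until an override (or a regenerated lockfile) replaces it.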

@IEvangelist IEvangelist force-pushed the dapine/security/open-alerts-2026-06-27 branch from 9a34d60 to f2ade2c Compare June 29, 2026 18:48
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@IEvangelist IEvangelist force-pushed the dapine/security/open-alerts-2026-06-27 branch from f2ade2c to b63a087 Compare July 1, 2026 11:08
IEvangelist and others added 2 commits July 1, 2026 09:04
The Build & Test CI job fails because .NET 10 NuGet audit (NuGetAuditMode=all)
promotes transitive vulnerability warnings to errors (samples TreatWarningsAsErrors).
Resolve the audited vulnerabilities and refresh dependencies across the board.

.NET
- Bump all Aspire SDK/packages/config 13.4.0 -> 13.4.6 (aligns CLI/SDK; the 13.4.6
  graph pulls a patched MessagePack >= 2.5.301, clearing the apphost audit errors).
- Pin Microsoft.OpenApi 2.9.0 in the four web projects that pulled the vulnerable
  transitive 2.0.0 via Microsoft.AspNetCore.OpenApi (GHSA-v5pm-xwqc-g5wc).
- Align lagging packages: EF Core 10.0.9, Microsoft.Extensions.* 10.7.0,
  Microsoft.AspNetCore.OpenApi 10.0.9, Npgsql.EntityFrameworkCore.PostgreSQL 10.0.2,
  Scalar.AspNetCore 2.16.7, OpenTelemetry 1.16.0, SkiaSharp 4.148.0.

npm
- Add esbuild 0.28.1 override to the Angular sample (nested vite esbuild was < 0.28.1).
- Refresh golang-api, python-script, vite-csharp-postgres and rag-document-qa-svelte
  lockfiles (brace-expansion DoS fix). All sample npm audits now report 0 findings.

All 23 open Dependabot alerts now resolve to patched versions; every .slnx and
single-file apphost restores/builds clean with warnings-as-errors.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
The integration tests run `npm ci`, which fails when a lockfile and its
package.json are not in sync. The regenerated React and Vite lockfiles on this
branch had drifted:
  - React:  lock had webpack 5.108.2 but package.json requires ^5.108.3
  - Vite:   lock was missing enhanced-resolve required by the resolved tree

Rebuild both lockfiles from the in-sync base and pin the security fixes with
explicit overrides (matching the Angular sample's convention):
  - React: http-proxy-middleware 2.0.10 (GHSA-9gqv-wp59-fq42) and ws 8.21.0
    (GHSA-96hv-2xvq-fx4p memory-exhaustion DoS)
  - Vite:  @babel/core 7.29.7 (GHSA-67hx-6x53-jw92)

All 25 sample lockfiles now pass `npm ci`; every sample reports 0 npm audit
findings and all open Dependabot alerts resolve to patched versions.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
@IEvangelist IEvangelist changed the title Address open security alerts across sample manifests Update dependencies to clear security alerts and fix CI Jul 1, 2026
@IEvangelist IEvangelist marked this pull request as ready for review July 1, 2026 15:45
Copilot AI review requested due to automatic review settings July 1, 2026 15:45

Copilot AI left a comment


Pull request overview

This PR refreshes dependencies across multiple Aspire samples to resolve security alerts and unblock CI failures caused by NuGet auditing and out-of-sync npm lockfiles.

Changes:

  • Bumps Aspire SDK/packages from 13.4.0 to 13.4.6 across AppHost projects and aspire.config.json files.
  • Updates .NET dependencies (notably OpenTelemetry, EF Core, ASP.NET OpenAPI/Scalar, SkiaSharp) to patched/aligned versions.
  • Regenerates/updates multiple package-lock.json files (e.g., esbuild 0.28.1, brace-expansion 5.0.6) and updates JS overrides where needed; updates Python uv.lock for a patched Starlette version.

Reviewed changes

Copilot reviewed 47 out of 62 changed files in this pull request and generated no comments.

File Description
samples/volume-mount/VolumeMount.ServiceDefaults/VolumeMount.ServiceDefaults.csproj Updates OpenTelemetry package references to newer versions.
samples/volume-mount/VolumeMount.AppHost/VolumeMount.AppHost.csproj Bumps Aspire AppHost SDK version to 13.4.6.
samples/vite-yarp-static/package-lock.json Updates npm lockfile packages (incl. esbuild and brace-expansion).
samples/vite-yarp-static/aspire.config.json Bumps Aspire SDK/packages to 13.4.6 for the sample.
samples/vite-react-fastapi/package-lock.json Updates npm lockfile packages (incl. esbuild and brace-expansion).
samples/vite-react-fastapi/aspire.config.json Bumps Aspire SDK/packages to 13.4.6 for the sample.
samples/vite-csharp-postgres/package-lock.json Updates npm lockfile packages (incl. brace-expansion).
samples/vite-csharp-postgres/aspire.config.json Bumps Aspire SDK/packages to 13.4.6 for the sample.
samples/vite-csharp-postgres/api/Api.csproj Updates .NET package versions (EF Core/Npgsql/Scalar/OpenTelemetry/etc.).
samples/rag-document-qa-svelte/package-lock.json Updates npm lockfile packages (incl. brace-expansion).
samples/rag-document-qa-svelte/aspire.config.json Bumps Aspire SDK/packages to 13.4.6 for the sample.
samples/rag-document-qa-svelte/api/uv.lock Updates Python lockfile dependency versions (Starlette).
samples/python-script/package-lock.json Updates npm lockfile packages (incl. brace-expansion).
samples/python-script/aspire.config.json Bumps Aspire SDK/packages to 13.4.6 for the sample.
samples/python-openai-agent/package-lock.json Updates npm lockfile packages (incl. esbuild and brace-expansion).
samples/python-openai-agent/aspire.config.json Bumps Aspire SDK/packages to 13.4.6 for the sample.
samples/python-fastapi-postgres/package-lock.json Updates npm lockfile packages (incl. esbuild and brace-expansion).
samples/python-fastapi-postgres/aspire.config.json Bumps Aspire SDK/packages to 13.4.6 for the sample.
samples/polyglot-task-queue/worker-csharp/worker-csharp.csproj Updates Aspire/Extensions/OpenTelemetry package references.
samples/polyglot-task-queue/package-lock.json Updates npm lockfile packages (incl. esbuild and brace-expansion).
samples/polyglot-task-queue/aspire.config.json Bumps Aspire SDK/packages to 13.4.6 for the sample.
samples/orleans-voting/OrleansVoting.ServiceDefaults/OrleansVoting.ServiceDefaults.csproj Updates OpenTelemetry package references to newer versions.
samples/orleans-voting/OrleansVoting.AppHost/OrleansVoting.AppHost.csproj Bumps Aspire AppHost SDK version to 13.4.6.
samples/node-express-redis/package-lock.json Updates npm lockfile packages (incl. esbuild and brace-expansion).
samples/node-express-redis/aspire.config.json Bumps Aspire SDK/packages to 13.4.6 for the sample.
samples/Metrics/ServiceDefaults/ServiceDefaults.csproj Pins Microsoft.OpenApi and updates OpenTelemetry packages.
samples/Metrics/MetricsApp.AppHost/MetricsApp.AppHost.csproj Bumps Aspire AppHost SDK version to 13.4.6.
samples/image-gallery/worker/worker.csproj Updates EF Core/SkiaSharp/OpenTelemetry/Aspire package references.
samples/image-gallery/apphost.cs Updates #:sdk/#:package directives to Aspire 13.4.6.
samples/image-gallery/api/api.csproj Updates EF Core/SkiaSharp/OpenTelemetry/Aspire package references.
samples/health-checks-ui/HealthChecksUI.ServiceDefaults/HealthChecksUI.ServiceDefaults.csproj Updates OpenTelemetry package references to newer versions.
samples/health-checks-ui/HealthChecksUI.AppHost/HealthChecksUI.AppHost.csproj Bumps Aspire AppHost SDK version to 13.4.6.
samples/golang-api/package-lock.json Updates npm lockfile packages (incl. brace-expansion).
samples/golang-api/aspire.config.json Bumps Aspire SDK/packages to 13.4.6 for the sample.
samples/database-migrations/DatabaseMigrations.ServiceDefaults/DatabaseMigrations.ServiceDefaults.csproj Updates OpenTelemetry package references to newer versions.
samples/database-migrations/DatabaseMigrations.AppHost/DatabaseMigrations.AppHost.csproj Bumps Aspire AppHost SDK version to 13.4.6.
samples/database-containers/DatabaseContainers.ServiceDefaults/DatabaseContainers.ServiceDefaults.csproj Updates OpenTelemetry package references to newer versions.
samples/database-containers/DatabaseContainers.AppHost/DatabaseContainers.AppHost.csproj Bumps Aspire AppHost SDK version to 13.4.6.
samples/database-containers/DatabaseContainers.ApiService/DatabaseContainers.ApiService.csproj Pins Microsoft.OpenApi and updates related packages.
samples/custom-resources/CustomResources.AppHost/CustomResources.AppHost.csproj Bumps Aspire AppHost SDK version to 13.4.6.
samples/container-build/apphost.cs Updates #:sdk directive to Aspire 13.4.6.
samples/client-apps-integration/ClientAppsIntegration.ServiceDefaults/ClientAppsIntegration.ServiceDefaults.csproj Updates OpenTelemetry package references to newer versions.
samples/client-apps-integration/ClientAppsIntegration.AppHost/ClientAppsIntegration.AppHost.csproj Bumps Aspire AppHost SDK version to 13.4.6.
samples/client-apps-integration/ClientAppsIntegration.AppDefaults/ClientAppsIntegration.AppDefaults.csproj Updates OpenTelemetry package references to newer versions.
samples/aspire-with-python/apphost.cs Updates #:sdk/#:package directives to Aspire 13.4.6.
samples/aspire-with-node/AspireWithNode.ServiceDefaults/AspireWithNode.ServiceDefaults.csproj Updates OpenTelemetry package references to newer versions.
samples/aspire-with-node/AspireWithNode.AppHost/AspireWithNode.AppHost.csproj Bumps Aspire AppHost SDK version to 13.4.6.
samples/aspire-with-javascript/AspireJavaScript.Vite/package.json Adds npm overrides (pins @babel/core).
samples/aspire-with-javascript/AspireJavaScript.Vite/package-lock.json Updates lockfile to reflect overrides and package updates.
samples/aspire-with-javascript/AspireJavaScript.ServiceDefaults/AspireJavaScript.ServiceDefaults.csproj Updates OpenTelemetry package references to newer versions.
samples/aspire-with-javascript/AspireJavaScript.React/package.json Adds npm overrides for patched transitive dependencies.
samples/aspire-with-javascript/AspireJavaScript.React/package-lock.json Updates lockfile to reflect patched dependency versions.
samples/aspire-with-javascript/AspireJavaScript.MinimalApi/AspireJavaScript.MinimalApi.csproj Pins Microsoft.OpenApi to a patched version.
samples/aspire-with-javascript/AspireJavaScript.AppHost/AspireJavaScript.AppHost.csproj Bumps Aspire AppHost SDK version to 13.4.6.
samples/aspire-with-javascript/AspireJavaScript.Angular/package.json Adds/updates overrides (esbuild, @babel/core, etc.) for patched transitive deps.
samples/aspire-with-azure-functions/ImageGallery.AppHost/ImageGallery.AppHost.csproj Bumps Aspire AppHost SDK version to 13.4.6.
samples/aspire-with-azure-functions/Directory.Packages.props Updates centralized package versions (OpenTelemetry, SkiaSharp, etc.).
samples/aspire-shop/AspireShop.ServiceDefaults/AspireShop.ServiceDefaults.csproj Updates OpenTelemetry package references (incl. GrpcNetClient beta bump).
samples/aspire-shop/AspireShop.CatalogService/AspireShop.CatalogService.csproj Pins Microsoft.OpenApi to a patched version.
samples/aspire-shop/AspireShop.AppHost/AspireShop.AppHost.csproj Bumps Aspire AppHost SDK version to 13.4.6.
Files not reviewed (13)
  • samples/aspire-with-javascript/AspireJavaScript.React/package-lock.json: Generated file
  • samples/aspire-with-javascript/AspireJavaScript.Vite/package-lock.json: Generated file
  • samples/aspire-with-python/frontend/package-lock.json: Generated file
  • samples/golang-api/package-lock.json: Generated file
  • samples/node-express-redis/package-lock.json: Generated file
  • samples/polyglot-task-queue/package-lock.json: Generated file
  • samples/python-fastapi-postgres/package-lock.json: Generated file
  • samples/python-openai-agent/package-lock.json: Generated file
  • samples/python-script/package-lock.json: Generated file
  • samples/rag-document-qa-svelte/package-lock.json: Generated file
  • samples/vite-csharp-postgres/package-lock.json: Generated file
  • samples/vite-react-fastapi/package-lock.json: Generated file
  • samples/vite-yarp-static/package-lock.json: Generated file

