Update dependencies to clear security alerts and fix CI #1759
Open
IEvangelist wants to merge 3 commits into
9a34d60 to f2ade2c
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
f2ade2c to b63a087
The Build & Test CI job fails because .NET 10 NuGet audit (NuGetAuditMode=all) promotes transitive vulnerability warnings to errors (samples TreatWarningsAsErrors). Resolve the audited vulnerabilities and refresh dependencies across the board.
.NET
- Bump all Aspire SDK/packages/config 13.4.0 -> 13.4.6 (aligns CLI/SDK; the 13.4.6 graph pulls a patched MessagePack >= 2.5.301, clearing the apphost audit errors).
- Pin Microsoft.OpenApi 2.9.0 in the four web projects that pulled the vulnerable transitive 2.0.0 via Microsoft.AspNetCore.OpenApi (GHSA-v5pm-xwqc-g5wc).
- Align lagging packages: EF Core 10.0.9, Microsoft.Extensions.* 10.7.0, Microsoft.AspNetCore.OpenApi 10.0.9, Npgsql.EntityFrameworkCore.PostgreSQL 10.0.2, Scalar.AspNetCore 2.16.7, OpenTelemetry 1.16.0, SkiaSharp 4.148.0.
npm
- Add esbuild 0.28.1 override to the Angular sample (nested vite esbuild was < 0.28.1).
- Refresh golang-api, python-script, vite-csharp-postgres and rag-document-qa-svelte lockfiles (brace-expansion DoS fix).
All sample npm audits now report 0 findings. All 23 open Dependabot alerts now resolve to patched versions; every .slnx and single-file apphost restores/builds clean with warnings-as-errors.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
The integration tests run `npm ci`, which fails when a lockfile and its package.json are not in sync. The regenerated React and Vite lockfiles on this branch had drifted:
- React: lock had webpack 5.108.2 but package.json requires ^5.108.3
- Vite: lock was missing enhanced-resolve required by the resolved tree
Rebuild both lockfiles from the in-sync base and pin the security fixes with explicit overrides (matching the Angular sample's convention):
- React: http-proxy-middleware 2.0.10 (GHSA-9gqv-wp59-fq42) and ws 8.21.0 (GHSA-96hv-2xvq-fx4p memory-exhaustion DoS)
- Vite: @babel/core 7.29.7 (GHSA-67hx-6x53-jw92)
All 25 sample lockfiles now pass `npm ci`; every sample reports 0 npm audit findings and all open Dependabot alerts resolve to patched versions.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Pull request overview
This PR refreshes dependencies across multiple Aspire samples to resolve security alerts and unblock CI failures caused by NuGet auditing and out-of-sync npm lockfiles.
Changes:
- Bumps Aspire SDK/packages from `13.4.0` to `13.4.6` across AppHost projects and `aspire.config.json` files.
- Updates .NET dependencies (notably OpenTelemetry, EF Core, ASP.NET OpenAPI/Scalar, SkiaSharp) to patched/aligned versions.
- Regenerates/updates multiple `package-lock.json` files (e.g., `esbuild 0.28.1`, `brace-expansion 5.0.6`) and updates JS overrides where needed; updates Python `uv.lock` for a patched Starlette version.
Reviewed changes
Copilot reviewed 47 out of 62 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| samples/volume-mount/VolumeMount.ServiceDefaults/VolumeMount.ServiceDefaults.csproj | Updates OpenTelemetry package references to newer versions. |
| samples/volume-mount/VolumeMount.AppHost/VolumeMount.AppHost.csproj | Bumps Aspire AppHost SDK version to 13.4.6. |
| samples/vite-yarp-static/package-lock.json | Updates npm lockfile packages (incl. esbuild and brace-expansion). |
| samples/vite-yarp-static/aspire.config.json | Bumps Aspire SDK/packages to 13.4.6 for the sample. |
| samples/vite-react-fastapi/package-lock.json | Updates npm lockfile packages (incl. esbuild and brace-expansion). |
| samples/vite-react-fastapi/aspire.config.json | Bumps Aspire SDK/packages to 13.4.6 for the sample. |
| samples/vite-csharp-postgres/package-lock.json | Updates npm lockfile packages (incl. brace-expansion). |
| samples/vite-csharp-postgres/aspire.config.json | Bumps Aspire SDK/packages to 13.4.6 for the sample. |
| samples/vite-csharp-postgres/api/Api.csproj | Updates .NET package versions (EF Core/Npgsql/Scalar/OpenTelemetry/etc.). |
| samples/rag-document-qa-svelte/package-lock.json | Updates npm lockfile packages (incl. brace-expansion). |
| samples/rag-document-qa-svelte/aspire.config.json | Bumps Aspire SDK/packages to 13.4.6 for the sample. |
| samples/rag-document-qa-svelte/api/uv.lock | Updates Python lockfile dependency versions (Starlette). |
| samples/python-script/package-lock.json | Updates npm lockfile packages (incl. brace-expansion). |
| samples/python-script/aspire.config.json | Bumps Aspire SDK/packages to 13.4.6 for the sample. |
| samples/python-openai-agent/package-lock.json | Updates npm lockfile packages (incl. esbuild and brace-expansion). |
| samples/python-openai-agent/aspire.config.json | Bumps Aspire SDK/packages to 13.4.6 for the sample. |
| samples/python-fastapi-postgres/package-lock.json | Updates npm lockfile packages (incl. esbuild and brace-expansion). |
| samples/python-fastapi-postgres/aspire.config.json | Bumps Aspire SDK/packages to 13.4.6 for the sample. |
| samples/polyglot-task-queue/worker-csharp/worker-csharp.csproj | Updates Aspire/Extensions/OpenTelemetry package references. |
| samples/polyglot-task-queue/package-lock.json | Updates npm lockfile packages (incl. esbuild and brace-expansion). |
| samples/polyglot-task-queue/aspire.config.json | Bumps Aspire SDK/packages to 13.4.6 for the sample. |
| samples/orleans-voting/OrleansVoting.ServiceDefaults/OrleansVoting.ServiceDefaults.csproj | Updates OpenTelemetry package references to newer versions. |
| samples/orleans-voting/OrleansVoting.AppHost/OrleansVoting.AppHost.csproj | Bumps Aspire AppHost SDK version to 13.4.6. |
| samples/node-express-redis/package-lock.json | Updates npm lockfile packages (incl. esbuild and brace-expansion). |
| samples/node-express-redis/aspire.config.json | Bumps Aspire SDK/packages to 13.4.6 for the sample. |
| samples/Metrics/ServiceDefaults/ServiceDefaults.csproj | Pins Microsoft.OpenApi and updates OpenTelemetry packages. |
| samples/Metrics/MetricsApp.AppHost/MetricsApp.AppHost.csproj | Bumps Aspire AppHost SDK version to 13.4.6. |
| samples/image-gallery/worker/worker.csproj | Updates EF Core/SkiaSharp/OpenTelemetry/Aspire package references. |
| samples/image-gallery/apphost.cs | Updates #:sdk/#:package directives to Aspire 13.4.6. |
| samples/image-gallery/api/api.csproj | Updates EF Core/SkiaSharp/OpenTelemetry/Aspire package references. |
| samples/health-checks-ui/HealthChecksUI.ServiceDefaults/HealthChecksUI.ServiceDefaults.csproj | Updates OpenTelemetry package references to newer versions. |
| samples/health-checks-ui/HealthChecksUI.AppHost/HealthChecksUI.AppHost.csproj | Bumps Aspire AppHost SDK version to 13.4.6. |
| samples/golang-api/package-lock.json | Updates npm lockfile packages (incl. brace-expansion). |
| samples/golang-api/aspire.config.json | Bumps Aspire SDK/packages to 13.4.6 for the sample. |
| samples/database-migrations/DatabaseMigrations.ServiceDefaults/DatabaseMigrations.ServiceDefaults.csproj | Updates OpenTelemetry package references to newer versions. |
| samples/database-migrations/DatabaseMigrations.AppHost/DatabaseMigrations.AppHost.csproj | Bumps Aspire AppHost SDK version to 13.4.6. |
| samples/database-containers/DatabaseContainers.ServiceDefaults/DatabaseContainers.ServiceDefaults.csproj | Updates OpenTelemetry package references to newer versions. |
| samples/database-containers/DatabaseContainers.AppHost/DatabaseContainers.AppHost.csproj | Bumps Aspire AppHost SDK version to 13.4.6. |
| samples/database-containers/DatabaseContainers.ApiService/DatabaseContainers.ApiService.csproj | Pins Microsoft.OpenApi and updates related packages. |
| samples/custom-resources/CustomResources.AppHost/CustomResources.AppHost.csproj | Bumps Aspire AppHost SDK version to 13.4.6. |
| samples/container-build/apphost.cs | Updates #:sdk directive to Aspire 13.4.6. |
| samples/client-apps-integration/ClientAppsIntegration.ServiceDefaults/ClientAppsIntegration.ServiceDefaults.csproj | Updates OpenTelemetry package references to newer versions. |
| samples/client-apps-integration/ClientAppsIntegration.AppHost/ClientAppsIntegration.AppHost.csproj | Bumps Aspire AppHost SDK version to 13.4.6. |
| samples/client-apps-integration/ClientAppsIntegration.AppDefaults/ClientAppsIntegration.AppDefaults.csproj | Updates OpenTelemetry package references to newer versions. |
| samples/aspire-with-python/apphost.cs | Updates #:sdk/#:package directives to Aspire 13.4.6. |
| samples/aspire-with-node/AspireWithNode.ServiceDefaults/AspireWithNode.ServiceDefaults.csproj | Updates OpenTelemetry package references to newer versions. |
| samples/aspire-with-node/AspireWithNode.AppHost/AspireWithNode.AppHost.csproj | Bumps Aspire AppHost SDK version to 13.4.6. |
| samples/aspire-with-javascript/AspireJavaScript.Vite/package.json | Adds npm overrides (pins @babel/core). |
| samples/aspire-with-javascript/AspireJavaScript.Vite/package-lock.json | Updates lockfile to reflect overrides and package updates. |
| samples/aspire-with-javascript/AspireJavaScript.ServiceDefaults/AspireJavaScript.ServiceDefaults.csproj | Updates OpenTelemetry package references to newer versions. |
| samples/aspire-with-javascript/AspireJavaScript.React/package.json | Adds npm overrides for patched transitive dependencies. |
| samples/aspire-with-javascript/AspireJavaScript.React/package-lock.json | Updates lockfile to reflect patched dependency versions. |
| samples/aspire-with-javascript/AspireJavaScript.MinimalApi/AspireJavaScript.MinimalApi.csproj | Pins Microsoft.OpenApi to a patched version. |
| samples/aspire-with-javascript/AspireJavaScript.AppHost/AspireJavaScript.AppHost.csproj | Bumps Aspire AppHost SDK version to 13.4.6. |
| samples/aspire-with-javascript/AspireJavaScript.Angular/package.json | Adds/updates overrides (esbuild, @babel/core, etc.) for patched transitive deps. |
| samples/aspire-with-azure-functions/ImageGallery.AppHost/ImageGallery.AppHost.csproj | Bumps Aspire AppHost SDK version to 13.4.6. |
| samples/aspire-with-azure-functions/Directory.Packages.props | Updates centralized package versions (OpenTelemetry, SkiaSharp, etc.). |
| samples/aspire-shop/AspireShop.ServiceDefaults/AspireShop.ServiceDefaults.csproj | Updates OpenTelemetry package references (incl. GrpcNetClient beta bump). |
| samples/aspire-shop/AspireShop.CatalogService/AspireShop.CatalogService.csproj | Pins Microsoft.OpenApi to a patched version. |
| samples/aspire-shop/AspireShop.AppHost/AspireShop.AppHost.csproj | Bumps Aspire AppHost SDK version to 13.4.6. |
Files not reviewed (13)
- samples/aspire-with-javascript/AspireJavaScript.React/package-lock.json: Generated file
- samples/aspire-with-javascript/AspireJavaScript.Vite/package-lock.json: Generated file
- samples/aspire-with-python/frontend/package-lock.json: Generated file
- samples/golang-api/package-lock.json: Generated file
- samples/node-express-redis/package-lock.json: Generated file
- samples/polyglot-task-queue/package-lock.json: Generated file
- samples/python-fastapi-postgres/package-lock.json: Generated file
- samples/python-openai-agent/package-lock.json: Generated file
- samples/python-script/package-lock.json: Generated file
- samples/rag-document-qa-svelte/package-lock.json: Generated file
- samples/vite-csharp-postgres/package-lock.json: Generated file
- samples/vite-react-fastapi/package-lock.json: Generated file
- samples/vite-yarp-static/package-lock.json: Generated file
Summary
Fix the failing CI on this branch and refresh dependencies across the sample set so all open Dependabot alerts resolve to patched versions.
The CI `Build & Test Samples` jobs were red because .NET 10's NuGet audit (`NuGetAuditMode=all`) promotes transitive vulnerability warnings to errors under the repo's `TreatWarningsAsErrors=true`. The lockfile-only changes originally on this branch never touched .NET, so CI stayed red. This revision addresses the .NET audit findings, aligns dependencies, and repairs two out-of-sync JS lockfiles that were breaking `npm ci` in the integration tests.
.NET
- Bump Aspire SDK/packages in every `aspire.config.json` and AppHost project `13.4.0` → `13.4.6` (the 13.4.6 graph pulls a patched `MessagePack`, clearing the apphost audit errors).
- Pin `Microsoft.OpenApi` `2.9.0` in the four web projects that pulled the vulnerable transitive `2.0.0` via `Microsoft.AspNetCore.OpenApi` (GHSA-v5pm-xwqc-g5wc).
- Align lagging packages: EF Core `10.0.9`, `Microsoft.Extensions.*` `10.7.0`, `Microsoft.AspNetCore.OpenApi` `10.0.9`, `Npgsql.EntityFrameworkCore.PostgreSQL` `10.0.2`, `Scalar.AspNetCore` `2.16.7`, OpenTelemetry `1.16.0`, SkiaSharp `4.148.0`.
npm
- Angular: add an `esbuild` `0.28.1` override (nested `vite` esbuild was `< 0.28.1`).
- React: rebuild the lockfile from `package.json` (it had drifted to `webpack 5.108.2` vs required `^5.108.3`, breaking `npm ci`); pin `http-proxy-middleware` `2.0.10` and `ws` `8.21.0` via overrides.
- Vite: rebuild the lockfile (it was missing `enhanced-resolve`, breaking `npm ci`); pin `@babel/core` `7.29.7` via override.
- Refresh the `golang-api`, `python-script`, `vite-csharp-postgres`, and `rag-document-qa-svelte` lockfiles (brace-expansion DoS fix).
Python
- Bump `starlette` to a patched `1.3.1` in `samples/rag-document-qa-svelte/api/uv.lock`.
Validation
- Every `.slnx` and single-file apphost restores and builds clean with warnings-as-errors on both Ubuntu and Windows.
- Every sample lockfile passes `npm ci`; `npm audit` reports 0 findings across every JS sample.
- `Build & Test Samples` is green on both `ubuntu-latest` and `windows-latest`.
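A small check for the two lockfile-drift failure modes that broke `npm ci` on this branch (a locked version behind the `package.json` range, and a transitive dependency absent from the resolved tree), written as an added example that is not part of this PR or the Aspire samples. It assumes the lockfileVersion 3 `packages` layout, implements only exact and caret range matching, and the `example-plugin` package and all version numbers in the Vite case are constructed.

```javascript
// Added example, not from the PR: flag the two kinds of lockfile drift that made
// `npm ci` fail on this branch. Assumes a lockfileVersion 3 "packages" map keyed by
// node_modules paths; semver support is limited to exact versions and caret ranges.
function parseVer(v) { return v.split('.').map(Number); }
// Simplified caret semantics: ^a.b.c allows >= a.b.c with the same major version.
function satisfies(version, range) {
  if (!range.startsWith('^')) return version === range;
  const want = parseVer(range.slice(1)), have = parseVer(version);
  if (have[0] !== want[0]) return false;
  for (let i = 1; i < 3; i++) if (have[i] !== want[i]) return have[i] > want[i];
  return true;
}
// Resolve a dependency the way Node does: nearest node_modules dir, walking upward.
function resolveDep(packages, fromPath, dep) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + '/' : '') + 'node_modules/' + dep;
    if (packages[candidate]) return packages[candidate];
    if (!base) return null;
    base = base.slice(0, Math.max(0, base.lastIndexOf('node_modules/') - 1));
  }
}
// Returns a list of human-readable drift findings (empty when the lock is in sync).
function findDrift(packageJson, { packages }) {
  const problems = [];
  // 1. Direct deps: the locked version must satisfy the package.json range.
  const direct = { ...packageJson.dependencies, ...packageJson.devDependencies };
  for (const [name, range] of Object.entries(direct)) {
    const entry = packages['node_modules/' + name];
    if (!entry) problems.push(`${name}: missing from lockfile`);
    else if (!satisfies(entry.version, range))
      problems.push(`${name}: lock has ${entry.version}, package.json requires ${range}`);
  }
  // 2. Transitive deps: everything a locked package declares must resolve in the lock.
  for (const [path, entry] of Object.entries(packages)) {
    if (path === '') continue;
    for (const [dep, range] of Object.entries(entry.dependencies || {}))
      if (!resolveDep(packages, path, dep)) problems.push(`${path} needs ${dep} ${range}: not in lockfile`);
  }
  return problems;
}
// Constructed inputs modelled on the React and Vite cases in this PR ("example-plugin" is hypothetical).
const reactPkg = { dependencies: { webpack: '^5.108.3' } };
const reactLock = { packages: { '': {}, 'node_modules/webpack': { version: '5.108.2' } } };
const vitePkg = { devDependencies: { 'example-plugin': '^1.2.0' } };
const viteLock = { packages: { '': {}, 'node_modules/example-plugin':
  { version: '1.2.0', dependencies: { 'enhanced-resolve': '^5.18.0' } } } };
console.log(findDrift(reactPkg, reactLock), findDrift(vitePkg, viteLock));
```

Running it against a real `package.json` and `package-lock.json` pair (parsed with `JSON.parse`) reports the same kind of mismatch before `npm ci` does, which is useful as a pre-commit check after regenerating a lockfile.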