Update Major backend dependencies (major)

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
CsvHelper (source)	31.0.4 -> 33.0.1
Medo.Uuid7	1.9.1 -> 2.0.0
Microsoft.Identity.Web	2.21.1 -> 3.2.2
Microsoft.IdentityModel.Tokens	7.7.1 -> 8.1.2
Semver	2.3.0 -> 3.0.0
System.IdentityModel.Tokens.Jwt	7.7.1 -> 8.1.2

---

Release Notes

JoshClose/CsvHelper (CsvHelper)

v33.0.1

Compare Source

v33.0.0

Compare Source

v32.0.3

Compare Source

v32.0.2

Compare Source

v32.0.1

Compare Source

v32.0.0

Compare Source

AzureAD/microsoft-identity-web (Microsoft.Identity.Web)

v3.2.2

Compare Source

=========

• Updated to Microsoft.IdentityModel.* 8.1.2

v3.2.1

Compare Source

=========

• Updated to Microsoft.IdentityModel.* 8.1.1

v3.2.0

Compare Source

=========

• Updated to Microsoft.Identity.Abstractions 7.1.0
• Updated to Microsoft.IdentityModel.* 8.1.0
• Updated to Microsoft.Identity.Client 4.64.1
   

New features

• In .NET 8 and above, IDownstreamApi overloads take a JsonTypeInfo<T> parameter to enable source generated JSON deserialization. See issue #​2930 for details.

Bug fixes:

• Azure region is used while creating application keys when the TokenAcquisition service caches application objects, and the TokenAcquirerFactory caches TokenAcquirer. See #​3002 for details.
• Improved error messages for FIC. See issue #​3000 for details.

Fundamentals:

• Improved test coverage for GetCacheKey. See PR #​3020 for details.
• Update to .NET 9-RC1. See issue #​3025 for details.
• Fix static analysis warnings. See PR #​3024 for details.

v3.1.0

Compare Source

=========

• Updated to Microsoft.IdentityModel.* 8.0.2

Security improvement:

• Id Web now uses CaseSensitiveClaimsIdentity by default and provides AppContextSwitches to fallback to using ClaimsIdentity. This means that when you loopup claims with FindFirst(), FindAll() and HasClaim(), you need to provide the right casing for the claim. See PR #​2977 for details.

Bug fixes:

• For SN/I scenarios, Id Web's GetTokenAcquirer now sets SendX5C in particular protocols. See issue #​2887 for details.
• Fix for Instance/Tenant parsing for V2 authority (affected one Entra External IDs scenario). See PR #​2954 for details.
• Fix regex that threw a format exception: The input string " was not in a correct format when enabling same-site cookie compatibility with userAgent: "Dalvik/2.1.0 (Linux; U; Android 12; Chromecast Build/STTE.230319.008.H1). See issue #​2879 for details.
• Microsoft.Identity.Web 3.1.0 now has an upper bound set on its dependency on Microsoft.Identity.Abstractions to version 7x to avoid referencing Microsoft.Identity.Abstractions 8.0.0, which has an interface breaking change, not yet implemented in Microsoft.Identity.Web. See PR #​2962 for details.

Fundamentals:

• Fix flakey tests: #​2972, #​2984, #​2982,
• Update to AzureKeyVault@2 in AzureDevOps, #​2981.
• Update to .NET 9-preview7, #​2980 and #​2991.
• It's now possible to build a specific version of Microsoft.Identity.Web based on specific versions of Microsoft.IdentityModel and Microsoft.Identity.Abstractions by specifying build variables on the dotnet pack command (MicrosoftIdentityModelVersion, MicrosoftIdentityAbstractionsVersions, and MicrosoftIdentityWebVersion): #​2974, #​2990

========

See rel/v2 branch changelog for changes to all 2.x.x versions after 2.18.1.

The changes listed in the rel/v2 changelog are also in the 3.x.x versions of Id Web but are not listed here.

========

v3.0.1

Compare Source

=========

• Updated to Microsoft.IdentityModel.* 8.0.1

v3.0.0

=========

CVE package updates

CVE-2024-30105

• See PR #​2929 for details.

• Updated to Microsoft.IdentityModel.* 8.0.0, Microsoft.Identity.Lab API 1.0.2, Microsoft.Identity.Abstractions 6.0.0

• See rel/v2 changelog for full list of added features to 3.0.0.

Fundamentals:

• Update lab cert and lab version. See PR #​2923 for details.

AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet (Microsoft.IdentityModel.Tokens)

v8.1.2

Compare Source

=====

Bug fixes

• CaseSensitiveClaimsIdentity.Clone() now returns a CaseSensitiveClaimsIdentity as expected. See 2879
• Multiple unused and unusable (for the moment) public APIs were removed. These were introduced by mistake leaking from the work done on logging and exception handling. See 2888. No major version changed needed as these APIs were not usable per se.

Fundamentals

• Enabled PublicApiAnalyzers to better understand and trace changes to the public API. See2782

v8.1.1

Compare Source

=====

Bug fixes

• Fix bug where ConfigurationManager was updating keys too frequently. See 2866 for details.

v8.1.0

Compare Source

=====

Performance improvements

• Improves performance during issuer validation by replacing string comparison with span comparison. See PR #​2826.

New features

• Add optional check to prevent using keys that are shared across multiple clouds. See issue #​2832 for details.

Bug fixes

• JsonWebTokenHandler would only return unwrapped keys if there was no errors. This change is to align with the behavior in JwtSecurityTokenHandler, that is it returns the keys that were able to be unwrapped, and only throw if no keys were able to be unwrapped. See issue #​2695 for details.

Fundamentals

• Fix flaky tests. See #​2793 for details.
• Update XUnit versoin and fix test warnings due to new XUnit analyzers. See PR #​2796 for details.
• Onhboard to code coverage in ADO. See PR #​2798.
• Use IsTargetFrameworkCompatible(*) so AOT is forward-compatible with .NET 9 and beyond. See PR #​2790 for details.
• Fix a merge conflict impacting dev. See PR #​2819.
• Defining the following attribute in multiple assemblies (.Tokens, .Logging) causes an internal error.
  [DynamicallyAccessedMembers(DynamicallyAccessedMemberTypes.PublicConstructors)]. See PR #​2820.
• Remove perl dependency. See PR #​2830.

Work related to redesign of IdentityModel's token validation logic #​2711

• #​2794
• #​2800
• #​2810
• #​2811
• #​2816
• #​2822
• #​2815
• #​2818
• #​2813
• #​2827

v8.0.2

Compare Source

=====

Security fundamentals

• Add BannedApiAnalyzers to prevent use of ClaimsIdentity constructors. See PR #​2778 for details.

Bug fixes

• IdentityModel now allows the JWT payload to be an empty string. See issue #​2656 for details.
• Cache UseRfcDefinitionOfEpkAndKid switch. See PR #​2747 for details.
• Method was named DoNotFailOnMissingTid in 7x and DontFailOnMissingTid in 8x, adding the method for back compat. See issue #​2750 for details.
• Metadata is now updated on a background thread. See #​2780 for details.
• JsonWebKeySet stores the original string it was created with. See PR #​2755 for details.
• Restore AOT compatibility. See #​2711.
• Fix OpenIdConnect parsing bug. See #​2772 for details.
• Remove the lock on creating a SignatureProvider. See #​2788 for details.

Fundamentals

• Test clean up #​2742.
• Use only FxCop in .NET framework targets #​2693.
• Add rule to add file headers automatically #​2748.
• Code analysis updates #​2746.
• Include README packages in NuGet #​2752.
• Update projects inside WilsonUnix solution #​2768.
• Code style enforced in build #​2603.
• CodeQL update #​2767.
• Update build pipeline to new one release build format #​2777.
• Update GitHub actions to 9.0.100-preview.7.24407.12 and add <NoWarn>$(NoWarn);SYSLIB0057</NoWarn> due to breaking changes in preview7. #​2786.

Work relating to #​2711

• #​2725, #​2729, #​2753, #​2758, #​2759, #​2757, #​2759, #​2764, #​2759, #​2771, #​2759, and #​2779.

v8.0.1

Compare Source

=====

Bug fixes

• IdentityModel now resolves the public key to EPK. See issue #​1951 for details.
• Fix a race condition where SignatureProvider was disposed but still able to leverage the cache and SignatureProvider now disposes when compacting. See PR #​2682 for details.
• For JWE, JsonWebTokenHandler.ValidateJWEAsync now considers the decrypt keys in the configuration. See issue #​2737 for details.

Performance improvement

• AppContext.TryGetSwitch statically caches internally but takes out a lock.
  .NET almost always caches these values. They're not expected to change while the process is running unlike normal config. IdentityModel now caches the value. See issue #​2722 for details.

v8.0.0

Compare Source

=====

CVE package updates

CVE-2024-30105

• See PR #​2707 for details.

Breaking change:

Full list of breaking changes.

• A derived ClaimsIdentity where claim retrieval is case-sensitive. The current ClaimsIdentity, in .NET, retrieves claims in a case-insensitive manner which is different than querying the underlying SecurityToken. The new CaseSensitiveClaimsIdentity class provides consistent retrieval logic with SecurityToken. Fallback to previous behavior via an AppContext switch. See PR #​2700 for details.
• Make CollectionUtilities.IsNullOrEmpty internal. See issues**https://redirect.github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/2651dotnet/issues/2651) and #​1722 for details.

Overall improvements to the validation in IdentityModel:

• See design proposal #​2711 for details, all work internal for now. Please comment in the GitHub issue and provide feedback there.

New Features:

• Allow users to provide a Stream to Write in OIDCConfigurationSerializer. See PR #​2698 for details.

Bug fixes:

• Remove dependency on AadIssuerValidator.GetTenantIdFromToken in ValidateIssuerSigningKey, to only consider the tid. An AppContext switch enables fallbacking to the previous behavior, which should not be needed. See PR #​2680 for details.
• Continuation of #​2637 and #​2646. Add the metadata authorization_details_types_supported from RFC 9396 - OAuth 2.0 Rich Authorization Requests to OpenIdConnectConfiguration.
• The class OpenIdConnectPrompt now has the create prompt from Initiating User Registration via OpenID Connect 1.0
  
• The following grant types are now included in OpenIdConnectGrantTypes: urn:ietf:params:oauth:grant-type:saml2-bearer from RFC 7522 - Security Assertion Markup Language (SAML) 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants, urn:ietf:params:oauth:grant-type:jwt-bearer from RFC 7523 - JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants, urn:ietf:params:oauth:grant-type:device_code from RFC 8628 - OAuth 2.0 Device Authorization Grant, urn:ietf:params:oauth:grant-type:token-exchange from RFC 8693 - OAuth 2.0 Token Exchange, urn:openid:params:grant-type:ciba from OpenID Connect Client-Initiated Backchannel Authentication Flow - Core 1.0
• Serialize byte arrays as base64 strings in Json tokens. This was the behavior in 6.x releases. See issue #​2524 for details.
• When we added virtuals to abstract methods that threw in the base class, we then called those methods that were implemented in user derived classes. The user code would fault with a NotImplementedException. Now a message is returned that the user can act on to fix the issue. See issue #​1970.

Fundamentals

• Remove code that was used in target frameworks that got removed. See PR #​2673 for details.
• Rename local variables for better readability. See PR #​2674 for details.
• Refactor XML comments for improved clarity. See PR #​2676, #​2677, #​2678, #​2689 and #​2703 for details.
• Fix flaky test. See issue #​2683 for details.
• Made ConfigurationManager.GetConfigurationAsync a virtual method. See PR #​2661

WalkerCodeRanger/semver (Semver)

v3.0.0: semver v3.0.0

A major release to support arbitrary-sized version numbers, prevent invalid version numbers, remove obsolete functionality, and strong name the assembly.

Breaking Changes:

• SemVersion.Parse and SemVersion.TryParse now default to strict parsing. Use SemVersionStyles to control parsing
• SemVersion.Major, SemVersion.Minor, SemVersion.Patch, and PrereleaseIdentifier.NumericValue properties are now BigInteger (#​73)
• Removed obsolete methods (#​70, #​47), including:
  • Implicit conversion from string (#​47). Use SemVersion.Parse instead
  • SemVersion(int major, int minor = 0, int patch = 0, string prerelease = "", string build = "") constructor. Use another constructor or SemVersion.ParsedFrom instead
  • SemVersion.Parse and SemVersion.TryParse overloads with the strict parameter. They now default to strict. Use SemVersionStyles to control parsing
  • Comparison with SemVersion.CompareTo, SemVersion.Compare, SemVersion.CompareByPrecedence, <, <=, >, >=, or SemVersion.PrecedenceMatches. Use SemVersion.ComparePrecedenceTo, SemVersion.CompareSortOrderTo, SemVersion.ComparePrecedence, or SemVersion.CompareSortOrder instead.
  • SemVersion.Build. Use SemVersion.Metadata instead
  • SemVersion.Change. Use SemVersion.With or SemVersion.WithX methods instead
  • SemVersion(Version) constructor. Use SemVersion.FromVersion instead
• SemVersion no longer implements IComparable<SemVersion> or IComparable. Use SemVersion.PrecedenceComparer or SemVersion.SortOrderComparer instead
• Added strong name to assembly (#​23)
• Dropped support for frameworks older than .NET Standard 2.0 (i.e., .NET Framework < 4.6.2 & .NET Core < 2.0) (#​68)
• Construction of versions with negative major, minor, or patch is no longer allowed (#​40)
• Negative maxLength parameter values now throw ArgumentOutOfRangeException (#​72)

Other Changes:

• Arbitrary-sized version numbers are now supported, including in prerelease identifiers (#​73)

---

Configuration

📅 Schedule: Branch creation - "every 3 months" in timezone Europe/London, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.