Bump the all-dependencies group with 7 updates #16549

Merged
merged 1 commit into from
Aug 12, 2024

Conversation

dependabot[bot]
Contributor

@dependabot dependabot bot commented on behalf of github Aug 12, 2024

Bumps the all-dependencies group with 7 updates:

| Package | From | To |
| --- | --- | --- |
| Jint | 4.0.0 | 4.0.1 |
| Azure.Storage.Blobs | 12.21.1 | 12.21.2 |
| AWSSDK.S3 | 3.7.400.2 | 3.7.400.4 |
| Microsoft.IdentityModel.Protocols.OpenIdConnect | 7.6.2 | 8.0.1 |
| JsonPath.Net | 1.1.3 | 1.1.4 |
| libphonenumber-csharp | 8.13.42 | 8.13.43 |
| BenchmarkDotNet | 0.13.12 | 0.14.0 |

Updates Jint from 4.0.0 to 4.0.1

Release notes

Sourced from Jint's releases.

v4.0.1

What's Changed

Full Changelog: sebastienros/jint@v4.0.0...v4.0.1

Commits
  • a37f39c Fix custom reference resolver argument (#1938)
  • 0ffda10 Fix dynamic object member access logic (#1937)
  • e2b5c3b Update test262 test suite and fix TypedArray.set issues (#1934)
  • 38ee8d0 Bump Meziantou.Analyzer in the all-dependencies group (#1933)
  • a08f452 Add .git-blame-ignore-revs (#1932)
  • 9079aef Convert to using file-scoped namespaces (#1931)
  • 2f49299 Bump Meziantou.Analyzer from 2.0.161 to 2.0.162 in the all-dependencies group...
  • 39f7c6f Implement Atomics.pause (#1929)
  • 81babf2 Upgrade NUnit3TestAdapter to version 4.6.0 (#1920)
  • 87ee86b Update benchmarks results and README.md against v4 (#1928)
  • See full diff in compare view

Updates Azure.Storage.Blobs from 12.21.1 to 12.21.2

Release notes

Sourced from Azure.Storage.Blobs's releases.

Azure.Storage.Blobs_12.21.2

12.21.2 (2024-08-08)

Bugs Fixed

  • Fixed [BUG] WrapKeyInternal to correctly call WrapKey in sync flow #42160

Commits

Updates AWSSDK.S3 from 3.7.400.2 to 3.7.400.4

Commits

Updates Microsoft.IdentityModel.Protocols.OpenIdConnect from 7.6.2 to 8.0.1

Release notes

Sourced from Microsoft.IdentityModel.Protocols.OpenIdConnect's releases.

8.0.1

Bug fixes

  • IdentityModel now resolves the public key to EPK. See issue #1951 for details.
  • Fix a race condition where SignatureProvider was disposed but still able to leverage the cache and SignatureProvider now disposes when compacting. See PR #2682 for details.
  • For JWE, JsonWebTokenHandler.ValidateJWEAsync now considers the decrypt keys in the configuration. See issue #2737 for details.

Performance improvement

  • AppContext.TryGetSwitch statically caches internally but takes out a lock. .NET almost always caches these values. They're not expected to change while the process is running unlike normal config. IdentityModel now caches the value. See issue #2722 for details.

8.0.0

CVE package updates

CVE-2024-30105

  • See PR #2707 for details.

Breaking change:

Full list of breaking changes.

  • A derived ClaimsIdentity where claim retrieval is case-sensitive. The current ClaimsIdentity, in .NET, retrieves claims in a case-insensitive manner which is different than querying the underlying SecurityToken. The new CaseSensitiveClaimsIdentity class provides consistent retrieval logic with SecurityToken. Fallback to previous behavior via an AppContext switch. See PR #2700 for details.
  • Make CollectionUtilities.IsNullOrEmpty internal. See issues #2651 and #1722 for details.

Overall improvements to the validation in IdentityModel:

  • See design proposal #2711 for details, all work internal for now. Please comment in the GitHub issue and provide feedback there.

New Features:

  • Allow users to provide a Stream to Write in OIDCConfigurationSerializer. See PR #2698 for details.

Bug fixes:

Fundamentals

  • Remove code that was used in target frameworks that got removed. See PR #2673 for details.
  • Rename local variables for better readability. See PR #2674 for details.
  • Refactor XML comments for improved clarity. See PR #2676, #2677, #2678, #2689 and #2703 for details.
  • Fix flaky test. See issue #2683 for details.
  • Made ConfigurationManager.GetConfigurationAsync a virtual method. See PR #2661

8.0.0-preview1

Breaking changes:

  • IdentityModel 8x no longer supports .net461, which has reached end of life and is no longer supported. See issue #2544 for details.
  • Two IdentityModel extension dlls Microsoft.IdentityModel.KeyVaultExtensions and Microsoft.IdentityModel.ManagedKeyVaultSecurityKey were using ADAL, which is no longer supported. The affected packages have been removed, as the replacement is to use Microsoft.Identity.Web. See issue #2454 for details.
  • AppContext.SetSwitch which were included in IdentityModel 7x, have been removed and are the default in IdentityModel 8x. The result is a more performant IdentityModel by default. See issue #2629 and https://aka.ms/IdentityModel8x for details.

... (truncated)

Commits

Updates JsonPath.Net from 1.1.3 to 1.1.4

Commits

Updates libphonenumber-csharp from 8.13.42 to 8.13.43

Commits
  • 9ca9181 feat: automatic upgrade to v8.13.43
  • 794224b Merge pull request #262 from twcclegg/dependabot/nuget/csharp/PhoneNumbers.Ex...
  • c98a579 Merge pull request #263 from twcclegg/dependabot/nuget/csharp/PhoneNumbers.Te...
  • fbeee11 build(deps): bump the phonenumbers_test_minor_patch_updates group
  • 074df4b build(deps): bump the phonenumbers_extensions_test_minor_patch_updates group
  • See full diff in compare view

Updates BenchmarkDotNet from 0.13.12 to 0.14.0

Release notes

Sourced from BenchmarkDotNet's releases.

0.14.0

Full changelog: https://benchmarkdotnet.org/changelog/v0.14.0.html

Highlights

  • Introduce BenchmarkDotNet.Diagnostics.dotMemory #2549: memory allocation profile of your benchmarks using dotMemory, see @​BenchmarkDotNet.Samples.IntroDotMemoryDiagnoser
  • Introduce BenchmarkDotNet.Exporters.Plotting #2560: plotting via ScottPlot (initial version)
  • Multiple bugfixes
  • The default build toolchains have been updated to pass IntermediateOutputPath, OutputPath, and OutDir properties to the dotnet build command. This change forces all build outputs to be placed in a new directory generated by BenchmarkDotNet, and fixes many issues that have been reported with builds. You can also access these paths in your own .csproj and .props from those properties if you need to copy custom files to the output.

Bug fixes

  • Fixed multiple build-related bugs including passing MsBuildArguments and .Net 8's UseArtifactsOutput.

Breaking Changes

  • DotNetCliBuilder removed retryFailedBuildWithNoDeps constructor option.
  • DotNetCliCommand removed RetryFailedBuildWithNoDeps property and BuildNoRestoreNoDependencies() and PublishNoBuildAndNoRestore() methods (replaced with PublishNoRestore()).

Commits
  • cf882d3 Add macOS Sequoia in OsBrandStringHelper
  • 17cf3b0 [docs] Prepare v0.14.0 changelog
  • b3fbe7c Set next BenchmarkDotNet version: 0.14.0
  • 23e6c52 Fix InvalidOperationException in DotMemoryDiagnoser
  • 3d34edb Bump JetBrains.Profiler.SelfApi: 2.5.2->2.5.9
  • bf0a49d fix(CI): Deprecation issues (#2605)
  • 0275649 Fixed crash from TaskbarProgress when BuiltInComInteropSupport is disabled. ...
  • 15200d4 [build] Add BenchmarkDotNet.Exporters.Plotting.Tests to unit-tests
  • 834417a Improve logging in ScottPlotExporterTests
  • f8082a2 Fix IntroSummaryStyle compilation
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Bumps the all-dependencies group with 7 updates:

| Package | From | To |
| --- | --- | --- |
| [Jint](https://github.com/sebastienros/jint) | `4.0.0` | `4.0.1` |
| [Azure.Storage.Blobs](https://github.com/Azure/azure-sdk-for-net) | `12.21.1` | `12.21.2` |
| [AWSSDK.S3](https://github.com/aws/aws-sdk-net) | `3.7.400.2` | `3.7.400.4` |
| [Microsoft.IdentityModel.Protocols.OpenIdConnect](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet) | `7.6.2` | `8.0.1` |
| [JsonPath.Net](https://github.com/json-everything/json-everything) | `1.1.3` | `1.1.4` |
| [libphonenumber-csharp](https://github.com/twcclegg/libphonenumber-csharp) | `8.13.42` | `8.13.43` |
| [BenchmarkDotNet](https://github.com/dotnet/BenchmarkDotNet) | `0.13.12` | `0.14.0` |


Updates `Jint` from 4.0.0 to 4.0.1
- [Release notes](https://github.com/sebastienros/jint/releases)
- [Commits](sebastienros/jint@v4.0.0...v4.0.1)

Updates `Azure.Storage.Blobs` from 12.21.1 to 12.21.2
- [Release notes](https://github.com/Azure/azure-sdk-for-net/releases)
- [Commits](Azure/azure-sdk-for-net@Azure.Storage.Blobs_12.21.1...Azure.Storage.Blobs_12.21.2)

Updates `AWSSDK.S3` from 3.7.400.2 to 3.7.400.4
- [Changelog](https://github.com/aws/aws-sdk-net/blob/main/SDK.CHANGELOG.MD)
- [Commits](https://github.com/aws/aws-sdk-net/commits)

Updates `Microsoft.IdentityModel.Protocols.OpenIdConnect` from 7.6.2 to 8.0.1
- [Release notes](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/releases)
- [Changelog](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/blob/dev/CHANGELOG.md)
- [Commits](AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet@7.6.2...8.0.1)

Updates `JsonPath.Net` from 1.1.3 to 1.1.4
- [Commits](https://github.com/json-everything/json-everything/commits)

Updates `libphonenumber-csharp` from 8.13.42 to 8.13.43
- [Release notes](https://github.com/twcclegg/libphonenumber-csharp/releases)
- [Commits](twcclegg/libphonenumber-csharp@v8.13.42...v8.13.43)

Updates `BenchmarkDotNet` from 0.13.12 to 0.14.0
- [Release notes](https://github.com/dotnet/BenchmarkDotNet/releases)
- [Commits](dotnet/BenchmarkDotNet@v0.13.12...v0.14.0)

---
updated-dependencies:
- dependency-name: Jint
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-dependencies
- dependency-name: Azure.Storage.Blobs
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-dependencies
- dependency-name: AWSSDK.S3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-dependencies
- dependency-name: Microsoft.IdentityModel.Protocols.OpenIdConnect
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-dependencies
- dependency-name: JsonPath.Net
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-dependencies
- dependency-name: libphonenumber-csharp
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-dependencies
- dependency-name: BenchmarkDotNet
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added .NET Pull requests that update .net code dependencies Pull requests that update a dependency file labels Aug 12, 2024
@Piedone
Member

Piedone commented Aug 12, 2024

This all looks good except for Microsoft.IdentityModel.Protocols.OpenIdConnect. I think the breaking changes there don't affect us, and I tested the OpenID module with content and tenants API calls and it works.

However:

> Important: the version of the Microsoft.IdentityModel.Protocols.OpenIdConnect package MUST
> match the IdentityModel version transitively referenced by OpenIddict to ensure we don't
> accidentally end up referencing inconsistent versions (which is not supported by IM).
> See #16057 for more information.

Going through the OpenID dependencies (you can start here), it seems that we're good:

image

Can you please also confirm this one time @kevinchalet?

@kevinchalet
Member

> Can you please also confirm this one time @kevinchalet?

OpenIddict 5.8.0 - not yet released - will target IM 8: I didn't see any particular regression, so that should be good 👍🏻

Member

@Piedone Piedone left a comment

Yeah, though that's not an issue for us, since due to the open dependency declarations in the OpenIddict packages, in the end, we get v8.0.1 from the Microsoft.IdentityModel.* packages too.

We should be OK, then.

@kevinchalet
Member

> We should be OK, then.

Note: I didn't test the MSFT OIDC handler with IM 8 (only the OpenIddict client): I wouldn't expect it to break but we never know. That said, since you mentioned it worked, I guess it's fine 😄

@Piedone
Member

Piedone commented Aug 12, 2024

Yeah, at least there's nothing obviously broken :).
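
The requirement discussed in this thread, that every IdentityModel package resolves to one version, can be checked mechanically after a restore. The sketch below is an added example, not code from this pull request or from the project; it assumes the `targets` layout of NuGet's `obj/project.assets.json`, and the package family list and both sample inputs are constructed for illustration.

```python
from collections import defaultdict

# Assumption: these packages ship in lockstep from the IdentityModel repository,
# so a healthy restore resolves all of them to the same version.
IM_FAMILY = {
    "microsoft.identitymodel.abstractions",
    "microsoft.identitymodel.jsonwebtokens",
    "microsoft.identitymodel.logging",
    "microsoft.identitymodel.protocols",
    "microsoft.identitymodel.protocols.openidconnect",
    "microsoft.identitymodel.tokens",
    "system.identitymodel.tokens.jwt",
}


def identitymodel_versions(assets):
    """Return {target framework: {version: [package ids]}} for the IM family."""
    report = {}
    for framework, libraries in assets.get("targets", {}).items():
        by_version = defaultdict(list)
        for key, info in libraries.items():
            if info.get("type") != "package":
                continue  # project references carry no NuGet version to compare
            package_id, _, version = key.partition("/")  # keys look like "Id/Version"
            if package_id.lower() in IM_FAMILY:
                by_version[version].append(package_id)
        report[framework] = {v: sorted(ids) for v, ids in by_version.items()}
    return report


def inconsistent_frameworks(assets):
    """Frameworks where the IM family resolved to more than one version."""
    return {fw: vs for fw, vs in identitymodel_versions(assets).items() if len(vs) > 1}


# Constructed sample: direct reference and transitive packages agree on 8.0.1.
ALIGNED = {"targets": {"net8.0": {
    "Microsoft.IdentityModel.Protocols.OpenIdConnect/8.0.1": {"type": "package"},
    "Microsoft.IdentityModel.Tokens/8.0.1": {"type": "package"},
    "Jint/4.0.1": {"type": "package"},
}}}

# Constructed sample: direct reference left at 7.6.2 while a transitive
# dependency already pulled Microsoft.IdentityModel.Tokens up to 8.0.1.
DRIFTED = {"targets": {"net8.0": {
    "Microsoft.IdentityModel.Protocols.OpenIdConnect/7.6.2": {"type": "package"},
    "Microsoft.IdentityModel.Tokens/8.0.1": {"type": "package"},
    "Jint/4.0.1": {"type": "package"},
}}}

if __name__ == "__main__":
    for name, assets in (("aligned", ALIGNED), ("drifted", DRIFTED)):
        bad = inconsistent_frameworks(assets)
        print(name, "OK" if not bad else f"MISMATCH {bad}")
```

For a real project, pass the parsed contents of `obj/project.assets.json` (via `json.load`) to `inconsistent_frameworks` and fail the build when the result is non-empty.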
