Releases: Azure/azure-sdk-for-js
@azure/keyvault-certificates_4.11.0-beta.1
[keyvault-certificates] Add support for 2026-03-01-preview API versio…
@azure/communication-common_2.4.2
[core] prepare for June 2026 release (#38788) - update release date in CHANGELOG - add PR links
@azure/arm-resourcesdeploymentstacks_2.0.0
[AutoPR @azure-arm-confidentialledger]-generated-from-SDK Generation …
@azure/arm-computelimit_1.1.0
[AutoPR @azure-arm-postgresqlhsc]-generated-from-SDK Generation - JS-…
@azure/arm-support_4.0.0-beta.1
[core] prepare for June 2026 release (#38788) - update release date in CHANGELOG - add PR links
@azure/arm-powerbidedicated_5.0.0-beta.1
[monitor-opentelemetry-exporter] Fix the redirect auth issues (#38772)

# Description

Fixes the [MSRC 119493](https://portal.microsofticm.com/imp/v5/incidents/details/31000000623459/summary) defect family in the Node.js exporter, mirroring the Python fix in [Azure/azure-sdk-for-python#47265](https://github.com/Azure/azure-sdk-for-python/pull/47265).

## Defect

`sdk/monitor/monitor-opentelemetry-exporter` disables `@azure/core-rest-pipeline`'s `redirectPolicy` (`httpSender.ts`) and handles 30x responses itself in `baseSender.ts`. On any 307/308 the previous `handlePermanentRedirect`:

- accepted **any** `Location` host with no origin allowlist;
- mutated `appInsightsClientOptions.host` and rebuilt the `ApplicationInsightsClient`, persisting the new host for the lifetime of the exporter; and
- on the recursive `exportEnvelopes` call, the rebuilt pipeline still contained `bearerTokenAuthenticationPolicy` (when a `credential` is configured), so a freshly-signed AAD token for `https://monitor.azure.com/.default` plus the telemetry envelope were POSTed to the redirect target.

This is the same code-shape MSRC paid out against the Python exporter (#119493), the .NET exporter (researcher Finding #12), and the Java exporter (researcher Finding #14).

## Fix

- New `ALLOWED_REDIRECT_DOMAIN_SUFFIXES` constant (`Declarations/Constants.ts`) listing the canonical Azure Monitor / Application Insights ingestion suffixes across public, US Gov, and China clouds (identical list to the Python PR).
- New `isSameRegisteredDomain(currentHost, redirectHost)` helper (`utils/redirectUtils.ts`) that returns `true` only when the redirect target is an **exact host match** for the configured ingestion host, or when **both** hosts live under the **same** trusted suffix. Customers with a custom ingestion host therefore still get the single-hop "remember the redirect" UX for an exact-host redirect, but server-issued cross-host redirects are refused.
- `HttpSender.handlePermanentRedirect` now returns a `boolean`: `false` (without mutating any state) when the redirect would cross the trust boundary, `true` otherwise. The abstract signature on `BaseSender` is updated to match.
- `BaseSender.exportEnvelopes` treats a `false` return as a non-retriable failure: it does **not** recurse into another `send`, surfaces an `ExportResultCode.FAILED` with a `Refused cross-origin redirect` error, and counts the exception via `networkStatsbeat.countException` / `customerSDKStatsMetrics.countDroppedItems(DropCode.CLIENT_EXCEPTION, ..., ExceptionType.CLIENT_EXCEPTION)`.
- Diag log added at `error` level when a refusal occurs so operators can identify the misbehaving server / proxy.

## Tests

- New `test/internal/redirectUtils.spec.ts` covering exact-match, same-suffix, cross-suffix, untrusted-parent (PoC scenario), trusted↔untrusted, empty inputs, user-info / port, and case / trailing-dot normalization.
- New `BaseSender` test: `should refuse cross-origin redirects without retrying` — asserts `send` is invoked exactly once, the result is `FAILED` with `Refused cross-origin redirect`, and `networkStatsbeat.countException` is called.
- New `HttpSender` test: `should refuse a cross-origin redirect and not leak telemetry to a foreign host` — uses `nock` to assert the exporter does **not** POST to the attacker host and that `appInsightsClient.host` remains the originally configured `DEFAULT_BREEZE_ENDPOINT` (no persistent host poisoning).
- Existing `HttpSender` redirect tests that redirected from `dc.services.visualstudio.com` to `ukwest-0.in.applicationinsights.azure.com` (which crosses trusted suffixes and would now be refused) are retargeted to `westus.services.visualstudio.com`, matching the Python PR's analogous test update.
- Existing `BaseSender` test mock returns `true` by default so legacy positive-path tests continue to exercise the success branch; the circular-redirect test is unaffected (refusal is gated by `numConsecutiveRedirects < 10`).

## Verification

- `pnpm turbo build --filter @azure/monitor-opentelemetry-exporter... --token 1` — green.
- `pnpm format` / `npm run lint` — green (only pre-existing warnings, none from new code).
- Full vitest suite: **20 files, 347 tests, all passing.**

## Version Bumps

`@azure/monitor-opentelemetry-exporter` from `1.0.0-beta.42` to `1.0.0-beta.43`.

## Checklist

- [x] **The pull request does not introduce [breaking changes]** — the only public surface change is `handlePermanentRedirect`'s return type on `BaseSender`, which is `@internal`.
- [x] CHANGELOG updated under `1.0.0-beta.43 (Unreleased)`.
- [x] Tests added for the security-relevant behavior.

Co-authored-by: Jackson Weber <jacwebe@microsoft.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
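The suffix-scoped redirect check that the PR above describes, written out as an added illustration (this is not the exporter's own `redirectUtils.ts`); the two-entry suffix list, the `normalizeHost` helper and the `trustedSuffixOf` helper are assumptions standing in for the project's `ALLOWED_REDIRECT_DOMAIN_SUFFIXES` and internals, chosen so that the page's `dc.services.visualstudio.com` → `ukwest-0.in.applicationinsights.azure.com` case crosses suffixes while `westus.services.visualstudio.com` does not.

```typescript
// Added illustration of the suffix-scoped redirect check described in the
// PR above. This is NOT the exporter's own redirectUtils.ts; the suffix list
// below is an assumed stand-in for ALLOWED_REDIRECT_DOMAIN_SUFFIXES.
const ASSUMED_TRUSTED_SUFFIXES: readonly string[] = [
  ".services.visualstudio.com",
  ".in.applicationinsights.azure.com",
];

// Reduce a host (or a full URL / Location value) to a comparable host name:
// strip scheme, path, user-info and port, lower-case it, drop trailing dots.
export function normalizeHost(input: string): string {
  let s = input.trim();
  const schemeIdx = s.indexOf("://");
  if (schemeIdx !== -1) s = s.slice(schemeIdx + 3);
  const pathIdx = s.search(/[\/?#]/);
  if (pathIdx !== -1) s = s.slice(0, pathIdx);
  const at = s.lastIndexOf("@"); // "trusted.host@evil" must compare as "evil"
  if (at !== -1) s = s.slice(at + 1);
  if (s.startsWith("[")) { // bracketed IPv6 literal: keep literal, drop port
    const close = s.indexOf("]");
    s = close === -1 ? s : s.slice(0, close + 1);
  } else {
    const colon = s.indexOf(":");
    if (colon !== -1) s = s.slice(0, colon);
  }
  s = s.toLowerCase();
  while (s.endsWith(".")) s = s.slice(0, -1);
  return s;
}

// Which trusted suffix (if any) a host lives under. The suffix itself without
// a leading label is not "under" the suffix.
function trustedSuffixOf(host: string): string | undefined {
  return ASSUMED_TRUSTED_SUFFIXES.find((sfx) => host.endsWith(sfx) && host.length > sfx.length);
}

// true only for an exact host match, or when both hosts share the SAME trusted
// suffix. Anything else (untrusted parent domain, a different trusted suffix,
// empty input) is refused, so no bearer token or envelope is re-sent there.
export function isSameRegisteredDomain(currentHost: string, redirectHost: string): boolean {
  const a = normalizeHost(currentHost);
  const b = normalizeHost(redirectHost);
  if (!a || !b) return false;
  if (a === b) return true;
  const sa = trustedSuffixOf(a);
  return sa !== undefined && sa === trustedSuffixOf(b);
}
```

A custom ingestion host still accepts an exact-host redirect (the "remember the redirect" path), while a redirect to its parent domain or to any host outside the shared trusted suffix returns `false` before any state is mutated.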
@azure/arm-postgresqlhsc_1.0.0-beta.1
[core] prepare for June 2026 release (#38788) - update release date in CHANGELOG - add PR links
@azure/arm-datadog_4.0.0-beta.1
[AutoPR @azure-arm-datadog]-generated-from-SDK Generation - JS-637639…
@azure/arm-databox_6.0.0-beta.1
[AutoPR @azure-arm-confidentialledger]-generated-from-SDK Generation …
@azure/arm-containerservicefleet_2.1.0-beta.4
[core] prepare for June 2026 release (#38788) - update release date in CHANGELOG - add PR links