[deps]: Update nuget minor

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
AWSSDK.KeyManagementService	[3.7.2.6] → [3.7.506.18]
Azure.Identity (source)	[1.11.4] → [1.21.0]
Azure.Security.KeyVault.Certificates (source)	[4.5.1] → [4.9.0]
Azure.Security.KeyVault.Keys (source)	[4.5.0] → [4.10.0]
Azure.Security.KeyVault.Secrets (source)	[4.5.0] → [4.11.0]
Azure.Storage.Blobs (source)	[12.19.1] → [12.29.0]
Google.Cloud.Kms.V1	[3.7.0] → [3.24.0]
Microsoft.AspNetCore.Authentication.JwtBearer (source)	[10.0.8] → [10.0.9]
Microsoft.AspNetCore.Mvc.Testing (source)	[10.0.8] → [10.0.9]
Microsoft.EntityFrameworkCore.Design (source)	[8.0.27] → [8.0.28]
Microsoft.EntityFrameworkCore.Relational (source)	[8.0.27] → [8.0.28]
Microsoft.EntityFrameworkCore.SqlServer (source)	[8.0.27] → [8.0.28]
Microsoft.EntityFrameworkCore.Sqlite (source)	[8.0.27] → [8.0.28]
Pkcs11Interop (source)	[5.1.2] → [5.3.0]
Serilog.Settings.Configuration	[10.0.0] → [10.0.1]
VaultSharp	[1.7.0] → [1.17.5.1]
dotnet-ef (source)	8.0.2 → 8.0.28

---

Release Notes

aws/aws-sdk-net (AWSSDK.KeyManagementService)

v3.7.506

v3.7.505

v3.7.504

v3.7.503

v3.7.502

v3.7.500

v3.7.403.1

Compare Source

v3.7.403

v3.7.402

Compare Source

v3.7.401

v3.7.400

v3.7.304

v3.7.303

v3.7.302

v3.7.301

v3.7.300

v3.7.200

v3.7.104

v3.7.103

v3.7.102

v3.7.101

v3.7.4

v3.7.3

Azure/azure-sdk-for-net (Azure.Identity)

v1.21.0

Compare Source

1.21.0 (2026-04-10)

Other Changes

• All Azure.Identity types have been moved to Azure.Core and are now available through TypeForwardedTo attributes. This is a non-breaking change — existing code continues to work transparently. The library's version number now aligns with that of Azure.Core. See the Migration Guide for details.

v1.20.0

Compare Source

1.20.0 (2026-03-30)

Features Added

• Added a JSON schema segment to the NuGet package that provides IntelliSense and validation for Azure.Identity credential configuration in appsettings.json.

Breaking Changes

• AddAzureClient, AddKeyedAzureClient, and WithAzureCredential return type changed from IHostApplicationBuilder to IClientBuilder to align with the IClientBuilder composition change in System.ClientModel.

v1.19.0

Compare Source

1.19.0 (2026-03-11)

Features Added

• Added support in ClientCertificateCredential to specify a path in the form of cert:/StoreLocation/StoreName/Thumbprint to refer to a certificate in the platform certificate store - such as the Windows Certificate Store on Windows, and the KeyChain on MacOS - instead of a file on disk. For example to load a certificate from the "My" store in the "CurrentUser" location use the path cert:/CurrentUser/My/E661583E8FABEF4C0BEF694CBC41C28FB81CD870 (A community contribution, courtesy of fowl2).

Other Changes

• Updated Microsoft.Identity.Client and Microsoft.Identity.Client.Extensions.Msal dependencies to version 4.83.1.

v1.18.0

Compare Source

1.18.0 (2026-02-25)

Features Added

• Added experimental Microsoft.Extensions.Configuration and Microsoft.Extensions.DependencyInjection integration for Azure SDK clients. For details, see the Configuration and Dependency Injection documentation.

• The WorkloadIdentityCredentialOptions.IsAzureProxyEnabled property, which enables Azure Kubernetes token proxy mode, is only available in beta releases of this package.

• AzureDeveloperCliCredential now parses JSON error output from azd auth token to extract clean error messages instead of including raw JSON in exceptions. Error messages like {"type":"consoleMessage","data":{"message":"ERROR: fetching token: ..."}} are now displayed as ERROR: fetching token: ....

v1.17.2

Compare Source

1.17.2 (2026-04-15)

Other Changes

• Updated Microsoft.Identity.Client and Microsoft.Identity.Client.Extensions.Msal dependencies to version 4.83.1.

v1.17.1

Compare Source

1.17.1 (2025-11-18)

Other Changes

• Updated Microsoft.Identity.Client and Microsoft.Identity.Client.Extensions.Msal dependencies to version 4.78.0.

v1.17.0

Compare Source

1.17.0 (2025-10-07)

Bugs Fixed

• TenantId is now configured via MSAL's WithTenantId instead of WithTenantIdFromAuthority to prevent malformed Uris to the authority.

Other Changes

• Deprecated BrowserCustomizationOptions.UseEmbeddedWebView property. This option requires additional dependencies on Microsoft.Identity.Client.Desktop and is no longer supported. Consider using brokered authentication instead.

v1.16.0

Compare Source

1.16.0 (2021-06-30)

Changed

• Added TenantId to the properties on TokenRequestContext to enable multi-tenant support in Azure.Identity.

v1.15.0

Compare Source

1.15.0 (2025-08-07)

Breaking Changes

Behavioral Breaking Changes

• Deprecated SharedTokenCacheCredential. The supporting credential (SharedTokenCacheCredential) was a legacy mechanism for authenticating clients using credentials provided to Visual Studio. For brokered authentication, consider using InteractiveBrowserCredential instead. The following changes have been made:
  • SharedTokenCacheCredential class is marked as [Obsolete] and [EditorBrowsable(EditorBrowsableState.Never)]
  • SharedTokenCacheCredentialOptions class is marked as [Obsolete] and [EditorBrowsable(EditorBrowsableState.Never)]
  • DefaultAzureCredentialOptions.ExcludeSharedTokenCacheCredential property is marked as [Obsolete] and [EditorBrowsable(EditorBrowsableState.Never)]
  • SharedTokenCacheUsername property is marked as [Obsolete] and [EditorBrowsable(EditorBrowsableState.Never)]
  • SharedTokenCacheCredential is no longer included in the DefaultAzureCredential authentication flow

Bugs Fixed

• Tenant ID comparisons in credential options are now case-insensitive. This affects AdditionallyAllowedTenants values which will now be matched against tenant IDs without case sensitivity, making the authentication more resilient to case differences in tenant IDs returned from WWW-Authenticate challenges (#​51693).

Other Changes

• BrokerAuthenticationCredential has been renamed as BrokerCredential.

• Added the EditorBrowsable(Never) attribute to property VisualStudioCodeTenantId as TenantId is preferred. The VisualStudioCodeTenantId property exists only to provide backwards compatibility.

v1.14.2

Compare Source

1.14.2 (2025-07-10)

Other changes

• Updated Microsoft.Identity.Client dependency to version 4.73.1

v1.14.1

Compare Source

1.14.1 (2025-07-08)

Bugs Fixed

• Added support in AzurePowerShellCredential for the Az.Accounts 5.0.0+ (Az 14.0.0+) breaking change where Get-AzAccessToken returns PSSecureAccessToken with a SecureString Token property instead of plaintext.

v1.14.0

Compare Source

1.14.0 (2025-12-04)

Features Added

• Upgraded api-version tag from 'package-2025-01-01' to 'package-2025-03-01'. Tag detail available at https://github.com/Azure/azure-rest-api-specs/blob/4db9e81042ec3ffd1eee8df1bf2b8489a1e7fa0a/specification/network/resource-manager/readme.md.

v1.13.2

Compare Source

1.13.2 (2025-01-14)

Bugs Fixed

• Fixed an issue where setting DefaultAzureCredentialOptions.TenantId twice throws an InvalidOperationException (#​47035)
• Fixed an issue where ManagedIdentityCredential does not honor the CancellationToken passed to GetToken and GetTokenAsync. (#​47156)
• Fixed an issue where some credentials in DefaultAzureCredential would not fall through to the next credential in the chain under certain exception conditions.
• Fixed a regression in ManagedIdentityCredential when used in a ChainedTokenCredential where the invalid json responses do not fall through to the next credential in the chain. (#​47470)

v1.13.1

Compare Source

1.13.1 (2025-11-19)

Other Changes

• Updated Azure.Identity dependency to version 1.17.1

v1.13.0

Compare Source

1.13.0 (2021-04-07)

Key Bug Fixes

• Fixed NotSupportedException when running using Blazor in the browser.
• Disable the response caching and enable the streaming when running using Blazor in the browser.

v1.12.1

Compare Source

1.12.1 (2024-09-26)

Bugs Fixed

• Updated to version 4.65.0 of Microsoft.Identity.Client to address a bug preventing the use of alternate authority types such as dStS (4927) .

v1.12.0

Compare Source

1.12.0 (2021-04-06)

Added

• Added HttpPipeline.CreateHttpMessagePropertiesScope that can be used to inject scoped properties into HttpMessage.

googleapis/google-cloud-dotnet (Google.Cloud.Kms.V1)

v3.24.0: Google.Cloud.PubSub.V1 version 3.24.0

Compare Source

Changes in this release:

Documentation improvements

• Update documentation for JavaScriptUDF to indicate that the message_id metadata field is optional instead of required (commit 8127313)

v3.23.0: Google.Cloud.PubSub.V1 version 3.23.0

Compare Source

Changes in this release:

New features

• Add more logs on subscriber pull stream retries (commit ff5a39b)

v3.22.0: Google.Cloud.PubSub.V1 version 3.22.0

Compare Source

Changes in this release:

New features

• Deprecate enabled field for message transforms and add disabled field (commit d75a0b0)

Documentation improvements

• Deprecate enabled field for message transforms and add disabled field (commit d75a0b0)
• A comment for field code in message .google.pubsub.v1.JavaScriptUDF is changed (commit e82746a)

v3.21.0: Google.Cloud.PubSub.V1 version 3.21.0

Compare Source

Changes in this release:

New features

• Add support for message transforms to Topic and Subscription (commit 97502ea)

Documentation improvements

• Fix link for AnalyticsHubSubscriptionInfo (commit 97502ea)

v3.20.0: Google.Cloud.PubSub.V1 version 3.20.0

Compare Source

Changes in this release:

New features

• Add Kafka-based sources to IngestionDataSourceSettings proto and IngestionFailureEvent proto (commit 9324e45)

v3.19.0: Google.Cloud.Kms.V1 version 3.19.0

Compare Source

New features

• Support KEY_ENCAPSULATION purpose and quantum-safe algorithms ML_KEM_768, ML_KEM_1024 and KEM_XWING
• Add PublicKeyFormat enums XWING_RAW_BYTES (used for KEM_XWING) and DER

v3.18.0: Google.Cloud.Kms.V1 version 3.18.0

Compare Source

Documentation improvements

• A comment for enum value DESTROYED in enum CryptoKeyVersionState is changed

v3.17.0: Google.Cloud.Kms.V1 version 3.17.0

Compare Source

New features

• Adding eTag field to AutokeyConfig

Documentation improvements

• Updating docs for total_size field in KMS List APIs

v3.16.0: Google.Cloud.PubSub.V1 version 3.16.0

Compare Source

Changes in this release:

New features

• Add max messages batching for Cloud Storage subscriptions (commit 953eefe)

v3.15.0: Google.Cloud.PubSub.V1 version 3.15.0

Compare Source

Changes in this release:

New features

• Add use_topic_schema for Cloud Storage Subscriptions (commit d557116)

v3.14.0: Google.Cloud.PubSub.V1 version 3.14.0

Compare Source

Changes in this release:

Bug fixes

• Fix possible race condition when restarting the stream (commit 4410bb1)

New features

• Add service_account_email for export subscriptions (commit f73410e)
• Make StreamingPull fail after 100 consecutive failures (commit d9d658b)
• Improve Pub/Sub streaming pull retries (commit 8537ed4)

The last two of these features can cause user-visible changes. In particular:

• Persistently-failing streaming pulls will eventually cause a SubscriberClient to fail
• Authentication-based failures (e.g. using an expired service account) will now cause a SubscriberClient to fail
• SubscriberClient will retry immediately after a streaming pull stream is terminated server-side, if the pull was active for 45 seconds or more before being terminated. This should improve responsiveness in some situations.

All of these changes should be "net positive", but if they cause any issues, please file a bug.

v3.13.0: Google.Cloud.Firestore version 3.13.0

Compare Source

New features

• Update documentation with .NET 10 compatibility workaround

v3.12.0: Google.Cloud.BigQuery.V2 version 3.12.0

Compare Source

New features

• Expose QueryId on row
• Add stateless query fast path optimization to ExecuteQuery
• Add stateless query execution
• Adding ConfigurationModifier action to CreateModelExtractJobOptions
• Add JobConfigurationModifier field to JobCreationOptions
• Add RequestModifier to Create, Get, Patch, Update DatasetOptions

Bug fixes

• Default UseInt64Timestamp to true

Documentation improvements

• Document WRITE_TRUNCATE_DATA

v3.11.0: Google.Cloud.PubSub.V1 version 3.11.0

Compare Source

Changes in this release:

New features

• Added TopicName and SubsciptionName resolution from container as an extension point. (issue 12215) (commit 73c457d)

v3.10.0: Google.Cloud.Kms.V1 version 3.10.0

Compare Source

Changes in this release:

New features

• Change netstandard2.1 target to netstandard2.0 (commit 82bea85)

v3.9.0: Google.Cloud.BigQuery.V2 version 3.9.0

Compare Source

Changes in this release:

New features

• Change netstandard2.1 target to netstandard2.0 (commit 82bea85)

v3.8.0: Google.Cloud.Kms.V1 version 3.8.0

Compare Source

Changes in this release:

Documentation improvements

• Update comments (commit 38d35cd)
• Minor formatting (commit 5f3c5d6)
• Minor formatting (commit 21481f5)

dotnet/dotnet (Microsoft.AspNetCore.Authentication.JwtBearer)

v10.0.9

Pkcs11Interop/Pkcs11Interop (Pkcs11Interop)

v5.3.0: Pkcs11Interop 5.3.0

• #​253 - Added support for MacCatalyst in MAUI apps
• #​254 - Allow automatic platform detection to be overridden
• #​256 - Use PKCS11-MOCK 2.0.0
• #​257 - Replaced AppVeyor with GitHub Actions
• #​258 - Fixed throwing in CK_VERSION::ToString
• #​259 - Removed Doxygen-generated documentation

v5.2.0: Pkcs11Interop 5.2.0

• #​198 - Updated to Visual Studio 2022
• #​243 - Updated dependencies and started using .NET 8 to run tests
• #​244 - Fixed handling of Minor part in CK_VERSION structure
• #​245 - Added missing CKA_NAME_HASH_ALGORITHM attribute
• #​248 - Documented usage of DllImportResolver on Linux
• #​249 - Updated and extended documentation

serilog/serilog-settings-configuration (Serilog.Settings.Configuration)

v10.0.1

What's Changed

• Support LevelAlias names in configuration parsing by @​mohammed-saalim in #​465
• Fix: Update ConditionalSink expression syntax in sample app by @​gyurebalint in #​470
• issue-468: Fix empty/whitespace string converting to array type by @​gyurebalint-CID in #​469
• Add WriteTo.FallbackChain and WriteTo.Fallible support in configuration by @​ArieGato in #​474
• Fix/issue 441 by @​gyurebalint in #​471
• Support C# 13 params collections (IEnumerable, List) by @​gyurebalint in #​478

New Contributors

• @​mohammed-saalim made their first contribution in #​465
• @​gyurebalint made their first contribution in #​470
• @​gyurebalint-CID made their first contribution in #​469
• @​ArieGato made their first contribution in #​474

Full Changelog: serilog/serilog-settings-configuration@v10.0.0...v10.0.1

rajanadar/VaultSharp (VaultSharp)

v1.17.5.1

BUG FIXES:

• ReadConnectionConfigAsync method uses the correct model object.

v1.17.5

BUG FIXES:

• GH-367 Update System.Text.Json to address known security vulnerability

v1.13.0.1

BUG FIXES:

• GH-312 Fix rotation_period deserialization issues in System.Text.Json. And all such duration fields that Vault allows in string and integer form.

v1.13.0

BUG FIXES:

• GH-312 Fix rotation_period deserialization issues in System.Text.Json. And all such duration fields that Vault allows in string and integer form.

v1.12.2.1

BREAKING CHANGES:

• secret/transit: Minor field changes across the apis to make it consistent with other backends. No functional changes.
• Backend APIs to tune mount config now take the NewBackendConfig object instead of BackendConfig object.
• auth/approle: PullSecretIdAsync method is renamed to PullNewSecretIdAsync
• auth/approle: ReadRoleAsync method uses a new type AppRoleRoleModel instead of AppRoleInfo.
• secret/alicloud: The GetCredentialsAsync method for assumed role changed the data type of Expiration field in AliCloudCredentials class from type string to DateTimeOffset
• secret/kv2: Minor field changes to FullSecretMetadata object. No functional changes.

FEATURES:

• secret/pki: Add new api to list revoked certificates
• secret/pki: Add new api to auto tidy certificates
• secret/pki: Add new api to get tidy status
• secret/pki: Add new api to cancel the tidy operation
• GH-293 secret/kv2: Add new api for create metadata
• GH-293 secret/kv2: Add new api for update metadata
• GH-294 secret/aws: All management apis
• auth/alicloud: All the AliCloud Auth apis.
• auth/approle: All the AppRole Auth apis.
• secret/alicloud: All the AliCloud Secret apis.
• secret/aws: Add new api to delete role
• secret/transit: All apis are now supported.
• secret/consul: All the apis
• secret/kv2: New apis to configure store wide settings

IMPROVEMENTS:

• GH-292 Add warning and other fields to seal status apis.
• GH-291 Add logger endpoints to System backend.
• Added several fields like plugin_version etc. to the Backend fetching System APIs.
• secret/pki: Added several new fields to the PKI Cert Tidy Request payload.
• secret/pki: Add revocation time rfc and issuer id fields to cert reads.
• GH-293 secret/kv2: Add new fields cas_required and custom_metadata in FullSecretMetadata class.

v1.12.2

BREAKING CHANGES:

• secret/transit: Minor field changes across the apis to make it consistent with other backends. No functional changes.
• Backend APIs to tune mount config now take the NewBackendConfig object instead of BackendConfig object.
• auth/approle: PullSecretIdAsync method is renamed to PullNewSecretIdAsync
• auth/approle: ReadRoleAsync method uses a new type AppRoleRoleModel instead of AppRoleInfo.
• secret/alicloud: The GetCredentialsAsync method for assumed role changed the data type of Expiration field in AliCloudCredentials class from type string to DateTimeOffset
• secret/kv2: Minor field changes to FullSecretMetadata object. No functional changes.

FEATURES:

• secret/pki: Add new api to list revoked certificates
• secret/pki: Add new api to auto tidy certificates
• secret/pki: Add new api to get tidy status
• secret/pki: Add new api to cancel the tidy operation
• GH-293 secret/kv2: Add new api for create metadata
• GH-293 secret/kv2: Add new api for update metadata
• GH-294 secret/aws: All management apis
• auth/alicloud: All the AliCloud Auth apis.
• auth/approle: All the AppRole Auth apis.
• secret/alicloud: All the AliCloud Secret apis.
• secret/aws: Add new api to delete role
• secret/transit: All apis are now supported.
• secret/consul: All the apis
• secret/kv2: New apis to configure store wide settings

IMPROVEMENTS:

• GH-292 Add warning and other fields to seal status apis.
• GH-291 Add logger endpoints to System backend.
• Added several fields like plugin_version etc. to the Backend fetching System APIs.
• secret/pki: Added several new fields to the PKI Cert Tidy Request payload.
• secret/pki: Add revocation time rfc and issuer id fields to cert reads.
• GH-293 secret/kv2: Add new fields cas_required and custom_metadata in FullSecretMetadata class.

v1.8.12

BREAKING CHANGES:

• secrets/gcp: Deprecated the /gcp/token/:roleset and /gcp/key/:roleset paths for generating secrets for rolesets. Use /gcp/roleset/:roleset/token and /gcp/roleset/:roleset/key instead.

FEATURES:

• secret/transit: Add entropy-source field to GenerateRandomBytes api.
• auth/okta: Adds support for Okta Verify TOTP MFA.

IMPROVEMENTS:

• Remove all references of whitelist/blacklist in code, docs etc.
• auth/okta: Okta login now supports the totp, provider and nonce fields.

v1.7.2.2

BREAKING CHANGES:

• [GH-288] Fix a ttl bug and use proper http verbs for aws credential generation.

IMPROVEMENTS:

• [GH-288] AWS Credentials supports role arn, role session name now.

v1.7.2.1

BUG FIXES:

• [GH-289] Fix InvalidOperationException related to Patch Content type for PatchSecretAsync method

v1.7.2

BREAKING CHANGES:

• [GH-288] Fix a ttl bug and use proper http verbs for aws credential generation.

IMPROVEMENTS:

• [GH-288] AWS Credentials supports role arn, role session name now.

v1.7.1

IMPROVEMENTS:

• [GH-243] Fix the framework issue with TargetMoniker

DOC IMPROVEMENTS:

• Real GH links on the Changelog file

v1.7.0.5

IMPROVEMENTS:

• [GH-223] Implemented support for Ed25519 Key type (Vault 1.9+ only)
• [GH-251] Implemented remaining Transit endpoints
• [GH-253] Update delete metadata async
• [GH-239] Ensure awaits are configured
• [GH-241] Enforce await configuration (CA2007)
• [GH-246] Added create, read, list & delete token role APIs

v1.7.0.4

BUG FIXES:

• [GH-235] Fix a deadlock when a particular internal path is chosen

DOC IMPROVEMENTS:

• [GH-236] Add section on Token-Renewal and DI Lifetime

v1.7.0.3

IMPROVEMENTS:

• .NET 6 Support

v1.7.0.2

IMPROVEMENTS:

• [GH-215] Certificate Auth now takes a chain of certificates.
• [GH-220] Improved the token initialization code by retrying when errors happen first time.
• Add support for AppRole Auth API endpoints
• Implemented AppRole auth endpoint to read role information by role name

v1.7.0.1

BREAKING CHANGES:

• The properties IssuingCACertificateContent and CAChainContent of the base class AbstractCertificateData has been moved to a subclass AbstractIssuedCertificateData.

FEATURES:

• Implemented PKI secret engine endpoint to read a certificate by key (serial number).
• Implemented PKI secret engine endpoint to retrieve a list of certificate keys (serial numbers).

IMPROVEMENTS:

• Changed type of property Expiration in CertificateCredentials from int to long.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • "every 2nd week starting on the 2 week of the year before 4am on Monday"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[bitwarden-bot]

Checkmarx One – Scan Summary & Details – cc06b052-712e-43a1-958d-acd13914cd4b

No New Or Fixed Issues Found

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 42.96%. Comparing base (74b97ce) to head (9d6a23e).

Additional details and impacted files

@@           Coverage Diff           @@
##             main      #48   +/-   ##
=======================================
  Coverage   42.96%   42.96%           
=======================================
  Files          49       49           
  Lines        1834     1834           
  Branches       99       99           
=======================================
  Hits          788      788           
  Misses       1011     1011           
  Partials       35       35           

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.