Sync with main to resolve nuget audit advisory by GABRIELNGBTUC · Pull Request #5 · GABRIELNGBTUC/bicep

GABRIELNGBTUC · 2026-06-19T05:39:11Z

No description provided.

Update code to match the house style 😎 Co-authored-by: Bicep Automation <bicep@noreply.github.com>

Bumps [@babel/core](https://github.com/babel/babel/tree/HEAD/packages/babel-core) from 7.29.0 to 7.29.7. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/babel/babel/releases">@babel/core's releases</a>.</em></p> <blockquote> <h2>v7.29.7 (2026-05-25)</h2> <p>Re-release all packages with npm provenance attestations</p> <h2>v7.29.6 (2026-05-25)</h2> <h4>:bug: Bug Fix</h4> <ul> <li><code>babel-generator</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/18014">#18014</a> Catchup source map position in preserveFormat (<a href="https://github.com/nicolo-ribaudo"><code>@nicolo-ribaudo</code></a>)</li> </ul> </li> <li><code>babel-core</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/18001">#18001</a> [7.x packport]Improve input source map handling (<a href="https://github.com/JLHwung"><code>@JLHwung</code></a>)</li> </ul> </li> <li><code>babel-core</code>, <code>babel-generator</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17998">#17998</a> Preserve original identifier names from input sourcemaps (<a href="https://github.com/babel/babel/tree/HEAD/packages/babel-core/issues/17992">#17992</a>) (<a href="https://github.com/Andarist"><code>@Andarist</code></a>)</li> </ul> </li> </ul> <h4>Committers: 3</h4> <ul> <li>Huáng Jùnliàng (<a href="https://github.com/JLHwung"><code>@JLHwung</code></a>)</li> <li>Mateusz Burzyński (<a href="https://github.com/Andarist"><code>@Andarist</code></a>)</li> <li>Nicolò Ribaudo (<a href="https://github.com/nicolo-ribaudo"><code>@nicolo-ribaudo</code></a>)</li> </ul> <h2>v7.29.5 (2026-05-05)</h2> <h4>:house: Internal</h4> <ul> <li><code>babel-preset-env</code> <ul> <li>Update <code>@babel/*</code> dependencies</li> </ul> </li> </ul> <h2>v7.29.4 (2026-05-05)</h2> <h4>:bug: Bug Fix</h4> <ul> <li><code>babel-plugin-transform-modules-systemjs</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17974">#17974</a> [7.x backport]fix(systemjs): improve module string name support (<a href="https://github.com/JLHwung"><code>@JLHwung</code></a>)</li> </ul> </li> </ul> <h4>Committers: 1</h4> <ul> <li>Huáng Jùnliàng (<a href="https://github.com/JLHwung"><code>@JLHwung</code></a>)</li> </ul> <h2>v7.29.3 (2026-04-30)</h2> <h4>:eyeglasses: Spec Compliance</h4> <ul> <li><code>babel-parser</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17923">#17923</a> Support flow extends bound (<a href="https://github.com/JLHwung"><code>@JLHwung</code></a>)</li> </ul> </li> </ul> <h4>:bug: Bug Fix</h4> <ul> <li><code>babel-helper-create-class-features-plugin</code>, <code>babel-plugin-proposal-decorators</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17931">#17931</a> fix(decorators): replace super within all removed static elements (<a href="https://github.com/JLHwung"><code>@JLHwung</code></a>)</li> </ul> </li> <li><code>babel-register</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17915">#17915</a> Fix thread synchronization issues in <code>@babel/register</code> (<a href="https://github.com/liuxingbaoyu"><code>@liuxingbaoyu</code></a>)</li> </ul> </li> <li><code>babel-compat-data</code>, <code>babel-plugin-bugfix-safari-rest-destructuring-rhs-array</code>, <code>babel-preset-env</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17788">#17788</a> Add bugfix plugin for Safari array rest destructuring bug (<a href="https://github.com/JLHwung"><code>@JLHwung</code></a>)</li> </ul> </li> </ul> <h4>:nail_care: Polish</h4> <ul> <li><code>babel-parser</code></li> </ul>  </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/babel/babel/commit/4fba7541180bf5f58256d8e358b544e3831ad090"><code>4fba754</code></a> v7.29.7</li> <li><a href="https://github.com/babel/babel/commit/04ea6b27fdac8f40c3481aec2080ac9678779509"><code>04ea6b2</code></a> v7.29.6</li> <li><a href="https://github.com/babel/babel/commit/99f498a9b9fa0b900d603fbe8f6601bb3b9e42bb"><code>99f498a</code></a> [7.x packport]Improve input source map handling (<a href="https://github.com/babel/babel/tree/HEAD/packages/babel-core/issues/18001">#18001</a>)</li> <li><a href="https://github.com/babel/babel/commit/feba0a3654c596bd369d1ef1231f5d56666d56dc"><code>feba0a3</code></a> Preserve original identifier names from input sourcemaps (<a href="https://github.com/babel/babel/tree/HEAD/packages/babel-core/issues/17992">#17992</a>) (<a href="https://github.com/babel/babel/tree/HEAD/packages/babel-core/issues/17998">#17998</a>)</li> <li>See full diff in <a href="https://github.com/babel/babel/commits/v7.29.7/packages/babel-core">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=@babel/core&package-manager=npm_and_yarn&previous-version=7.29.0&new-version=7.29.7)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> ###### Microsoft Reviewers: [Open in CodeFlow](https://microsoft.github.io/open-pr/?codeflow=https://github.com/Azure/bicep/pull/19771) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [webpack-cli](https://github.com/webpack/webpack-cli) from 7.0.2 to 7.0.3. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/webpack/webpack-cli/releases">webpack-cli's releases</a>.</em></p> <blockquote> <h2>webpack-cli@7.0.3</h2> <h3>Patch Changes</h3> <ul> <li> <p>Improved CLI startup performance and reduced memory usage. (by <a href="https://github.com/alexander-akait"><code>@alexander-akait</code></a> in <a href="https://redirect.github.com/webpack/webpack-cli/pull/4765">#4765</a>)</p> </li> <li> <p>Reduced CLI startup CPU and memory usage by caching schema-derived argument metadata, registering only the options present in the arguments, and reading config directories once during default-config discovery. (by <a href="https://github.com/alexander-akait"><code>@alexander-akait</code></a> in <a href="https://redirect.github.com/webpack/webpack-cli/pull/4760">#4760</a>)</p> </li> <li> <p>Replace the <code>fastest-levenshtein</code> dependency with a small in-tree implementation used for command/option "did you mean" suggestions. (by <a href="https://github.com/alexander-akait"><code>@alexander-akait</code></a> in <a href="https://redirect.github.com/webpack/webpack-cli/pull/4762">#4762</a>)</p> </li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/webpack/webpack-cli/blob/main/CHANGELOG.md">webpack-cli's changelog</a>.</em></p> <blockquote> <h2>7.0.3</h2> <h3>Patch Changes</h3> <ul> <li> <p>Improved CLI startup performance and reduced memory usage. (by <a href="https://github.com/alexander-akait"><code>@alexander-akait</code></a> in <a href="https://redirect.github.com/webpack/webpack-cli/pull/4765">#4765</a>)</p> </li> <li> <p>Reduced CLI startup CPU and memory usage by caching schema-derived argument metadata, registering only the options present in the arguments, and reading config directories once during default-config discovery. (by <a href="https://github.com/alexander-akait"><code>@alexander-akait</code></a> in <a href="https://redirect.github.com/webpack/webpack-cli/pull/4760">#4760</a>)</p> </li> <li> <p>Replace the <code>fastest-levenshtein</code> dependency with a small in-tree implementation used for command/option "did you mean" suggestions. (by <a href="https://github.com/alexander-akait"><code>@alexander-akait</code></a> in <a href="https://redirect.github.com/webpack/webpack-cli/pull/4762">#4762</a>)</p> </li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/webpack/webpack-cli/commit/5fb92f3fd8f3e596ace374b8aa38106e19ac0384"><code>5fb92f3</code></a> chore(release): new release (<a href="https://redirect.github.com/webpack/webpack-cli/issues/4711">#4711</a>)</li> <li><a href="https://github.com/webpack/webpack-cli/commit/00347eda8448066f1865fea100b0eb9d12a9a4c4"><code>00347ed</code></a> perf(webpack-cli): allocate Levenshtein buffer lazily (<a href="https://redirect.github.com/webpack/webpack-cli/issues/4765">#4765</a>)</li> <li><a href="https://github.com/webpack/webpack-cli/commit/1b40b72d025cb5aed5da1d297639d56053d9dca9"><code>1b40b72</code></a> chore: update ejs (<a href="https://redirect.github.com/webpack/webpack-cli/issues/4764">#4764</a>)</li> <li><a href="https://github.com/webpack/webpack-cli/commit/2bbb639f0b86754c9e152523eb17c9347593e844"><code>2bbb639</code></a> refactor(webpack-cli): replace fastest-levenshtein with in-tree implementatio...</li> <li><a href="https://github.com/webpack/webpack-cli/commit/a467d6e94e2e2c893a871acc09de730b84e52a47"><code>a467d6e</code></a> chore(deps): bump the dependencies group across 1 directory with 10 updates (...</li> <li><a href="https://github.com/webpack/webpack-cli/commit/183d0e678bc77af5fd6280f0616f6dae3efd966c"><code>183d0e6</code></a> perf(webpack-cli): cache schema arguments and use map lookups for options (<a href="https://redirect.github.com/webpack/webpack-cli/issues/4">#4</a>...</li> <li><a href="https://github.com/webpack/webpack-cli/commit/5b33f70c039423f5d9e68fd0aa9ccf797a8e291c"><code>5b33f70</code></a> chore(deps-dev): bump sass-loader from 16.0.8 to 17.0.0 (<a href="https://redirect.github.com/webpack/webpack-cli/issues/4756">#4756</a>)</li> <li><a href="https://github.com/webpack/webpack-cli/commit/59f362a3b916a9bd0f1966aaf96c384267658434"><code>59f362a</code></a> chore(deps): bump qs and express (<a href="https://redirect.github.com/webpack/webpack-cli/issues/4758">#4758</a>)</li> <li><a href="https://github.com/webpack/webpack-cli/commit/eaffa0bdd1d7cf2b2a765d9cfd216990bf0795a6"><code>eaffa0b</code></a> chore(deps): bump codecov/codecov-action in the dependencies group (<a href="https://redirect.github.com/webpack/webpack-cli/issues/4757">#4757</a>)</li> <li><a href="https://github.com/webpack/webpack-cli/commit/b3498b663db776679633b1b4ce34583b8e77e106"><code>b3498b6</code></a> chore(deps): bump the dependencies group with 3 updates (<a href="https://redirect.github.com/webpack/webpack-cli/issues/4754">#4754</a>)</li> <li>Additional commits viewable in <a href="https://github.com/webpack/webpack-cli/compare/webpack-cli@7.0.2...webpack-cli@7.0.3">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=webpack-cli&package-manager=npm_and_yarn&previous-version=7.0.2&new-version=7.0.3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> ###### Microsoft Reviewers: [Open in CodeFlow](https://microsoft.github.io/open-pr/?codeflow=https://github.com/Azure/bicep/pull/19777) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…d.E2eTests (Azure#19773) Bumps [@vitest/eslint-plugin](https://github.com/vitest-dev/eslint-plugin-vitest) from 1.6.18 to 1.6.19. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/vitest-dev/eslint-plugin-vitest/releases">@vitest/eslint-plugin's releases</a>.</em></p> <blockquote> <h2>v1.6.19</h2> <p><em>No significant changes</em></p> <h5> <a href="https://github.com/vitest-dev/eslint-plugin-vitest/compare/v1.6.18...v1.6.19">View changes on GitHub</a></h5> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/vitest-dev/eslint-plugin-vitest/commit/28bc45fa548f4a88c50441db61de95fd27108daa"><code>28bc45f</code></a> chore: release v1.6.19</li> <li><a href="https://github.com/vitest-dev/eslint-plugin-vitest/commit/8566d7f6b5641078cac0cec570cd9bb9abc32860"><code>8566d7f</code></a> chore: prefer-called-with should report toHaveBeenCalledOnce() (<a href="https://redirect.github.com/vitest-dev/eslint-plugin-vitest/issues/911">#911</a>)</li> <li>See full diff in <a href="https://github.com/vitest-dev/eslint-plugin-vitest/compare/v1.6.18...v1.6.19">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=@vitest/eslint-plugin&package-manager=npm_and_yarn&previous-version=1.6.18&new-version=1.6.19)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> ###### Microsoft Reviewers: [Open in CodeFlow](https://microsoft.github.io/open-pr/?codeflow=https://github.com/Azure/bicep/pull/19773) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…eTests (Azure#19768) Bumps [@vitest/eslint-plugin](https://github.com/vitest-dev/eslint-plugin-vitest) from 1.6.18 to 1.6.19. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/vitest-dev/eslint-plugin-vitest/releases">@vitest/eslint-plugin's releases</a>.</em></p> <blockquote> <h2>v1.6.19</h2> <p><em>No significant changes</em></p> <h5> <a href="https://github.com/vitest-dev/eslint-plugin-vitest/compare/v1.6.18...v1.6.19">View changes on GitHub</a></h5> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/vitest-dev/eslint-plugin-vitest/commit/28bc45fa548f4a88c50441db61de95fd27108daa"><code>28bc45f</code></a> chore: release v1.6.19</li> <li><a href="https://github.com/vitest-dev/eslint-plugin-vitest/commit/8566d7f6b5641078cac0cec570cd9bb9abc32860"><code>8566d7f</code></a> chore: prefer-called-with should report toHaveBeenCalledOnce() (<a href="https://redirect.github.com/vitest-dev/eslint-plugin-vitest/issues/911">#911</a>)</li> <li>See full diff in <a href="https://github.com/vitest-dev/eslint-plugin-vitest/compare/v1.6.18...v1.6.19">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=@vitest/eslint-plugin&package-manager=npm_and_yarn&previous-version=1.6.18&new-version=1.6.19)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> ###### Microsoft Reviewers: [Open in CodeFlow](https://microsoft.github.io/open-pr/?codeflow=https://github.com/Azure/bicep/pull/19768) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…zure#19772) Bumps [terser-webpack-plugin](https://github.com/webpack/minimizer-webpack-plugin) from 5.6.0 to 5.6.1. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/webpack/minimizer-webpack-plugin/releases">terser-webpack-plugin's releases</a>.</em></p> <blockquote> <h2>v5.6.1</h2> <h3>Patch Changes</h3> <ul> <li>deduplicate extracted comments in linear time, so builds stay fast when an asset contains many distinct preserved comments (by <a href="https://github.com/alexander-akait"><code>@alexander-akait</code></a> in <a href="https://redirect.github.com/webpack/minimizer-webpack-plugin/pull/682">#682</a>)</li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/webpack/minimizer-webpack-plugin/blob/main/CHANGELOG.md">terser-webpack-plugin's changelog</a>.</em></p> <blockquote> <h2>5.6.1</h2> <h3>Patch Changes</h3> <ul> <li>deduplicate extracted comments in linear time, so builds stay fast when an asset contains many distinct preserved comments (by <a href="https://github.com/alexander-akait"><code>@alexander-akait</code></a> in <a href="https://redirect.github.com/webpack/minimizer-webpack-plugin/pull/682">#682</a>)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/webpack/minimizer-webpack-plugin/commit/5207f9415bc0592d7a2d49a84fb5b1ee33cf5e9d"><code>5207f94</code></a> chore(release): new release (<a href="https://redirect.github.com/webpack/minimizer-webpack-plugin/issues/683">#683</a>)</li> <li><a href="https://github.com/webpack/minimizer-webpack-plugin/commit/06bda34502ffbd4201fd8c34e6a6fe9bf3a96d85"><code>06bda34</code></a> fix: dedupe extracted comments in linear time (<a href="https://redirect.github.com/webpack/minimizer-webpack-plugin/issues/682">#682</a>)</li> <li><a href="https://github.com/webpack/minimizer-webpack-plugin/commit/39fd982794217d5747a3bdf6541cdbada87eaecb"><code>39fd982</code></a> chore(deps): bump fast-uri from 3.1.0 to 3.1.2 (<a href="https://redirect.github.com/webpack/minimizer-webpack-plugin/issues/680">#680</a>)</li> <li>See full diff in <a href="https://github.com/webpack/minimizer-webpack-plugin/compare/v5.6.0...v5.6.1">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=terser-webpack-plugin&package-manager=npm_and_yarn&previous-version=5.6.0&new-version=5.6.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> ###### Microsoft Reviewers: [Open in CodeFlow](https://microsoft.github.io/open-pr/?codeflow=https://github.com/Azure/bicep/pull/19772) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Updated [Microsoft.Extensions.Logging](https://github.com/dotnet/dotnet) from 10.0.7 to 10.0.8. <details> <summary>Release notes</summary> _Sourced from [Microsoft.Extensions.Logging's releases](https://github.com/dotnet/dotnet/releases)._ No release notes found for this version range. Commits viewable in [compare view](https://github.com/dotnet/dotnet/commits). </details> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=Microsoft.Extensions.Logging&package-manager=nuget&previous-version=10.0.7&new-version=10.0.8)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> ###### Microsoft Reviewers: [Open in CodeFlow](https://microsoft.github.io/open-pr/?codeflow=https://github.com/Azure/bicep/pull/19778) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…n /src/monarch (Azure#19766) Bumps [@babel/plugin-transform-modules-commonjs](https://github.com/babel/babel/tree/HEAD/packages/babel-plugin-transform-modules-commonjs) from 7.28.6 to 7.29.7. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/babel/babel/releases">@babel/plugin-transform-modules-commonjs's releases</a>.</em></p> <blockquote> <h2>v7.29.7 (2026-05-25)</h2> <p>Re-release all packages with npm provenance attestations</p> <h2>v7.29.6 (2026-05-25)</h2> <h4>:bug: Bug Fix</h4> <ul> <li><code>babel-generator</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/18014">#18014</a> Catchup source map position in preserveFormat (<a href="https://github.com/nicolo-ribaudo"><code>@nicolo-ribaudo</code></a>)</li> </ul> </li> <li><code>babel-core</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/18001">#18001</a> [7.x packport]Improve input source map handling (<a href="https://github.com/JLHwung"><code>@JLHwung</code></a>)</li> </ul> </li> <li><code>babel-core</code>, <code>babel-generator</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17998">#17998</a> Preserve original identifier names from input sourcemaps (<a href="https://github.com/babel/babel/tree/HEAD/packages/babel-plugin-transform-modules-commonjs/issues/17992">#17992</a>) (<a href="https://github.com/Andarist"><code>@Andarist</code></a>)</li> </ul> </li> </ul> <h4>Committers: 3</h4> <ul> <li>Huáng Jùnliàng (<a href="https://github.com/JLHwung"><code>@JLHwung</code></a>)</li> <li>Mateusz Burzyński (<a href="https://github.com/Andarist"><code>@Andarist</code></a>)</li> <li>Nicolò Ribaudo (<a href="https://github.com/nicolo-ribaudo"><code>@nicolo-ribaudo</code></a>)</li> </ul> <h2>v7.29.5 (2026-05-05)</h2> <h4>:house: Internal</h4> <ul> <li><code>babel-preset-env</code> <ul> <li>Update <code>@babel/*</code> dependencies</li> </ul> </li> </ul> <h2>v7.29.4 (2026-05-05)</h2> <h4>:bug: Bug Fix</h4> <ul> <li><code>babel-plugin-transform-modules-systemjs</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17974">#17974</a> [7.x backport]fix(systemjs): improve module string name support (<a href="https://github.com/JLHwung"><code>@JLHwung</code></a>)</li> </ul> </li> </ul> <h4>Committers: 1</h4> <ul> <li>Huáng Jùnliàng (<a href="https://github.com/JLHwung"><code>@JLHwung</code></a>)</li> </ul> <h2>v7.29.3 (2026-04-30)</h2> <h4>:eyeglasses: Spec Compliance</h4> <ul> <li><code>babel-parser</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17923">#17923</a> Support flow extends bound (<a href="https://github.com/JLHwung"><code>@JLHwung</code></a>)</li> </ul> </li> </ul> <h4>:bug: Bug Fix</h4> <ul> <li><code>babel-helper-create-class-features-plugin</code>, <code>babel-plugin-proposal-decorators</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17931">#17931</a> fix(decorators): replace super within all removed static elements (<a href="https://github.com/JLHwung"><code>@JLHwung</code></a>)</li> </ul> </li> <li><code>babel-register</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17915">#17915</a> Fix thread synchronization issues in <code>@babel/register</code> (<a href="https://github.com/liuxingbaoyu"><code>@liuxingbaoyu</code></a>)</li> </ul> </li> <li><code>babel-compat-data</code>, <code>babel-plugin-bugfix-safari-rest-destructuring-rhs-array</code>, <code>babel-preset-env</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17788">#17788</a> Add bugfix plugin for Safari array rest destructuring bug (<a href="https://github.com/JLHwung"><code>@JLHwung</code></a>)</li> </ul> </li> </ul> <h4>:nail_care: Polish</h4> <ul> <li><code>babel-parser</code></li> </ul>  </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/babel/babel/commit/4fba7541180bf5f58256d8e358b544e3831ad090"><code>4fba754</code></a> v7.29.7</li> <li>See full diff in <a href="https://github.com/babel/babel/commits/v7.29.7/packages/babel-plugin-transform-modules-commonjs">compare view</a></li> </ul> </details> <br /> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…19779) [//]: # (dependabot-start) ⚠️ **Dependabot is rebasing this PR** ⚠️ Rebasing might not happen immediately, so don't worry if this takes some time. Note: if you make any changes to this PR yourself, they will take precedence over the rebase. --- [//]: # (dependabot-end) Updated [Microsoft.NET.Sdk.WebAssembly.Pack](https://github.com/dotnet/dotnet) from 10.0.7 to 10.0.8. <details> <summary>Release notes</summary> _Sourced from [Microsoft.NET.Sdk.WebAssembly.Pack's releases](https://github.com/dotnet/dotnet/releases)._ No release notes found for this version range. Commits viewable in [compare view](https://github.com/dotnet/dotnet/commits). </details> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=Microsoft.NET.Sdk.WebAssembly.Pack&package-manager=nuget&previous-version=10.0.7&new-version=10.0.8)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> ###### Microsoft Reviewers: [Open in CodeFlow](https://microsoft.github.io/open-pr/?codeflow=https://github.com/Azure/bicep/pull/19779) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Updated [System.Text.Json](https://github.com/dotnet/dotnet) from 10.0.5 to 10.0.8. <details> <summary>Release notes</summary> _Sourced from [System.Text.Json's releases](https://github.com/dotnet/dotnet/releases)._ No release notes found for this version range. Commits viewable in [compare view](https://github.com/dotnet/dotnet/commits). </details> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=System.Text.Json&package-manager=nuget&previous-version=10.0.5&new-version=10.0.8)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> ###### Microsoft Reviewers: [Open in CodeFlow](https://microsoft.github.io/open-pr/?codeflow=https://github.com/Azure/bicep/pull/19784) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Updated [System.CommandLine](https://github.com/dotnet/dotnet) from 2.0.5 to 2.0.8. <details> <summary>Release notes</summary> _Sourced from [System.CommandLine's releases](https://github.com/dotnet/dotnet/releases)._ No release notes found for this version range. Commits viewable in [compare view](https://github.com/dotnet/dotnet/commits). </details> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=System.CommandLine&package-manager=nuget&previous-version=2.0.5&new-version=2.0.8)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> ###### Microsoft Reviewers: [Open in CodeFlow](https://microsoft.github.io/open-pr/?codeflow=https://github.com/Azure/bicep/pull/19782) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Updated [System.Memory.Data](https://github.com/dotnet/dotnet) from 10.0.5 to 10.0.8. <details> <summary>Release notes</summary> _Sourced from [System.Memory.Data's releases](https://github.com/dotnet/dotnet/releases)._ No release notes found for this version range. Commits viewable in [compare view](https://github.com/dotnet/dotnet/commits). </details> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=System.Memory.Data&package-manager=nuget&previous-version=10.0.5&new-version=10.0.8)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> ###### Microsoft Reviewers: [Open in CodeFlow](https://microsoft.github.io/open-pr/?codeflow=https://github.com/Azure/bicep/pull/19783) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

## Description Fixes the VS Code `Generate Parameters File` flow for json output when a compiled template JSON already exists next to the source bicep file. The LangServer `generateParams` command was targeting `<name>.json` for json output, while the VS Code command expected `<name>.parameters.json`. If `<name>.json` already existed, generation failed and vs code then attempted to open a non-existent `<name>.parameters.json` file. Fixes Azure#19696 ## Validation Run `dotnet src/Bicep.LangServer.IntegrationTests/bin/Debug/net10.0/Bicep.LangServer.IntegrationTests.dll --filter "Name=GenerateParams_command_should_generate_paramsfile_when_compiled_template_exists" --no-progress` without the fix in this PR, output will be; ```shell MSTest v3.9.2 (UTC 6/10/2025) [linux-x64 - .NET 10.0.3] Test Parallelization enabled for /workspaces/bicep/src/Bicep.LangServer.IntegrationTests/bin/Debug/net10.0/Bicep.LangServer.IntegrationTests.dll (Workers: 8, Scope: MethodLevel) failed GenerateParams_command_should_generate_paramsfile_when_compiled_template_exists (1s 956ms) Expected File.Exists(parametersJsonPath) to be True, but found False. at FluentAssertions.Execution.LateBoundTestFramework.Throw(String message) at FluentAssertions.Execution.TestFrameworkProvider.Throw(String message) at FluentAssertions.Execution.DefaultAssertionStrategy.HandleFailure(String message) at FluentAssertions.Execution.AssertionScope.FailWith(Func`1 failReasonFunc) at FluentAssertions.Execution.AssertionScope.FailWith(Func`1 failReasonFunc) at FluentAssertions.Execution.AssertionScope.FailWith(String message, Object[] args) at FluentAssertions.Primitives.BooleanAssertions`1.BeTrue(String because, Object[] becauseArgs) at Bicep.LangServer.IntegrationTests.GenerateParamsCommandTests.GenerateParams_command_should_generate_paramsfile_when_compiled_template_exists() in src/Bicep.LangServer.IntegrationTests/GenerateParamsCommandTests.cs:94 Standard output Debug Trace: Starting language server: Succeeded (Elapsed = 1480 ms) Building semantic model for /workspaces/bicep/src/Bicep.LangServer.IntegrationTests/bin/Debug/net10.0/TestResults/Deploy_vscode 20260529T135024_32811/In/d736f057-f1a2-4dd3-a777-0541cb0dc704/main.bicep (BicepFile). Using default built-in bicepconfig. TestContext Messages: Info: Bicep version: 0.43.109 (0a05ee8), OS: LINUX, Architecture: X64 Info: Running on processId 32811 Error output Test run summary: Failed! - src/Bicep.LangServer.IntegrationTests/bin/Debug/net10.0/Bicep.LangServer.IntegrationTests.dll (net10.0|x64) total: 1 failed: 1 succeeded: 0 skipped: 0 duration: 2s 201ms ``` Run the same `dotnet src/Bicep.LangServer.IntegrationTests/bin/Debug/net10.0/Bicep.LangServer.IntegrationTests.dll --filter "Name=GenerateParams_command_should_generate_paramsfile_when_compiled_template_exists" --no-progress` command with this PR, output will be; ```shell MSTest v3.9.2 (UTC 6/10/2025) [linux-x64 - .NET 10.0.3] Test Parallelization enabled for /workspaces/bicep/src/Bicep.LangServer.IntegrationTests/bin/Debug/net10.0/Bicep.LangServer.IntegrationTests.dll (Workers: 8, Scope: MethodLevel) Test run summary: Passed! - src/Bicep.LangServer.IntegrationTests/bin/Debug/net10.0/Bicep.LangServer.IntegrationTests.dll (net10.0|x64) total: 1 failed: 0 succeeded: 1 skipped: 0 duration: 2s 271ms ``` ## Checklist - [x] I have read and adhere to the [contribution guide](https://github.com/Azure/bicep/blob/main/CONTRIBUTING.md). ###### Microsoft Reviewers: [Open in CodeFlow](https://microsoft.github.io/open-pr/?codeflow=https://github.com/Azure/bicep/pull/19755)

The reported behavior in Azure#18455 appears to already be resolved by previous Bicep work, or the remaining symptom is on the Azure CLI deployment/error-reporting side rather than in Bicep emission. Bicep emits valid ARM JSON for Key Vault parameter references. The test I've added here confirms that `getSecret()`, `az.getSecret()`, and `kv.getSecret()` all compile correctly and produce the expected ARM template/parameters JSON representation. Adds regression coverage for Key Vault secret reference emission across the supported `getSecret` forms: - `.bicepparam` `getSecret(...)` - `.bicepparam` `az.getSecret(...)` - `.bicep` resource method `kv.getSecret(...)` The new test verifies these forms compile successfully and emit the expected ARM JSON Key Vault parameter reference shape, both with and without `secretVersion`. Closes Azure#18455 ## Validation ```bash dotnet test Bicep.Core.IntegrationTests.csproj --filter "Name=All_getSecret_forms_emit_keyVault_references" ``` ## Checklist - [x] I have read and adhere to the [contribution guide](https://github.com/Azure/bicep/blob/main/CONTRIBUTING.md). ###### Microsoft Reviewers: [Open in CodeFlow](https://microsoft.github.io/open-pr/?codeflow=https://github.com/Azure/bicep/pull/19714)

## Description Fixes a flaky VS Code extension e2e test for the `generateParams` command. The test creates a temporary Bicep file, runs `bicep.generateParams`, and then deletes the temp folder. The command opens the generated parameters file in VS Code, so Windows can briefly keep a file watcher/editor handle open. When cleanup runs before editors are closed, `fs.rmSync` can fail with `EPERM`. This change closes all editors before deleting the temp folder, avoiding the file lock race. To validate, run; ```shell cd src/vscode-bicep npm run build:e2e ``` ## Checklist - [x] I have read and adhere to the [contribution guide](https://github.com/Azure/bicep/blob/main/CONTRIBUTING.md). ###### Microsoft Reviewers: [Open in CodeFlow](https://microsoft.github.io/open-pr/?codeflow=https://github.com/Azure/bicep/pull/19790)

Monthly Bicep release — bumps `Azure.Bicep.Types.Az` from `0.2.859` to `0.2.871`. ## Changes - `src/Directory.Packages.props`: bumped `Azure.Bicep.Types.Az` to `0.2.871`. - Regenerated baselines via `./scripts/UpdateBaselines.ps1`: - `src/Bicep.Core.Samples/Files/baselines/Completions/resourceTypes.json` - `src/Bicep.Core.Samples/Files/baselines/Extensions_CRLF/main.json` - `src/Bicep.Core.Samples/Files/baselines/Extensions_CRLF/main.sourcemap.bicep` - `src/Bicep.Core.Samples/Files/baselines/Extensions_CRLF/main.symbolicnames.json` - `src/Bicep.Core.Samples/Files/baselines/InvalidResources_CRLF/Completions/virtualNetworksResourceTypes.json`

Increments the minor version number in `version.json` (0.43 -> 0.44) as part of the end-of-month release process. See [release checklist](https://github.com/Azure/bicep/blob/main/docs/release-checklist.md) step 3, example [here](Azure#9698). ###### Microsoft Reviewers: [Open in CodeFlow](https://microsoft.github.io/open-pr/?codeflow=https://github.com/Azure/bicep/pull/19791)

…h diff engine) (Azure#19757) ## Overview First slice of the **Bicep Visualizer MSAGL layout migration** — moving graph topology, metadata, and (eventually) layout from the client into the language server. This PR lands the design doc plus Phases 1, 3, and 4. It is **inert by default**: the new handler answers in shadow mode and nothing routes through it yet, so `main` stays shippable on the existing ELK path. See [docs/visualizer-msagl-layout-migration/plan.md](docs/visualizer-msagl-layout-migration/plan.md) for the full design. ## What's included **Phase 1 — Protocol contracts + feature flag** - C# + TypeScript protocol types for the `textDocument/visualizerGraphUpdate` request. - Feature flag `bicep.visualizer.serverLayout.enabled` (default `false`) gates whether the extension routes through the new path. - Node kind trimmed to `resource`/`module`; edges carry no kind. **Phase 3 — Server canonical graph builder** - `VisualizerGraphBuilder` builds the canonical graph from the live compilation, mirroring `BicepDeploymentGraphHandler` (BFS over semantic models, descends into modules, resolves resource/module metadata). No MSAGL yet. **Phase 4 — Patch diff engine + handler** - `VisualizerGraphDiffer` reconciles the client's rendered graph against the freshly built canonical graph and returns an ordered `GraphPatch[]` (a complete delta; empty means nothing changed). - `VisualizerGraphUpdateHandler` registered in **shadow mode** (always answers, not flag-gated) to enable end-to-end testing. - ELK still lays out on the client; `setNodeLayout` is not emitted yet. ## Design notes - **No revision tokens.** The request carries the client's current graph and each response is a complete delta from it, so responses need no shared version counter and need not be applied in order. - **Models named `CanonicalGraph` (server's source of truth) and `RenderedGraph` (what the webview currently shows)** for clarity. - **Survivors always get an idempotent `updateNode` + the response always ends with `setErrorCount`** — the minimal `RenderedGraph` omits metadata, so the server can't detect metadata equality and refreshes unconditionally. - **`GraphPatch` is self-describing on the wire.** It carries a class-level `[JsonConverter]` attribute so OmniSharp's typed Newtonsoft client can deserialize the discriminated union. A `[ThreadStatic]` re-entrancy guard prevents the inherited attribute from recursing when deserializing the concrete patch type. *(This was caught by the integration test below — without it the typed client throws `"Type is an interface or abstract class and cannot be instantiated"`.)* ## Tests - **Differ unit tests** — full add, deepest-first removal, reparent/kind-change as remove+add, metadata refresh, edge add/remove ordering, error-count-last. - **Serialization tests** — round-trip all 8 patches through OmniSharp's actual `LspSerializer` (camelCase, LSP model converters), plus unknown-op rejection. - **Handler integration tests** — drive the real LSP server end to end: initial full-add delta and matching-current metadata-only refresh. LangServer unit tests: **837 passed**. LangServer integration tests: **2046 passed, 0 failed**. ## Scoping - Phases 3 + 4 combined into this PR. - MSAGL adapter, applying server layout, single-flight hardening, and ELK removal are **follow-up phases** (5–9 in the plan). - Handler is intentionally **not** flag-gated (shadow mode) so it can be exercised in tests before the client is wired up. ###### Microsoft Reviewers: [Open in CodeFlow](https://microsoft.github.io/open-pr/?codeflow=https://github.com/Azure/bicep/pull/19757)

…ts (Azure#19855) [//]: # (dependabot-start) ⚠️ **Dependabot is rebasing this PR** ⚠️ Rebasing might not happen immediately, so don't worry if this takes some time. Note: if you make any changes to this PR yourself, they will take precedence over the rebase. --- [//]: # (dependabot-end) Bumps [typescript-eslint](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint) from 8.60.1 to 8.61.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/typescript-eslint/typescript-eslint/releases">typescript-eslint's releases</a>.</em></p> <blockquote> <h2>v8.61.0</h2> <h2>8.61.0 (2026-06-08)</h2> <h3>🚀 Features</h3> <ul> <li><strong>ast-spec:</strong> change type of <code>UnaryExpression.prefix</code> to always <code>true</code> (<a href="https://redirect.github.com/typescript-eslint/typescript-eslint/pull/12372">#12372</a>)</li> <li><strong>ast-spec:</strong> tighten types of <code>ArrowFunction</code>, <code>YieldExpression</code>, <code>TSTypePredicate</code> (<a href="https://redirect.github.com/typescript-eslint/typescript-eslint/pull/12373">#12373</a>)</li> </ul> <h3>🩹 Fixes</h3> <ul> <li><strong>rule-schema-to-typescript-types:</strong> respect ECMAScript line terminators (<a href="https://redirect.github.com/typescript-eslint/typescript-eslint/pull/12374">#12374</a>)</li> </ul> <h3>❤️ Thank You</h3> <ul> <li>Kirk Waiblinger <a href="https://github.com/kirkwaiblinger"><code>@kirkwaiblinger</code></a></li> <li>lumir</li> </ul> <p>See <a href="https://github.com/typescript-eslint/typescript-eslint/releases/tag/v8.61.0">GitHub Releases</a> for more information.</p> <p>You can read about our <a href="https://typescript-eslint.io/users/versioning">versioning strategy</a> and <a href="https://typescript-eslint.io/users/releases">releases</a> on our website.</p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/typescript-eslint/CHANGELOG.md">typescript-eslint's changelog</a>.</em></p> <blockquote> <h2>8.61.0 (2026-06-08)</h2> <p>This was a version bump only for typescript-eslint to align it with other projects, there were no code changes.</p> <p>See <a href="https://github.com/typescript-eslint/typescript-eslint/releases/tag/v8.61.0">GitHub Releases</a> for more information.</p> <p>You can read about our <a href="https://typescript-eslint.io/users/versioning">versioning strategy</a> and <a href="https://typescript-eslint.io/users/releases">releases</a> on our website.</p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/typescript-eslint/typescript-eslint/commit/16a5b247affc32af21b695cf96dfd75d7ded50a3"><code>16a5b24</code></a> chore(release): publish 8.61.0</li> <li>See full diff in <a href="https://github.com/typescript-eslint/typescript-eslint/commits/v8.61.0/packages/typescript-eslint">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=typescript-eslint&package-manager=npm_and_yarn&previous-version=8.60.1&new-version=8.61.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> ###### Microsoft Reviewers: [Open in CodeFlow](https://microsoft.github.io/open-pr/?codeflow=https://github.com/Azure/bicep/pull/19855) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…d.E2eTests (Azure#19856) [//]: # (dependabot-start) ⚠️ **Dependabot is rebasing this PR** ⚠️ Rebasing might not happen immediately, so don't worry if this takes some time. Note: if you make any changes to this PR yourself, they will take precedence over the rebase. --- [//]: # (dependabot-end) Bumps [@vitest/eslint-plugin](https://github.com/vitest-dev/eslint-plugin-vitest) from 1.6.19 to 1.6.20. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/vitest-dev/eslint-plugin-vitest/releases">@vitest/eslint-plugin's releases</a>.</em></p> <blockquote> <h2>v1.6.20</h2> <h3> 🐞 Bug Fixes</h3> <ul> <li><strong>hoisted-apis-on-top</strong>: Detect vitest.mock and aliased vi/vitest mock calls - by <a href="https://github.com/spokodev"><code>@spokodev</code></a> in <a href="https://redirect.github.com/vitest-dev/eslint-plugin-vitest/issues/909">vitest-dev/eslint-plugin-vitest#909</a> <a href="https://github.com/vitest-dev/eslint-plugin-vitest/commit/8fff969">(8fff9)</a></li> <li><strong>require-test-timeout</strong>: Treat imported bindings as explicit timeouts - by <a href="https://github.com/spokodev"><code>@spokodev</code></a> in <a href="https://redirect.github.com/vitest-dev/eslint-plugin-vitest/issues/906">vitest-dev/eslint-plugin-vitest#906</a> <a href="https://github.com/vitest-dev/eslint-plugin-vitest/commit/bd82c7d">(bd82c)</a></li> <li><strong>valid-expect</strong>: Treat .finally() as part of async assertion promise chains - by <a href="https://github.com/spokodev"><code>@spokodev</code></a> in <a href="https://redirect.github.com/vitest-dev/eslint-plugin-vitest/issues/908">vitest-dev/eslint-plugin-vitest#908</a> <a href="https://github.com/vitest-dev/eslint-plugin-vitest/commit/7c697f8">(7c697)</a></li> </ul> <h5> <a href="https://github.com/vitest-dev/eslint-plugin-vitest/compare/v1.6.19...v1.6.20">View changes on GitHub</a></h5> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/vitest-dev/eslint-plugin-vitest/commit/9cca3c31e355d41e615964dcf7ffd7a9df338ab6"><code>9cca3c3</code></a> chore: release v1.6.20</li> <li><a href="https://github.com/vitest-dev/eslint-plugin-vitest/commit/7c697f8a53d7d7551b00ef11217d58cd45a0cf7d"><code>7c697f8</code></a> fix(valid-expect): treat .finally() as part of async assertion promise chains...</li> <li><a href="https://github.com/vitest-dev/eslint-plugin-vitest/commit/8fff9690c0c4008f93a636a62425dbe520ec7ce7"><code>8fff969</code></a> fix(hoisted-apis-on-top): detect vitest.mock and aliased vi/vitest mock calls...</li> <li><a href="https://github.com/vitest-dev/eslint-plugin-vitest/commit/7606e1d71e31333fc2fc4faaa8716646e77b2d4b"><code>7606e1d</code></a> docs(no-large-snapshots): describe <code>allowSnapshots</code> as a map (<a href="https://redirect.github.com/vitest-dev/eslint-plugin-vitest/issues/916">#916</a>)</li> <li><a href="https://github.com/vitest-dev/eslint-plugin-vitest/commit/bd82c7df3bd4d524a4c1411638f8a8d5cef85106"><code>bd82c7d</code></a> fix(require-test-timeout): treat imported bindings as explicit timeouts (<a href="https://redirect.github.com/vitest-dev/eslint-plugin-vitest/issues/906">#906</a>)</li> <li>See full diff in <a href="https://github.com/vitest-dev/eslint-plugin-vitest/compare/v1.6.19...v1.6.20">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=@vitest/eslint-plugin&package-manager=npm_and_yarn&previous-version=1.6.19&new-version=1.6.20)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> ###### Microsoft Reviewers: [Open in CodeFlow](https://microsoft.github.io/open-pr/?codeflow=https://github.com/Azure/bicep/pull/19856) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…zure#19852) Bumps [vite-plugin-static-copy](https://github.com/sapphi-red/vite-plugin-static-copy) from 4.1.0 to 4.1.1. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/sapphi-red/vite-plugin-static-copy/releases">vite-plugin-static-copy's releases</a>.</em></p> <blockquote> <h2>vite-plugin-static-copy@4.1.1</h2> <h3>Patch Changes</h3> <ul> <li><a href="https://redirect.github.com/sapphi-red/vite-plugin-static-copy/pull/240">#240</a> <a href="https://github.com/sapphi-red/vite-plugin-static-copy/commit/671579bcf3de6071983669dedd02aa20baabe737"><code>671579b</code></a> Thanks <a href="https://github.com/saif-shines"><code>@saif-shines</code></a>! - Use each environment's resolved <code>build.outDir</code> when copying static assets during build. Previously the plugin kept only the last <code>configResolved</code> config, so multi-environment setups (for example Astro with separate client and SSR output directories) could copy files into the wrong folder.</li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/sapphi-red/vite-plugin-static-copy/blob/main/CHANGELOG.md">vite-plugin-static-copy's changelog</a>.</em></p> <blockquote> <h2>4.1.1</h2> <h3>Patch Changes</h3> <ul> <li><a href="https://redirect.github.com/sapphi-red/vite-plugin-static-copy/pull/240">#240</a> <a href="https://github.com/sapphi-red/vite-plugin-static-copy/commit/671579bcf3de6071983669dedd02aa20baabe737"><code>671579b</code></a> Thanks <a href="https://github.com/saif-shines"><code>@saif-shines</code></a>! - Use each environment's resolved <code>build.outDir</code> when copying static assets during build. Previously the plugin kept only the last <code>configResolved</code> config, so multi-environment setups (for example Astro with separate client and SSR output directories) could copy files into the wrong folder.</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/sapphi-red/vite-plugin-static-copy/commit/63dd788ed97366514dc7f82be71d1bed88fdf872"><code>63dd788</code></a> chore: update versions (<a href="https://redirect.github.com/sapphi-red/vite-plugin-static-copy/issues/259">#259</a>)</li> <li><a href="https://github.com/sapphi-red/vite-plugin-static-copy/commit/671579bcf3de6071983669dedd02aa20baabe737"><code>671579b</code></a> fix: use environment-specific outDir in build plugin for Vite 6 (<a href="https://redirect.github.com/sapphi-red/vite-plugin-static-copy/issues/240">#240</a>)</li> <li><a href="https://github.com/sapphi-red/vite-plugin-static-copy/commit/01757de2c889dfa3b3dfea7ee20018c2af472b67"><code>01757de</code></a> chore(deps): update pnpm to v11</li> <li><a href="https://github.com/sapphi-red/vite-plugin-static-copy/commit/707a0fe62c6ae921e841b552640d6e2cca0a16af"><code>707a0fe</code></a> ci: pin actions</li> <li><a href="https://github.com/sapphi-red/vite-plugin-static-copy/commit/f0df2ad3577810b077ce65dffd538d9863b17b63"><code>f0df2ad</code></a> fix(deps): update all non-major dependencies (<a href="https://redirect.github.com/sapphi-red/vite-plugin-static-copy/issues/257">#257</a>)</li> <li><a href="https://github.com/sapphi-red/vite-plugin-static-copy/commit/efb0d503db895a169245b100dfe99e1fdfce7104"><code>efb0d50</code></a> fix(deps): update all non-major dependencies (<a href="https://redirect.github.com/sapphi-red/vite-plugin-static-copy/issues/255">#255</a>)</li> <li>See full diff in <a href="https://github.com/sapphi-red/vite-plugin-static-copy/compare/vite-plugin-static-copy@4.1.0...vite-plugin-static-copy@4.1.1">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=vite-plugin-static-copy&package-manager=npm_and_yarn&previous-version=4.1.0&new-version=4.1.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> ###### Microsoft Reviewers: [Open in CodeFlow](https://microsoft.github.io/open-pr/?codeflow=https://github.com/Azure/bicep/pull/19852) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…9844) [//]: # (dependabot-start) ⚠️ **Dependabot is rebasing this PR** ⚠️ Rebasing might not happen immediately, so don't worry if this takes some time. Note: if you make any changes to this PR yourself, they will take precedence over the rebase. --- [//]: # (dependabot-end) Bumps [prettier](https://github.com/prettier/prettier) from 3.8.3 to 3.8.4. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/prettier/prettier/releases">prettier's releases</a>.</em></p> <blockquote> <h2>3.8.4</h2> <ul> <li>Markdown: Fix blank lines between list items and nested sub-lists being removed in Markdown/MDX (<a href="https://redirect.github.com/prettier/prettier/pull/17746">prettier/prettier#17746</a> by <a href="https://github.com/byplayer"><code>@byplayer</code></a>)</li> </ul> <p>🔗 <a href="https://github.com/prettier/prettier/blob/3.8.4/CHANGELOG.md#384">Changelog</a></p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/prettier/prettier/blob/main/CHANGELOG.md">prettier's changelog</a>.</em></p> <blockquote> <h1>3.8.4</h1> <p><a href="https://github.com/prettier/prettier/compare/3.8.3...3.8.4">diff</a></p> <h4>Markdown: Fix blank lines between list items and nested sub-lists being removed in Markdown/MDX (<a href="https://redirect.github.com/prettier/prettier/pull/17746">#17746</a> by <a href="https://github.com/byplayer"><code>@byplayer</code></a>)</h4> <p>Prettier was removing blank lines between list items and their nested sub-lists, converting loose lists into tight lists and changing their semantic meaning.</p>  <pre lang="markdown"><code> - a <ul> <li> <p>b</p> </li> <li> <p>c</p> <ul> <li>d</li> </ul> </li> </ul> <p></p> <ul> <li>a <ul> <li>b</li> </ul> </li> <li>c <ul> <li>d</li> </ul> </li> </ul> <p></p> <ul> <li> <p>a</p> <ul> <li>b</li> </ul> </li> <li> <p>c</p> <ul> <li>d<br /> </code></pre></li> </ul> </li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/prettier/prettier/commit/1c6ba5539141552e0e8e22d401ea620d8fdff468"><code>1c6ba55</code></a> Release 3.8.4</li> <li><a href="https://github.com/prettier/prettier/commit/4a673dc9b59ddf7296bbab9822093d2971da84a8"><code>4a673dc</code></a> Fix blank lines between list items and nested sub-lists being removed in Mark...</li> <li><a href="https://github.com/prettier/prettier/commit/074aaedbb052a288e89d15eb0a4214de37a08866"><code>074aaed</code></a> Replace <code>main</code> branch in changelog link with tags (<a href="https://redirect.github.com/prettier/prettier/issues/19054">#19054</a>)</li> <li><a href="https://github.com/prettier/prettier/commit/c22a003ae97917c5043e8685b4fdff0f93e978f9"><code>c22a003</code></a> Bump Prettier dependency to 3.8.3</li> <li><a href="https://github.com/prettier/prettier/commit/07bad1f04536e9799927007baf466e67151576f0"><code>07bad1f</code></a> Clean changelog_unreleased</li> <li>See full diff in <a href="https://github.com/prettier/prettier/compare/3.8.3...3.8.4">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=prettier&package-manager=npm_and_yarn&previous-version=3.8.3&new-version=3.8.4)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> ###### Microsoft Reviewers: [Open in CodeFlow](https://microsoft.github.io/open-pr/?codeflow=https://github.com/Azure/bicep/pull/19844) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Updated [Google.Protobuf](https://github.com/protocolbuffers/protobuf) from 3.34.1 to 3.35.1. <details> <summary>Release notes</summary> _Sourced from [Google.Protobuf's releases](https://github.com/protocolbuffers/protobuf/releases)._ No release notes found for this version range. Commits viewable in [compare view](https://github.com/protocolbuffers/protobuf/commits). </details> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=Google.Protobuf&package-manager=nuget&previous-version=3.34.1&new-version=3.35.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> ###### Microsoft Reviewers: [Open in CodeFlow](https://microsoft.github.io/open-pr/?codeflow=https://github.com/Azure/bicep/pull/19871) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Updated [Grpc.Tools](https://github.com/grpc/grpc) from 2.81.0 to 2.81.1. <details> <summary>Release notes</summary> _Sourced from [Grpc.Tools's releases](https://github.com/grpc/grpc/releases)._ No release notes found for this version range. Commits viewable in [compare view](https://github.com/grpc/grpc/commits). </details> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=Grpc.Tools&package-manager=nuget&previous-version=2.81.0&new-version=2.81.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> ###### Microsoft Reviewers: [Open in CodeFlow](https://microsoft.github.io/open-pr/?codeflow=https://github.com/Azure/bicep/pull/19872) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Updated [Markdig](https://github.com/xoofx/markdig) from 1.2.0 to 1.3.0. <details> <summary>Release notes</summary> _Sourced from [Markdig's releases](https://github.com/xoofx/markdig/releases)._ ## 1.3.0 # Changes ## 🐛 Bug Fixes - Fix CJK emphasis after HTML entity newlines (#941) (fcbf8170) - Fix pipe table cells with unmatched subscript (#932) (0f98267a) - Fix roundtrip autolink URLs (#919) (b8364135) - Fix configurable nesting depth limit (#892) (d7f13b03) - Fix NormalizeRenderer auto identifiers output (#930) (9dffce52) - Fix blockquote ordered list parsing (#887) (bc4e3990) ## 📚 Documentation - add InferColumnWidthsFromSeparator docs (PR #939) by @SimonCropp ## 🧰 Misc - Update readme with Alert extension details (PR #940) by @AndrewTriesToCode - Update AGENTS.md (5dca4149) **Full Changelog**: [1.2.0...1.3.0](xoofx/markdig@1.2.0...1.3.0) <sub>Published with [dotnet-releaser](https://github.com/xoofx/dotnet-releaser/)</sub> Commits viewable in [compare view](xoofx/markdig@1.2.0...1.3.0). </details> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=Markdig&package-manager=nuget&previous-version=1.2.0&new-version=1.3.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> ###### Microsoft Reviewers: [Open in CodeFlow](https://microsoft.github.io/open-pr/?codeflow=https://github.com/Azure/bicep/pull/19873) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…9867) Bumps [typescript-eslint](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint) from 8.60.1 to 8.61.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/typescript-eslint/typescript-eslint/releases">typescript-eslint's releases</a>.</em></p> <blockquote> <h2>v8.61.0</h2> <h2>8.61.0 (2026-06-08)</h2> <h3>🚀 Features</h3> <ul> <li><strong>ast-spec:</strong> change type of <code>UnaryExpression.prefix</code> to always <code>true</code> (<a href="https://redirect.github.com/typescript-eslint/typescript-eslint/pull/12372">#12372</a>)</li> <li><strong>ast-spec:</strong> tighten types of <code>ArrowFunction</code>, <code>YieldExpression</code>, <code>TSTypePredicate</code> (<a href="https://redirect.github.com/typescript-eslint/typescript-eslint/pull/12373">#12373</a>)</li> </ul> <h3>🩹 Fixes</h3> <ul> <li><strong>rule-schema-to-typescript-types:</strong> respect ECMAScript line terminators (<a href="https://redirect.github.com/typescript-eslint/typescript-eslint/pull/12374">#12374</a>)</li> </ul> <h3>❤️ Thank You</h3> <ul> <li>Kirk Waiblinger <a href="https://github.com/kirkwaiblinger"><code>@kirkwaiblinger</code></a></li> <li>lumir</li> </ul> <p>See <a href="https://github.com/typescript-eslint/typescript-eslint/releases/tag/v8.61.0">GitHub Releases</a> for more information.</p> <p>You can read about our <a href="https://typescript-eslint.io/users/versioning">versioning strategy</a> and <a href="https://typescript-eslint.io/users/releases">releases</a> on our website.</p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/typescript-eslint/CHANGELOG.md">typescript-eslint's changelog</a>.</em></p> <blockquote> <h2>8.61.0 (2026-06-08)</h2> <p>This was a version bump only for typescript-eslint to align it with other projects, there were no code changes.</p> <p>See <a href="https://github.com/typescript-eslint/typescript-eslint/releases/tag/v8.61.0">GitHub Releases</a> for more information.</p> <p>You can read about our <a href="https://typescript-eslint.io/users/versioning">versioning strategy</a> and <a href="https://typescript-eslint.io/users/releases">releases</a> on our website.</p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/typescript-eslint/typescript-eslint/commit/16a5b247affc32af21b695cf96dfd75d7ded50a3"><code>16a5b24</code></a> chore(release): publish 8.61.0</li> <li>See full diff in <a href="https://github.com/typescript-eslint/typescript-eslint/commits/v8.61.0/packages/typescript-eslint">compare view</a></li> </ul> </details> <br /> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…zure#19868) Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 8.60.1 to 8.61.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/typescript-eslint/typescript-eslint/releases">@typescript-eslint/parser's releases</a>.</em></p> <blockquote> <h2>v8.61.0</h2> <h2>8.61.0 (2026-06-08)</h2> <h3>🚀 Features</h3> <ul> <li><strong>ast-spec:</strong> change type of <code>UnaryExpression.prefix</code> to always <code>true</code> (<a href="https://redirect.github.com/typescript-eslint/typescript-eslint/pull/12372">#12372</a>)</li> <li><strong>ast-spec:</strong> tighten types of <code>ArrowFunction</code>, <code>YieldExpression</code>, <code>TSTypePredicate</code> (<a href="https://redirect.github.com/typescript-eslint/typescript-eslint/pull/12373">#12373</a>)</li> </ul> <h3>🩹 Fixes</h3> <ul> <li><strong>rule-schema-to-typescript-types:</strong> respect ECMAScript line terminators (<a href="https://redirect.github.com/typescript-eslint/typescript-eslint/pull/12374">#12374</a>)</li> </ul> <h3>❤️ Thank You</h3> <ul> <li>Kirk Waiblinger <a href="https://github.com/kirkwaiblinger"><code>@kirkwaiblinger</code></a></li> <li>lumir</li> </ul> <p>See <a href="https://github.com/typescript-eslint/typescript-eslint/releases/tag/v8.61.0">GitHub Releases</a> for more information.</p> <p>You can read about our <a href="https://typescript-eslint.io/users/versioning">versioning strategy</a> and <a href="https://typescript-eslint.io/users/releases">releases</a> on our website.</p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md">@typescript-eslint/parser's changelog</a>.</em></p> <blockquote> <h2>8.61.0 (2026-06-08)</h2> <p>This was a version bump only for parser to align it with other projects, there were no code changes.</p> <p>See <a href="https://github.com/typescript-eslint/typescript-eslint/releases/tag/v8.61.0">GitHub Releases</a> for more information.</p> <p>You can read about our <a href="https://typescript-eslint.io/users/versioning">versioning strategy</a> and <a href="https://typescript-eslint.io/users/releases">releases</a> on our website.</p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/typescript-eslint/typescript-eslint/commit/16a5b247affc32af21b695cf96dfd75d7ded50a3"><code>16a5b24</code></a> chore(release): publish 8.61.0</li> <li>See full diff in <a href="https://github.com/typescript-eslint/typescript-eslint/commits/v8.61.0/packages/parser">compare view</a></li> </ul> </details> <br /> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Updated [Spectre.Console](https://github.com/spectreconsole/spectre.console) from 0.56.0 to 0.57.0. <details> <summary>Release notes</summary> _Sourced from [Spectre.Console's releases](https://github.com/spectreconsole/spectre.console/releases)._ ## 0.57.0 ## What's Changed * Make source generator output deterministic (LF, no BOM) by [@phil-scott-78](https://github.com/phil-scott-78) in [#2143](spectreconsole/spectre.console#2143) * Add new box border styles including beveled, dashed, dotted, heavy, and rounded variants by [@phil-scott-78](https://github.com/phil-scott-78) in [#2142](spectreconsole/spectre.console#2142) * Should preserve auto links when wrapped in grid by [@patriksvensson](https://github.com/patriksvensson) in [#2149](spectreconsole/spectre.console#2149) **Full Changelog**: spectreconsole/spectre.console@0.56.0...0.57.0 Commits viewable in [compare view](spectreconsole/spectre.console@0.56.0...0.57.0). </details> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=Spectre.Console&package-manager=nuget&previous-version=0.56.0&new-version=0.57.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> ###### Microsoft Reviewers: [Open in CodeFlow](https://microsoft.github.io/open-pr/?codeflow=https://github.com/Azure/bicep/pull/19878) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Updated [System.Collections.Immutable](https://github.com/dotnet/dotnet) from 10.0.8 to 10.0.9. <details> <summary>Release notes</summary> _Sourced from [System.Collections.Immutable's releases](https://github.com/dotnet/dotnet/releases)._ No release notes found for this version range. Commits viewable in [compare view](https://github.com/dotnet/dotnet/commits). </details> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=System.Collections.Immutable&package-manager=nuget&previous-version=10.0.8&new-version=10.0.9)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> ###### Microsoft Reviewers: [Open in CodeFlow](https://microsoft.github.io/open-pr/?codeflow=https://github.com/Azure/bicep/pull/19880) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Update code to match the house style 😎 Co-authored-by: Bicep Automation <bicep@noreply.github.com>

…scode-bicep (Azure#19845) Bumps [@microsoft/vscode-azext-azureutils](https://github.com/Microsoft/vscode-azuretools) from 4.2.0 to 4.3.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/Microsoft/vscode-azuretools/releases">@microsoft/vscode-azext-azureutils's releases</a>.</em></p> <blockquote> <h2>microsoft-vscode-azext-azureappservice v4.2.4</h2> <h2>What's Changed</h2> <ul> <li>all: fix npm security vulnerabilities via npm audit fix by <a href="https://github.com/Copilot"><code>@Copilot</code></a> in <a href="https://redirect.github.com/microsoft/vscode-azuretools/pull/2255">microsoft/vscode-azuretools#2255</a></li> <li>appservice: Use functionDebugLink for Functions apps in remote debugging by <a href="https://github.com/nturinski"><code>@nturinski</code></a> in <a href="https://redirect.github.com/microsoft/vscode-azuretools/pull/2256">microsoft/vscode-azuretools#2256</a></li> </ul> <h2>microsoft-vscode-azext-azureappservice v4.2.3</h2> <ul> <li>Add appInsights to the resources that need to check for relatedNames <a href="https://redirect.github.com/microsoft/vscode-azuretools/pull/2250">microsoft/vscode-azuretools#2250</a></li> <li>Bump <code>picomatch</code> in /appservice <a href="https://redirect.github.com/microsoft/vscode-azuretools/pull/2240">microsoft/vscode-azuretools#2240</a></li> <li>npm audit fix in all package subfolders <a href="https://redirect.github.com/microsoft/vscode-azuretools/pull/2235">microsoft/vscode-azuretools#2235</a></li> </ul> <h2>microsoft-vscode-azext-azureauth v4.2.2</h2> <ul> <li><a href="https://redirect.github.com/microsoft/vscode-azuretools/pull/2073">#2073</a> Changes to adjust to proposed API changes</li> </ul> <h2>microsoft-vscode-azext-azureappservice v4.2.2</h2> <p>No release notes provided.</p> <h2>microsoft-vscode-azext-azureauth v4.2.1</h2> <ul> <li><a href="https://redirect.github.com/microsoft/vscode-azuretools/pull/2068">#2068</a> Changes to adjust to proposed API changes</li> </ul> <h2>microsoft-vscode-azext-azureappservice v4.2.1</h2> <p>No release notes provided.</p> <h2>microsoft-vscode-azext-azureutils v4.2.1</h2> <p>No release notes provided.</p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li>See full diff in <a href="https://github.com/Microsoft/vscode-azuretools/commits">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=@microsoft/vscode-azext-azureutils&package-manager=npm_and_yarn&previous-version=4.2.0&new-version=4.3.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> ###### Microsoft Reviewers: [Open in CodeFlow](https://microsoft.github.io/open-pr/?codeflow=https://github.com/Azure/bicep/pull/19845) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [tmp](https://github.com/raszi/node-tmp) from 0.2.6 to 0.2.7. <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/raszi/node-tmp/commit/8ea1f37d75c67569e0f151448330d52f7babf211"><code>8ea1f37</code></a> Bump up the version</li> <li><a href="https://github.com/raszi/node-tmp/commit/8f24f788a356b5d45c9bec894632bd4931338153"><code>8f24f78</code></a> Merge commit from fork</li> <li><a href="https://github.com/raszi/node-tmp/commit/ce787f37aaacccad921ae90990c9da33481fe59c"><code>ce787f3</code></a> Reject non-string prefix, postfix, template</li> <li>See full diff in <a href="https://github.com/raszi/node-tmp/compare/v0.2.6...v0.2.7">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=tmp&package-manager=npm_and_yarn&previous-version=0.2.6&new-version=0.2.7)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/Azure/bicep/network/alerts). </details> ###### Microsoft Reviewers: [Open in CodeFlow](https://microsoft.github.io/open-pr/?codeflow=https://github.com/Azure/bicep/pull/19881) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [react](https://github.com/facebook/react/tree/HEAD/packages/react) and [@types/react](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/react). These dependencies needed to be updated together. Updates `react` from 19.2.6 to 19.2.7 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/facebook/react/releases">react's releases</a>.</em></p> <blockquote> <h2>19.2.7 (June 1st, 2026)</h2> <h2>React Server Components</h2> <ul> <li>Fixed missing <code>FormData</code> entries in Server Actions which regressed in 19.2.6 (<a href="https://redirect.github.com/facebook/react/pull/36566">#36566</a> by <a href="https://github.com/unstubbable"><code>@unstubbable</code></a>)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/react/react/commit/6117d7cca4906492c51fe6a03381e35adfd86e7d"><code>6117d7c</code></a> Version 19.2.7 (<a href="https://github.com/facebook/react/tree/HEAD/packages/react/issues/36591">#36591</a>)</li> <li>See full diff in <a href="https://github.com/facebook/react/commits/v19.2.7/packages/react">compare view</a></li> </ul> </details> <details> <summary>Maintainer changes</summary> <p>This version was pushed to npm by <a href="https://www.npmjs.com/~GitHub%20Actions">GitHub Actions</a>, a new releaser for react since your current version.</p> </details> <br /> Updates `@types/react` from 19.2.15 to 19.2.17 <details> <summary>Commits</summary> <ul> <li>See full diff in <a href="https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/react">compare view</a></li> </ul> </details> <br /> --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Anthony Martin <38542602+anthony-c-martin@users.noreply.github.com>

Updated [Sarif.Sdk](https://github.com/Microsoft/sarif-sdk) from 4.6.4 to 5.0.9. <details> <summary>Release notes</summary> _Sourced from [Sarif.Sdk's releases](https://github.com/Microsoft/sarif-sdk/releases)._ ## 4.6.5 ## **v4.6.5** [Sdk](https://www.nuget.org/packages/Sarif.Sdk/v4.6.5) | [Driver](https://www.nuget.org/packages/Sarif.Driver/v4.6.5) | [Converters](https://www.nuget.org/packages/Sarif.Converters/v4.6.5) | [Multitool](https://www.nuget.org/packages/Sarif.Multitool/v4.6.5) | [Multitool Library](https://www.nuget.org/packages/Sarif.Multitool.Library/v4.6.5) * BUG: Fix `AccessViolationException` in `EnumeratedArtifact.RetrieveDataFromStream` when the caller-provided stream's `Seek` re-enters native code (e.g. ASP.NET WebAPI's `SeekableBufferedRequestStream` over IIS's `HttpBufferlessInputStream`). Always rewind via `PeekableStream` instead of trusting `Stream.CanSeek`. Commits viewable in [compare view](https://github.com/Microsoft/sarif-sdk/commits). </details> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=Sarif.Sdk&package-manager=nuget&previous-version=4.6.4&new-version=5.0.9)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> ###### Microsoft Reviewers: [Open in CodeFlow](https://microsoft.github.io/open-pr/?codeflow=https://github.com/Azure/bicep/pull/19876) --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Anthony Martin <38542602+anthony-c-martin@users.noreply.github.com>

Updated [SharpYaml](https://github.com/xoofx/SharpYaml) from 2.1.4 to 3.10.0. <details> <summary>Release notes</summary> _Sourced from [SharpYaml's releases](https://github.com/xoofx/SharpYaml/releases)._ ## 3.10.0 # Changes ## 🧰 Misc - Support conditional YamlIgnore (#146) (a52926d2) - Emit static source for attribute branches (df481f41) **Full Changelog**: [3.9.0...3.10.0](xoofx/SharpYaml@3.9.0...3.10.0) <sub>Published with [dotnet-releaser](https://github.com/xoofx/dotnet-releaser/)</sub> ## 3.9.0 # Changes ## 🐛 Bug Fixes - Fix YamlNode deserialization location preservation (#144) (c6fc4f27) ## 🧰 Misc - Expose YamlValue scalar event (#145) (59c83b63) **Full Changelog**: [3.8.0...3.9.0](xoofx/SharpYaml@3.8.0...3.9.0) <sub>Published with [dotnet-releaser](https://github.com/xoofx/dotnet-releaser/)</sub> ## 3.8.0 # Changes ## ✨ New Features - Add block sequence item style controls (#142) (66c0590f) **Full Changelog**: [3.7.2...3.8.0](xoofx/SharpYaml@3.7.2...3.8.0) <sub>Published with [dotnet-releaser](https://github.com/xoofx/dotnet-releaser/)</sub> ## 3.7.2 # Changes ## 🐛 Bug Fixes - Fix support YamlNode in source-generated contexts (#143) (835c70a9) **Full Changelog**: [3.7.1...3.7.2](xoofx/SharpYaml@3.7.1...3.7.2) <sub>Published with [dotnet-releaser](https://github.com/xoofx/dotnet-releaser/)</sub> ## 3.7.1 # Changes ## ✨ New Features - Add inheritance test (ec342ea3) ## 🐛 Bug Fixes - Fix source-gen YAML null strings (056e1e2e) **Full Changelog**: [3.7.0...3.7.1](xoofx/SharpYaml@3.7.0...3.7.1) <sub>Published with [dotnet-releaser](https://github.com/xoofx/dotnet-releaser/)</sub> ## 3.7.0 # Changes ## 🐛 Bug Fixes - Apply UnknownDerivedTypeHandling.Fail to tag-based polymorphism (PR #133) by @fdcastel - Suppress SHARPYAML002 when a converter handles the type (PR #140) by @fdcastel ## 🚀 Enhancements - Clarify tag-only YamlDerivedType does not set default derived type (PR #134) by @fdcastel - Add YamlSerializerContext.CreateOptions for per-call option overrides (PR #138) by @fdcastel ## 📚 Documentation - Expand converter documentation with registration methods and priority (PR #137) by @fdcastel ## 🧰 Misc - Support C# `required` keyword in source generation and reflection (PR #139) by @fdcastel **Full Changelog**: [3.6.0...3.7.0](xoofx/SharpYaml@3.6.0...3.7.0) <sub>Published with [dotnet-releaser](https://github.com/xoofx/dotnet-releaser/)</sub> ## 3.6.0 # Changes ## 🚀 Enhancements - Add support for OrderedDictionary<TKey, TValue> (.NET 9+) (PR #131) by @fdcastel - feat: add runtime derived type registration for cross-project polymorphism (PR #132) by @fdcastel ## 🧰 Misc - Avoid materializing dictionaries when serializing (0d973b53) - Deduplicate dictionary converter helpers (ebe1f709) - Eliminate source generator build warnings (e1b7f244) - Implement cross-project polymorphism (07592b22) **Full Changelog**: [3.5.0...3.6.0](xoofx/SharpYaml@3.5.0...3.6.0) <sub>Published with [dotnet-releaser](https://github.com/xoofx/dotnet-releaser/)</sub> ## 3.5.0 # Changes ## ✨ New Features - Add object creation handling support (66710dab) **Full Changelog**: [3.4.0...3.5.0](xoofx/SharpYaml@3.4.0...3.5.0) <sub>Published with [dotnet-releaser](https://github.com/xoofx/dotnet-releaser/)</sub> ## 3.4.0 # Changes ## ✨ New Features - Add YAML max depth guard (1535fb06) **Full Changelog**: [3.3.0...3.4.0](xoofx/SharpYaml@3.3.0...3.4.0) <sub>Published with [dotnet-releaser](https://github.com/xoofx/dotnet-releaser/)</sub> ## 3.3.0 # Changes ## ✨ New Features - Add unmapped-member handling migration support (681a2de6) ## 🐛 Bug Fixes - Fix schema-aware scalar resolution (1e6500b0) ## 🧰 Misc - Harden nullable generator regression tests (bc51718a) **Full Changelog**: [3.2.0...3.3.0](xoofx/SharpYaml@3.2.0...3.3.0) <sub>Published with [dotnet-releaser](https://github.com/xoofx/dotnet-releaser/)</sub> ## 3.2.0 # Changes ## ✨ New Features - Add back link to Tomlyn (98f6bd64) ## 🐛 Bug Fixes - Fix YAML source-generation root attributes (32e33360) ## 🧰 Misc - Support constructor attributes across serializers (84911d51) **Full Changelog**: [3.1.0...3.2.0](xoofx/SharpYaml@3.1.0...3.2.0) <sub>Published with [dotnet-releaser](https://github.com/xoofx/dotnet-releaser/)</sub> ## 3.1.0 # Changes ## 🚀 Enhancements - Preallocate dictionaries with expected capacity (PR #125) by @SimonCropp ## 🧰 Misc - Use TryGetValue to avoid double dictionary lookup (PR #126) by @SimonCropp - Use file scope namespace (21f6daca) - Docs: convert API references to xref (7a0b9eae) - Support default derived type without discriminator for polymorphic deserialization (8575ff6c) - Support UnknownDerivedTypeHandling on YamlPolymorphicAttribute (b34654c7) - Support integer discriminators and ensure Json/Yaml attribute parity for polymorphism (93c1b768) **Full Changelog**: [3.0.0...3.1.0](xoofx/SharpYaml@3.0.0...3.1.0) <sub>Published with [dotnet-releaser](https://github.com/xoofx/dotnet-releaser/)</sub> ## 3.0.0 # Changes ## ✨ New Features - Add instructions (bb5669ef) - Add SharpYaml3 specification (719972bd) - Add v3 serializer API skeleton and docs (a4207490) - Add source generator baseline and JSON attribute support (b0d00f30) - Add lossless syntax tree API with spans and tests (dc9c8be6) - Add v3 golden-file serializer coverage (5fdb8d67) - Add NativeAOT smoke sample project (63eb9a97) - Add YAML converter API surface (e9920ba9) - Add polymorphism via discriminator and tags (4ff9f17c) - Add net10 benchmark suite vs YamlDotNet (f44b8b1e) - Add core YAML scalar and mapping serializer tests (3d5a4064) - Add parser/scanner error-path coverage tests (3c24a48d) - Add Emitter edge-case tests (4b2971f0) - Add comprehensive YAML 1.2 spec edge case tests (713efcbf) - Add YamlAttribute base class (5c12b356) - Add lifecycle callbacks for YAML serialization (2ea55f29) - Add YamlExtensionData support for overflow properties (15aae5c2) - Add YamlConverterAttribute for custom converters (289a4d8e) - Add svg logo (a3229804) - Add benchmark results (7d4373b7) - Add netstandard2.0 target (PolySharp + conditional System.Text.Json) (32f3d46b) - Add built-in DateTime/Guid/TimeSpan converters (0fe77904) - Add site.yml workflow (0996915a) - Add IBufferWriter<char> serialization overloads (7cf50ce0) - Add collection and non-string dictionary support (reflection) (8dcf1951) - Add merge key (<<) support for Core/Extended (cef01b1b) - Add net8.0 target framework (4e4c41b9) ## 🐛 Bug Fixes - Fix YAML writer escaping for control chars (9361d1fe) - Fix warnings in YamlSerializerOptions (ab23407e) - Fix: accept YAML 1.2 %YAML directives (ef0c9138) - Fix: improve EventReader.Expect exception message (59b0f632) - Fix: allow ':' in flow plain scalars (56535768) - Fix: stream TextReader deserialization (9366fe84) - Fix: make InsertionQueue internal (4c758ce3) - Fix anchor handling for immutable collections (40cb7294) - Fix site readme.md (4dd6c7bc) - Fix icons (ec9e0390) - Fix package readme inclusion (da9f3c5d) ## 🚀 Enhancements - Refactor typeinfo IO protocol and optimize YAML writing (05ad66f3) - Refactor reader/writer base, options record, JsonNamingPolicy (5bac5355) ... (truncated) Commits viewable in [compare view](xoofx/SharpYaml@2.1.4...3.10.0). </details> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=SharpYaml&package-manager=nuget&previous-version=2.1.4&new-version=3.10.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> ###### Microsoft Reviewers: [Open in CodeFlow](https://microsoft.github.io/open-pr/?codeflow=https://github.com/Azure/bicep/pull/19877) --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Anthony Martin <38542602+anthony-c-martin@users.noreply.github.com>

## Description When developing modules that are published to a module registry, this feature will add the ability to test existing templates by adding a moduleAliasMock that will redirect a br/alias to a filesystem path. Fixes Azure#17096 ## Example Usage Having an existing template that deploys a module using the following code: *main.bicep* ```bicep module myModule 'br/myregistry:mymodule:1.0.0' = {} output mainOutput string = myModule.outputs.moduleOutput ``` I want to make changes to mymodule and need to validate them before publishing version 1.0.1 to my registry. I update mymodule and save it as `mymodule.bicep` in a subfolder named `bicepmodules`. *bicepmodules/mymodule.bicep* ```bicep output moduleOutput string = 'Hello from myModule version 1.0.1' ``` To make my template (main.bicep) use the updated module on my filesystem instead of the one from my container registry, I update my `bicepconfig.json` to the following: *bicepconfig.json* ```json { "moduleAliases": { "br": { "myregistry": { "registry": "templates.azurecr.io" } } }, "moduleAliasesMock": { "br": { "myregistry": { "fileSystem": "bicepmodules" } } } } ``` > This is using the new configuration item moduleAliasesMock with the required property `"filesystem"` instead of `"registry"` which will emulate having a read-only OCI registry. I have intentionally not exposed a new prefix for moduleAliases to be able to deploy existing templates that are using the br/ prefix. ## Checklist - [x] I have read and adhere to the [contribution guide](https://github.com/Azure/bicep/blob/main/CONTRIBUTING.md). ###### Microsoft Reviewers: [Open in CodeFlow](https://microsoft.github.io/open-pr/?codeflow=https://github.com/Azure/bicep/pull/19452) --------- Co-authored-by: Copilot <copilot@github.com>

…re#19882) ## Description - Update release checklist to add step to run pipeline to publish vscode extension. - Removed step to run upload nuget package script since this is already automated ## Checklist - [x] I have read and adhere to the [contribution guide](https://github.com/Azure/bicep/blob/main/CONTRIBUTING.md). ###### Microsoft Reviewers: [Open in CodeFlow](https://microsoft.github.io/open-pr/?codeflow=https://github.com/Azure/bicep/pull/19882)

- Introduces `PooledBicepClientFactory` that shares a single underlying Bicep CLI client per configuration, with lightweight wrappers that can be disposed independently - Automatically evicts idle clients after a configurable inactivity interval (default 30s), recreating them on demand - Extracts `IJsonRpcClient` interface to make `BicepClient` unit-testable without requiring a full CLI process - Adds comprehensive test coverage for client pooling, eviction, JSON-RPC framing, version validation, and CLI download flows

…Azure#19174) Fix decorator completions for properties inside inline object types (for example, `param foo { @| name: string }`) to suggest decorators based on the property's type rather than the enclosing declaration's type. Fixes Azure#16942 ## Example Usage Before this fix, typing `@` on an inline object type property would show incomplete completions: ```bicep param clusterSettings { @ // Previously suggested `@sealed`, `@discriminator` (object-level) name: string } ``` With this PR, completions align with the property's type; ```bicep param clusterSettings { @ // Now suggests `@minLength`, `@maxLength`, `@description`, `@metadata` (string-level) name: string } ``` ###### Microsoft Reviewers: [Open in CodeFlow](https://microsoft.github.io/open-pr/?codeflow=https://github.com/Azure/bicep/pull/19174)

…#19884) ## Description Computes the Bicep visualizer's graph layout in the language server with MSAGL instead of in the webview with ELK, behind the off-by-default `bicep.visualizer.serverLayout.enabled` flag. This covers **Phase 5** (server-side layout engine, shadow mode) and **Phase 6** (applying server layout in the webview) of the [visualizer MSAGL layout migration](https://github.com/Azure/bicep/blob/shenglol/layout-engine-3/docs/visualizer-msagl-layout-migration/plan.md). Default behavior is unchanged while the flag is off. The two commits map to the two phases: - **Add server-side MSAGL visual graph layout engine** — `IVisualGraphLayoutEngine` / `MsaglVisualGraphLayoutEngine` run a layered (Sugiyama) top-to-bottom layout. Nested module scopes are laid out independently and composed into parent boxes (MSAGL clusters proved unreliable at runtime). Shared defaults live in `VisualGraphLayoutOptions.Default`. Engine + differ unit tests included, with a performance smoke test. - **Apply server-driven visual graph layout in the webview** — splits the protocol into a topology/metadata update (`textDocument/visualGraphUpdate`) and a measured layout request (`textDocument/visualGraphLayout`) that carries client-measured node sizes; applies server positions in the webview and gates the legacy ELK auto-layout behind `serverLayoutActiveAtom`. Notable details for reviewers: - **Layout invalidation** is derived on the client by comparing `updateNode` field *values* (not presence), so range-only edits (e.g. deleting a blank line) never reflow. The rule is centralized in `layout-invalidation.ts`. - **Animations preserved**: nodes spring to their server positions (motion), and the layout fit uses the same bounds as the Fit View button, so re-layout / add / remove animate and the two controls agree to the pixel. Measured node sizes are rounded to integers so module boxes stay stable and re-layout is idempotent. - **Single in-flight** request loop with a dirty flag; Reset Layout is routed through the same slot so it cannot race a document-change update. - The server stays **stateless per request**, validating each measured layout request against the live compilation. Rationale and the full message flow are documented in `src/vscode-bicep-ui/apps/visual-designer/visual-graph-protocol.md`. ## Example Usage Enable the flag and open the visualizer: ```jsonc "bicep.visualizer.serverLayout.enabled": true ``` Then run **Open Bicep Visualizer** on a `.bicep` file with resources/modules. Editing the file animates incremental layout changes; the Reset Layout button re-runs the server layout. With the flag off (default), the existing ELK path is used and behavior is unchanged. ## Checklist - [x] I have read and adhere to the [contribution guide](https://github.com/Azure/bicep/blob/main/CONTRIBUTING.md). ###### Microsoft Reviewers: [Open in CodeFlow](https://microsoft.github.io/open-pr/?codeflow=https://github.com/Azure/bicep/pull/19884)

Bumps [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) from 7.3.2 to 7.3.5. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/vitejs/vite/releases">vite's releases</a>.</em></p> <blockquote> <h2>v7.3.5</h2> <p>Please refer to <a href="https://github.com/vitejs/vite/blob/v7.3.5/packages/vite/CHANGELOG.md">CHANGELOG.md</a> for details.</p> <h2>v7.3.3</h2> <p>Please refer to <a href="https://github.com/vitejs/vite/blob/v7.3.3/packages/vite/CHANGELOG.md">CHANGELOG.md</a> for details.</p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/vitejs/vite/blob/v7.3.5/packages/vite/CHANGELOG.md">vite's changelog</a>.</em></p> <blockquote> <h2><a href="https://github.com/vitejs/vite/compare/v7.3.3...v7.3.5">7.3.5</a> (2026-06-01)</h2> <h3>Bug Fixes</h3> <ul> <li>backport <a href="https://redirect.github.com/vitejs/vite/issues/22572">#22572</a>, reject windows alternate paths (<a href="https://redirect.github.com/vitejs/vite/issues/22574">#22574</a>) (<a href="https://github.com/vitejs/vite/commit/8c1855607b7c9884c4565d897ee98899a008a2d0">8c18556</a>)</li> <li><strong>deps:</strong> backport <a href="https://redirect.github.com/vitejs/vite/issues/22571">#22571</a>, reject UNC paths for launch-editor-middleware (<a href="https://redirect.github.com/vitejs/vite/issues/22573">#22573</a>) (<a href="https://github.com/vitejs/vite/commit/f20d64bef6e0ef1e4fa7a9783281c7bba0ce5292">f20d64b</a>)</li> </ul> <h3>Miscellaneous Chores</h3> <ul> <li>skip v7.3.4 release (<a href="https://github.com/vitejs/vite/commit/8a6a0c9fc734dbfe293ac33a4954506ee50430e1">8a6a0c9</a>)</li> </ul> <h2><a href="https://github.com/vitejs/vite/compare/v7.3.3...v7.3.4">7.3.4</a> (2026-06-01)</h2> <h3>Bug Fixes</h3> <ul> <li>backport <a href="https://redirect.github.com/vitejs/vite/issues/22572">#22572</a>, reject windows alternate paths (<a href="https://redirect.github.com/vitejs/vite/issues/22574">#22574</a>) (<a href="https://github.com/vitejs/vite/commit/8c1855607b7c9884c4565d897ee98899a008a2d0">8c18556</a>)</li> <li><strong>deps:</strong> backport <a href="https://redirect.github.com/vitejs/vite/issues/22571">#22571</a>, reject UNC paths for launch-editor-middleware (<a href="https://redirect.github.com/vitejs/vite/issues/22573">#22573</a>) (<a href="https://github.com/vitejs/vite/commit/f20d64bef6e0ef1e4fa7a9783281c7bba0ce5292">f20d64b</a>)</li> </ul> <h2><a href="https://github.com/vitejs/vite/compare/v7.3.2...v7.3.3">7.3.3</a> (2026-05-07)</h2> <h3>Bug Fixes</h3> <ul> <li>avoid destructure lowering for newer safari (<a href="https://redirect.github.com/vitejs/vite/issues/22346">#22346</a>) (<a href="https://github.com/vitejs/vite/commit/5ab51c0f76f0896175e02ad797c1f5fe116d02f4">5ab51c0</a>)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/vitejs/vite/commit/077945cb60df372a52cf999b6e532ba70fac7423"><code>077945c</code></a> release: v7.3.5</li> <li><a href="https://github.com/vitejs/vite/commit/8a6a0c9fc734dbfe293ac33a4954506ee50430e1"><code>8a6a0c9</code></a> chore: skip v7.3.4 release</li> <li><a href="https://github.com/vitejs/vite/commit/8c1855607b7c9884c4565d897ee98899a008a2d0"><code>8c18556</code></a> fix: backport <a href="https://github.com/vitejs/vite/tree/HEAD/packages/vite/issues/22572">#22572</a>, reject windows alternate paths (<a href="https://github.com/vitejs/vite/tree/HEAD/packages/vite/issues/22574">#22574</a>)</li> <li><a href="https://github.com/vitejs/vite/commit/f20d64bef6e0ef1e4fa7a9783281c7bba0ce5292"><code>f20d64b</code></a> fix(deps): backport <a href="https://github.com/vitejs/vite/tree/HEAD/packages/vite/issues/22571">#22571</a>, reject UNC paths for launch-editor-middleware (<a href="https://github.com/vitejs/vite/tree/HEAD/packages/vite/issues/2">#2</a>...</li> <li><a href="https://github.com/vitejs/vite/commit/ca31424cccb075c88131132b929a63527d0e2b69"><code>ca31424</code></a> release: v7.3.3</li> <li><a href="https://github.com/vitejs/vite/commit/5ab51c0f76f0896175e02ad797c1f5fe116d02f4"><code>5ab51c0</code></a> fix: avoid destructure lowering for newer safari (<a href="https://github.com/vitejs/vite/tree/HEAD/packages/vite/issues/22346">#22346</a>)</li> <li>See full diff in <a href="https://github.com/vitejs/vite/commits/v7.3.5/packages/vite">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=vite&package-manager=npm_and_yarn&previous-version=7.3.2&new-version=7.3.5)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/Azure/bicep/network/alerts). </details> ###### Microsoft Reviewers: [Open in CodeFlow](https://microsoft.github.io/open-pr/?codeflow=https://github.com/Azure/bicep/pull/19893) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [form-data](https://github.com/form-data/form-data) from 4.0.5 to 4.0.6. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/form-data/form-data/blob/master/CHANGELOG.md">form-data's changelog</a>.</em></p> <blockquote> <h2><a href="https://github.com/form-data/form-data/compare/v4.0.5...v4.0.6">v4.0.6</a> - 2026-06-12</h2> <h3>Commits</h3> <ul> <li>[Fix] escape CR, LF, and <code>"</code> in field names and filenames <a href="https://github.com/form-data/form-data/commit/8dff42c6da654ed4e7ad4acb7f8ccd3831217c99"><code>8dff42c</code></a></li> <li>[Dev Deps] update <code>@ljharb/eslint-config</code>, <code>auto-changelog</code>, <code>tape</code> <a href="https://github.com/form-data/form-data/commit/f31d21ef10bf46e46344c3ee4f99acbef6be43e1"><code>f31d21e</code></a></li> <li>[Deps] update <code>hasown</code>, <code>mime-types</code> <a href="https://github.com/form-data/form-data/commit/92ae0eb5da94d6f01925d5f4fcffb2a1e50ed7cd"><code>92ae0eb</code></a></li> <li>[Dev Deps] update <code>js-randomness-predictor</code> <a href="https://github.com/form-data/form-data/commit/67b0f65c2e0b065a511d42227d35e4d367644e97"><code>67b0f65</code></a></li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/form-data/form-data/commit/64190db548c0179e37206858e39f27cf513e9435"><code>64190db</code></a> v4.0.6</li> <li><a href="https://github.com/form-data/form-data/commit/92ae0eb5da94d6f01925d5f4fcffb2a1e50ed7cd"><code>92ae0eb</code></a> [Deps] update <code>hasown</code>, <code>mime-types</code></li> <li><a href="https://github.com/form-data/form-data/commit/f31d21ef10bf46e46344c3ee4f99acbef6be43e1"><code>f31d21e</code></a> [Dev Deps] update <code>@ljharb/eslint-config</code>, <code>auto-changelog</code>, <code>tape</code></li> <li><a href="https://github.com/form-data/form-data/commit/8dff42c6da654ed4e7ad4acb7f8ccd3831217c99"><code>8dff42c</code></a> [Fix] escape CR, LF, and <code>"</code> in field names and filenames</li> <li><a href="https://github.com/form-data/form-data/commit/67b0f65c2e0b065a511d42227d35e4d367644e97"><code>67b0f65</code></a> [Dev Deps] update <code>js-randomness-predictor</code></li> <li>See full diff in <a href="https://github.com/form-data/form-data/compare/v4.0.5...v4.0.6">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=form-data&package-manager=npm_and_yarn&previous-version=4.0.5&new-version=4.0.6)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/Azure/bicep/network/alerts). </details> ###### Microsoft Reviewers: [Open in CodeFlow](https://microsoft.github.io/open-pr/?codeflow=https://github.com/Azure/bicep/pull/19891) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [undici](https://github.com/nodejs/undici) from 7.26.0 to 7.28.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/nodejs/undici/releases">undici's releases</a>.</em></p> <blockquote> <h2>v7.28.0</h2> <h1>⚠️ Security Release</h1> <p>This release line addresses <strong>7 security advisories</strong>, all shipped in <strong>v7.28.0</strong>.</p> <blockquote> <p><strong>Action required:</strong> Upgrade to <strong>undici 7.28.0</strong> or later.</p> <pre lang="sh"><code>npm install undici@^7.28.0 </code></pre> </blockquote> <p>The v7 line is <strong>not</strong> affected by GHSA-38rv-x7px-6hhq (CVE-2026-9675), which is an 8.x-only regression.</p> <blockquote> <p><strong>Note on GHSA-hm92-r4w5-c3mj:</strong> this fix shipped in <strong>v7.28.0</strong>, not the earlier 7.2x line — the vulnerable single-pool code was still present through <code>v7.27.2</code>. The per-origin pool fix is <a href="https://github.com/nodejs/undici/commit/3805b8f8"><code>3805b8f8</code></a> (<a href="https://redirect.github.com/nodejs/undici/pull/5041">#5041</a>).</p> </blockquote> <h2>Summary</h2> <table> <thead> <tr> <th>Advisory</th> <th>CVE</th> <th>Severity (CVSS)</th> <th>Fixed in</th> <th>Fix commit</th> </tr> </thead> <tbody> <tr> <td><a href="https://github.com/nodejs/undici/security/advisories/GHSA-vxpw-j846-p89q">GHSA-vxpw-j846-p89q</a></td> <td>CVE-2026-12151</td> <td>High (7.5)</td> <td>7.28.0</td> <td><a href="https://github.com/nodejs/undici/commit/8cb10f98"><code>8cb10f98</code></a></td> </tr> <tr> <td><a href="https://github.com/nodejs/undici/security/advisories/GHSA-vmh5-mc38-953g">GHSA-vmh5-mc38-953g</a></td> <td>CVE-2026-9697</td> <td>High (7.4)</td> <td>7.28.0</td> <td><a href="https://github.com/nodejs/undici/commit/04201f89"><code>04201f89</code></a></td> </tr> <tr> <td><a href="https://github.com/nodejs/undici/security/advisories/GHSA-hm92-r4w5-c3mj">GHSA-hm92-r4w5-c3mj</a></td> <td>CVE-2026-6734</td> <td>High (7.5)</td> <td>7.28.0</td> <td><a href="https://github.com/nodejs/undici/commit/3805b8f8"><code>3805b8f8</code></a></td> </tr> <tr> <td><a href="https://github.com/nodejs/undici/security/advisories/GHSA-pr7r-676h-xcf6">GHSA-pr7r-676h-xcf6</a></td> <td>CVE-2026-9678</td> <td>Moderate (5.9)</td> <td>7.28.0</td> <td><a href="https://github.com/nodejs/undici/commit/85a24055"><code>85a24055</code></a></td> </tr> <tr> <td><a href="https://github.com/nodejs/undici/security/advisories/GHSA-p88m-4jfj-68fv">GHSA-p88m-4jfj-68fv</a></td> <td>CVE-2026-9679</td> <td>Moderate (5.9)</td> <td>7.28.0</td> <td><a href="https://github.com/nodejs/undici/commit/d0574cc4"><code>d0574cc4</code></a></td> </tr> <tr> <td><a href="https://github.com/nodejs/undici/security/advisories/GHSA-g8m3-5g58-fq7m">GHSA-g8m3-5g58-fq7m</a></td> <td>CVE-2026-11525</td> <td>Low (3.7)</td> <td>7.28.0</td> <td><a href="https://github.com/nodejs/undici/commit/d0574cc4"><code>d0574cc4</code></a></td> </tr> <tr> <td><a href="https://github.com/nodejs/undici/security/advisories/GHSA-35p6-xmwp-9g52">GHSA-35p6-xmwp-9g52</a></td> <td>CVE-2026-6733</td> <td>Low (3.7)</td> <td>7.28.0</td> <td><a href="https://github.com/nodejs/undici/commit/ea8930cf"><code>ea8930cf</code></a></td> </tr> </tbody> </table> <hr /> <h2>High severity</h2> <h3>WebSocket DoS via fragment count bypass — CVE-2026-12151</h3> <p><strong><a href="https://github.com/nodejs/undici/security/advisories/GHSA-vxpw-j846-p89q">GHSA-vxpw-j846-p89q</a></strong> · CWE-400, CWE-770 <strong>Fix:</strong> <a href="https://github.com/nodejs/undici/commit/8cb10f98"><code>8cb10f98</code></a> <em>websocket: limit the number of fragments in a message</em> (part of backport <a href="https://github.com/nodejs/undici/commit/a027a4a0"><code>a027a4a0</code></a> <em>Backport WebSocket maxPayloadSize fixes to v7.x</em>, <a href="https://redirect.github.com/nodejs/undici/pull/5423">#5423</a>)</p> <p>A malicious WebSocket server can stream a large number of small or empty continuation frames. Undici enforced a limit on cumulative payload size but did not limit the <em>number</em> of fragments per message, leading to unbounded memory growth and denial of service.</p> <ul> <li><strong>Affected:</strong> applications using <code>new WebSocket(...)</code> or <code>WebSocketStream</code> against untrusted endpoints.</li> <li><strong>Workaround:</strong> none — upgrade is required.</li> </ul> <h3>TLS certificate validation bypass in SOCKS5 ProxyAgent — CVE-2026-9697</h3> <p><strong><a href="https://github.com/nodejs/undici/security/advisories/GHSA-vmh5-mc38-953g">GHSA-vmh5-mc38-953g</a></strong> · CWE-295</p>  </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/nodejs/undici/commit/f9eba0ad9134e1c0977848476bba9d49734696e4"><code>f9eba0a</code></a> Bumped v7.28.0 (<a href="https://redirect.github.com/nodejs/undici/issues/5430">#5430</a>)</li> <li><a href="https://github.com/nodejs/undici/commit/a027a4a04c6c055877d1abaf5f60ee4917e7e01f"><code>a027a4a</code></a> Backport WebSocket maxPayloadSize fixes to v7.x (<a href="https://redirect.github.com/nodejs/undici/issues/5423">#5423</a>)</li> <li><a href="https://github.com/nodejs/undici/commit/8cb10f983eb6005dd53f3744d95d3b6d7dbcee0f"><code>8cb10f9</code></a> websocket: limit the number of fragments in a message</li> <li><a href="https://github.com/nodejs/undici/commit/04201f8947041f0f4f2ac865dbdb1677e46a8844"><code>04201f8</code></a> fix: honor requestTls when proxy is SOCKS5</li> <li><a href="https://github.com/nodejs/undici/commit/fcd642ff613ea9030dec87cf622e68d4b1ae9847"><code>fcd642f</code></a> fix(socks5): preserve dispatch backpressure return value (<a href="https://redirect.github.com/nodejs/undici/issues/5166">#5166</a>)</li> <li><a href="https://github.com/nodejs/undici/commit/bc98c97906abf26fa1e959b2f6111b53ade0e18f"><code>bc98c97</code></a> fix(socks5): use configured connector in Socks5ProxyAgent (<a href="https://redirect.github.com/nodejs/undici/issues/5168">#5168</a>)</li> <li><a href="https://github.com/nodejs/undici/commit/9e1c74372a2b27cacd92d27c13a83a6d84f10e0e"><code>9e1c743</code></a> fix(socks5): encode embedded IPv4 tails in IPv6 literals correctly (<a href="https://redirect.github.com/nodejs/undici/issues/5099">#5099</a>)</li> <li><a href="https://github.com/nodejs/undici/commit/376c8be27cb40cc17ccaad6b6ebb317fa7148d65"><code>376c8be</code></a> fix(socks5): enforce authenticated state before CONNECT (<a href="https://redirect.github.com/nodejs/undici/issues/5097">#5097</a>)</li> <li><a href="https://github.com/nodejs/undici/commit/3805b8f8518882991044048c256e005dc3c10a85"><code>3805b8f</code></a> fix(socks5-proxy-agent): use per-origin pools to prevent cross-origin routing...</li> <li><a href="https://github.com/nodejs/undici/commit/85a240551c9feb8b8a0ecc56c84b2b3015add8a9"><code>85a2405</code></a> fix(cache): trim qualified field names</li> <li>Additional commits viewable in <a href="https://github.com/nodejs/undici/compare/v7.26.0...v7.28.0">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=undici&package-manager=npm_and_yarn&previous-version=7.26.0&new-version=7.28.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/Azure/bicep/network/alerts). </details> ###### Microsoft Reviewers: [Open in CodeFlow](https://microsoft.github.io/open-pr/?codeflow=https://github.com/Azure/bicep/pull/19892) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

microsoft-github-policy-service Bot and others added 30 commits May 31, 2026 11:36

Reformat code (Azure#19717)

09ed688

Update code to match the house style 😎 Co-authored-by: Bicep Automation <bicep@noreply.github.com>

dependabot Bot and others added 29 commits June 14, 2026 23:48

Reformat code (Azure#19843)

11f63d2

Update code to match the house style 😎 Co-authored-by: Bicep Automation <bicep@noreply.github.com>

GABRIELNGBTUC merged commit 37ecbd6 into feature/fix-19750 Jun 19, 2026
26 checks passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Sync with main to resolve nuget audit advisory#5

Sync with main to resolve nuget audit advisory#5
GABRIELNGBTUC merged 108 commits into
feature/fix-19750from
main

GABRIELNGBTUC commented Jun 19, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

10 participants

Conversation

GABRIELNGBTUC commented Jun 19, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

10 participants