[automated] Merge branch 'release/9.0' => 'release/9.0-staging'#126136
Open
github-actions[bot] wants to merge 26 commits intorelease/9.0-stagingfrom
Open
[automated] Merge branch 'release/9.0' => 'release/9.0-staging'#126136github-actions[bot] wants to merge 26 commits intorelease/9.0-stagingfrom
github-actions[bot] wants to merge 26 commits intorelease/9.0-stagingfrom
Conversation
…ryptography.Xml components Apply mitigations to System.Security.Cryptography.Xml components Apply depth checks to a number of recursive components. Opt out of using unsafe transforms in EncryptedXml by default. Co-Authored-By: Pranav Senthilnathan <pranas@microsoft.com> ---- #### AI description (iteration 1) #### PR Classification Security mitigation that enforces strict XML recursion depth limits and safe transform validation to prevent DoS attacks. #### PR Summary This pull request strengthens the System.Security.Cryptography.Xml components against malicious XML payloads by introducing configurable recursion depth checks, safe transform validations, and comprehensive tests for deep or infinite XML structures. - **`tests/SignedXmlTest.cs` & `tests/EncryptedXmlTests.cs`**: Added tests covering infinite XSLT loops, deep XML document signing, and configurable recursion limit behaviors. - **`src/Security/Cryptography/Xml/EncryptedKey.cs` & `EncryptedData.cs`**: Refactored XML loading logic to use thread-static counters for tracking XML recursion depth and throwing exceptions when limits are exceeded. - **`src/Security/Cryptography/Xml/CanonicalizationDispatcher.cs`**: Integrated depth counters to abort processing on XML structures that exceed the safe nesting threshold. - **`src/Security/Cryptography/Xml/XmlDecryptionTransform.cs`**: Updated the decryption flow to track and limit recursive XML processing via work items with depth information. - **`src/Security/Cryptography/Xml/LocalAppContextSwitches.cs`**: Introduced new AppContext switches to configure maximum recursion depth and allowed dangerous XML transforms. <!-- GitOpsUserAgent=GitOps.Apps.Server.pullrequestcopilot -->
…ing CR or LF in MailAddressParser Adds early validation in MailAddressParser.TryParseAddress to reject email addresses containing CR or LF characters, preventing SMTP header injection via crafted mail address strings. This fix has already been merged in .NET Framework and needs to ship together with it. ---- #### AI description (iteration 1) #### PR Classification This pull request is a bug fix that strengthens input validation for email addresses by rejecting any address containing CR or LF characters. #### PR Summary The changes add a validation check in the mail address parser to throw a FormatException (or return false) when CR or LF characters are detected, and update tests accordingly to enforce the new behavior. - `src/libraries/System.Net.Mail/src/System/Net/Mail/MailAddressParser.cs`: Introduced a new check using MailBnfHelper.HasCROrLF to detect and reject mail addresses with CR or LF. - `src/libraries/System.Net.Mail/tests/Unit/MailAddressTests/MailAddressParserTest.cs`: Added tests that verify the parser throws an exception or returns false based on the throwExceptionIfFail flag. - `src/libraries/System.Net.Mail/tests/Unit/MailAddressTests/MailAddressParsingTest.cs`: Updated test cases to remove or adjust mail addresses containing CR or LF characters. <!-- GitOpsUserAgent=GitOps.Apps.Server.pullrequestcopilot -->
use AZL3 instead of Ubuntu for builds ---- #### AI description (iteration 1) #### PR Classification This pull request updates the build pipeline configuration. #### PR Summary The changes modify the Linux build pool setup to leverage AZL3 images instead of Ubuntu by conditionally selecting different build agent images based on the architecture type. - `eng/pipelines/common/xplat-setup.yml`: Replaced the fixed Ubuntu image demand with conditional expressions that assign `build.azurelinux.3.arm64` for ARM architectures and `build.azurelinux.3.amd64` for other architectures. <!-- GitOpsUserAgent=GitOps.Apps.Server.pullrequestcopilot -->
[release/9.0] update MsQuic MSRC 105190 ---- #### AI description (iteration 1) #### PR Classification Dependency update for MsQuic. #### PR Summary This pull request updates the MsQuic dependency to a newer version to keep the release aligned with recent improvements. - `/eng/Versions.props`: Updated `MicrosoftNativeQuicMsQuicSchannelVersion` from `2.4.8` to `2.4.17`. <!-- GitOpsUserAgent=GitOps.Apps.Server.pullrequestcopilot -->
This pull request updates the following dependencies [marker]: <> (Begin:Coherency Updates) ## Coherency Updates The following updates ensure that dependencies with a *CoherentParentDependency* attribute were produced in a build used as input to the parent dependency's build. See [Dependency Description Format](https://github.com/dotnet/arcade/blob/master/Documentation/DependencyDescriptionFormat.md#dependency-description-overview) [DependencyUpdate]: <> (Begin) - **Coherency Updates**: - **runtime.linux-arm64.Microsoft.NETCore.Runtime.JIT.Tools**: from 19.1.0-alpha.1.26152.4 to 19.1.0-alpha.1.26167.4 (parent: Microsoft.NET.Workload.Emscripten.Current.Manifest-9.0.100.Transport) - **runtime.linux-x64.Microsoft.NETCore.Runtime.JIT.Tools**: from 19.1.0-alpha.1.26152.4 to 19.1.0-alpha.1.26167.4 (parent: Microsoft.NET.Workload.Emscripten.Current.Manifest-9.0.100.Transport) - **runtime.linux-musl-arm64.Microsoft.NETCore.Runtime.JIT.Tools**: from 19.1.0-alpha.1.26152.4 to 19.1.0-alpha.1.26167.4 (parent: Microsoft.NET.Workload.Emscripten.Current.Manifest-9.0.100.Transport) - **runtime.linux-musl-x64.Microsoft.NETCore.Runtime.JIT.Tools**: from 19.1.0-alpha.1.26152.4 to 19.1.0-alpha.1.26167.4 (parent: Microsoft.NET.Workload.Emscripten.Current.Manifest-9.0.100.Transport) - **runtime.win-arm64.Microsoft.NETCore.Runtime.JIT.Tools**: from 19.1.0-alpha.1.26152.4 to 19.1.0-alpha.1.26167.4 (parent: Microsoft.NET.Workload.Emscripten.Current.Manifest-9.0.100.Transport) - **runtime.win-x64.Microsoft.NETCore.Runtime.JIT.Tools**: from 19.1.0-alpha.1.26152.4 to 19.1.0-alpha.1.26167.4 (parent: Microsoft.NET.Workload.Emscripten.Current.Manifest-9.0.100.Transport) - **runtime.osx-arm64.Microsoft.NETCore.Runtime.JIT.Tools**: from 19.1.0-alpha.1.26152.4 to 19.1.0-alpha.1.26167.4 (parent: Microsoft.NET.Workload.Emscripten.Current.Manifest-9.0.100.Transport) - **runtime.osx-x64.Microsoft.NETCore.Runtime.JIT.Tools**: from 19.1.0-alpha.1.26152.4 to 19.1.0-alpha.1.26167.4 (parent: Microsoft.NET.Workload.Emscripten.Current.Manifest-9.0.100.Transport) - **runtime.linux-arm64.Microsoft.NETCore.Runtime.Mono.LLVM.Sdk**: from 19.1.0-alpha.1.26152.4 to 19.1.0-alpha.1.26167.4 (parent: Microsoft.NET.Workload.Emscripten.Current.Manifest-9.0.100.Transport) - **runtime.linux-arm64.Microsoft.NETCore.Runtime.Mono.LLVM.Tools**: from 19.1.0-alpha.1.26152.4 to 19.1.0-alpha.1.26167.4 (parent: Microsoft.NET.Workload.Emscripten.Current.Manifest-9.0.100.Transport) - **runtime.linux-musl-arm64.Microsoft.NETCore.Runtime.Mono.LLVM.Sdk**: from 19.1.0-alpha.1.26152.4 to 19.1.0-alpha.1.26167.4 (parent: Microsoft.NET.Workload.Emscripten.Current.Manifest-9.0.100.Transport) - **runtime.linux-musl-arm64.Microsoft.NETCore.Runtime.Mono.LLVM.Tools**: from 19.1.0-alpha.1.26152.4 to 19.1.0-alpha.1.26167.4 (parent: Microsoft.NET.Workload.Emscripten.Current.Manifest-9.0.100.Transport) - **runtime.linux-x64.Microsoft.NETCore.Runtime.Mono.LLVM.Sdk**: from 19.1.0-alpha.1.26152.4 to 19.1.0-alpha.1.26167.4 (parent: Microsoft.NET.Workload.Emscripten.Current.Manifest-9.0.100.Transport) - **runtime.linux-x64.Microsoft.NETCore.Runtime.Mono.LLVM.Tools**: from 19.1.0-alpha.1.26152.4 to 19.1.0-alpha.1.26167.4 (parent: Microsoft.NET.Workload.Emscripten.Current.Manifest-9.0.100.Transport) - **runtime.linux-musl-x64.Microsoft.NETCore.Runtime.Mono.LLVM.Sdk**: from 19.1.0-alpha.1.26152.4 to 19.1.0-alpha.1.26167.4 (parent: Microsoft.NET.Workload.Emscripten.Current.Manifest-9.0.100.Transport) - **runtime.linux-musl-x64.Microsoft.NETCore.Runtime.Mono.LLVM.Tools**: from 19.1.0-alpha.1.26152.4 to 19.1.0-alpha.1.26167.4 (parent: Microsoft.NET.Workload.Emscripten.Current.Manifest-9.0.100.Transport) - **runtime.win-x64.Microsoft.NETCore.Runtime.Mono.LLVM.Sdk**: from 19.1.0-alpha.1.26152.4 to 19.1.0-alpha.1.26167.4 (parent: Microsoft.NET.Workload.Emscripten.Current.Manifest-9.0.100.Transport) - **runtime.win-x64.Microsoft.NETCore.Runtime.Mono.LLVM.Tools**: from 19.1.0-alpha.1.26152.4 to 19.1.0-alpha.1.26167.4 (parent: Microsoft.NET.Workload.Emscripten.Current.Manifest-9.0.100.Transport) - **runtime.osx-arm64.Microsoft.NETCore.Runtime.Mono.LLVM.Sdk**: from 19.1.0-alpha.1.26152.4 to 19.1.0-alpha.1.26167.4 (parent: Microsoft.NET.Workload.Emscripten.Current.Manifest-9.0.100.Transport) - **runtime.osx-arm64.Microsoft.NETCore.Runtime.Mono.LLVM.Tools**: from 19.1.0-alpha.1.26152.4 to 19.1.0-alpha.1.26167.4 (parent: Microsoft.NET.Workload.Emscripten.Current.Manifest-9.0.100.Transport) - **runtime.osx-x64.Microsoft.NETCore.Runtime.Mono.LLVM.Sdk**: from 19.1.0-alpha.1.26152.4 to 19.1.0-alpha.1.26167.4 (parent: Microsoft.NET.Workload.Emscripten.Current.Manifest-9.0.100.Transport) - **runtime.osx-x64.Microsoft.NETCore.Runtime.Mono.LLVM.Tools**: from 19.1.0-alpha.1.26152.4 to 19.1.0-alpha.1.26167.4 (parent: Microsoft.NET.Workload.Emscripten.Current.Manifest-9.0.100.Transport) [DependencyUpdate]: <> (End) [marker]: <> (End:Coherency Updates) [marker]: <> (Begin:f85f62c8-5e7d-4706-1003-08dcbc30275f) ## From https://github.com/dotnet/emsdk - **Subscription**: [f85f62c8-5e7d-4706-1003-08dcbc30275f](https://maestro.dot.net/subscriptions?search=f85f62c8-5e7d-4706-1003-08dcbc30275f) - **Build**: [20260325.1](https://dev.azure.com/dnceng/internal/_build/results?buildId=2935784) ([307773](https://maestro.dot.net/channel/3883/github:dotnet:emsdk/build/307773)) - **Date Produced**: March 25, 2026 9:15:21 PM UTC - **Commit**: [918f4eac9e7d238562abcc364ec417be11b108f0](dotnet/emsdk@918f4ea) - **Branch**: [release/9.0](https://github.com/dotnet/emsdk/tree/release/9.0) [DependencyUpdate]: <> (Begin) - **Dependency Updates**: - From [9.0.16-servicing.26160.4 to 9.0.15-servicing.26175.1][2] - Microsoft.SourceBuild.Intermediate.emsdk - Microsoft.NET.Workload.Emscripten.Current.Manifest-9.0.100.Transport - From [9.0.16 to 9.0.15][2] - Microsoft.NET.Workload.Emscripten.Current.Manifest-9.0.100 [2]: dotnet/emsdk@dee9781...918f4ea [DependencyUpdate]: <> (End) [marker]: <> (End:f85f62c8-5e7d-4706-1003-08dcbc30275f) --------- Co-authored-by: dotnet-maestro[bot] <dotnet-maestro[bot]@users.noreply.github.com>
> [!NOTE] > This PR was AI/Copilot-generated. Update the release/9.0 WASI and Browser WebAssembly Helix queue image references to the published Ubuntu 26.04 WebAssembly image. - `libraries/helix-queues-setup.yml`: move WASI, Browser WASM, and Browser WASM Firefox to `ubuntu-26.04-helix-webassembly-amd64` - `coreclr/templates/helix-queues-setup.yml`: move Browser WASM to the 26.04 amd64 image while preserving the existing host queue pattern on this branch - exact tag validated in `image-info.dotnet-dotnet-buildtools-prereqs-docker-main.json` Backport of #126524. Ref #125690, #126122 --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This PR updates version branding on branch `release/9.0`. **Changes:** - Repository: runtime - PatchVersion: `15` → `16` **Files Modified:** - eng/Versions.props (+2 -2)
This was referenced Apr 10, 2026
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Ahmet İbrahim Aksoy <aaksoy@microsoft.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: dotnet-maestro[bot] <42748379+dotnet-maestro[bot]@users.noreply.github.com> Co-authored-by: dotnet-maestro[bot] <dotnet-maestro[bot]@users.noreply.github.com> Co-authored-by: wfurt <tweinfurt@yahoo.com> Co-authored-by: Alexander Köplinger <alex.koeplinger@outlook.com> Co-authored-by: Marie Píchová <11718369+ManickaP@users.noreply.github.com>
…-merge-9.0-2026-04-14-1139
Co-authored-by: Mirroring <dnceng-mirroring@microsoft.com> Co-authored-by: Eirik George Tsarpalis <Eirik.Tsarpalis@microsoft.com> Co-authored-by: Ahmet Ibrahim Aksoy <aaksoy@microsoft.com> Co-authored-by: Tomas Weinfurt <toweinfu@microsoft.com> Co-authored-by: Tomas Weinfurt <Tomas.Weinfurt@microsoft.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
6 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
I detected changes in the release/9.0 branch which have not been merged yet to release/9.0-staging. I'm a robot and am configured to help you automatically keep release/9.0-staging up to date, so I've opened this PR.
This PR merges commits made on release/9.0 by the following committers:
Instructions for merging from UI
This PR will not be auto-merged. When pull request checks pass, complete this PR by creating a merge commit, not a squash or rebase commit.
If this repo does not allow creating merge commits from the GitHub UI, use command line instructions.
Instructions for merging via command line
Run these commands to merge this pull request from the command line.
or if you are using SSH
After PR checks are complete push the branch
Instructions for resolving conflicts
Instructions for updating this pull request
Contributors to this repo have permission update this pull request by pushing to the branch 'merge/release/9.0-to-release/9.0-staging'. This can be done to resolve conflicts or make other changes to this pull request before it is merged.
The provided examples assume that the remote is named 'origin'. If you have a different remote name, please replace 'origin' with the name of your remote.
or if you are using SSH
Contact .NET Core Engineering (dotnet/dnceng) if you have questions or issues.
Also, if this PR was generated incorrectly, help us fix it. See https://github.com/dotnet/arcade/blob/main/.github/workflows/scripts/inter-branch-merge.ps1.