[docs] Aspire 13.5 stub: security dependency update (CVE-2026-46681) #1183

Open
aspire-repo-bot[bot] wants to merge 1 commit into microsoft/aspire.dev:release/13.5 from microsoft/aspire.dev:docs/aspire-17539-security-dep-bump-31e2e258a77a8683

@aspire-repo-bot

Documents changes from microsoft/aspire#17539 by @dependabot.

What and why

This PR creates a stub What's new in Aspire 13.5 page that records the security dependency update shipped via microsoft/aspire#17539.

The source PR bumps npm packages across the repository (including the Visual Studio Code extension) and patches CVE-2026-46681 — a Prototype Pollution vulnerability in @nevware21/ts-utils (via objDeepCopy/objCopyProps using for...in without hasOwnProperty guards).

Target branch

Targeting release/13.4 — the latest release branch on microsoft/aspire.dev — because release/13.5 (from the source PR milestone 13.5) does not exist there.

Changes

  • Created src/frontend/src/content/docs/whats-new/aspire-13-5.mdx — stub What's new page for 13.5 noting the CVE fix
  • Updated src/frontend/config/sidebar/docs.topics.ts — adds Aspire 13.5 entry at the top of the What's new list

Note: This is a stub. As more 13.5 changes land, this page should be expanded with full release notes.

Note

🔒 Integrity filter blocked 1 item

The following item was blocked because it doesn't meet the GitHub integrity level.

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

Generated by PR Documentation Check for issue #17539 · ● 22.3M ·
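
The bug class named in the PR description, as an added example that is not part of the original PR and is not code from @nevware21/ts-utils: a recursive copy that walks `for...in` without an own-property guard, beside a guarded version. The function names, the `isAdmin` key and the sample input are constructed for illustration, and the guarded copy also skips `__proto__`, `constructor` and `prototype`, which goes beyond the guard the description mentions.

```javascript
// Added illustration of the bug class; not code from @nevware21/ts-utils.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
const isObj = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Unguarded copy: for...in also visits inherited enumerable keys, and a
// "__proto__" key makes target[key] resolve to the target's prototype.
function unsafeDeepCopy(target, source) {
  for (const key in source) {
    const value = source[key];
    if (isObj(value)) {
      if (!isObj(target[key])) target[key] = {};
      unsafeDeepCopy(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Guarded copy: own keys only, prototype-reaching keys skipped.
function safeDeepCopy(target, source) {
  for (const key in source) {
    if (!hasOwn(source, key) || BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (isObj(value)) {
      if (!hasOwn(target, key) || !isObj(target[key])) target[key] = {};
      safeDeepCopy(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed input. The target gets a private prototype so the demo never
// touches the global Object.prototype.
function demo(copy) {
  const sharedProto = {};
  const target = Object.create(sharedProto);
  const source = JSON.parse('{"name":"cfg","__proto__":{"isAdmin":true}}');
  Object.setPrototypeOf(source, { inherited: 'x' }); // inherited enumerable key
  copy(target, source);
  const sibling = Object.create(sharedProto); // unrelated object, same prototype
  return { name: target.name, siblingIsAdmin: sibling.isAdmin === true,
           copiedInherited: hasOwn(target, 'inherited') };
}

console.log({ unsafe: demo(unsafeDeepCopy), safe: demo(safeDeepCopy) });
```

With the unguarded copy, an object that merely shares the target's prototype picks up `isAdmin`, and the inherited key becomes an own property of the target; the guarded copy transfers only `name`.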

Documents the security dependency update from microsoft/aspire#17539:
- CVE-2026-46681 (Prototype Pollution in @nevware21/ts-utils) patched
  in the VS Code extension's npm dependencies
- Adds aspire-13-5.mdx stub page for the 13.5 what's new section
- Updates sidebar to list Aspire 13.5

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
aspire-repo-bot[bot] added the docs-from-code label (Copilot initiated issue from dotnet/aspire repo) Jun 2, 2026
aspire-repo-bot[bot] requested a review from mitchdenny June 2, 2026 09:11
IEvangelist changed the base branch from release/13.4 to release/13.5 June 5, 2026 20:36
IEvangelist marked this pull request as ready for review June 5, 2026 21:46
IEvangelist self-requested a review as a code owner June 5, 2026 21:46
Copilot AI review requested due to automatic review settings June 5, 2026 21:46

Copilot AI left a comment


Pull request overview

Adds a new “What’s new in Aspire 13.5” stub page to document the CVE-related dependency update (from microsoft/aspire#17539) and exposes it in the docs sidebar under “What’s new”.

Changes:

  • Added aspire-13-5.mdx stub release notes page describing the VS Code extension dependency update for CVE-2026-46681.
  • Updated the docs sidebar to include an “Aspire 13.5” entry at the top of the “What’s new” list.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| src/frontend/src/content/docs/whats-new/aspire-13-5.mdx | New stub “What’s new in Aspire 13.5” page documenting the security dependency update. |
| src/frontend/config/sidebar/docs.topics.ts | Adds the Aspire 13.5 page to the “What’s new” sidebar items. |


Comment on lines +12 to +15
import {
Aside,
Icon,
} from '@astrojs/starlight/components';

@IEvangelist IEvangelist left a comment


Source-of-truth branch mismatch — review skipped

Cannot verify this PR against microsoft/aspire.

  • PR base branch (microsoft/aspire.dev): release/13.5
  • Matching branch in microsoft/aspire: does not exist
  • Latest release branch in microsoft/aspire: release/13.4 (4f2189335)
  • Source PR cited in body: microsoft/aspire# — merged to main, milestone 13.5

My review protocol requires using the matching microsoft/aspire release branch as the single source of truth for claim verification. Because no release/13.5 branch exists on microsoft/aspire yet (13.5 has not been cut), I cannot verify the API/CLI/config claims in this PR against an authoritative source code snapshot for that release.

Possible resolutions:

  1. Re-target this PR to release/13.4 in aspire.dev if the documented behavior is already present in 13.4.
  2. Wait until release/13.5 is cut in microsoft/aspire, then re-run review against that branch.

Skipping Phase B (doc-tester) as well — running it without the Phase A claim verification would produce an incomplete review per protocol.

@IEvangelist

I can't process the outstanding feedback in this hourly pass because the PR targets release/13.5, but microsoft/aspire still has no matching release/13.5 branch after fetching upstream.

Source-of-truth check:

  • microsoft/aspire.dev PR base: release/13.5
  • microsoft/aspire matching branch: not found
  • Latest checked source SHA: 4f218933552e18ff2874d1b6d5dc3fe671e3b6d9 on release/13.4

Per the docs-feedback protocol, I can't guess across branches. Please retarget this PR to a branch that exists in microsoft/aspire, or wait until release/13.5 is cut there.

@IEvangelist

I can't safely process this feedback because the PR targets release/13.5, but I couldn't find a matching release/13.5 branch in the microsoft/aspire source clone or on https://github.com/microsoft/aspire.git (git ls-remote --heads origin release/13.5 returned no ref). Per the docs-feedback responder source-of-truth rule, I'm stopping rather than guessing.


Labels

docs-from-code Copilot initiated issue from dotnet/aspire repo needs-human-review
