fix: dependabot package upgrade #972

Merged: Roopan-Microsoft merged 10 commits into dev-v4 from psl-dk-depPRChanges on May 13, 2026

Dhruvkumar-Microsoft commented May 8, 2026

Purpose

This pull request primarily updates dependencies and GitHub Actions workflows to use newer, more secure, and maintained versions. The changes improve compatibility, security, and stability across the project’s Python, Node.js, and CI/CD environments.

Dependency Updates

  • Updated Python dependencies in src/backend/pyproject.toml, src/backend/requirements.txt, src/App/pyproject.toml, and src/mcp_server/pyproject.toml to the latest compatible versions, including major packages like fastapi, uvicorn, azure-*, openai, protobuf, and others. This enhances security, performance, and feature support.
  • Updated postcss dependency in src/App/package-lock.json to version 8.5.14 for improved security and bug fixes.

GitHub Actions Workflow Updates

  • Upgraded actions/checkout to v6 and other GitHub Actions (such as setup-python, upload-artifact, template-validation-action, and changed-files) to their latest versions in various workflow files for improved performance and security.
  • Updated azure/login action from v2 to v3 across all workflows to ensure compatibility with the latest Azure authentication mechanisms.

These updates collectively modernize the project, reduce technical debt, and ensure a more reliable development and deployment pipeline.

Does this introduce a breaking change?

  • Yes
  • No

How to Test

  • Get the code

```
git clone [repo-address]
cd [repo-name]
git checkout [branch-name]
npm install
```

  • Test the code

What to Check

Verify that the following are valid

  • ...

Other Information

Roopan-Microsoft and others added 6 commits April 20, 2026 11:06
---
updated-dependencies:
- dependency-name: azure-ai-evaluation
  dependency-version: 1.16.6
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: python-deps
- dependency-name: azure-ai-projects
  dependency-version: 2.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: python-deps
- dependency-name: azure-cosmos
  dependency-version: 4.15.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: python-deps
- dependency-name: azure-identity
  dependency-version: 1.25.3
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: python-deps
- dependency-name: azure-monitor-opentelemetry
  dependency-version: 1.8.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: python-deps
- dependency-name: azure-search-documents
  dependency-version: 11.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: python-deps
- dependency-name: fastapi
  dependency-version: 0.136.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: python-deps
- dependency-name: openai
  dependency-version: 2.33.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: python-deps
- dependency-name: opentelemetry-api
  dependency-version: 1.41.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: python-deps
- dependency-name: opentelemetry-exporter-otlp-proto-grpc
  dependency-version: 1.41.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: python-deps
- dependency-name: opentelemetry-exporter-otlp-proto-http
  dependency-version: 1.41.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: python-deps
- dependency-name: opentelemetry-instrumentation-fastapi
  dependency-version: 0.62b1
  dependency-type: direct:production
  dependency-group: python-deps
- dependency-name: opentelemetry-instrumentation-openai
  dependency-version: 0.60.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: python-deps
- dependency-name: opentelemetry-sdk
  dependency-version: 1.41.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: python-deps
- dependency-name: python-dotenv
  dependency-version: 1.2.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: python-deps
- dependency-name: python-multipart
  dependency-version: 0.0.27
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: python-deps
- dependency-name: uvicorn
  dependency-version: 0.46.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: python-deps
- dependency-name: pylint-pydantic
  dependency-version: 0.4.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: python-deps
- dependency-name: werkzeug
  dependency-version: 3.1.8
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: python-deps
- dependency-name: azure-core
  dependency-version: 1.40.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: python-deps
- dependency-name: agent-framework-azure-ai
  dependency-version: 1.0.0rc6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: python-deps
- dependency-name: agent-framework-core
  dependency-version: 1.2.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: python-deps
- dependency-name: agent-framework-orchestrations
  dependency-version: 1.0.0b260429
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: python-deps
- dependency-name: protobuf
  dependency-version: 7.34.1
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: python-deps
- dependency-name: cryptography
  dependency-version: 47.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: python-deps
- dependency-name: aiohttp
  dependency-version: 3.13.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: python-deps
- dependency-name: pytest-cov
  dependency-version: 7.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: python-deps
...

Signed-off-by: dependabot[bot] <support@github.com>

Bumps the all-actions group with 6 updates:

| Package | From | To |
| --- | --- | --- |
| [actions/checkout](https://github.com/actions/checkout) | `4` | `6` |
| [microsoft/template-validation-action](https://github.com/microsoft/template-validation-action) | `0.4.3` | `0.4.4` |
| [azure/login](https://github.com/azure/login) | `2` | `3` |
| [tj-actions/changed-files](https://github.com/tj-actions/changed-files) | `47.0.5` | `47.0.6` |
| [actions/setup-python](https://github.com/actions/setup-python) | `5` | `6` |
| [actions/upload-artifact](https://github.com/actions/upload-artifact) | `4` | `7` |


Updates `actions/checkout` from 4 to 6
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v4...v6)

Updates `microsoft/template-validation-action` from 0.4.3 to 0.4.4
- [Release notes](https://github.com/microsoft/template-validation-action/releases)
- [Commits](microsoft/template-validation-action@v0.4.3...v0.4.4)

Updates `azure/login` from 2 to 3
- [Release notes](https://github.com/azure/login/releases)
- [Commits](Azure/login@v2...v3)

Updates `tj-actions/changed-files` from 47.0.5 to 47.0.6
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](tj-actions/changed-files@22103cc...9426d40)

Updates `actions/setup-python` from 5 to 6
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](actions/setup-python@v5...v6)

Updates `actions/upload-artifact` from 4 to 7
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@v4...v7)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-actions
- dependency-name: microsoft/template-validation-action
  dependency-version: 0.4.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-actions
- dependency-name: azure/login
  dependency-version: '3'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-actions
- dependency-name: tj-actions/changed-files
  dependency-version: 47.0.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-actions
- dependency-name: actions/setup-python
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-actions
- dependency-name: actions/upload-artifact
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-actions
...

Signed-off-by: dependabot[bot] <support@github.com>

github-actions Bot commented May 8, 2026

Coverage

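Coverage Report

| File | Stmts | Miss | Cover | Missing |
| --- | --- | --- | --- | --- |
| TOTAL | 3034 | 379 | 87% | |

report-only-changed-files is enabled. No files were changed during this commit :)

| Tests | Skipped | Failures | Errors | Time |
| --- | --- | --- | --- | --- |
| 883 | 5 💤 | 0 ❌ | 0 🔥 | 7.947s ⏱️ |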

Copilot AI left a comment

Pull request overview

This pull request modernizes the project’s dependency set (Python + Node) and CI/CD workflows to newer versions, aiming to improve security and long-term maintainability across the backend, App service, MCP server, and GitHub Actions pipelines.

Changes:

  • Upgraded multiple Python dependencies (and regenerated uv.lock files) for src/backend, src/mcp_server, and src/App.
  • Updated backend dependency pinning in both pyproject.toml and requirements.txt to keep them aligned.
  • Updated GitHub Actions workflow action versions (e.g., actions/checkout, actions/setup-python, actions/upload-artifact, azure/login) and bumped postcss in the frontend lockfile.

Reviewed changes

Copilot reviewed 17 out of 21 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| src/mcp_server/uv.lock | Lockfile refresh to reflect updated MCP server dependency versions. |
| src/mcp_server/pyproject.toml | Bumps MCP server deps (e.g., python-dotenv, python-multipart). |
| src/backend/uv.lock | Lockfile refresh for backend dependency upgrades (FastAPI/OpenAI/Azure/OTel stack, etc.). |
| src/backend/requirements.txt | Aligns pip requirements with upgraded backend dependency pins. |
| src/backend/pyproject.toml | Updates backend dependency pins (and dev extras) for newer versions. |
| src/App/uv.lock | Updates App Python lockfile to match newly pinned env/multipart packages. |
| src/App/pyproject.toml | Pins python-dotenv / python-multipart to specific versions for the App package. |
| src/App/package-lock.json | Upgrades postcss to 8.5.14 in the Node lockfile. |
| .github/workflows/validate-bicep-params.yml | Updates core Actions versions (checkout/setup-python/upload-artifact). |
| .github/workflows/test-automation-v2.yml | Updates azure/login to v3. |
| .github/workflows/job-docker-build.yml | Updates azure/login to v3. |
| .github/workflows/job-deploy.yml | Updates azure/login to v3. |
| .github/workflows/job-deploy-windows.yml | Updates azure/login to v3. |
| .github/workflows/job-deploy-linux.yml | Updates azure/login to v3. |
| .github/workflows/job-cleanup-deployment.yml | Updates azure/login to v3. |
| .github/workflows/docker-build-and-push.yml | Updates azure/login to v3. |
| .github/workflows/deploy.yml | Updates azure/login to v3 in deploy + follow-up job. |
| .github/workflows/deploy-waf.yml | Updates azure/login to v3. |
| .github/workflows/broken-links-checker.yml | Updates pinned tj-actions/changed-files commit to newer version. |
| .github/workflows/azure-dev.yml | Updates checkout and azure/login action versions. |
| .github/workflows/azd-template-validation.yml | Updates checkout and template validation action version. |

Files not reviewed (1)
  • src/App/package-lock.json: Language not supported

Copilot AI review requested due to automatic review settings May 12, 2026 12:58

Copilot AI left a comment

Pull request overview

Copilot reviewed 17 out of 21 changed files in this pull request and generated 2 comments.

Files not reviewed (1)
  • src/App/package-lock.json: Language not supported

Comment thread src/backend/pyproject.toml
Comment thread src/mcp_server/pyproject.toml
Roopan-Microsoft merged commit 4450802 into dev-v4 May 13, 2026
9 checks passed
@github-actions

🎉 This PR is included in version 4.2.1 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

Dhruvkumar-Microsoft deleted the psl-dk-depPRChanges branch May 22, 2026 04:27