Bump the aspire group with 2 updates

[dependabot]

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

---

Updated Aspire.Hosting.Azure.CognitiveServices from 13.2.0 to 13.2.3.

Release notes

Sourced from Aspire.Hosting.Azure.CognitiveServices's releases.

13.2.3

What's New in Aspire 13.2.3

Patch release focused on CLI packaging, signing, and reliability fixes.

🐛 Fixes

• 🛑 aspire stop now properly cleans up application containers on Windows (#​16123)
• 🔐 Fixed macOS signing, permissions, and certificate trust with improved CI verification (#​16053)
• ✍️ Fixed signing for the aspire-managed bundle payload (#​16211)
• 🎭 Fixed Playwright CLI provenance verification for the new tag format (#​16134)
• 🧭 Updated service discovery environment variables (#​16223)

🔧 Improvements

• 📊 Removed telemetry API data limits and refactored URL builders (#​16023)
• ⏱️ Increased native build + sign timeout to 60 minutes for reliability (#​16212)

🏷️ Housekeeping

• 🔖 Bumped branding to 13.2.3 (#​16181)
• 🧪 Temporarily disabled Verify CLI archive step on Windows while investigating (#​16276, #​16285)

13.2.2

This is a servicing release focused on bug fixes and platform improvements.

🐛 Bug Fixes

• Fix SqlClient runtime asset layout on Unix — Resolved an issue where Microsoft.Data.SqlClient failed to load correctly on macOS and Linux due to incorrect NuGet asset layout (#​15709)
• Fix IDE execution regressions for Azure Functions and class library projects — Backported fixes for
  13.2 regressions impacting IDE-based execution (#​15714)
• Fix NpmRunner multi-version output parsing — npm view returning multiple versions no longer breaks version resolution; also bumps @​playwright/cli to >=0.1.3 (#​15746)
• Skip name validation for internal resources — ProjectRebuilderResource, installer, and venv creator resources no longer fail the 64-char name limit since they're never deployed (#​15726, fixes #​15693)

🔒 Security & Certificates

• Use ASP.NET Core dev cert for DCP — Avoids ephemeral certificate trust issues by using the standard ASP.NET Core developer certificate (#​15718)
• Cache PFX dev certs on Windows and Linux — Prevents binary-level changes between runs for persistent container scenarios (#​15774)

🏗️ Infrastructure & Platform

• ARM64 CLI support — Added win-arm64 and linux-arm64 to the native CLI archive build matrix (#​15599)
• Update DCP to
  0.22.11 (#​15713)

💻 CLI Improvements

• Show anonymous dashboard URLs in aspire ps — The dashboard URL is now displayed even when running without authentication (#​15731

13.2.1

🐛 Bug Fixes

• 🖥️ CLI bundles for ARM & musl — win-arm64, linux-arm64, and linux-musl-x64 bundles now correctly include DCP instead of silently producing broken installs (#​15529)
• ⚡ aspire new in VS Code — Fixed a race where the workspace switch severed the CLI terminal before the agent init prompt could complete (#​15553)
• 🔗 Dashboard resource URLs — The describe command no longer produces broken dashboard links with a stray /login?t=... in the path (#​15495)
• 🌍 Guest AppHost env vars — Launch profile environment variables are now correctly forwarded to guest AppHosts (#​15637)
• 📦 Legacy settings migration — .aspire/settings.json → aspire.config.json migration was silently skipped in some scenarios; now works reliably (#​15526)
• 🔧 TypeScript AppHost restore — Fixed config resolution during TS AppHost restore (#​15625)
• 🎭 Playwright CLI on Windows — aspire agent init now correctly installs playwright-cli on Windows (#​15559)
• 📌 Emulator stability — Pinned Kusto emulator image and improved Cosmos DB emulator reliability (#​15504)

✨ Improvements

• 🏗️ Brownfield TypeScript aspire init — Running aspire init in existing JS/TS projects now smartly merges package.json — scripts, dependencies, and engines — with semver-aware conflict handling (#​15123)
• 🎯 Endpoint filtering — New ExcludeReferenceEndpoint property lets you filter specific endpoints from WithReference (#​15586)
• 🌐 More polyglot ATS APIs — Exported additional hosting APIs for TypeScript and Go AppHost authoring (#​15557)
• 🔍 Short trace ID support — The dashboard now resolves short trace IDs in addition to full-length ones (#​15613)
• ⚠️ Aspire.Hosting.NodeJs deprecated — Use Aspire.Hosting.JavaScript instead; the old package no longer appears in aspire add (#​15686)

Commits viewable in compare view.

Updated Microsoft.Extensions.ServiceDiscovery.Yarp from 10.4.0 to 10.5.0.

Release notes

Sourced from Microsoft.Extensions.ServiceDiscovery.Yarp's releases.

10.5.0

HTTP Logging Middleware APIs in Microsoft.AspNetCore.Diagnostics.Middleware are now stable. This release also transfers Microsoft.Extensions.VectorData.Abstractions and Microsoft.Extensions.VectorData.ConformanceTests from the Semantic Kernel repository into dotnet/extensions, jumping from 10.1.0 to 10.5.0 for consistent versioning. The release also delivers fixes across the AI libraries, AI Evaluation, and Service Discovery.

Breaking Changes

1. Rename VectorStoreVectorAttribute constructor parameter #​7460
   • The Dimensions parameter was renamed to dimensions (lowercase). This is a source-breaking change only — binary compatibility is preserved.
   • If you use the named argument syntax new VectorStoreVectorAttribute(Dimensions: 1536), update it to new VectorStoreVectorAttribute(dimensions: 1536).

Experimental API Changes

Now Stable

• HTTP Logging Middleware APIs are now stable (previously EXTEXP0013): AddHttpLogEnricher<T>, IHttpLogEnricher, and RequestHeadersLogEnricherOptions.HeadersDataClasses #​7380

What's Changed

AI

• Fix OpenAIResponsesChatClient to respect "store":false in responses #​7417 by @​stephentoub
• Fix InvalidOperationException in CoalesceWebSearchToolCallContent #​7419 by @​stephentoub
• Handle F# optional parameters in AIFunctionFactory schema generation #​7439 by @​eiriktsarpalis
• Fix ComputerCallResponseItem using Item.Id instead of CallId #​7446 by @​jozkee
• Fix HostedFileContent with image MIME type sent as input_file instead of input_image #​7438 by @​stephentoub (co-authored by @​copilot)
• Guard Activity.Current restore with null check in OpenTelemetry streaming clients #​7443 by @​stephentoub (co-authored by @​copilot)
• Enable stateless mode in remote MCP server template (released as v1.2.0 on 2026-04-01) #​7441 by @​jeffhandley

Vector Data

• Move Microsoft.Extensions.VectorData.Abstractions over from Semantic Kernel #​7434 by @​roji
• Rename VectorStoreVectorAttribute dimensions constructor parameter #​7460 by @​roji

AI Evaluation

• Add Path Validation for DiskBasedResponseCache and DiskBasedResultStore #​7397 by @​peterwald
• Update brace-expansion for CVE-2026-33750 #​7457 by @​SamMonoRT

ASP.NET Core Extensions

• Removing experimental attribute from Http logging middleware #​7380 by @​mariamgerges

Service Discovery

• Implement RFC6761 reserved DNS names handling #​6924 by @​rzikm

Documentation Updates

• Remove per-library CHANGELOG.md files #​7413 by @​jeffhandley

Test Improvements

... (truncated)

10.4.1

This release of the Microsoft.Extensions.AI packages adds new experimental APIs for Realtime client sessions and Text-to-Speech, along with OpenTelemetry and middleware improvements.

Packages in this release

Package	Version
Microsoft.Extensions.AI.Abstractions	10.4.1
Microsoft.Extensions.AI	10.4.1
Microsoft.Extensions.AI.OpenAI	10.4.1

Experimental API Changes

New Experimental APIs

• New experimental API: Realtime Client Sessions #​7285 and #​7399
• New experimental API: Text-to-Speech Client #​7381

Changes to Experimental APIs

• Hosted File Download Stream: write-path methods now explicitly throw NotSupportedException #​7394

What's Changed

AI

• Add ITextToSpeechClient abstraction, middleware, and OpenAI implementation #​7381 by @​stephentoub
• Realtime Client Proposal #​7285 by @​tarekgh
• Add VoiceActivityDetection options to realtime session abstractions #​7399 by @​tarekgh
• Make UriContent mediaType parameter optional with inference from URI file extension #​7398 by @​stephentoub (co-authored by @​Copilot)
• Emit gen_ai.client.operation.exception via ILogger LoggerMessage on OpenTelemetry instrumentation classes #​7379 by @​stephentoub (co-authored by @​Copilot)
• Support invoke_workflow as an equivalent parent span to invoke_agent in FunctionInvokingChatClient #​7382 by @​stephentoub (co-authored by @​Copilot)
• Make HostedFileDownloadStream explicitly read-only #​7394 by @​stephentoub (co-authored by @​Copilot)

Documentation Updates

• Document JSON schema derivation for return types in AIFunctionFactory #​7400 by @​stephentoub (co-authored by @​Copilot)

Test Improvements

• Fix test warnings #​7369 by @​jozkee
• Add tests for JSON deserialization of serializable types #​7373 by @​stephentoub (co-authored by @​Copilot)

Repository Infrastructure Updates

• Update Package Validation Baseline to 10.4.0 #​7389 by @​jeffhandley (co-authored by @​Copilot)
• Update ModelContextProtocol libraries to version 1.0.0 #​7340 by @​stephentoub (co-authored by @​Copilot)

Acknowledgements

• @​eiriktsarpalis @​ericstj @​CodeBlanch @​lmolkova @​adamsitnik @​joperezr reviewed pull requests
  ... (truncated)

Commits viewable in compare view.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions