Update aspire monorepo to 13.4.5

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
Aspire.AppHost.Sdk	13.4.0 → 13.4.5
Aspire.Hosting.AppHost	13.4.0 → 13.4.5
Aspire.Hosting.SqlServer	13.4.0 → 13.4.5

---

Release Notes

microsoft/aspire (Aspire.AppHost.Sdk)

v13.4.5: Aspire 13.4.5

What's New in Aspire 13.4.5

Patch release for Aspire 13.4 clearing a transitive MessagePack security advisory, tightening CLI validation for Playwright configuration, and adding coding-agent detection to CLI telemetry.

🐛 Fixes

• 🛡️ Bumped StreamJsonRpc to 2.25.29 to clear the MessagePack GHSA-hv8m-jj95-wg3x (CVE-2026-48109) NU1903 advisory — The transitive MessagePack 2.5.192 dependency pulled in via StreamJsonRpc 2.22.23 fell within the advisory's vulnerable LZ4 decompression range. Aspire does not use MessagePackFormatter or LZ4 — all StreamJsonRpc calls use SystemTextJsonFormatter over local Unix sockets — so the vulnerability was not reachable in practice. The bump clears the NU1903 warning for consumers of the Aspire.Hosting package. (#​18204, @mitchdenny)
• 🎭 playwrightCliVersion values that are not valid SemVer 2.0 now fail fast with a clear diagnostic — Previously an invalid override (range expression, dist-tag like latest, or a v-prefixed string) would surface as a generic npm resolution failure. The value is now validated with strict SemVer parsing at startup; an error naming the configuration key and the offending value is emitted immediately. (#​18205, @mitchdenny)
• 🤖 CLI telemetry now detects and reports the calling coding agent — When the Aspire CLI is invoked from inside a known coding agent environment (GitHub Copilot CLI, VS Code Copilot agent, etc.) the agent name is included in the main CLI telemetry event. GitHub Copilot CLI is specifically identified as copilot-cli. (#​18240, @damianedwards)

🏷️ Housekeeping

• 📄 Refreshed the @microsoft/aspire-cli npm package README to be TypeScript-only — updated examples to the current ts-starter template (apphost.mts / aspire.mjs), added a backing-services snippet showing aspire add for PostgreSQL and Redis, and documented aspire dashboard run as a standalone dashboard option. (#​18221, @adamint)

---

Full Changelog: v13.4.4...v13.4.5

Full commit: 73114e86c64aeb9f3f3c7da8e37df1ae4281b27e

Generated by Generate release notes for a new stable Aspire release · ● 4.4M

v13.4.4

v13.4.3: Aspire 13.4.3

What's New in Aspire 13.4.3

Patch release for Aspire 13.4 with a fix for persistent container endpoint allocation regressions introduced in 13.4.

🐛 Fixes

• 🔌 Persistent container endpoints had incorrect default behavior — Persistent containers were defaulting to proxyless endpoint behavior instead of the proxied behavior used by normal containers. This caused integrations that depend on endpoint allocation before resource startup (such as the KeyVault emulator) to fail. Persistent containers now default to proxied endpoints matching normal container behavior; opt out with isProxied: false or WithEndpointProxySupport(false). Proxyless container endpoints with only a targetPort specified now also resolve immediately to that port instead of waiting for delayed allocation. (#​17960, @danegsta)

🏷️ Housekeeping

• 🛠️ Unblocked WinGet manifest publishing on locked-down 1ES agents and updated manifest tags (#​17958)

---

Full Changelog: microsoft/aspire@v13.4.2...v13.4.3

Full commit: 4f218933552e18ff2874d1b6d5dc3fe671e3b6d9

Generated by Generate release notes for a new stable Aspire release · ● 4.7M

v13.4.2: Aspire 13.4.2

What's New in Aspire 13.4.2

Patch release for Aspire 13.4 with a fix for Redis persistent container deadlock on startup when using TLS.

🐛 Fixes

• 🔴 Redis with WithLifetime(ContainerLifetime.Persistent) could deadlock on startup — Redis TLS startup arguments used the public/allocated host ports instead of the internal target ports. When the public port differed from the target port (or was not yet allocated) the container would listen on an unexpected port and become unreachable. The TLS and non-TLS startup arguments now bind to target ports, matching what Redis expects internally. Fixes #​17822. (#​17827, backported via #​17850, @danegsta)

🏷️ Housekeeping

• 🚀 Bumped branding to 13.4.2 (#​17876)

---

Full Changelog: microsoft/aspire@v13.4.1...v13.4.2

Full commit: d7d0b6759ce4b936c76bc4775814d27db560dd6d

Generated by Generate release notes for a new stable Aspire release · ● 5M

v13.4.1: Aspire 13.4.1

What's New in Aspire 13.4.1

Patch release for Aspire 13.4 with fixes for explicit-start resource lifecycle callbacks, Redis persistent container startup, proxyless endpoint allocation, and a duplicated profiles block in the empty C# AppHost template.

🐛 Fixes

• ⏱️ Explicit-start resources triggered lifecycle callbacks too early — Session-scoped resources marked with WithExplicitStart() were having their execution configuration callbacks (environment variables, arguments, certificates) evaluated at AppHost startup instead of at manual start. This meant user-interaction callbacks such as WithEnvironment(ctx => PromptForValueAsync(...)) were called before the user triggered the resource. DCP registration is now deferred until the user manually starts the resource; persistent explicit-start resources still register immediately but patch the existing DCP record to Start = true rather than deleting and recreating it. Fixes #​17813. (#​17825, backported via #​17826, @danegsta)
• 🔴 Redis with WithLifetime(ContainerLifetime.Persistent) could deadlock on startup — Redis TLS startup arguments used the public/allocated host ports instead of the internal target ports. When the public port differed from the target port (or was not yet allocated) the container would listen on an unexpected port and become unreachable. The TLS and non-TLS startup arguments now bind to target ports, matching what Redis expects internally. Fixes #​17822. (#​17827, backported via #​17850, @danegsta)
• 🔌 Proxyless container endpoint could hang when resolved before container creation — Referencing a proxyless container endpoint in an environment variable callback (before the container port spec was finalized) could deadlock. An on-demand allocation path now commits the target port as the fallback host port in that case; once BuildContainerPorts runs, normal DCP dynamic port assignment takes over for any later resolution. (#​17851, backported via #​17859, @danegsta)
• 📄 Empty C# AppHost template emitted duplicate profiles block — aspire new aspire-empty on 13.4 produced an aspire.config.json with a profiles block that duplicated the content already present in apphost.run.json, causing redundant launch configuration. The embedded template now contains only the required appHost.path binding; profile configuration lives exclusively in apphost.run.json. Fixes #​17660. (#​17781, backported via #​17820, @mitchdenny)

🏷️ Housekeeping

• 📦 Added Aspire CLI npm package to the release pipeline so the npm distribution is published as part of stable releases. (#​17297, backported via #​17766, @adamint)
• 🚀 Bumped branding to 13.4.1 (#​17819)

---

Full Changelog: microsoft/aspire@v13.4.0...v13.4.1

Full commit: cf985fa817dd5863e7f62eb74fa1725ab5069ed2

Generated by Generate release notes for a new stable Aspire release · ● 1.0.40

Generated by Generate release notes for a new stable Aspire release · ● 3.9M

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.