Fix Dependabot alerts, modernize sample dependencies, drop EOL SDK installs #1357

Merged: torosent merged 1 commit into main from torosent/fix-dependabot-alerts on May 21, 2026

Conversation

@torosent torosent commented May 21, 2026

Summary

Three related cleanups for the samples/ projects and the public PR validation pipeline:

  1. Fix all 5 open Dependabot security alerts (transitive deps in samples).
  2. Modernize outdated sample dependencies (13 package bumps + 1 deprecated package replacement).
  3. Remove EOL .NET Core 2.1 / 3.1 SDK install steps from the PR validation pipeline (recurring TLS failures as Microsoft retires EOL release infrastructure).

Dependabot alerts fixed

| # | Advisory | Package | Before → After | Affected sample | Fix |
|---|---|---|---|---|---|
| 36 | GHSA-cmhx-cq75-c4mj | System.Text.RegularExpressions | 4.3.0 → 4.3.1 | ManagedIdentity v1.x | Explicit pin |
| 35 | GHSA-7jgj-8wvc-jh57 | System.Net.Http | 4.3.0 → 4.3.4 | ManagedIdentity v1.x | Explicit pin |
| 31 | GHSA-8g4q-xg66-9fp4 | System.Text.Json | 6.0.0 → 10.0.8 | ApplicationInsightsSample | Explicit pin |
| 28 | GHSA-rxg9-xrhp-64gj | System.Drawing.Common | 4.7.0 → 6.0.0 | ApplicationInsightsSample | Transitive via WorkerService upgrade |
| 25 | GHSA-cmhx-cq75-c4mj | System.Text.RegularExpressions | 4.3.0 → 4.3.1 | Correlation.Samples | Explicit pin |

System.Drawing.Common is resolved by bumping Microsoft.ApplicationInsights.WorkerService from 2.21.0 → 2.23.0, which brings Drawing.Common 6.0.0 transitively — outside the only known vulnerable ranges (4.x < 4.7.2 and 5.x < 5.0.3). No explicit reference or CPM entry is needed.

Sample dependency modernization (Directory.Packages.props)

| Package | Before | After |
|---|---|---|
| Azure.Identity | 1.18.0 | 1.21.0 |
| Azure.Monitor.OpenTelemetry.Exporter | 1.6.0 | 1.8.1 |
| Microsoft.ApplicationInsights.DependencyCollector | 2.12.0 | 2.23.0 |
| Microsoft.ApplicationInsights.WorkerService | 2.21.0 | 2.23.0 |
| Microsoft.Extensions.Azure | 1.7.4 | 1.14.0 |
| Microsoft.Extensions.Configuration | 3.1.32 | 10.0.8 |
| Microsoft.Extensions.Configuration.Json | 3.1.32 | 10.0.8 |
| Microsoft.Extensions.Hosting | 6.0.1 | 10.0.8 |
| OpenTelemetry.Exporter.Console | 1.1.0 | 1.15.3 |
| OpenTelemetry.Exporter.Zipkin | (deprecated) | replaced with OpenTelemetry.Exporter.OpenTelemetryProtocol 1.15.3 |
| System.Text.Json | 10.0.3 | 10.0.8 |
| Vio.DurableTask.Hosting | 2.2.1 | 2.2.17 |
| ncrontab (net48) | 1.0.0 | 3.4.0 |

Code changes

  • samples/DistributedTraceSample/OpenTelemetry/Program.cs: migrate deprecated AddZipkinExporter() → AddOtlpExporter() (Zipkin exporter package replaced).
  • samples/Correlation.Samples/TelemetryActivator.cs: migrate from obsolete TelemetryConfiguration.InstrumentationKey to ConnectionString (APPLICATIONINSIGHTS_CONNECTION_STRING) with backward-compat fallback to the legacy APPINSIGHTS_INSTRUMENTATIONKEY env var.
  • samples/DistributedTraceSample/ApplicationInsights/ApplicationInsightsSample.csproj: removed stale System.Diagnostics.DiagnosticSource VersionOverride="7.0.2" workaround (no longer needed once Hosting is on 10.x).

CI fix (eng/templates/build-steps.yml)

Removed the two UseDotNet@2 steps that installed .NET Core 2.1 and .NET Core 3.1 SDKs. Both runtimes are long EOL (Aug 2021 and Dec 2022); no project in the repo targets netcoreapp2.x or netcoreapp3.x. The 2.1 release-index endpoint has become unreliable, producing intermittent TLS handshake failures that fail the whole PR validation pipeline (e.g., build #279849 DTFxCoreValidate Validate 11):

##[error]Failed to download or parse releases-index.json with error:
write EPROTO ... tlsv1 alert internal error ... SSL alert number 80

Builds use VSBuild/MSBuild, and the only SDK actually required is .NET 8 for the net8.0 test targets. The official build pipeline (eng/ci/official-build.yml) doesn't install these SDKs either.

Intentionally not modernized

  • Microsoft.Azure.DurableTask.AzureStorage 1.17.3 in ManagedIdentity v1.x (educational pin to demonstrate v1.x usage).
  • EnterpriseLibrary.SemanticLogging / CommandLineParser 1.x in DurableTask.Samples (abandoned / breaking API changes).
  • Microsoft.ApplicationInsights 2.x → 3.x (major version, out of scope).

Verification

  • ✅ All 6 sample projects, 4 src libraries, and 3 test projects build with 0 warnings, 0 errors.
  • dotnet list package --include-transitive on each affected sample confirms no vulnerable transitive versions remain.
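The verification step above reads `dotnet list package --include-transitive` output by eye. As an added example (not code from the DurableTask repo or from this PR), the Python below parses that output and flags every resolved version that falls inside a vulnerable range. The two System.Drawing.Common ranges are the ones the PR quotes (4.x < 4.7.2 and 5.x < 5.0.3); for the other three alerts the rules match only the exact versions Dependabot flagged in the table, which is an illustration-only assumption since the real advisories cover wider ranges. The `BEFORE`/`AFTER` listings are constructed from the PR's before/after versions, the `net8.0` framework and project layout in them are assumptions, and `Rule`, `parse_listing` and `find_vulnerable` are names chosen for this example.

```python
"""Flag vulnerable resolved versions in `dotnet list package --include-transitive` output."""
from __future__ import annotations
from dataclasses import dataclass

def parse_version(text: str) -> tuple[int, ...]:
    """NuGet version string to a comparable 4-tuple; pre-release/build suffixes are dropped."""
    core = text.split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in core.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))[:4]

@dataclass(frozen=True)
class Rule:
    package: str
    advisory: str
    lo: str         # first vulnerable version (inclusive)
    hi: str | None  # first fixed version (exclusive); None means "exactly lo"

    def matches(self, version: str) -> bool:
        v = parse_version(version)
        if self.hi is None:
            return v == parse_version(self.lo)
        return parse_version(self.lo) <= v < parse_version(self.hi)

# System.Drawing.Common ranges are the ones the PR quotes (4.x < 4.7.2, 5.x < 5.0.3).
# The other rules match only the exact versions Dependabot flagged in the PR's table;
# that is an illustration-only assumption, as the real advisories cover wider ranges.
RULES = (
    Rule("System.Drawing.Common", "GHSA-rxg9-xrhp-64gj", "4.0.0", "4.7.2"),
    Rule("System.Drawing.Common", "GHSA-rxg9-xrhp-64gj", "5.0.0", "5.0.3"),
    Rule("System.Text.RegularExpressions", "GHSA-cmhx-cq75-c4mj", "4.3.0", None),
    Rule("System.Net.Http", "GHSA-7jgj-8wvc-jh57", "4.3.0", None),
    Rule("System.Text.Json", "GHSA-8g4q-xg66-9fp4", "6.0.0", None),
)

def parse_listing(listing: str) -> list[tuple[str, str, str, str]]:
    """(project, framework, package, resolved) per "> Package ..." row; resolved is the last column."""
    rows: list[tuple[str, str, str, str]] = []
    project = framework = ""
    for raw in listing.splitlines():
        line = raw.strip()
        if line.startswith("Project '"):
            project = line.split("'")[1]
        elif line.startswith("[") and line.endswith("]:"):
            framework = line[1:-2]
        elif line.startswith(">"):
            tokens = [t for t in line[1:].split() if t != "(A)"]  # "(A)" marks auto-referenced packages
            if len(tokens) >= 2:
                rows.append((project, framework, tokens[0], tokens[-1]))
    return rows

def find_vulnerable(listing: str, rules: tuple[Rule, ...] = RULES) -> list[dict[str, str]]:
    """One finding per resolved (project, package, version) that matches a rule."""
    findings = []
    for project, framework, package, version in parse_listing(listing):
        for rule in rules:
            if rule.package.lower() == package.lower() and rule.matches(version):
                findings.append({"project": project, "framework": framework, "package": package,
                                 "version": version, "advisory": rule.advisory})
    return findings

# Constructed snapshots shaped like `dotnet list package --include-transitive` output. Package
# names and versions are the before/after values from the PR; the net8.0 framework and the
# project layout are assumptions made for this example.
BEFORE = """\
Project 'ApplicationInsightsSample' has the following package references
   [net8.0]:
   Top-level Package                              Requested   Resolved
   > Microsoft.ApplicationInsights.WorkerService  2.21.0      2.21.0
   Transitive Package                             Resolved
   > System.Drawing.Common                        4.7.0
   > System.Text.Json                             6.0.0
Project 'ManagedIdentity.AzStorageV1' has the following package references
   [net8.0]:
   Top-level Package                              Requested   Resolved
   > Microsoft.Azure.DurableTask.AzureStorage     1.17.3      1.17.3
   Transitive Package                             Resolved
   > System.Net.Http                              4.3.0
   > System.Text.RegularExpressions               4.3.0
"""

AFTER = """\
Project 'ApplicationInsightsSample' has the following package references
   [net8.0]:
   Top-level Package                              Requested   Resolved
   > Microsoft.ApplicationInsights.WorkerService  2.23.0      2.23.0
   Transitive Package                             Resolved
   > System.Drawing.Common                        6.0.0
   > System.Text.Json                             10.0.8
Project 'ManagedIdentity.AzStorageV1' has the following package references
   [net8.0]:
   Top-level Package                              Requested   Resolved
   > Microsoft.Azure.DurableTask.AzureStorage     1.17.3      1.17.3
   > System.Net.Http                              4.3.4       4.3.4
   > System.Text.RegularExpressions               4.3.1       4.3.1
"""

if __name__ == "__main__":
    for label, listing in (("before", BEFORE), ("after", AFTER)):
        print(label, find_vulnerable(listing))
```

Piping real `dotnet list package --include-transitive` output into `find_vulnerable` and failing the pipeline on a non-empty result turns the manual check into a gate; the built-in `dotnet list package --vulnerable --include-transitive` does the same against the GitHub advisory database online, whereas this script keeps the ranges explicit and runs offline.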

Copilot AI review requested due to automatic review settings May 21, 2026 15:29
Contributor

Copilot AI left a comment


Pull request overview

This PR addresses Dependabot security alerts in the repository’s sample projects by ensuring patched versions of vulnerable transitive dependencies are resolved under Central Package Management (CPM).

Changes:

  • Add explicit PackageReference entries in affected sample .csproj files to force resolution of patched transitive packages.
  • Add a CPM PackageVersion entry for System.Drawing.Common at 4.7.3 so samples can reference it without per-project versioning.
  • Preserve the older Microsoft.Azure.DurableTask.AzureStorage 1.x dependency in the Managed Identity sample while overriding its vulnerable transitives.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

| File | Description |
|---|---|
| Directory.Packages.props | Adds CPM version entry for System.Drawing.Common to support patched dependency resolution. |
| samples/Correlation.Samples/Correlation.Samples.csproj | Adds explicit reference to System.Text.RegularExpressions to override a vulnerable transitive. |
| samples/DistributedTraceSample/ApplicationInsights/ApplicationInsightsSample.csproj | Adds explicit references to System.Drawing.Common and System.Text.Json to override vulnerable transitives. |
| samples/ManagedIdentitySample/DTFx.AzureStorage v1.x/ManagedIdentity.AzStorageV1.csproj | Adds explicit references to System.Net.Http and System.Text.RegularExpressions to override vulnerable transitives from older dependencies. |


Comment thread Directory.Packages.props Outdated
@torosent torosent force-pushed the torosent/fix-dependabot-alerts branch from 21d33e6 to a36db78 Compare May 21, 2026 15:54
@torosent
Member Author

Addressed the review feedback and broadened the scope per request:

  • System.Drawing.Common pin removed. Instead, bumped Microsoft.ApplicationInsights.WorkerService 2.21.0 → 2.23.0, which transitively brings System.Drawing.Common to 6.0.0 — outside the only known vulnerable ranges (4.x < 4.7.2 and 5.x < 5.0.3). No explicit reference or new CPM entry needed.
  • Sample dependencies modernized: Microsoft.Extensions.* (Hosting/Configuration/Configuration.Json) → 10.0.8, Microsoft.Extensions.Azure → 1.14.0, Azure.Identity → 1.21.0, Azure.Monitor.OpenTelemetry.Exporter → 1.8.1, Microsoft.ApplicationInsights.DependencyCollector → 2.23.0, OpenTelemetry.Exporter.Console → 1.15.3, Vio.DurableTask.Hosting → 2.2.17, ncrontab → 3.4.0, System.Text.Json → 10.0.8.
  • Code changes for deprecated APIs:
    • OpenTelemetrySample/Program.cs: migrated from deprecated AddZipkinExporter() to AddOtlpExporter() (Zipkin exporter package replaced).
    • Correlation.Samples/TelemetryActivator.cs: migrated from obsolete TelemetryConfiguration.InstrumentationKey to ConnectionString (APPLICATIONINSIGHTS_CONNECTION_STRING) with a backward-compat fallback to the legacy env var.
  • Cleanup: removed stale System.Diagnostics.DiagnosticSource VersionOverride="7.0.2" workaround (no longer needed once Hosting is on 10.x).

Intentionally not modernized:

  • Microsoft.Azure.DurableTask.AzureStorage 1.17.3 in ManagedIdentity v1.x (educational pin — sample exists to demo v1.x).
  • EnterpriseLibrary.SemanticLogging and CommandLineParser 1.x in DurableTask.Samples (abandoned / breaking API changes).
  • Microsoft.ApplicationInsights 2.x → 3.x (major version, out of scope).

Verified: all 6 samples + 4 src libraries + 3 test projects build with 0 warnings, 0 errors, and dotnet list package --include-transitive confirms no vulnerable transitives remain in any sample graph.

The failing DTFxCoreValidate Validate 3 check on the previous push was 1 of 13 parallel test shards for DurableTask.Core.Tests.dll. This PR does not touch DurableTask.Core or its tests; it was almost certainly flaky. New checks should be running now.

Copilot AI review requested due to automatic review settings May 21, 2026 16:10
@torosent torosent force-pushed the torosent/fix-dependabot-alerts branch from a36db78 to d47f7e1 Compare May 21, 2026 16:10
@torosent
Member Author

CI fix: removed EOL .NET Core 2.1 / 3.1 SDK installs from the PR validation pipeline

The previously failing DTFxCoreValidate Validate 11 shard on build #279849 was not a test failure or a flaky shard — it failed in the Use the .NET Core 2.1 SDK (required for build signing) task with:

##[error]Failed to download or parse releases-index.json with error:
write EPROTO ... tlsv1 alert internal error ... SSL alert number 80

Why the 2.1 / 3.1 installs are safe to drop

  • .NET Core 2.1 has been EOL since Aug 2021 and 3.1 since Dec 2022. Microsoft is rotating/retiring the TLS infrastructure for the old release indexes, which is why this task started failing intermittently (the nightly main build at 05:38 UTC succeeded; this PR build at 16:00 UTC failed on the exact same step).
  • No project in the repo targets netcoreapp2.x or netcoreapp3.x. Verified by grep across the entire tree. All libraries target netstandard2.0, all .NET Framework projects target net48/net472, and all test/sample projects targeting modern Core use net8.0.
  • The "required for build signing" comment is stale. Signing is performed by sign-files.yml@eng invoked from eng/ci/official-build.yml, which does not install .NET Core 2.1 either. Builds use VSBuild (MSBuild), not dotnet build, so the only SDK actually required is .NET 8 for the net8.0 test targets.

Change

eng/templates/build-steps.yml: removed the two UseDotNet@2 steps for 2.1.x and 3.1.x; kept the 8.0.x install.

CI is re-running on d47f7e1.

Contributor

Copilot AI left a comment


Pull request overview

Copilot reviewed 8 out of 8 changed files in this pull request and generated 3 comments.

Comment thread Directory.Packages.props
Comment thread samples/DistributedTraceSample/OpenTelemetry/Program.cs
Comment thread Directory.Packages.props
@torosent torosent force-pushed the torosent/fix-dependabot-alerts branch from d47f7e1 to 008f203 Compare May 21, 2026 16:28
@torosent torosent changed the title Fix Dependabot security alerts in sample projects Fix Dependabot alerts, modernize sample dependencies, drop EOL SDK installs May 21, 2026
Copilot AI review requested due to automatic review settings May 21, 2026 16:36
Contributor

Copilot AI left a comment


Pull request overview

Copilot reviewed 8 out of 8 changed files in this pull request and generated no new comments.

@torosent torosent force-pushed the torosent/fix-dependabot-alerts branch 2 times, most recently from 5295d08 to 9c2853e Compare May 21, 2026 17:25
Copilot AI review requested due to automatic review settings May 21, 2026 17:25
Contributor

Copilot AI left a comment


Pull request overview

Copilot reviewed 8 out of 8 changed files in this pull request and generated 1 comment.

Comment thread eng/templates/build-steps.yml Outdated
…stalls

Resolves all 5 open Dependabot alerts (all transitive deps in samples/),
modernizes outdated sample dependencies, and removes EOL .NET Core SDK
installs from the public PR validation pipeline.

Dependabot alerts fixed (all in samples/):
- GHSA-cmhx-cq75-c4mj  System.Text.RegularExpressions 4.3.0 -> 4.3.1
- GHSA-7jgj-8wvc-jh57  System.Net.Http 4.3.0 -> 4.3.4
- GHSA-8g4q-xg66-9fp4  System.Text.Json 6.0.0 -> 10.0.8
- GHSA-rxg9-xrhp-64gj  System.Drawing.Common 4.7.0 -> 6.0.0
  (eliminated via WorkerService 2.21 -> 2.23 upgrade; no explicit pin)

Sample dependency modernization (Directory.Packages.props):
- Azure.Identity                                  1.18.0  -> 1.21.0
- Azure.Monitor.OpenTelemetry.Exporter            1.6.0   -> 1.8.1
- Microsoft.ApplicationInsights.DependencyCollector 2.12.0 -> 2.23.0
- Microsoft.ApplicationInsights.WorkerService     2.21.0  -> 2.23.0
- Microsoft.Extensions.Azure                      1.7.4   -> 1.14.0
- Microsoft.Extensions.Configuration              3.1.32  -> 10.0.8
- Microsoft.Extensions.Configuration.Json         3.1.32  -> 10.0.8
- Microsoft.Extensions.Hosting                    6.0.1   -> 10.0.8
- OpenTelemetry.Exporter.Console                  1.1.0   -> 1.15.3
- OpenTelemetry.Exporter.Zipkin (deprecated) replaced by
  OpenTelemetry.Exporter.OpenTelemetryProtocol    1.15.3
- System.Text.Json                                10.0.3  -> 10.0.8
- Vio.DurableTask.Hosting                         2.2.1   -> 2.2.17
- ncrontab (net48)                                1.0.0   -> 3.4.0

Code changes:
- OpenTelemetrySample/Program.cs: migrate deprecated AddZipkinExporter
  to AddOtlpExporter.
- Correlation.Samples/TelemetryActivator.cs: migrate from obsolete
  TelemetryConfiguration.InstrumentationKey to ConnectionString
  (APPLICATIONINSIGHTS_CONNECTION_STRING) with backward-compat fallback
  to the legacy APPINSIGHTS_INSTRUMENTATIONKEY env var.

CI fix (eng/templates/build-steps.yml):
- Remove the .NET Core 2.1 and 3.1 SDK install steps. Both runtimes are
  long EOL (2021 and 2022); no project in the repo targets netcoreapp2.x
  or netcoreapp3.x, and the 2.1 release-index endpoint has become
  unreliable, causing intermittent TLS failures that fail the entire PR
  validation pipeline (e.g., build #279849 'DTFxCoreValidate Validate 11').
  Builds use VSBuild/MSBuild and the only SDK actually required is .NET 8
  for the net8.0 test targets.

Intentionally not modernized:
- Microsoft.Azure.DurableTask.AzureStorage 1.17.3 in ManagedIdentity v1.x
  (educational pin to demonstrate v1.x usage).
- EnterpriseLibrary.SemanticLogging, CommandLineParser 1.x in
  DurableTask.Samples (abandoned / breaking API changes).
- Microsoft.ApplicationInsights 2.x -> 3.x (major version, out of scope).

Verified: all 6 sample projects, all 4 src libraries, and all 3 test
projects build with 0 warnings and 0 errors. 'dotnet list package
--include-transitive' confirms no vulnerable transitive versions remain
in any sample's resolved graph.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@torosent torosent force-pushed the torosent/fix-dependabot-alerts branch from 9c2853e to acac1dc Compare May 21, 2026 17:50
@torosent torosent merged commit d08f0d5 into main May 21, 2026
47 checks passed
@torosent torosent deleted the torosent/fix-dependabot-alerts branch May 21, 2026 18:24