
Update dependency azure-core to v1.38.0 [SECURITY] #39

Open
renovate[bot] wants to merge 1 commit into master from renovate/pypi-azure-core-vulnerability


@renovate renovate Bot commented Jan 14, 2026

This PR contains the following updates:

Package | Change | Age | Confidence
azure-core (source) | ==1.28.0 → ==1.38.0 | age | confidence

GitHub Vulnerability Alerts

CVE-2026-21226

Deserialization of untrusted data in Azure Core shared client library for Python allows an authorized attacker to execute code over a network.

Severity
  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Release Notes

Azure/azure-sdk-for-python (azure-core)

v1.38.0

Compare Source

Breaking Changes
  • Changed the continuation token format. Continuation tokens generated by previous versions of azure-core are not compatible with this version.

v1.37.0

Compare Source

Features Added
  • Added get_backcompat_attr_name to azure.core.serialization. get_backcompat_attr_name gets the backcompat name of an attribute using backcompat attribute access. #​44084
Bugs Fixed
  • Fixed leaked requests and aiohttp exceptions for streamed responses #​43200
  • Improved granularity of ServiceRequestError and ServiceResponseError exceptions raised in timeout scenarios from the requests and aiohttp transports #​43200

v1.36.0

Compare Source

Features Added
  • Added TypeHandlerRegistry to azure.core.serialization to allow developers to register custom serializers and deserializers for specific types or conditions. #​43051
Bugs Fixed
  • Fixed repeated import attempts of cchardet and chardet when charset_normalizer is used #​43092
Other Changes
  • Removed six as a dependency since it was unused. #​39962
  • Added caching to the tracing implementation detection function to prevent potential performance issues from repeated import attempts. #​43338

v1.35.1

Compare Source

Bugs Fixed
  • Fixed an issue where the retry_backoff_max parameter in RetryPolicy and AsyncRetryPolicy constructors was being ignored, causing retry operations to use default maximum backoff values instead of the user-specified limits. #​42444
Other Changes
  • BearerTokenCredentialPolicy and AsyncBearerTokenCredentialPolicy will now properly surface credential exceptions when handling claims challenges. Previously, exceptions from credential token requests were suppressed; now they are raised and chained with the original 401 HttpResponseError response for better debugging visibility. #​42536

v1.35.0

Compare Source

Features Added
  • Added a start_time keyword argument to the start_span and start_as_current_span methods in the OpenTelemetryTracer class. This allows users to specify a custom start time for created spans. #​41106
  • Added a context keyword argument to the start_span and start_as_current_span methods in the OpenTelemetryTracer class. This allows users to specify a custom parent context for created spans. #​41511
  • Added method as_attribute_dict to azure.core.serialization for backcompat migration purposes. Will return a generated model as a dictionary where the keys are in attribute syntax.
  • Added is_generated_model method to azure.core.serialization. Returns whether a given input is a model from one of our generated sdks. #​41445
  • Added attribute_list method to azure.core.serialization. Returns all of the attributes of a given model from one of our generated sdks. #​41571
Other Changes
  • A timeout error when using the aiohttp transport (the default for async SDKs) will now be raised as an azure.core.exceptions.ServiceResponseTimeoutError, a subtype of the previously raised ServiceResponseError.
  • When using with aiohttp 3.10 or later, a connection timeout error will now be raised as an azure.core.exceptions.ServiceRequestTimeoutError, which can be retried.
  • The default implementation of on_challenge in BearerTokenCredentialPolicy and AsyncBearerTokenCredentialPolicy will now cache the retrieved token. #​41857

v1.34.0

Compare Source

Features Added
  • Added a set_span_error_status method to the OpenTelemetryTracer class. This method allows users to set the status of a span to ERROR after it has been created. #​40703
Other Changes
  • Python 3.8 is no longer supported. Please use Python version 3.9 or later.

v1.33.0

Compare Source

Features Added
  • Added native OpenTelemetry tracing to Azure Core which enables users to use OpenTelemetry to trace Azure SDK operations without needing to install a plugin. #​39563
    • To enable native OpenTelemetry tracing, users need to:
      1. Have opentelemetry-api installed.
      2. Ensure that settings.tracing_implementation is not set.
      3. Ensure that settings.tracing_enabled is set to True.
    • If settings.tracing_implementation is set, the tracing plugin will be used instead of the native tracing.
    • If settings.tracing_enabled is set to False, tracing will be disabled.
    • The OpenTelemetryTracer class was added to the azure.core.tracing.opentelemetry module. This is a wrapper around the OpenTelemetry tracer that is used to create spans for Azure SDK operations.
    • Added a get_tracer method to the new azure.core.instrumentation module. This method returns an instance of the OpenTelemetryTracer class if OpenTelemetry is available.
    • A TracingOptions TypedDict class was added to define the options that SDK users can use to configure tracing per-operation. These options include the ability to enable or disable tracing and set additional attributes on spans.
      • Example usage: client.method(tracing_options={"enabled": True, "attributes": {"foo": "bar"}})
    • The DistributedTracingPolicy and distributed_trace/distributed_trace_async decorators now use the OpenTelemetry tracer if it is available and native tracing is enabled.
      • SDK clients can define an _instrumentation_config class variable to configure the OpenTelemetry tracer used in method span creation. Possible configuration options are library_name, library_version, schema_url, and attributes.
      • DistributedTracingPolicy now accepts an instrumentation_config keyword argument to configure the OpenTelemetry tracer used in HTTP span creation.
Breaking Changes
  • Removed automatic tracing enablement for the OpenTelemetry plugin if opentelemetry was imported. To enable tracing with the plugin, please import azure.core.settings.settings and set settings.tracing_implementation to "opentelemetry". #​39563
  • In DistributedTracingPolicy, the default span name is now just the HTTP method (e.g., "GET", "POST") and no longer includes the URL path. This change was made to converge with the OpenTelemetry HTTP semantic conventions. The full URL is still included in the span attributes.
  • Renamed span attributes in DistributedTracingPolicy:
    • "x-ms-client-request-id" is now "az.client_request_id"
    • "x-ms-request-id" is now "az.service_request_id"
Bugs Fixed
  • Fixed an issue where the traceparent header was not being set correctly in the DistributedTracingPolicy. The traceparent header will now be set based on the context of the HTTP client span. #​40074
Other Changes
  • Added opentelemetry-api as an optional dependency for tracing. This can be installed with pip install azure-core[tracing]. #​39563

v1.32.0

Compare Source

Features Added
  • Added a default implementation to handle token challenges in BearerTokenCredentialPolicy and AsyncBearerTokenCredentialPolicy.
Bugs Fixed
  • Fixed an issue where the tracing_attributes keyword argument wasn't being handled at the request/method level. #​38164
Other Changes
  • Log "x-vss-e2eid" and "x-msedge-ref" headers in HttpLoggingPolicy.

v1.31.0

Compare Source

Features Added
  • Added azure.core.AzureClouds enum to represent the different Azure clouds.
  • Added two new credential protocol classes, SupportsTokenInfo and AsyncSupportsTokenInfo, to offer more extensibility in supporting various token acquisition scenarios. #​36565
    • Each new protocol class defines a get_token_info method that returns an AccessTokenInfo object.
  • Added a new TokenRequestOptions class, which is a TypedDict with optional parameters, that can be used to define options for token requests through the get_token_info method. #​36565
  • Added a new AccessTokenInfo class, which is returned by get_token_info implementations. This class contains the token, its expiration time, and optional additional information like when a token should be refreshed. #​36565
  • BearerTokenCredentialPolicy and AsyncBearerTokenCredentialPolicy now first check if a credential has the get_token_info method defined. If so, the get_token_info method is used to acquire a token. Otherwise, the get_token method is used. #​36565
    • These policies now also check the refresh_on attribute when determining if a new token request should be made.
Other Changes
  • The Azure Core OpenTelemetry tracing plugin will now be the preferred tracing plugin over the OpenCensus plugin. If both plugins are installed and opentelemetry is imported, then OpenTelemetry will be used to trace Azure SDK operations. #​35050

v1.30.2

Compare Source

Features Added
  • Tracing: DistributedTracingPolicy will now set an attribute, http.request.resend_count, on HTTP spans for resent requests to indicate the resend attempt number. #​35069
Bugs Fixed
  • Raise correct exception if transport is used while already closed #​35559
Other Changes
  • HTTP tracing spans will now include an error.type attribute if an error status code is returned. #​34619
  • Minimum required Python version is now 3.8

v1.30.1

Compare Source

Other Changes
  • Accept float for retry_after header. #​34203

v1.30.0

Compare Source

Features Added
  • Support tuple input for file values to azure.core.rest.HttpRequest #​33948
  • Support tuple input to files with duplicate field names azure.core.rest.HttpRequest #​34021

v1.29.7

Compare Source

Other Changes

v1.29.6

Compare Source

Bugs Fixed
  • Adjusted AsyncBearerTokenCredentialPolicy to work properly with trio concurrency mechanisms. (#​33307)
Other Changes
  • Added dependency on anyio >=3.0,<5.0
  • Bumped minimum dependency on requests to 2.21.0.

v1.29.5

Compare Source

Bugs Fixed
  • Fixed an issue with multipart/form-data in the async transport where data was not getting encoded into the request body. #​32473
Other Changes
  • Use ssl context from aiohttp by default.

v1.29.4

Compare Source

Bugs Fixed
  • Fixed the issue that some urls trigger an infinite loop. #​31346
  • Fixed issue where IndexError was raised if multipart responses did not match the number of requests. #​31471
  • Fixed issue unbound variable exception if dict is invalid in CloudEvent.from_dict. #​31835
  • Fixed issue asyncBearerTokenCredentialPolicy is not backward compatible with SansIOHTTPPolicy. #​31836
  • Fixed issue mypy complains with new version of azure-core. #​31564

v1.29.3

Compare Source

Bugs Fixed
  • Typing fix: message cannot be None in AzureError. #​31564

v1.29.2

Compare Source

Bugs Fixed
  • Added a default implementation for AsyncTokenCredential.__aexit__() #​31573
Other Changes
  • Bumped typing-extensions version to 4.6.0.

v1.29.1

Compare Source

Bugs Fixed
  • Not pass enabled_cae unless it is explicitly enabled.

v1.29.0

Compare Source

Features Added
  • A keyword argument enable_cae was added to the get_token method of the TokenCredential protocol. #​31012
  • BearerTokenCredentialPolicy and AsyncBearerTokenCredentialPolicy now accept enable_cae keyword arguments in their constructors. This is used in determining if Continuous Access Evaluation (CAE) should be enabled for each get_token request. #​31012

Configuration

📅 Schedule: (in timezone Europe/London)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot force-pushed the renovate/pypi-azure-core-vulnerability branch from 2861a7d to fbe9ba4 Compare February 4, 2026 15:20
@renovate renovate Bot changed the title Update dependency azure-core to v1.38.0 [SECURITY] chore(deps): update dependency azure-core to v1.38.0 [security] Feb 4, 2026
@renovate renovate Bot force-pushed the renovate/pypi-azure-core-vulnerability branch from fbe9ba4 to 55bdf53 Compare March 14, 2026 10:03
@renovate renovate Bot changed the title chore(deps): update dependency azure-core to v1.38.0 [security] Update dependency azure-core to v1.38.0 [SECURITY] Apr 15, 2026
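
While a PR like this stays unmerged, other requirements files can still carry the old pin. The following is an added example (not part of the PR or of Renovate) that scans requirements text for azure-core entries that pin or could resolve below 1.38.0. The function names and sample file are hypothetical, and treating 1.38.0 as the floor is an assumption taken from the PR title, since the advisory text above does not state the affected range.

```python
import re

# Assumption: 1.38.0 is the floor because it is the version this PR moves to.
FIXED = (1, 38, 0)
_REQ = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*(.*)$")
_SPEC = re.compile(r"(===|==|~=|>=|<=|!=|>|<)\s*([0-9]+(?:\.[0-9]+)*)")

# Constructed sample requirements file (not taken from the repository).
SAMPLE = """\
azure-core==1.28.0
Azure_Core[tracing]>=1.30.0,<2  # extra named in the release notes
azure-core==1.38.0 ; python_version >= "3.9"
azure-core-tracing-opentelemetry==1.0.0b11
requests>=2.21.0
"""

def _norm(name):
    """PEP 503 normalization, so Azure_Core and azure.core match azure-core."""
    return re.sub(r"[-_.]+", "-", name).lower()

def _ver(text):
    """Turn a numeric release string such as '1.28.0' into a padded tuple."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def audit(requirements_text):
    """Return (line_no, verdict) for each azure-core requirement line."""
    findings = []
    for no, raw in enumerate(requirements_text.splitlines(), 1):
        # Drop comments and environment markers before parsing the specifier.
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        m = _REQ.match(line)
        if not m or _norm(m.group(1)) != "azure-core":
            continue
        specs = _SPEC.findall(m.group(2))
        pins = [_ver(v) for op, v in specs if op in ("==", "===")]
        floors = [_ver(v) for op, v in specs if op in (">=", "~=")]
        if pins:
            verdict = "pinned-below-1.38.0" if min(pins) < FIXED else "ok"
        elif floors and max(floors) >= FIXED:
            verdict = "ok"
        else:
            verdict = "may-resolve-below-1.38.0"
        findings.append((no, verdict))
    return findings

if __name__ == "__main__":
    for no, verdict in audit(SAMPLE):
        print(f"line {no}: {verdict}")
```

Ranges and unpinned entries are reported as "may-resolve-below-1.38.0" because only a lock file or the installed environment shows which version was actually selected.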