Release Notes Action Items for copilot-cli 1.0.48 → 1.0.51
This issue summarizes upstream release notes for the copilot-cli dependency between the previously pinned version (1.0.48) and the new pinned version (1.0.51), highlighting items that may need follow-up in ado-aw.
The companion version-bump PR is titled chore(deps): update COPILOT_CLI_VERSION to 1.0.51.
Releases analyzed
Security fixes
- Secret scanning now covers commit messages and PR descriptions, redacting secrets before they are published — added in v1.0.51. This is directly relevant to ado-aw's threat detection model: ado-aw's safe-outputs PR creation and issue creation tools pass content through the CLI, and this new secret redaction layer provides an additional defense. No code change needed, but maintainers should be aware of this behavior and verify it is consistent with ado-aw's own
sanitize.rs / validate.rs protections.
Notable features for ado-aw to adopt
preMcpToolCall hook for hook providers to control outgoing MCP request metadata — added in v1.0.51. ado-aw compiles pipelines that configure Copilot CLI hooks (e.g., for safe-outputs enforcement). Consider whether the preMcpToolCall hook surface should be exposed or blocked via the BLOCKED_ARG_PREFIXES list in src/engine.rs.postToolUse hooks can now inject additionalContext into successful tool results — added in v1.0.51 (and also referenced in v1.0.49 for sub-agent calls). This extends the hook API; ado-aw-generated pipelines may benefit from or need to guard against this capability.--session-id=<id> to resume known sessions or start new sessions with a specific UUID — added in v1.0.51. ado-aw controls the CLI arguments via its engine configuration; consider whether --session-id should be surfaced as a supported pipeline parameter or blocked.- Auto-disable the built-in
github-mcp-server in Azure DevOps-only workspaces — added in v1.0.48 (current pinned version, but worth noting). In prompt/headless mode the CLI now auto-disables the GitHub MCP server when running in an ADO-only context. ado-aw pipelines run headless; verify this heuristic does not accidentally suppress the GitHub MCP server that ado-aw explicitly configures.
This issue was opened automatically by the dependency version updater workflow.
Generated by Dependency Version Updater · ● 9.4M · ◷
Release Notes Action Items for
copilot-cli1.0.48→1.0.51This issue summarizes upstream release notes for the
copilot-clidependency between the previously pinned version (1.0.48) and the new pinned version (1.0.51), highlighting items that may need follow-up in ado-aw.The companion version-bump PR is titled
chore(deps): update COPILOT_CLI_VERSION to 1.0.51.Releases analyzed
Security fixes
sanitize.rs/validate.rsprotections.Notable features for ado-aw to adopt
preMcpToolCallhook for hook providers to control outgoing MCP request metadata — added in v1.0.51. ado-aw compiles pipelines that configure Copilot CLI hooks (e.g., for safe-outputs enforcement). Consider whether thepreMcpToolCallhook surface should be exposed or blocked via theBLOCKED_ARG_PREFIXESlist insrc/engine.rs.postToolUsehooks can now injectadditionalContextinto successful tool results — added in v1.0.51 (and also referenced in v1.0.49 for sub-agent calls). This extends the hook API; ado-aw-generated pipelines may benefit from or need to guard against this capability.--session-id=<id>to resume known sessions or start new sessions with a specific UUID — added in v1.0.51. ado-aw controls the CLI arguments via its engine configuration; consider whether--session-idshould be surfaced as a supported pipeline parameter or blocked.github-mcp-serverin Azure DevOps-only workspaces — added in v1.0.48 (current pinned version, but worth noting). In prompt/headless mode the CLI now auto-disables the GitHub MCP server when running in an ADO-only context. ado-aw pipelines run headless; verify this heuristic does not accidentally suppress the GitHub MCP server that ado-aw explicitly configures.This issue was opened automatically by the dependency version updater workflow.