build(deps): bump msal from 1.36.0 to 1.37.0

[dependabot]

Bumps msal from 1.36.0 to 1.37.0.

Release notes

Sourced from msal's releases.

1.37.0

Breaking Changes

• Removed support for Python 3.8 in #910

New Features

• Add User Federated Identity Credential (user_fic) grant type support in #918

Bug Fixes and Improvements

• Use unsigned redirect URI for macOS broker silent flows in #907
• Escape username parameter in #901
• Forward MSAL client metadata headers through IMDS to ESTS in #902

Dependency Updates

• Update pymsalruntime minimum version to 0.20.6 in #919
• Bump cryptography dependency ceiling to <50 (N+3) in #906

Changelog

Sourced from msal's changelog.

MSAL Python — Release Guide

How to ship a new version of msal to PyPI. Everything happens in Azure DevOps (no GitHub Releases, no Git-tag-triggered automation).

---

Before you start — one-time prerequisites

Confirm these are set up in ADO (IdentityDivision → IDDP project) — the release will fail at runtime if any are missing:

• Pipeline MSAL.Python-Publish (definition 3067) exists
• Service connection MSAL-ESRP-AME exists and is authorized
• Environment MSAL-Python-Release has a required manual approval configured under Approvals and checks
• Key Vault MSALVault contains cert MSAL-ESRP-Release-Signing

Note on TestPyPI: The TestPyPI publish path (publishTarget = test.pypi.org (Preview / RC)) is currently a no-op — the MSAL-Test-Python-Upload service connection has not been created yet, so that stage prints a skip message and uploads nothing. Until it's wired up, use an RC version (e.g. 1.36.0rc1) on the production path for dry runs.

---

Release in 4 steps

1. Bump the version on dev

The package version lives in one file: https://github.com/AzureAD/microsoft-authentication-library-for-python/blob/dev/msal/sku.py.

__version__ = "1.36.0"     # final release
# or
__version__ = "1.36.0rc1"  # RC / dry run

Open a PR, get it merged into dev.

2. Cut the release branch

git checkout dev && git pull
git checkout -b release-1.36.0
git push origin release-1.36.0

Pushing the branch does not publish anything — the pipeline is manual.

... (truncated)

Commits

• ebb980f Update version to 1.37.0 (#922)
• c504b41 Migrate CI/CD from GitHub Actions to ADO; remove GH Actions workflow (#895)
• 192a82d Removed support for Python 3.8 (#910)
• 08aa7fd Add User Federated Identity Credential (user_fic) grant type support (#918)
• d4f58ec Add documentation for MSI v2 mTLS in Python (#904)
• 5866feb Create design document for MSI v2 In-Memory Key Approach (#905)
• 651d54b Update pymsalruntime minimum version to 0.20.6 (#919)
• 895b581 Use unsigned redirect uri for mac broker flows (#907)
• 8ea1eaa Switch FMI tests from disabled IDLABS_APP_FMI to MISE-App-FMICLIENT (#913)
• faf5dce Bump cryptography dependency ceiling to <50 (N+3) (#906)
• Additional commits viewable in compare view

[mergify]

Automatically approving dependabot

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 49.69%. Comparing base (dc0c759) to head (521f05c).
⚠️ Report is 312 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #274   +/-   ##
=======================================
  Coverage   49.69%   49.69%           
=======================================
  Files           4        4           
  Lines         163      163           
  Branches       18       16    -2     
=======================================
  Hits           81       81           
  Misses         82       82           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.