chore(deps-dev): bump msal from 1.36.0 to 1.37.0 #1523

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/pip/msal-1.37.0

@dependabot dependabot Bot commented on behalf of github Jun 3, 2026

Bumps msal from 1.36.0 to 1.37.0.

Release notes

Sourced from msal's releases.

1.37.0

Breaking Changes

  • Removed support for Python 3.8 in #910

New Features

  • Add User Federated Identity Credential (user_fic) grant type support in #918

Bug Fixes and Improvements

  • Use unsigned redirect URI for macOS broker silent flows in #907
  • Escape username parameter in #901
  • Forward MSAL client metadata headers through IMDS to ESTS in #902

Dependency Updates

  • Update pymsalruntime minimum version to 0.20.6 in #919
  • Bump cryptography dependency ceiling to <50 (N+3) in #906

Changelog

Sourced from msal's changelog.

MSAL Python — Release Guide

How to ship a new version of msal to PyPI. Everything happens in Azure DevOps (no GitHub Releases, no Git-tag-triggered automation).


Before you start — one-time prerequisites

Confirm these are set up in ADO (IdentityDivisionIDDP project) — the release will fail at runtime if any are missing:

  • Pipeline MSAL.Python-Publish (definition 3067) exists
  • Service connection MSAL-ESRP-AME exists and is authorized
  • Environment MSAL-Python-Release has a required manual approval configured under Approvals and checks
  • Key Vault MSALVault contains cert MSAL-ESRP-Release-Signing

Note on TestPyPI: The TestPyPI publish path (publishTarget = test.pypi.org (Preview / RC)) is currently a no-op — the MSAL-Test-Python-Upload service connection has not been created yet, so that stage prints a skip message and uploads nothing. Until it's wired up, use an RC version (e.g. 1.36.0rc1) on the production path for dry runs.


Release in 4 steps

1. Bump the version on dev

The package version lives in one file: https://github.com/AzureAD/microsoft-authentication-library-for-python/blob/dev/msal/sku.py.

__version__ = "1.36.0"     # final release
# or
__version__ = "1.36.0rc1"  # RC / dry run

Open a PR, get it merged into dev.

2. Cut the release branch

git checkout dev && git pull
git checkout -b release-1.36.0
git push origin release-1.36.0

Pushing the branch does not publish anything — the pipeline is manual.

... (truncated)

Commits

  • ebb980f Update version to 1.37.0 (#922)
  • c504b41 Migrate CI/CD from GitHub Actions to ADO; remove GH Actions workflow (#895)
  • 192a82d Removed support for Python 3.8 (#910)
  • 08aa7fd Add User Federated Identity Credential (user_fic) grant type support (#918)
  • d4f58ec Add documentation for MSI v2 mTLS in Python (#904)
  • 5866feb Create design document for MSI v2 In-Memory Key Approach (#905)
  • 651d54b Update pymsalruntime minimum version to 0.20.6 (#919)
  • 895b581 Use unsigned redirect uri for mac broker flows (#907)
  • 8ea1eaa Switch FMI tests from disabled IDLABS_APP_FMI to MISE-App-FMICLIENT (#913)
  • faf5dce Bump cryptography dependency ceiling to <50 (N+3) (#906)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [msal](https://github.com/AzureAD/microsoft-authentication-library-for-python) from 1.36.0 to 1.37.0.
- [Release notes](https://github.com/AzureAD/microsoft-authentication-library-for-python/releases)
- [Changelog](https://github.com/AzureAD/microsoft-authentication-library-for-python/blob/dev/RELEASE_GUIDE.md)
- [Commits](AzureAD/microsoft-authentication-library-for-python@1.36.0...1.37.0)

---
updated-dependencies:
- dependency-name: msal
  dependency-version: 1.37.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

@dependabot dependabot Bot added the dependencies (Pull requests that update a dependency file) and python (Pull requests that update Python code) labels Jun 3, 2026
@dependabot dependabot Bot requested a review from a team as a code owner June 3, 2026 22:27
@github-actions github-actions Bot enabled auto-merge June 3, 2026 22:28