fix(deps): override vulnerable MessagePack to 2.5.301 in AppHost
PR Checks / test-and-build (pull_request) Failing after 23m59s

GHSA-hv8m-jj95-wg3x / CVE-2026-48109. Aspire.Hosting.PostgreSQL 13.2.1
pulls MessagePack 2.5.192 which is affected; pin the patched transitive
dependency explicitly.
2026-06-13 11:21:57 +03:00
parent de121d7523
commit 6cd68493f1
2 changed files with 15 additions and 11 deletions
@@ -8,6 +8,9 @@
<ItemGroup> <ItemGroup>
<PackageReference Include="Aspire.Hosting.PostgreSQL" Version="13.2.1" /> <PackageReference Include="Aspire.Hosting.PostgreSQL" Version="13.2.1" />
<!-- Overrides transitive vulnerable MessagePack 2.5.192 pulled by Aspire.Hosting.PostgreSQL.
See GHSA-hv8m-jj95-wg3x / CVE-2026-48109. -->
<PackageReference Include="MessagePack" Version="2.5.301" />
</ItemGroup> </ItemGroup>
<PropertyGroup> <PropertyGroup>
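Review bot: The added `MessagePack` reference in this ItemGroup pins the patched version for the AppHost project only, so any other project in the solution that resolves MessagePack transitively is not covered by it. Running `dotnet list package --vulnerable --include-transitive` at solution level would confirm that nothing still resolves 2.5.192. The XML comment names the advisory but not the removal condition; I would add a line such as `Remove once Aspire.Hosting.PostgreSQL references MessagePack >= 2.5.301 itself.` so the override is not carried forward indefinitely. Since `Version="2.5.301"` is a minimum rather than an exact pin, restoring with `--locked-mode` in CI (if that is not already done) keeps the resolved version and content hash from drifting.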
+12 -11
@@ -83,6 +83,16 @@
"System.IO.Hashing": "10.0.3" "System.IO.Hashing": "10.0.3"
} }
}, },
"MessagePack": {
"type": "Direct",
"requested": "[2.5.301, )",
"resolved": "2.5.301",
"contentHash": "WUnJgmYc06ngIxZxLe9sa0P6rOTyOZIQn8SuDvJSjyMn7e8/AdlNAdt81WPUhWKeQ7hDkgxKU1vTrJqX/4L79A==",
"dependencies": {
"MessagePack.Annotations": "2.5.301",
"Microsoft.NET.StringTools": "17.6.3"
}
},
"SecurityCodeScan.VS2019": { "SecurityCodeScan.VS2019": {
"type": "Direct", "type": "Direct",
"requested": "[5.6.7, )", "requested": "[5.6.7, )",
@@ -248,19 +258,10 @@
"YamlDotNet": "16.3.0" "YamlDotNet": "16.3.0"
} }
}, },
"MessagePack": {
"type": "Transitive",
"resolved": "2.5.192",
"contentHash": "Jtle5MaFeIFkdXtxQeL9Tu2Y3HsAQGoSntOzrn6Br/jrl6c8QmG22GEioT5HBtZJR0zw0s46OnKU8ei2M3QifA==",
"dependencies": {
"MessagePack.Annotations": "2.5.192",
"Microsoft.NET.StringTools": "17.6.3"
}
},
"MessagePack.Annotations": { "MessagePack.Annotations": {
"type": "Transitive", "type": "Transitive",
"resolved": "2.5.192", "resolved": "2.5.301",
"contentHash": "jaJuwcgovWIZ8Zysdyf3b7b34/BrADw4v82GaEZymUhDd3ScMPrYd/cttekeDteJJPXseJxp04yTIcxiVUjTWg==" "contentHash": "3PyBiSeKTfvtyzUv3+9eXGIw7vBBZ0GAc4k3+RVT0tz2vKv3l0pviiA2b6DrmHyDvj1Au8lSVDDw/wKPMxUQ4A=="
}, },
"Microsoft.Extensions.AI.Abstractions": { "Microsoft.Extensions.AI.Abstractions": {
"type": "Transitive", "type": "Transitive",