From 787ac92ad612b9050037d5a673288568d543e694 Mon Sep 17 00:00:00 2001 From: iammukeshm Date: Fri, 12 Jun 2026 18:17:21 +0530 Subject: [PATCH] fix(deps): pin transitive MessagePack to 2.5.301 (NU1903 audit failure) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit GitHub advisory GHSA-hv8m-jj95-wg3x (high severity, LZ4 decompression AccessViolationException) was published against MessagePack < 2.5.301, which Microsoft.AspNetCore.SignalR.StackExchangeRedis pulls in at 2.5.187. NuGet audit runs with warnings-as-errors, so every restore in CI now fails with NU1903 — breaking all PR checks regardless of their content. CentralPackageTransitivePinningEnabled is on, so a single PackageVersion entry bumps the transitive across the solution. Remove the pin once the SignalR backplane package references a patched MessagePack itself. Co-Authored-By: Claude Fable 5 --- src/Directory.Packages.props | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/src/Directory.Packages.props b/src/Directory.Packages.props index 404daeb6f5..c4661c3054 100644 --- a/src/Directory.Packages.props +++ b/src/Directory.Packages.props @@ -120,4 +120,11 @@ + + + + \ No newline at end of file
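Review bot: as far as this hunk shows, the condition for removing the pin is recorded only in the commit message, not beside the entry added at the end of src/Directory.Packages.props (the 7 lines from 120 on). Put the advisory id GHSA-hv8m-jj95-wg3x and the removal condition ("once the SignalR backplane package references a patched MessagePack itself") in an XML comment next to the MessagePack PackageVersion entry, if they are not there already. Anyone later bumping Microsoft.AspNetCore.SignalR.StackExchangeRedis can then see why the pin exists and when it can go. Because CentralPackageTransitivePinningEnabled applies the pin across the whole solution, a stale 2.5.301 pin would also hold MessagePack back after the backplane package moves past it. Separately, the hunk ends with "\ No newline at end of file"; since the change rewrites the tail of the file anyway, add the trailing newline here.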