
fix(deps): pin Microsoft.OpenApi to patched 2.9.0 (NU1903) #1319

Merged: iammukeshm merged 1 commit into main from fix/pin-microsoft-openapi on Jul 1, 2026

Conversation

@iammukeshm

Member

Fixes #1318.

Problem

Microsoft.OpenApi 2.0.0 flows in transitively via Microsoft.AspNetCore.OpenApi 10.0.8 (which only requires >= 2.0.0) and carries HIGH-severity advisory GHSA-v5pm-xwqc-g5wc. With NuGetAuditMode=all (default on recent SDKs) + TreatWarningsAsErrors=true, this fails the build:

error NU1903: Package 'Microsoft.OpenApi' 2.0.0 has a known high severity vulnerability

Reproduce on clean main:

dotnet build src/FSH.Starter.slnx -p:NuGetAuditMode=all

Fix

Pin Microsoft.OpenApi to 2.9.0 in src/Directory.Packages.props (CentralPackageTransitivePinningEnabled is already on, so one entry pins the whole graph).

  • Advisory is first patched in 2.7.5; 2.9.0 is the latest patched 2.x.
  • Deliberately staying on 2.x: 3.x has breaking API changes (IOpenApiMediaType.Example becomes read-only) that fail the framework's OpenAPI transformers and AspNetCore.OpenApi's source generator.

Verification

  • dotnet build src/FSH.Starter.slnx -p:NuGetAuditMode=all → Build succeeded (was NU1903 before).
  • Resolved Microsoft.OpenApi is now 2.9.0 (no advisory).

🤖 Generated with Claude Code

Microsoft.AspNetCore.OpenApi 10.0.8 only requires Microsoft.OpenApi >= 2.0.0,
so it floated in the vulnerable 2.0.0 transitively. Under NuGetAuditMode=all +
TreatWarningsAsErrors that fails the build with NU1903 (GHSA-v5pm-xwqc-g5wc,
HIGH, patched in 2.7.5). Stay on the 2.x line — 3.x has breaking API changes
that fail the OpenAPI transformers. Pin to latest patched 2.x (2.9.0).

Fixes #1318

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@iammukeshm iammukeshm merged commit 4a16370 into main Jul 1, 2026
16 checks passed
@iammukeshm iammukeshm deleted the fix/pin-microsoft-openapi branch July 1, 2026 18:40
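The PR's verification step ("resolved Microsoft.OpenApi is now 2.9.0") can be checked mechanically from the restore output rather than by eye. The script below is an added example, not code from the FSH.Starter repository or from this PR: it reads the version NuGet actually resolved from a project.assets.json, reads the central pin from a Directory.Packages.props, and enforces the two constraints the PR states (at least the first patched version 2.7.5, and still on the 2.x line). The props fragment and the two assets.json excerpts are constructed inline to mirror the shape of the real files; only the keys the script touches are included, and the function names (`check_policy`, `central_pin`, `resolved_versions`) are this example's own.

```python
"""Verify that a NuGet package resolved by restore satisfies a version policy.

Added example (not the project's code). Inputs below are constructed to
mirror the shape of Directory.Packages.props and project.assets.json; real
files carry many more entries and keys than shown here.
"""
import json
import xml.etree.ElementTree as ET

# Constructed Directory.Packages.props fragment: the central pin the PR adds,
# with transitive pinning switched on so the single entry governs the graph.
PACKAGES_PROPS = """<Project>
  <PropertyGroup>
    <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
    <CentralPackageTransitivePinningEnabled>true</CentralPackageTransitivePinningEnabled>
  </PropertyGroup>
  <ItemGroup>
    <PackageVersion Include="Microsoft.AspNetCore.OpenApi" Version="10.0.8" />
    <PackageVersion Include="Microsoft.OpenApi" Version="2.9.0" />
  </ItemGroup>
</Project>
"""

# Constructed project.assets.json excerpts. "targets" is keyed by framework,
# and each entry is "PackageId/ResolvedVersion". Before the pin, the
# ">= 2.0.0" dependency floats down to 2.0.0; after it, 2.9.0 is resolved.
ASSETS_BEFORE = json.dumps({"version": 3, "targets": {"net10.0": {
    "Microsoft.AspNetCore.OpenApi/10.0.8": {
        "type": "package", "dependencies": {"Microsoft.OpenApi": "2.0.0"}},
    "Microsoft.OpenApi/2.0.0": {"type": "package"}}}})
ASSETS_AFTER = json.dumps({"version": 3, "targets": {"net10.0": {
    "Microsoft.AspNetCore.OpenApi/10.0.8": {
        "type": "package", "dependencies": {"Microsoft.OpenApi": "2.0.0"}},
    "Microsoft.OpenApi/2.9.0": {"type": "package"}}}})


def parse_version(v):
    """'2.9.0' -> (2, 9, 0). A prerelease tag is dropped, so '2.7.5-rc.1'
    compares equal to 2.7.5; tighten this if prereleases matter to you."""
    core = v.split("-", 1)[0]
    return tuple(int(p) for p in core.split("."))


def resolved_versions(assets_json, package_id):
    """Return {framework: resolved_version} for package_id from the assets file."""
    data = json.loads(assets_json)
    found = {}
    for framework, entries in data["targets"].items():
        for key in entries:
            pkg, _, ver = key.partition("/")
            if pkg.lower() == package_id.lower():
                found[framework] = ver
    return found


def central_pin(props_xml, package_id):
    """Return (pinned_version or None, transitive_pinning_enabled)."""
    root = ET.fromstring(props_xml)
    flag = root.findtext(".//CentralPackageTransitivePinningEnabled", "false")
    enabled = flag.strip().lower() == "true"
    for pv in root.iter("PackageVersion"):
        if pv.get("Include", "").lower() == package_id.lower():
            return pv.get("Version"), enabled
    return None, enabled


def check_policy(assets_json, package_id, min_patched, max_major):
    """Return a list of violations; an empty list means the graph is acceptable.

    min_patched: first version that carries the fix (2.7.5 for the advisory).
    max_major:   first major line to refuse (3 here, since 3.x breaks the
                 project's OpenAPI transformers).
    """
    problems = []
    resolved = resolved_versions(assets_json, package_id)
    if not resolved:
        return [f"{package_id}: not present in any target"]
    for framework, ver in resolved.items():
        t = parse_version(ver)
        if t < parse_version(min_patched):
            problems.append(f"{framework}: {package_id} {ver} is below first patched {min_patched}")
        if t[0] >= max_major:
            problems.append(f"{framework}: {package_id} {ver} is on {t[0]}.x; policy stays below {max_major}.x")
    return problems


if __name__ == "__main__":
    pin, transitive = central_pin(PACKAGES_PROPS, "Microsoft.OpenApi")
    print(f"central pin: {pin}, transitive pinning enabled: {transitive}")
    for label, assets in (("before", ASSETS_BEFORE), ("after", ASSETS_AFTER)):
        issues = check_policy(assets, "Microsoft.OpenApi", "2.7.5", 3)
        print(f"{label}: {'ok' if not issues else issues}")
```

Point it at the real `obj/project.assets.json` after `dotnet restore` and it fails the same way `NuGetAuditMode=all` does, but with the policy (minimum patched version, maximum major) stated explicitly in the repository rather than only in the advisory database. Note that `CentralPackageTransitivePinningEnabled` is what makes the single `PackageVersion` entry override the floated transitive version; without it the pin would apply only to packages the projects reference directly.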


Development

Successfully merging this pull request may close these issues.

Build fails: transitive Microsoft.OpenApi 2.0.0 has high-severity advisory (NU1903)

1 participant