From dcad4d7460b106b455effa69f1277282bdffdbf5 Mon Sep 17 00:00:00 2001 From: iammukeshm Date: Thu, 2 Jul 2026 00:01:13 +0530 Subject: [PATCH] fix(deps): pin Microsoft.OpenApi to patched 2.9.0 (NU1903) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Microsoft.AspNetCore.OpenApi 10.0.8 only requires Microsoft.OpenApi >= 2.0.0, so it floated in the vulnerable 2.0.0 transitively. Under NuGetAuditMode=all + TreatWarningsAsErrors that fails the build with NU1903 (GHSA-v5pm-xwqc-g5wc, HIGH, patched in 2.7.5). Stay on the 2.x line — 3.x has breaking API changes that fail the OpenAPI transformers. Pin to latest patched 2.x (2.9.0). Fixes #1318 Co-Authored-By: Claude Opus 4.8 (1M context) --- src/Directory.Packages.props | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/Directory.Packages.props b/src/Directory.Packages.props index c4661c3054..b1567ac911 100644 --- a/src/Directory.Packages.props +++ b/src/Directory.Packages.props @@ -99,6 +99,11 @@ + +