
fix(deps): pin Microsoft.OpenApi to 2.7.5 to clear GHSA-v5pm-xwqc-g5wc#1321

Closed
marcelo-maciel wants to merge 1 commit into fullstackhero:main from marcelo-maciel:fix/bump-microsoft-openapi


Conversation

@marcelo-maciel

Contributor

What

Microsoft.OpenApi 2.0.0 resolves transitively (via Microsoft.AspNetCore.OpenApi 10.0.8 and Scalar.AspNetCore 2.14.14) and is flagged by advisory GHSA-v5pm-xwqc-g5wc / CVE-2026-49451: a circular schema reference can stack-overflow the parser and terminate the process (availability only, no RCE or data exposure).

Because the repo builds with TreatWarningsAsErrors, the NU1903 audit warning is promoted to an error, so a fresh dotnet restore fails repo-wide on any clean checkout or CI runner. A cached restore does not re-audit, which is why existing local builds still pass.

Fix

Central Package Transitive Pinning is already enabled in Directory.Packages.props, so a single PackageVersion entry floors Microsoft.OpenApi at the patched 2.7.5 everywhere it resolves. It stays on the same 2.x major and is compatible with Microsoft.AspNetCore.OpenApi 10.0.8.

Verification

Fresh dotnet restore plus full solution build clean with -warnaserror, 0 errors, NU1903 gone. The full test suite runs in CI on this PR (local host-boot smoke was blocked by a Windows Application Control policy in the throwaway worktree, unrelated to the change).

Microsoft.OpenApi 2.0.0 resolves transitively via Microsoft.AspNetCore.OpenApi
and Scalar.AspNetCore, and is flagged by advisory GHSA-v5pm-xwqc-g5wc
(CVE-2026-49451): a circular schema reference can stack-overflow the parser and
terminate the process. With TreatWarningsAsErrors, the NU1903 audit warning
promotes to an error, so a fresh `dotnet restore` fails repo-wide.

Central Package Transitive Pinning is already enabled, so adding a single
PackageVersion floors Microsoft.OpenApi at the patched 2.7.5 everywhere it
resolves. Same 2.x major, compatible with Microsoft.AspNetCore.OpenApi 10.0.8.

Verified: fresh restore + full solution build clean with -warnaserror, 0 errors,
NU1903 gone.
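The mechanism the description relies on, shown as an added illustration rather than the PR's own diff (the diff itself is not reproduced on this page): a minimal Directory.Packages.props with NuGet Central Package Management and transitive pinning enabled, plus the single PackageVersion floor. Only the Microsoft.OpenApi 2.7.5 pin and the package names and versions quoted in the description come from the PR; the file layout and the placement of the other entries are assumptions for illustration.

```xml
<Project>
  <PropertyGroup>
    <!-- Central Package Management: each project's PackageReference takes its
         version from the PackageVersion items in this file. -->
    <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
    <!-- Transitive pinning: a PackageVersion entry also floors packages that are
         only pulled in indirectly. This is what lets one line override the
         Microsoft.OpenApi 2.0.0 brought in by Microsoft.AspNetCore.OpenApi and
         Scalar.AspNetCore without adding a direct reference in any project. -->
    <CentralPackageTransitivePinningEnabled>true</CentralPackageTransitivePinningEnabled>
  </PropertyGroup>

  <ItemGroup>
    <!-- Direct dependencies named in the PR description (versions as stated there;
         assumed to be the entries already present in the repo). -->
    <PackageVersion Include="Microsoft.AspNetCore.OpenApi" Version="10.0.8" />
    <PackageVersion Include="Scalar.AspNetCore" Version="2.14.14" />

    <!-- The fix: floor the transitive Microsoft.OpenApi at the patched release so
         the NU1903 audit warning (promoted to an error by TreatWarningsAsErrors)
         no longer fires on a clean restore. -->
    <PackageVersion Include="Microsoft.OpenApi" Version="2.7.5" />
  </ItemGroup>
</Project>
```

Because a cached restore does not re-run the audit, the failure the description reports only shows on a clean checkout; `dotnet restore --force` forces a full restore instead of a no-op one and reproduces it locally. After the pin, `dotnet list package --vulnerable --include-transitive` confirms that no transitive package still matches a known advisory, which is a quicker check than waiting for the next clean CI run.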

@marcelo-maciel

Contributor Author

Superseded by #1319, which already pins Microsoft.OpenApi to the patched 2.9.0 on main. Closing as duplicate.

@marcelo-maciel marcelo-maciel deleted the fix/bump-microsoft-openapi branch July 1, 2026 21:02