fix(deps): pin Microsoft.OpenApi to 2.7.5 to clear GHSA-v5pm-xwqc-g5wc#1321
Closed
marcelo-maciel wants to merge 1 commit into
Conversation
Microsoft.OpenApi 2.0.0 resolves transitively via Microsoft.AspNetCore.OpenApi and Scalar.AspNetCore, and is flagged by advisory GHSA-v5pm-xwqc-g5wc (CVE-2026-49451): a circular schema reference can stack-overflow the parser and terminate the process. With TreatWarningsAsErrors, the NU1903 audit warning promotes to an error, so a fresh `dotnet restore` fails repo-wide. Central Package Transitive Pinning is already enabled, so adding a single PackageVersion floors Microsoft.OpenApi at the patched 2.7.5 everywhere it resolves. Same 2.x major, compatible with Microsoft.AspNetCore.OpenApi 10.0.8. Verified: fresh restore + full solution build clean with -warnaserror, 0 errors, NU1903 gone.
Superseded by #1319, which already pins Microsoft.OpenApi to the patched 2.9.0 on main. Closing as duplicate.
What

Microsoft.OpenApi 2.0.0 resolves transitively (via Microsoft.AspNetCore.OpenApi 10.0.8 and Scalar.AspNetCore 2.14.14) and is flagged by advisory GHSA-v5pm-xwqc-g5wc / CVE-2026-49451: a circular schema reference can stack-overflow the parser and terminate the process (availability only, no RCE or data exposure). Because the repo builds with `TreatWarningsAsErrors`, the `NU1903` audit warning is promoted to an error, so a fresh `dotnet restore` fails repo-wide on any clean checkout or CI runner. A cached restore does not re-audit, which is why existing local builds still pass.

Fix

Central Package Transitive Pinning is already enabled in `Directory.Packages.props`, so a single `PackageVersion` entry floors `Microsoft.OpenApi` at the patched `2.7.5` everywhere it resolves. It stays on the same `2.x` major and is compatible with `Microsoft.AspNetCore.OpenApi 10.0.8`.

Verification

Fresh `dotnet restore` plus full solution build clean with `-warnaserror`, 0 errors, `NU1903` gone. The full test suite runs in CI on this PR (local host-boot smoke was blocked by a Windows Application Control policy in the throwaway worktree, unrelated to the change).
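The PR body describes the fix but does not show the file. The following `Directory.Packages.props` is an added illustration, not the repository's actual file or the PR's diff: the property names are the standard NuGet Central Package Management settings, the direct-reference versions are the ones the PR names, and the layout of the repo's real file is an assumption.

```xml
<!-- Added illustration of Directory.Packages.props; not the repo's own file.
     Package versions are the ones quoted in the PR description. -->
<Project>
  <PropertyGroup>
    <!-- Central Package Management: every PackageReference in the solution
         takes its version from the PackageVersion items below. -->
    <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>

    <!-- Transitive pinning: a PackageVersion entry also overrides the version of a
         package that no project references directly. This is what lets one line
         cover the Microsoft.OpenApi dependency of both Microsoft.AspNetCore.OpenApi
         and Scalar.AspNetCore. Without it the entry below would simply be unused. -->
    <CentralPackageTransitivePinningEnabled>true</CentralPackageTransitivePinningEnabled>

    <!-- Audit the whole resolved graph, not only direct references, so a transitive
         Microsoft.OpenApi 2.0.0 surfaces as NU1903 (high severity) during restore.
         Stated explicitly here; recent SDKs already default to "all". -->
    <NuGetAuditMode>all</NuGetAuditMode>

    <!-- As described in the PR: restore warnings such as NU1903 become errors,
         so a clean checkout cannot build until the advisory is cleared. -->
    <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
  </PropertyGroup>

  <ItemGroup>
    <!-- Direct references named in the PR -->
    <PackageVersion Include="Microsoft.AspNetCore.OpenApi" Version="10.0.8" />
    <PackageVersion Include="Scalar.AspNetCore" Version="2.14.14" />

    <!-- The fix: floor the transitive dependency at the patched release.
         Same 2.x major, so the OpenAPI document model stays API-compatible. -->
    <PackageVersion Include="Microsoft.OpenApi" Version="2.7.5" />
  </ItemGroup>
</Project>
```

To confirm the pin took effect on a clean checkout, run `dotnet restore` with no package cache and then `dotnet list package --vulnerable --include-transitive`; the report should list no advisory for Microsoft.OpenApi and the resolved version should read 2.7.5. Because a cached restore does not re-audit, a machine that already restored 2.0.0 before the advisory was published will not reproduce the NU1903 failure until its cache is cleared or the lock is refreshed.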