From c78c62a04831489f406b0859b48186e4bef65af0 Mon Sep 17 00:00:00 2001 From: "Marcelo M. Maciel" <4993482+marcelo-maciel@users.noreply.github.com> Date: Wed, 1 Jul 2026 17:59:02 -0300 Subject: [PATCH] fix(deps): pin Microsoft.OpenApi to 2.7.5 to clear GHSA-v5pm-xwqc-g5wc Microsoft.OpenApi 2.0.0 resolves transitively via Microsoft.AspNetCore.OpenApi and Scalar.AspNetCore, and is flagged by advisory GHSA-v5pm-xwqc-g5wc (CVE-2026-49451): a circular schema reference can stack-overflow the parser and terminate the process. With TreatWarningsAsErrors, the NU1903 audit warning promotes to an error, so a fresh `dotnet restore` fails repo-wide. Central Package Transitive Pinning is already enabled, so adding a single PackageVersion floors Microsoft.OpenApi at the patched 2.7.5 everywhere it resolves. Same 2.x major, compatible with Microsoft.AspNetCore.OpenApi 10.0.8. Verified: fresh restore + full solution build clean with -warnaserror, 0 errors, NU1903 gone. --- src/Directory.Packages.props | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/Directory.Packages.props b/src/Directory.Packages.props index c4661c3054..6b3d4d4be6 100644 --- a/src/Directory.Packages.props +++ b/src/Directory.Packages.props @@ -99,6 +99,10 @@ + +
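Review bot: the two `+` lines in the `@@ -99,6 +99,10 @@` hunk render as blank, and the stat line says 4 insertions, so the `PackageVersion` entry the commit message describes cannot be checked against the diff as shown; please confirm the element (package id, the 2.7.5 floor, and any closing/blank lines) survived, and add an XML comment next to the pin citing GHSA-v5pm-xwqc-g5wc so a later dependency bump does not silently drop the floor. The message asserts compatibility with Microsoft.AspNetCore.OpenApi 10.0.8 but Scalar.AspNetCore is also named as a transitive source of Microsoft.OpenApi 2.0.0, so it would be worth stating that Scalar's build was exercised too, and recording a `dotnet list package --vulnerable --include-transitive` run alongside the `-warnaserror` build as the evidence that NU1903 is cleared rather than merely no longer promoted to an error.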