From c78c62a04831489f406b0859b48186e4bef65af0 Mon Sep 17 00:00:00 2001
From: "Marcelo M. Maciel" <4993482+marcelo-maciel@users.noreply.github.com>
Date: Wed, 1 Jul 2026 17:59:02 -0300
Subject: [PATCH] fix(deps): pin Microsoft.OpenApi to 2.7.5 to clear
 GHSA-v5pm-xwqc-g5wc

Microsoft.OpenApi 2.0.0 resolves transitively via Microsoft.AspNetCore.OpenApi
and Scalar.AspNetCore, and is flagged by advisory GHSA-v5pm-xwqc-g5wc
(CVE-2026-49451): a circular schema reference can stack-overflow the parser and
terminate the process. With TreatWarningsAsErrors, the NU1903 audit warning
promotes to an error, so a fresh `dotnet restore` fails repo-wide.

Central Package Transitive Pinning is already enabled, so adding a single
PackageVersion floors Microsoft.OpenApi at the patched 2.7.5 everywhere it
resolves. Same 2.x major, compatible with Microsoft.AspNetCore.OpenApi 10.0.8.

Verified: fresh restore + full solution build clean with -warnaserror, 0 errors,
NU1903 gone.
---
src/Directory.Packages.props | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/Directory.Packages.props b/src/Directory.Packages.props
index c4661c3054..6b3d4d4be6 100644
--- a/src/Directory.Packages.props
+++ b/src/Directory.Packages.props
@@ -99,6 +99,10 @@
+
+
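Review bot: the hunk body is incomplete as shown. The header `@@ -99,6 +99,10 @@` and the stat line promise four inserted lines plus six lines of unchanged context, but only two empty `+` lines survive and no context at all, so the actual `PackageVersion` element the commit message describes (an entry pinning Microsoft.OpenApi to 2.7.5 in src/Directory.Packages.props) cannot be reviewed here; please re-send the patch with the full hunk, since element content in a .props file is easily lost when the message is mangled in transit. Two points to check once the real lines are visible: with Central Package Transitive Pinning enabled, a `PackageVersion` with no matching `PackageReference` is exactly what is needed to floor a transitive dependency, so there should be no new `PackageReference` in any project, only the version entry; and it is worth placing an XML comment beside the entry naming GHSA-v5pm-xwqc-g5wc / CVE-2026-49451 and the NU1903 failure it clears, so that a later cleanup of "unused" pins does not silently drop it and reintroduce the vulnerable 2.0.0 resolution.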