Skip to content

fix: Remove AutoMapper dependency to remediate CVE-2026-32933#1457

Merged
JoseRenan merged 2 commits intomainfrom
fix/remove-automapper-cve-2026-32933
Apr 9, 2026
Merged

fix: Remove AutoMapper dependency to remediate CVE-2026-32933#1457
JoseRenan merged 2 commits intomainfrom
fix/remove-automapper-cve-2026-32933

Conversation

@JoseRenan
Copy link
Copy Markdown
Member

@JoseRenan JoseRenan commented Mar 30, 2026
edited
Loading

Summary

Removes the AutoMapper 10.1.1 NuGet dependency to remediate CVE-2026-32933 (High severity, due 2026-06-12).

Replaces AutoMapper with explicit manual property-by-property mapping in a new \ConfigurationMapper\ class. No reflection is used — every mapped property is listed explicitly for auditability.

Why manual mapping?

Manual mapping is:

  • Auditable: every property mapping is visible in code
  • Compile-time safe: missing/renamed properties cause build errors
  • Zero new dependencies: no Mapster, Mapperly, or other libraries introduced

What changed

Area Change
\ConfigurationMapper.cs\ New — explicit \MapFrom()\ for each Args type + ConfigFile, \Merge(), \ToConfiguration()\
\ConfigPostProcessor.cs\ Removed \IMappingAction<>\ interface, simplified to plain class
\ConfigurationBuilder.cs\ Uses \ConfigurationMapper\ instead of \IMapper\
\ServiceCollectionExtensions.cs\ \AddTransient()\ replaces \AddAutoMapper()\
4 .csproj\ files Removed AutoMapper package references
\Directory.Packages.props\ Removed AutoMapper version entries
\ConfigurationProfile.cs\ + 9 value converters Deleted

Validation

  • ✅ Build: 0 warnings, 0 errors
  • ✅ All 829 unit tests pass
  • ✅ E2E CLI tests: Generate, Validate, Redact, Aggregate, Config merge, Duplicate conflict detection, External SBOM validate

@JoseRenan
fix: remove AutoMapper dependency to remediate CVE-2026-32933
bff4c5e 
Replace AutoMapper 10.1.1 (and AutoMapper.Extensions.Microsoft.DependencyInjection 8.1.1)
with explicit manual property-by-property mapping in ConfigurationMapper.cs.

Changes:
- Add ConfigurationMapper with explicit MapFrom() for each Args type and ConfigFile
- Add type-safe MergeSetting<T>() for config merge with conflict detection
- Add explicit ToConfiguration() for InputConfiguration -> Configuration copy
- Refactor ConfigPostProcessor to remove IMappingAction interface dependency
- Update ConfigurationBuilder to use ConfigurationMapper directly
- Update DI registration from AddAutoMapper() to AddTransient<ConfigPostProcessor>()
- Remove AutoMapper from all 4 csproj files and Directory.Packages.props
- Delete ConfigurationProfile.cs and 9 value converter files

No reflection used - every mapped property is listed explicitly for auditability.
All 829 unit tests pass. E2E CLI tests verified (generate, validate, redact, aggregate, config merge).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@github-actions
Copy link
Copy Markdown

github-actions bot commented Mar 30, 2026

This PR changes files in the API project. Does it change any of the API interfaces in any way? Please note that this includes the following types of changes:

  • Changing the signature of an existing interface method
  • Adding a new method to an existing interface
  • Adding a required data member to a class that an existing interface method consumes

Because any of these changes can potentially break a downstream consumer with customized interface implementations, these changes need to be treated as breaking changes. Please do one of the following:

Option 1 - Publish this as a breaking change

  1. Update the documentation to show the new functionality
  2. Bump the major version in the next release
  3. Be sure to highlight the breaking changes in the release notes

Option 2 - Refactor the changes to be non-breaking

  1. Review this commit, which adds a new interface in a backward-compatible way
  2. Refactor the change to follow this pattern so that existing interfaces are left completely intact
  3. Bump the minor version in the next release

@KalleOlaviNiemitalo
Copy link
Copy Markdown

KalleOlaviNiemitalo commented Mar 31, 2026
edited
Loading

sbom-tool is in EOL/deprecation

That would be good to say in the README too, and in NuGet Gallery.

@KalleOlaviNiemitalo KalleOlaviNiemitalo mentioned this pull request Mar 31, 2026
Open
@JoseRenan
chore: remove .features from tracked files
e2cfde0 
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@github-actions
Copy link
Copy Markdown

github-actions bot commented Mar 31, 2026

This PR changes files in the API project. Does it change any of the API interfaces in any way? Please note that this includes the following types of changes:

  • Changing the signature of an existing interface method
  • Adding a new method to an existing interface
  • Adding a required data member to a class that an existing interface method consumes

Because any of these changes can potentially break a downstream consumer with customized interface implementations, these changes need to be treated as breaking changes. Please do one of the following:

Option 1 - Publish this as a breaking change

  1. Update the documentation to show the new functionality
  2. Bump the major version in the next release
  3. Be sure to highlight the breaking changes in the release notes

Option 2 - Refactor the changes to be non-breaking

  1. Review this commit, which adds a new interface in a backward-compatible way
  2. Refactor the change to follow this pattern so that existing interfaces are left completely intact
  3. Bump the minor version in the next release

@KalleOlaviNiemitalo KalleOlaviNiemitalo mentioned this pull request Apr 1, 2026
Open
@JoseRenan JoseRenan marked this pull request as ready for review April 9, 2026 19:55
@JoseRenan JoseRenan requested a review from a team as a code owner April 9, 2026 19:55
@sfoslund
Copy link
Copy Markdown
Member

sfoslund commented Apr 9, 2026

/azp run

@JoseRenan JoseRenan enabled auto-merge (squash) April 9, 2026 20:02
@JoseRenan JoseRenan disabled auto-merge April 9, 2026 20:02
@JoseRenan JoseRenan enabled auto-merge (squash) April 9, 2026 20:02
@JoseRenan JoseRenan merged commit 629f31c into main Apr 9, 2026
5 checks passed
@JoseRenan JoseRenan deleted the fix/remove-automapper-cve-2026-32933 branch April 9, 2026 21:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sfoslund sfoslund sfoslund approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@JoseRenan @KalleOlaviNiemitalo @sfoslund