Bump the nuget group with 1 update by dependabot[bot] · Pull Request #80 · KoalaFacts/HeroMessaging

dependabot · 2026-06-12T00:41:15Z

Updated MessagePack from 3.1.4 to 3.1.7.

Release notes

Sourced from MessagePack's releases.

3.1.7 What's Changed

Add scoped to MessagePackWriter.Write(ReadOnlySpan<T>) methods by @AArnott in Add scoped to MessagePackWriter.Write(ReadOnlySpan<T>) methods MessagePack-CSharp/MessagePack-CSharp#2271
Fix security issues in master by @AArnott in Fix security issues in master MessagePack-CSharp/MessagePack-CSharp#2274

Security release details

This release fixes 3 high severity and 9 moderate severity security vulnerabilities.

High severity advisory fixes

26d4e743 GHSA-382j-8mxh-c7x2 Reject invalid DateTime ext lengths for CWE-789
b9cb6050 GHSA-vh6j-jc39-fggf Use iteration for skipping msgpack structures for CWE-674
719e690a GHSA-hv8m-jj95-wg3x Bound LZ4 input reads for CWE-125

Moderage severity advisory fixes

2b5a500a GHSA-v72x-2h86-7f8m Guard LZ4 decompression length for CWE-409
f093bdc1 GHSA-qhmf-xw27-6rqr Reject nested typeless blocklist bypass for CWE-502
f077798e GHSA-2f33-pr97-265q Default MVC input formatter to UntrustedData for CWE-1188
25a3493e GHSA-2x83-8g95-xh59 Limit untrusted ExpandoObject maps for CWE-407
b414e6df GHSA-wfr3-xj75-pfwh Guard dynamic union depth for CWE-674
0555f07c GHSA-w567-gjr2-hm5j Validate Unity blit lengths for CWE-789
9b5783a7 GHSA-cxmj-83gh-fp49 Fix CWE-789 multidimensional array allocation validation
f96fcf05 GHSA-q2h6-ghwm-5qm8 Use secure lookup comparer for CWE-407
b3af7cf7 GHSA-cj9g-3mj2-g8vv Guard JSON conversion depth for CWE-674
66ad0894 GHSA-cj9g-3mj2-g8vv Avoid JSON separator recursion for CWE-674
082ba7da GHSA-cj9g-3mj2-g8vv Guard typeless JSON depth for CWE-674

Fixes with no security advisory

fb0fe9f0 Honor TypeFormatter options hooks for CWE-470
c1c06a6f Fix WriteRawX methods to advance by written length
46c6a0fe Fix CWE-190 map header length overflow

Full Changelog: MessagePack-CSharp/MessagePack-CSharp@v3.1.6...v3.1.7

3.1.6 What's Changed

Add several known unsafe 'gadgets' to the disallow list by @AArnott in Add several known unsafe 'gadgets' to the disallow list MessagePack-CSharp/MessagePack-CSharp#2270

Full Changelog: MessagePack-CSharp/MessagePack-CSharp@v3.1.5...v3.1.6

3.1.5 What's Changed

Remove unneeded GetTypeInfo() calls by @Bykiev in Remove unneeded GetTypeInfo() calls MessagePack-CSharp/MessagePack-CSharp#2206
Use 'Write' instead of 'WriteInt32' for union type keys by @VictorNicollet in Use 'Write' instead of 'WriteInt32' for union type keys MessagePack-CSharp/MessagePack-CSharp#2212
Fix various disposable issues by @Bykiev in Fix various disposable issues MessagePack-CSharp/MessagePack-CSharp#2224
fix: prevent StackOverflow in Equals with recursive generic constraints by @khuongntrd in fix: prevent StackOverflow in Equals with recursive generic constraints MessagePack-CSharp/MessagePack-CSharp#2226
Add more types to the default disallow list of named types to be deserialized by @AArnott in Add more types to the default disallow list of named types to be deserialized MessagePack-CSharp/MessagePack-CSharp#2256
Fix release workflow by @AArnott in Fix release workflow MessagePack-CSharp/MessagePack-CSharp#2268
~~Fix Incorrect DateTimeOffset Serializer by @T0PP1ng in Fix Incorrect DateTimeOffset Serializer MessagePack-CSharp/MessagePack-CSharp#2225~~
Revert DateTimeOffset encoding change by @AArnott in Revert DateTimeOffset encoding change MessagePack-CSharp/MessagePack-CSharp#2262

New Contributors

@Bykiev made their first contribution in Remove unneeded GetTypeInfo() calls MessagePack-CSharp/MessagePack-CSharp#2206
@VictorNicollet made their first contribution in Use 'Write' instead of 'WriteInt32' for union type keys MessagePack-CSharp/MessagePack-CSharp#2212
@T0PP1ng made their first contribution in Fix Incorrect DateTimeOffset Serializer MessagePack-CSharp/MessagePack-CSharp#2225
@khuongntrd made their first contribution in fix: prevent StackOverflow in Equals with recursive generic constraints MessagePack-CSharp/MessagePack-CSharp#2226

Full Changelog: MessagePack-CSharp/MessagePack-CSharp@v3.1.4...v3.1.5

Commits viewable in compare view.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
@dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
@dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
@dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
@dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps MessagePack from 3.1.4 to 3.1.7 --- updated-dependencies: - dependency-name: MessagePack dependency-version: 3.1.7 dependency-type: direct:production dependency-group: nuget ... Signed-off-by: dependabot[bot] <support@github.com>

github-actions · 2026-06-12T00:42:22Z

⚠️ Vulnerable Dependencies Detected

  Determining projects to restore...
/home/runner/work/HeroMessaging/HeroMessaging/tests/HeroMessaging.Architecture.Tests/HeroMessaging.Architecture.Tests.csproj : warning NU1902: Package 'OpenTelemetry.Api' 1.15.0 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-g94r-2vxg-569j [/home/runner/work/HeroMessaging/HeroMessaging/HeroMessaging.slnx]
/home/runner/work/HeroMessaging/HeroMessaging/tests/HeroMessaging.Observability.HealthChecks.Tests/HeroMessaging.Observability.HealthChecks.Tests.csproj : warning NU1902: Package 'OpenTelemetry.Api' 1.15.0 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-g94r-2vxg-569j [/home/runner/work/HeroMessaging/HeroMessaging/HeroMessaging.slnx]
/home/runner/work/HeroMessaging/HeroMessaging/tests/HeroMessaging.Observability.OpenTelemetry.Tests/HeroMessaging.Observability.OpenTelemetry.Tests.csproj : warning NU1902: Package 'OpenTelemetry.Api' 1.15.0 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-g94r-2vxg-569j [/home/runner/work/HeroMessaging/HeroMessaging/HeroMessaging.slnx]
/home/runner/work/HeroMessaging/HeroMessaging/tests/HeroMessaging.Serialization.Json.Tests/HeroMessaging.Serialization.Json.Tests.csproj : warning NU1902: Package 'OpenTelemetry.Api' 1.15.0 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-g94r-2vxg-569j [/home/runner/work/HeroMessaging/HeroMessaging/HeroMessaging.slnx]
/home/runner/work/HeroMessaging/HeroMessaging/src/HeroMessaging.Observability.OpenTelemetry/HeroMessaging.Observability.OpenTelemetry.csproj : warning NU1902: Package 'OpenTelemetry.Api' 1.15.0 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-g94r-2vxg-569j [/home/runner/work/HeroMessaging/HeroMessaging/HeroMessaging.slnx]
/home/runner/work/HeroMessaging/HeroMessaging/tests/HeroMessaging.Tests/HeroMessaging.Tests.csproj : warning NU1902: Package 'OpenTelemetry.Api' 1.15.0 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-g94r-2vxg-569j [/home/runner/work/HeroMessaging/HeroMessaging/HeroMessaging.slnx]
/home/runner/work/HeroMessaging/HeroMessaging/tests/HeroMessaging.Transport.RabbitMQ.Tests/HeroMessaging.Transport.RabbitMQ.Tests.csproj : warning NU1902: Package 'OpenTelemetry.Api' 1.15.0 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-g94r-2vxg-569j [/home/runner/work/HeroMessaging/HeroMessaging/HeroMessaging.slnx]
/home/runner/work/HeroMessaging/HeroMessaging/tests/HeroMessaging.Storage.SqlServer.Tests/HeroMessaging.Storage.SqlServer.Tests.csproj : warning NU1902: Package 'OpenTelemetry.Api' 1.15.0 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-g94r-2vxg-569j [/home/runner/work/HeroMessaging/HeroMessaging/HeroMessaging.slnx]
/home/runner/work/HeroMessaging/HeroMessaging/tests/HeroMessaging.Storage.PostgreSql.Tests/HeroMessaging.Storage.PostgreSql.Tests.csproj : warning NU1902: Package 'OpenTelemetry.Api' 1.15.0 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-g94r-2vxg-569j [/home/runner/work/HeroMessaging/HeroMessaging/HeroMessaging.slnx]
/home/runner/work/HeroMessaging/HeroMessaging/tests/HeroMessaging.Serialization.Protobuf.Tests/HeroMessaging.Serialization.Protobuf.Tests.csproj : warning NU1902: Package 'OpenTelemetry.Api' 1.15.0 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-g94r-2vxg-569j [/home/runner/work/HeroMessaging/HeroMessaging/HeroMessaging.slnx]
/home/runner/work/HeroMessaging/HeroMessaging/tests/HeroMessaging.Serialization.MessagePack.Tests/HeroMessaging.Serialization.MessagePack.Tests.csproj : warning NU1902: Package 'OpenTelemetry.Api' 1.15.0 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-g94r-2vxg-569j [/home/runner/work/HeroMessaging/HeroMessaging/HeroMessaging.slnx]
  All projects are up-to-date for restore.

The following sources were used:
   https://api.nuget.org/v3/index.json

The given project `HeroMessaging.Abstractions` has no vulnerable packages given the current sources.
The given project `HeroMessaging.Observability.HealthChecks` has no vulnerable packages given the current sources.
Project `HeroMessaging.Observability.OpenTelemetry` has the following vulnerable packages
   [net10.0]: 
   Top-level Package        Requested   Resolved   Severity   Advisory URL                                     
   > OpenTelemetry.Api      1.15.0      1.15.0     Moderate   https://github.com/advisories/GHSA-g94r-2vxg-569j

   [net8.0]: 
   Top-level Package        Requested   Resolved   Severity   Advisory URL                                     
   > OpenTelemetry.Api      1.15.0      1.15.0     Moderate   https://github.com/advisories/GHSA-g94r-2vxg-569j

   [net9.0]: 
   Top-level Package        Requested   Resolved   Severity   Advisory URL                                     
   > OpenTelemetry.Api      1.15.0      1.15.0     Moderate   https://github.com/advisories/GHSA-g94r-2vxg-569j

The given project `HeroMessaging.Security` has no vulnerable packages given the current sources.
The given project `HeroMessaging.Serialization.Json` has no vulnerable packages given the current sources.
The given project `HeroMessaging.Serialization.MessagePack` has no vulnerable packages given the current sources.
The given project `HeroMessaging.Serialization.Protobuf` has no vulnerable packages given the current sources.
The given project `HeroMessaging.SourceGenerators` has no vulnerable packages given the current sources.
The given project `HeroMessaging.Storage.PostgreSql` has no vulnerable packages given the current sources.
The given project `HeroMessaging.Storage.SqlServer` has no vulnerable packages given the current sources.
The given project `HeroMessaging.Transport.RabbitMQ` has no vulnerable packages given the current sources.
The given project `HeroMessaging` has no vulnerable packages given the current sources.
The given project `HeroMessaging.Abstractions.Tests` has no vulnerable packages given the current sources.
Project `HeroMessaging.Architecture.Tests` has the following vulnerable packages
   [net10.0]: 
   Transitive Package       Resolved   Severity   Advisory URL                                     
   > OpenTelemetry.Api      1.15.0     Moderate   https://github.com/advisories/GHSA-g94r-2vxg-569j

   [net8.0]: 
   Transitive Package       Resolved   Severity   Advisory URL                                     
   > OpenTelemetry.Api      1.15.0     Moderate   https://github.com/advisories/GHSA-g94r-2vxg-569j

   [net9.0]: 
   Transitive Package       Resolved   Severity   Advisory URL                                     
   > OpenTelemetry.Api      1.15.0     Moderate   https://github.com/advisories/GHSA-g94r-2vxg-569j

The given project `HeroMessaging.Benchmarks` has no vulnerable packages given the current sources.
Project `HeroMessaging.Observability.HealthChecks.Tests` has the following vulnerable packages
   [net10.0]: 
   Transitive Package       Resolved   Severity   Advisory URL                                     
   > OpenTelemetry.Api      1.15.0     Moderate   https://github.com/advisories/GHSA-g94r-2vxg-569j

   [net8.0]: 
   Transitive Package       Resolved   Severity   Advisory URL                                     
   > OpenTelemetry.Api      1.15.0     Moderate   https://github.com/advisories/GHSA-g94r-2vxg-569j

   [net9.0]: 
   Transitive Package       Resolved   Severity   Advisory URL                                     
   > OpenTelemetry.Api      1.15.0     Moderate   https://github.com/advisories/GHSA-g94r-2vxg-569j

Project `HeroMessaging.Observability.OpenTelemetry.Tests` has the following vulnerable packages
   [net10.0]: 
   Top-level Package        Requested   Resolved   Severity   Advisory URL                                     
   > OpenTelemetry.Api      1.15.0      1.15.0     Moderate   https://github.com/advisories/GHSA-g94r-2vxg-569j

   [net8.0]: 
   Top-level Package        Requested   Resolved   Severity   Advisory URL                                     
   > OpenTelemetry.Api      1.15.0      1.15.0     Moderate   https://github.com/advisories/GHSA-g94r-2vxg-569j

   [net9.0]: 
   Top-level Package        Requested   Resolved   Severity   Advisory URL                                     
   > OpenTelemetry.Api      1.15.0      1.15.0     Moderate   https://github.com/advisories/GHSA-g94r-2vxg-569j

The given project `HeroMessaging.RingBuffer.Tests` has no vulnerable packages given the current sources.
The given project `HeroMessaging.Security.Tests` has no vulnerable packages given the current sources.
Project `HeroMessaging.Serialization.Json.Tests` has the following vulnerable packages
   [net10.0]: 
   Transitive Package       Resolved   Severity   Advisory URL                                     
   > OpenTelemetry.Api      1.15.0     Moderate   https://github.com/advisories/GHSA-g94r-2vxg-569j

   [net8.0]: 
   Transitive Package       Resolved   Severity   Advisory URL                                     
   > OpenTelemetry.Api      1.15.0     Moderate   https://github.com/advisories/GHSA-g94r-2vxg-569j

   [net9.0]: 
   Transitive Package       Resolved   Severity   Advisory URL                                     
   > OpenTelemetry.Api      1.15.0     Moderate   https://github.com/advisories/GHSA-g94r-2vxg-569j

Project `HeroMessaging.Serialization.MessagePack.Tests` has the following vulnerable packages
   [net10.0]: 
   Transitive Package       Resolved   Severity   Advisory URL                                     
   > OpenTelemetry.Api      1.15.0     Moderate   https://github.com/advisories/GHSA-g94r-2vxg-569j

   [net8.0]: 
   Transitive Package       Resolved   Severity   Advisory URL                                     
   > OpenTelemetry.Api      1.15.0     Moderate   https://github.com/advisories/GHSA-g94r-2vxg-569j

   [net9.0]: 
   Transitive Package       Resolved   Severity   Advisory URL                                     
   > OpenTelemetry.Api      1.15.0     Moderate   https://github.com/advisories/GHSA-g94r-2vxg-569j

Project `HeroMessaging.Serialization.Protobuf.Tests` has the following vulnerable packages
   [net10.0]: 
   Transitive Package       Resolved   Severity   Advisory URL                                     
   > OpenTelemetry.Api      1.15.0     Moderate   https://github.com/advisories/GHSA-g94r-2vxg-569j

   [net8.0]: 
   Transitive Package       Resolved   Severity   Advisory URL                                     
   > OpenTelemetry.Api      1.15.0     Moderate   https://github.com/advisories/GHSA-g94r-2vxg-569j

   [net9.0]: 
   Transitive Package       Resolved   Severity   Advisory URL                                     
   > OpenTelemetry.Api      1.15.0     Moderate   https://github.com/advisories/GHSA-g94r-2vxg-569j

The given project `HeroMessaging.SourceGenerators.Tests` has no vulnerable packages given the current sources.
Project `HeroMessaging.Storage.PostgreSql.Tests` has the following vulnerable packages
   [net10.0]: 
   Transitive Package       Resolved   Severity   Advisory URL                                     
   > OpenTelemetry.Api      1.15.0     Moderate   https://github.com/advisories/GHSA-g94r-2vxg-569j

   [net8.0]: 
   Transitive Package       Resolved   Severity   Advisory URL                                     
   > OpenTelemetry.Api      1.15.0     Moderate   https://github.com/advisories/GHSA-g94r-2vxg-569j

   [net9.0]: 
   Transitive Package       Resolved   Severity   Advisory URL                                     
   > OpenTelemetry.Api      1.15.0     Moderate   https://github.com/advisories/GHSA-g94r-2vxg-569j

Project `HeroMessaging.Storage.SqlServer.Tests` has the following vulnerable packages
   [net10.0]: 
   Transitive Package       Resolved   Severity   Advisory URL                                     
   > OpenTelemetry.Api      1.15.0     Moderate   https://github.com/advisories/GHSA-g94r-2vxg-569j

   [net8.0]: 
   Transitive Package       Resolved   Severity   Advisory URL                                     
   > OpenTelemetry.Api      1.15.0     Moderate   https://github.com/advisories/GHSA-g94r-2vxg-569j

   [net9.0]: 
   Transitive Package       Resolved   Severity   Advisory URL                                     
   > OpenTelemetry.Api      1.15.0     Moderate   https://github.com/advisories/GHSA-g94r-2vxg-569j

The given project `HeroMessaging.Tests.Shared` has no vulnerable packages given the current sources.
Project `HeroMessaging.Tests` has the following vulnerable packages
   [net10.0]: 
   Top-level Package        Requested   Resolved   Severity   Advisory URL                                     
   > OpenTelemetry.Api      1.15.0      1.15.0     Moderate   https://github.com/advisories/GHSA-g94r-2vxg-569j

   [net8.0]: 
   Top-level Package        Requested   Resolved   Severity   Advisory URL                                     
   > OpenTelemetry.Api      1.15.0      1.15.0     Moderate   https://github.com/advisories/GHSA-g94r-2vxg-569j

   [net9.0]: 
   Top-level Package        Requested   Resolved   Severity   Advisory URL                                     
   > OpenTelemetry.Api      1.15.0      1.15.0     Moderate   https://github.com/advisories/GHSA-g94r-2vxg-569j

Project `HeroMessaging.Transport.RabbitMQ.Tests` has the following vulnerable packages
   [net8.0]: 
   Top-level Package        Requested   Resolved   Severity   Advisory URL                                     
   > OpenTelemetry.Api      1.15.0      1.15.0     Moderate   https://github.com/advisories/GHSA-g94r-2vxg-569j

   [net9.0]: 
   Top-level Package        Requested   Resolved   Severity   Advisory URL                                     
   > OpenTelemetry.Api      1.15.0      1.15.0     Moderate   https://github.com/advisories/GHSA-g94r-2vxg-569j

Please update vulnerable packages before merging.

dependabot Bot added .NET Pull requests that update .NET code dependencies Pull requests that update a dependency file labels Jun 12, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump the nuget group with 1 update#80

Bump the nuget group with 1 update#80
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/nuget/src/HeroMessaging.Serialization.MessagePack/nuget-cbaa0ed2ee

dependabot Bot commented on behalf of github Jun 12, 2026

Uh oh!

github-actions Bot commented Jun 12, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot Bot commented on behalf of github Jun 12, 2026

3.1.7

What's Changed

Security release details

High severity advisory fixes

Moderage severity advisory fixes

Fixes with no security advisory

3.1.6

What's Changed

3.1.5

What's Changed

New Contributors

Uh oh!

github-actions Bot commented Jun 12, 2026

⚠️ Vulnerable Dependencies Detected

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants