Skip to content

chore(deps): bump ASP.NET/EF Core 9.0.15 + fix vuln ImageSharp 3.1.12#37

Merged
gustavograciano merged 1 commit into
mainfrom
chore/bump-deps-seguros
Apr 22, 2026
Merged

chore(deps): bump ASP.NET/EF Core 9.0.15 + fix vuln ImageSharp 3.1.12#37
gustavograciano merged 1 commit into
mainfrom
chore/bump-deps-seguros

Conversation

@gustavograciano

@gustavograciano gustavograciano commented Apr 22, 2026

Copy link
Copy Markdown
Owner

Summary

Consolida bumps seguros que estavam em 10+ PRs obsoletos do Dependabot (fechados em lote). Principal motivação: vulnerabilidade em `SixLabors.ImageSharp 3.1.5` (GHSA-2cmq-823j-5qj8 high, GHSA-rxmq-m78w-7wmc moderate).

Bumps

  • SixLabors.ImageSharp 3.1.5 → 3.1.12 (fix de vuln)
  • Microsoft.AspNetCore.Authentication.JwtBearer 9.0.9 → 9.0.15
  • Microsoft.AspNetCore.OpenApi 9.0.0 → 9.0.15
  • Microsoft.EntityFrameworkCore / .Design / .SqlServer / .InMemory 9.0.9 → 9.0.15
  • Microsoft.IdentityModel.Tokens 8.14.0 → 8.14.2
  • System.IdentityModel.Tokens.Jwt 8.14.0 → 8.14.2

Infra

  • nuget.config na raiz consolida todos os projetos para usar apenas nuget.org. Antes, os projetos em src/ herdavam feed Azure DevOps privado do config global do dev, gerando 401 em máquinas sem credenciais.

Validação

  • dotnet test120 passando
  • dotnet build Release — 0 warnings

PRs do Dependabot fechados em lote

Obsoletos (código evoluiu com Sprints 1-14): #3, #4, #6, #11, #12, #13, #14, #18, #19, #20

Major bumps arriscados (review futuro): #5 upload-artifact, #7 react, #8 vite, #9 node 25, #10 dotnet 10, #15 coverlet 10, #16 aspnet 10, #21 Swashbuckle 10

🤖 Generated with Claude Code

@gustavograciano @claude
chore(deps): bump ASP.NET/EF Core 9.0.9->9.0.15 + fix vuln ImageSharp
48f3820 
Consolida bumps seguros que estavam em Dependabot PRs obsoletos
(fechados em lote). Principais motivacoes:

- SixLabors.ImageSharp 3.1.5 -> 3.1.12:
  - GHSA-2cmq-823j-5qj8 (high): fix de SixLabors.ImageSharp
  - GHSA-rxmq-m78w-7wmc (moderate): idem

- Runtime patches (sem breaking):
  - Microsoft.AspNetCore.Authentication.JwtBearer 9.0.9 -> 9.0.15
  - Microsoft.AspNetCore.OpenApi 9.0.0 -> 9.0.15
  - Microsoft.EntityFrameworkCore[.Design/.SqlServer/.InMemory] 9.0.9 -> 9.0.15
  - Microsoft.IdentityModel.Tokens 8.14.0 -> 8.14.2
  - System.IdentityModel.Tokens.Jwt 8.14.0 -> 8.14.2

- Infra de config:
  - nuget.config na raiz do repo consolida todos os projetos em
    src/ pra usarem apenas nuget.org (antes Application/Infrastructure/
    Jobs herdavam feed Azure DevOps privado do config global do dev,
    que falha com 401 em maquina sem credenciais)

Validacao: 120 testes passando, build Release 0 warnings.

PRs do Dependabot fechados neste lote (obsoletos contra main atualizado):
- #3 setup-node (gh actions, sem workflow scope)
- #4 cache
- #6 setup-dotnet
- #11 eslint group
- #12 globals
- #13 BCrypt
- #14 axios (caret ja puxava a nova via npm)
- #18 aspnet group (superseded por este commit)
- #19 EF Design (idem)
- #20 Serilog group (Sinks.Seq 9.0.1 nao existe; mantemos 9.0.0)

Major bumps arriscados fechados para review futuro:
- #5 upload-artifact 4->7
- #7 react group
- #8 vite group
- #9 node 20->25-alpine
- #10 dotnet/sdk 9->10
- #15 coverlet 6->10
- #16 dotnet/aspnet 9->10
- #21 Swashbuckle 9->10

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@gustavograciano gustavograciano merged commit fc96afd into main Apr 22, 2026
gustavograciano added a commit that referenced this pull request May 3, 2026
@gustavograciano
Merge pull request #37 from gustavograciano/chore/bump-deps-seguros
4e356fd 
chore(deps): bump ASP.NET/EF Core 9.0.15 + fix vuln ImageSharp 3.1.12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@gustavograciano