Update MongoDB.Driver to version 3.9.0

[Falco20019]

Updated MongoDB.Driver version from 3.8.1 to 3.9.0 and removed pinned versions for SharpCompress and Snappier.

Description

Removes the wrongly pinned SharpCompress dependency and uses the fixed transitive for Snappier.

Fixes #17981

Checklist

• Is this feature complete?
  • Yes. Ready to ship.
  • No. Follow-up changes expected.
• Are you including unit tests for the changes and scenario tests if relevant?
  • Yes
  • No
• Did you add public API?
  • Yes
    • If yes, did you have an API Review for it?
      • Yes
      • No
    • Did you add <remarks /> and <code /> elements on your triple slash comments?
      • Yes
      • No
  • No
• Does the change make any security assumptions or guarantees?
  • Yes
    • If yes, have you done a threat model and had a security review?
      • Yes
      • No
  • No

[Copilot]

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

This PR upgrades the MongoDB.Driver package from version 3.8.1 to 3.9.0 and removes the pinned transitive dependency overrides for SharpCompress and Snappier that were previously required due to Component Governance flags.

Changes:

• Bumped MongoDB.Driver from 3.8.1 to 3.9.0.
• Removed pinned versions for SharpCompress and Snappier, which are no longer needed as the new MongoDB.Driver version presumably resolves the CG-flagged transitive dependency versions.

[github-actions]

🚀 Dogfood this PR with:

⚠️ WARNING: Do not do this without first carefully reviewing the code of this PR to satisfy yourself it is safe.

curl -fsSL https://raw.githubusercontent.com/microsoft/aspire/main/eng/scripts/get-aspire-cli-pr.sh | bash -s -- 18078

Or

• Run remotely in PowerShell:

iex "& { $(irm https://raw.githubusercontent.com/microsoft/aspire/main/eng/scripts/get-aspire-cli-pr.ps1) } 18078"

[Falco20019]

Ping @davidfowl as he introduced the change in #17190

[Falco20019]

@joperezr Hey, could you maybe aid here? Now that #18153 is fixed, it would be great if we could fix #17981 as-well to get rid of even more issues we currently have with 13.4. Thanks.

[davidfowl]

I think we need a regression test. Nothing is failing in our test suite AFAIK which means we have a gap.

[Falco20019]

@davidfowl Hard to do. There IS an unlisted version for SharpCompress that it's taking, but thats old (Jan 8th 2026 according to https://nuget.info/packages/SharpCompress/1.0.0) and MUST NOT be used: https://www.nuget.org/packages/SharpCompress/1.0.0

This is a state corresponding to the vulnerable 0.44.x and the GHSA at GHSA-6c8g-7p36-r338 is not listing 1.0.0 as vulnerable as it never was intended to be released.

[github-actions]

Retrying the failed CI jobs for this pull request from the CI run attempt. The rerun is being tracked in the rerun attempt.

[davidfowl]

/backport to release/13.4

[github-actions]

Started backporting to release/13.4 (link to workflow run)