Merged
Changes from 2 commits
6 changes: 5 additions & 1 deletion Directory.Packages.props
Expand Up @@ -133,7 +133,11 @@
<PackageVersion Include="StackExchange.Redis" Version="2.13.1" />
<PackageVersion Include="System.IO.Hashing" Version="10.0.8" />
<PackageVersion Include="Yarp.ReverseProxy" Version="2.3.0" />
<PackageVersion Include="StreamJsonRpc" Version="2.22.23" />
<PackageVersion Include="StreamJsonRpc" Version="2.25.25" />
<!-- See note in src/Aspire.Hosting/Aspire.Hosting.csproj — patched MessagePack
pulled directly because StreamJsonRpc 2.25.25 still declares 2.5.198
transitively, which is in the GHSA-hv8m-jj95-wg3x vulnerable range. -->
<PackageVersion Include="MessagePack" Version="2.5.302" />
<PackageVersion Include="Semver" Version="3.0.0" />
<PackageVersion Include="Sigstore" Version="0.5.0" />
<PackageVersion Include="Tuf" Version="0.5.0" />
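Review bot: a PackageVersion entry for MessagePack 2.5.302 on its own does not change what restore resolves for any project that only references StreamJsonRpc transitively; under Central Package Management a PackageVersion only takes effect where a project has a matching PackageReference, unless CentralPackageTransitivePinningEnabled is set, so every project that pulls StreamJsonRpc 2.25.25 but does not also add `<PackageReference Include="MessagePack" />` (this PR adds it only to src/Aspire.Hosting/Aspire.Hosting.csproj) will still restore MessagePack 2.5.198. Worth confirming that Aspire.Hosting is the only StreamJsonRpc consumer in the repo, or enabling transitive pinning here so the override is repo-wide. Also, the comment cites only GHSA-hv8m-jj95-wg3x while the csproj comment cites the GHSA and CVE-2026-48109 together; listing both identifiers in both places keeps the two notes consistent for whoever removes them later.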
13 changes: 13 additions & 0 deletions src/Aspire.Hosting/Aspire.Hosting.csproj
Expand Up @@ -76,6 +76,19 @@
<PackageReference Include="Semver" />
<PackageReference Include="System.IO.Hashing" />
<PackageReference Include="StreamJsonRpc" />
<!--
StreamJsonRpc 2.25.25 declares a transitive dependency on MessagePack 2.5.198,
which is inside the GHSA-hv8m-jj95-wg3x / CVE-2026-48109 vulnerable range
(MessagePack < 2.5.302). Aspire does not use MessagePack at runtime — every
JsonRpc instance in this repo uses SystemTextJsonFormatter — but transitive
consumers of Aspire.Hosting / Aspire.Hosting.AppHost (e.g. generated AppHost
projects from `aspire new aspire-starter`) emit NU1903 during restore. Adding
a direct reference to a patched MessagePack version overrides StreamJsonRpc's
transitive pin so the warning is silenced for downstream consumers.
Remove this once StreamJsonRpc ships a release that depends on MessagePack
>= 2.5.302 (or 3.x).
-->
<PackageReference Include="MessagePack" />
</ItemGroup>

<ItemGroup>
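Review bot: the direct `<PackageReference Include="MessagePack" />` will surface as a declared dependency of the shipped Aspire.Hosting package (MessagePack >= 2.5.302), and that package-level dependency, not the repo's central pin, is what actually stops NU1903 in downstream AppHost projects; it would be good to confirm that in the produced nuspec before merging, since a PrivateAssets or ExcludeAssets setting on this reference would silently drop it from the package and defeat the purpose. The comment's "Remove this once StreamJsonRpc ships a release that depends on MessagePack >= 2.5.302 (or 3.x)" would be easier to act on with a tracking issue reference next to it, so the workaround is not left behind after the upstream fix lands. Minor: the comment contains an em-dash character; the surrounding XML comments in this file use plain ASCII punctuation.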