<Project>
  <!-- NuGet Central Package Management file: package versions are declared here as
       PackageVersion items so that versions are kept in one place. The last two
       ItemGroups are security-related: a transitive version pin and a NuGetAudit
       advisory suppression. -->
  <PropertyGroup>
    <!-- Enables Central Package Management for projects that import this file. -->
    <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
    <!-- Single definition of the Aspire version; consumed below as $(AspireVersion). -->
    <AspireVersion>13.1.2</AspireVersion>
  </PropertyGroup>
  <!-- ASP.NET Core Dependencies -->
  <ItemGroup Label="ASP.NET Core">
    <PackageVersion Include="Microsoft.AspNetCore.OpenApi" Version="10.0.7" />
    <PackageVersion Include="Microsoft.Extensions.Http" Version="10.0.7" />
  </ItemGroup>
  <!-- Data (Dapper for AOT compatibility) -->
  <ItemGroup Label="Data">
    <PackageVersion Include="Dapper" Version="2.1.72" />
    <PackageVersion Include="Microsoft.Data.Sqlite" Version="10.0.7" />
  </ItemGroup>
  <!-- Utilities -->
  <ItemGroup Label="Utilities">
    <PackageVersion Include="YamlDotNet" Version="17.1.0" />
    <PackageVersion Include="SharpZipLib" Version="1.4.2" />
  </ItemGroup>
  <!-- Aspire (version comes from the AspireVersion property above) -->
  <ItemGroup Label="Aspire">
    <PackageVersion Include="Aspire.Hosting.Testing" Version="$(AspireVersion)" />
  </ItemGroup>
  <!-- Build Dependencies -->
  <ItemGroup Label="Build Dependencies">
    <PackageVersion Include="Microsoft.SourceLink.GitHub" Version="10.0.203" />
  </ItemGroup>
  <!-- Test Dependencies (xUnit 3) -->
  <ItemGroup Label="Test Dependencies">
    <PackageVersion Include="xunit.v3" Version="3.2.2" />
    <PackageVersion Include="xunit.runner.visualstudio" Version="3.1.5" />
    <PackageVersion Include="Microsoft.NET.Test.Sdk" Version="18.5.1" />
    <PackageVersion Include="coverlet.collector" Version="10.0.0" />
    <PackageVersion Include="Microsoft.AspNetCore.Mvc.Testing" Version="10.0.7" />
  </ItemGroup>
  <!-- Transitive security pin: Aspire.Hosting.AppHost → StreamJsonRpc pulls in
       MessagePack 2.5.192, flagged by NuGetAudit (GHSA-hv8m-jj95-wg3x, LZ4
       decompression DoS). Pin to the patched v2 (2.5.301) to clear the audit.
       NOTE(review): under Central Package Management a PackageVersion entry overrides
       a transitive dependency only when CentralPackageTransitivePinningEnabled is true
       or a project references the package directly. Neither is visible in this file,
       so confirm one of them is in place; otherwise this pin has no effect. -->
  <ItemGroup>
    <PackageVersion Include="MessagePack" Version="2.5.301" />
  </ItemGroup>
  <!-- Transitive audit suppress: Microsoft.Data.Sqlite → SQLitePCLRaw.lib.e_sqlite3 2.1.11
       is flagged by NuGetAudit (GHSA-2m69-gcr7-jv3q, CVE-2025-6965 — SQLite < 3.50.2
       memory corruption in aggregate-term handling). No patched version of
       SQLitePCLRaw.lib.e_sqlite3 is available on NuGet: 3.50.3 was published then unlisted,
       and 2.1.11 remains the latest stable release. This suppress will be removed once
       Microsoft ships a Microsoft.Data.Sqlite release that pins a non-vulnerable
       SQLitePCLRaw.lib.e_sqlite3. Track: https://github.com/dotnet/efcore/issues/38257
       NOTE(review): the suppression silences the NuGetAudit warning only; the flagged
       SQLitePCLRaw.lib.e_sqlite3 build is still restored and shipped. Because the item
       lives in this shared file it presumably applies to every project that imports it;
       confirm that scope is intended, and re-check the advisory whenever the
       Microsoft.Data.Sqlite version above is bumped. -->
  <ItemGroup>
    <NuGetAuditSuppress Include="https://github.com/advisories/GHSA-2m69-gcr7-jv3q" />
  </ItemGroup>
</Project>