
fix(deps): suppress GHSA-2m69 and pin MessagePack 2.5.301 #76

Merged. Aaronontheweb merged 1 commit into dev from fix-deps-dependabot on Jun 19, 2026.

Conversation

@Aaronontheweb

Contributor

Motivation

These are the same dependency fixes we already applied to the main netclaw repo (PR #1444). They're needed to unblock the Dependabot PR queue:

- MessagePack 2.5.301: Pin direct dependency in AppHost so the central version pin in Directory.Packages.props takes effect, suppressing GHSA-hv8m-jj95-wg3x (LZ4 decompression DoS from transitive StreamJsonRpc dep)
- SQLitePCLRaw.lib.e_sqlite3: Add NuGetAuditSuppress for GHSA-2m69-gcr7-jv3q (CVE-2025-6965) — no patched version available on NuGet yet

Once this lands, all 9 Dependabot PRs should pass CI.

References

- Add MessagePack as direct reference in AppHost so central version pin (2.5.301) takes effect,
  suppressing GHSA-hv8m-jj95-wg3x (LZ4 decompression DoS from transitive StreamJsonRpc dep)
- Add NuGetAuditSuppress for GHSA-2m69-gcr7-jv3q (SQLitePCLRaw.lib.e_sqlite3 CVE-2025-6965)
  which has no patched version available on NuGet
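As an illustration of the two mechanisms the description relies on, the MSBuild fragments below are written by the editor to match that description; they are not the PR's actual diff, and the file placements (the AppHost project file, and Directory.Build.props for the suppression) are assumptions.

```xml
<!-- Directory.Packages.props (central package management) -->
<!-- A central pin only binds packages that some project references DIRECTLY.
     A package that arrives only transitively (MessagePack via StreamJsonRpc)
     resolves to whatever the dependent asks for, so the pin by itself did
     not clear GHSA-hv8m-jj95-wg3x. -->
<Project>
  <PropertyGroup>
    <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
  </PropertyGroup>
  <ItemGroup>
    <PackageVersion Include="MessagePack" Version="2.5.301" />
  </ItemGroup>
</Project>

<!-- AppHost project file (exact file name assumed) -->
<!-- Adding a direct reference with no Version attribute makes the central
     pin apply, so the patched 2.5.301 wins over the older transitive copy. -->
<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="MessagePack" />
  </ItemGroup>
</Project>

<!-- Directory.Build.props (placement assumed; a single project file also works) -->
<!-- NuGetAudit has no fixed SQLitePCLRaw.lib.e_sqlite3 to upgrade to, so the
     advisory is suppressed by its URL. A suppression accepts the finding rather
     than fixing it; remove the item once a patched package is published. -->
<Project>
  <ItemGroup>
    <NuGetAuditSuppress Include="https://github.com/advisories/GHSA-2m69-gcr7-jv3q" />
  </ItemGroup>
</Project>
```

Setting `<CentralPackageTransitivePinningEnabled>true</CentralPackageTransitivePinningEnabled>` in Directory.Packages.props is the alternative that applies central pins to transitive packages without adding direct references.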
Aaronontheweb enabled auto-merge (squash) on June 19, 2026 at 20:18.
Aaronontheweb merged commit f7ea68d into dev on Jun 19, 2026.
7 checks passed.
Aaronontheweb deleted the fix-deps-dependabot branch on June 19, 2026 at 20:22.