Bump StreamJsonRpc to 2.25.25 to clear MessagePack NU1903 #18155
mitchdenny wants to merge 4 commits into
Conversation
The aspire-starter template was emitting NU1903 for transitive MessagePack 2.5.192 (GHSA-hv8m-jj95-wg3x / CVE-2026-48109) because the shared StreamJsonRpc 2.22.23 dependency pulled it in. Updating StreamJsonRpc to 2.25.25 brings MessagePack 2.5.198, outside the advisory's vulnerable range. The advisory affects only MessagePack's LZ4 decompression path. We do not use MessagePackFormatter anywhere - all StreamJsonRpc sites use SystemTextJsonFormatter - and our JSON-RPC transports are local UDS under the user's home directory, so the underlying vulnerability was not reachable. This change is warning hygiene.
Fixes #18153
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
🚀 Dogfood this PR with:
curl -fsSL https://raw.githubusercontent.com/microsoft/aspire/main/eng/scripts/get-aspire-cli-pr.sh | bash -s -- 18155
Or
iex "& { $(irm https://raw.githubusercontent.com/microsoft/aspire/main/eng/scripts/get-aspire-cli-pr.ps1) } 18155"
Pull request overview
This PR bumps the centrally-managed StreamJsonRpc package version from 2.22.23 to 2.25.25 to resolve the NU1903 vulnerability warning (GHSA-hv8m-jj95-wg3x / CVE-2026-48109) that was emitted when creating new Aspire projects via dotnet new aspire-starter. The transitive MessagePack 2.5.192 dependency (pulled via the old StreamJsonRpc) falls within the advisory's vulnerable range; the updated StreamJsonRpc brings MessagePack 2.5.198 which is outside that range.
Changes:
- Bump StreamJsonRpc from 2.22.23 to 2.25.25 in Directory.Packages.props (central package management)
| File | Description |
|---|---|
| Directory.Packages.props | Bumps the centrally-pinned StreamJsonRpc version to clear the NU1903 transitive vulnerability warning on MessagePack |
Copilot's findings
- Files reviewed: 1/1 changed files
- Comments generated: 0
Re-running the failed jobs in the CI workflow for this pull request because 1 job was identified as a retry-safe transient failure in the CI run attempt.
StreamJsonRpc 2.25.25 still declares a transitive dep on MessagePack 2.5.198, which is inside the advisory's vulnerable range (< 2.5.302). Add a direct PackageReference on MessagePack to Aspire.Hosting so consumers (including generated AppHosts from 'aspire new aspire-starter') restore the patched version, and NU1903 is no longer emitted. This can be removed once StreamJsonRpc ships a release that depends on MessagePack >= 2.5.302.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
PR Testing Report
PR Information
Changes Analyzed
Files Changed
Change Categories
Test Scenarios Executed
Scenario 1: PR CLI version matches head SHA
Status: ✅ Passed
Scenario 2:
| Commit | MessagePack | StreamJsonRpc | Vulnerable? |
|---|---|---|---|
| pre-PR baseline | 2.5.192 | 2.22.23 | yes |
| 020f29c9 (StreamJsonRpc bump only) | 2.5.198 | 2.25.25 | still yes |
| 4f03129d (with MessagePack pin) | 2.5.302 | 2.25.25 | no ✅ |
Versions read directly from obj/project.assets.json of the generated PrSmoke.AppHost.
Summary
| Scenario | Status |
|---|---|
| 1. CLI version matches head SHA | ✅ Passed |
| 2a. NU1903 gone after 020f29c9 (StreamJsonRpc bump only) | ❌ Failed |
| 2b. NU1903 gone after 4f03129d (direct MessagePack 2.5.302 pin) | ✅ Passed |
| 3. Resolved package versions | ✅ Passed (with follow-up commit) |
Overall Result
✅ PR VERIFIED at 4f03129d — the follow-up commit pinning MessagePack 2.5.302 directly in Aspire.Hosting correctly eliminates NU1903 from dotnet new aspire-starter AppHost restore. The original 020f29c9 commit alone was insufficient because StreamJsonRpc 2.25.25 still declares a vulnerable MessagePack 2.5.198 transitively. This PR now contains both changes.
Notes
- This pin can be removed once StreamJsonRpc ships a release that depends on MessagePack >= 2.5.302.
- Exposure assessment (separate from the warning): Aspire never instantiates MessagePack; every JsonRpc site uses SystemTextJsonFormatter. All StreamJsonRpc transports are local UDS in the user's home dir. The advisory's LZ4 decompression bug is not reachable in Aspire's runtime.
StreamJsonRpc 2.25.25 ships analyzers built against Roslyn 4.14, which breaks template tests that build generated AppHosts with the .NET 8 SDK (CSC error CS9057). The MessagePack 2.5.302 direct pin in Aspire.Hosting already overrides StreamJsonRpc 2.22.23's transitive MessagePack 2.5.192 in consumer projects, so the GHSA-hv8m-jj95-wg3x warning is silenced without needing the StreamJsonRpc bump.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Tracking upstream fix at microsoft/vs-streamjsonrpc#1458. Once that ships in a StreamJsonRpc release, we can drop the MessagePack pin added here and just bump StreamJsonRpc.
❓ CLI E2E Tests unknown — 115 passed, 0 failed, 2 unknown (commit
📹 Recordings uploaded automatically from CI run #27416008774
StreamJsonRpc 2.25.28 brings MessagePack 2.5.302 transitively, which is above the GHSA-hv8m-jj95-wg3x / CVE-2026-48109 vulnerable range. This lets us drop the direct MessagePack PackageReference (and PackageVersion) we added earlier as a workaround. StreamJsonRpc 2.25.x ships an analyzer built against Roslyn 4.14, which is newer than the Roslyn 4.11 in the .NET 8 SDK used by template tests to build generated AppHost projects (would trigger CSC error CS9057). We don't use the StreamJsonRpc analyzers anywhere in this assembly, so ExcludeAssets="analyzers" skips them. NuGet bakes the exclusion into the Aspire.Hosting nuspec so downstream consumers (AppHost projects) also skip the analyzer transitively. See microsoft/vs-streamjsonrpc#1459 for the upstream MessagePack bump.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
| <PackageVersion Include="System.IO.Hashing" Version="10.0.8" /> | ||
| <PackageVersion Include="Yarp.ReverseProxy" Version="2.3.0" /> | ||
| <PackageVersion Include="StreamJsonRpc" Version="2.22.23" /> | ||
| <PackageVersion Include="StreamJsonRpc" Version="2.25.28" /> |
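Review bot: nothing in this hunk records why 2.25.28 is the floor, so a later "downgrade StreamJsonRpc to dodge CS9057" edit to Directory.Packages.props would silently bring MessagePack back below 2.5.302 with no NU1903 in this repo to catch it (the warning only fires in consumer AppHosts). Suggest an XML comment beside the pin, e.g. `<!-- keep >= 2.25.28: pulls MessagePack >= 2.5.302 (GHSA-hv8m-jj95-wg3x) -->`. Also, the `ExcludeAssets="analyzers"` the commit message relies on is not in this hunk; it belongs on the PackageReference in the Aspire.Hosting project, so confirm that change is in the same PR and that the packed nuspec actually carries the exclusion, since that is what protects downstream .NET 8 SDK builds.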
Bumps StreamJsonRpc to 2.25.28 to pick up MessagePack 2.5.302 transitively, clearing the NU1903 warning for GHSA-hv8m-jj95-wg3x / CVE-2026-48109 in consumer AppHost projects generated by dotnet new aspire-starter. No direct exposure for us — we don't use the MessagePack formatter — but the bump avoids the warning for end users.
StreamJsonRpc 2.25.x ships an analyzer built against Roslyn 4.14, which is newer than the Roslyn 4.11 in the .NET 8 SDK used by our template tests to build generated AppHost projects (would otherwise trigger CS9057). We don't use the StreamJsonRpc analyzers, so ExcludeAssets="analyzers" on the PackageReference skips them. NuGet bakes the exclusion into the Aspire.Hosting nuspec so downstream consumers transitively skip the analyzer too.
The upstream MessagePack fix lives at microsoft/vs-streamjsonrpc#1459. The ExcludeAssets="analyzers" can be dropped once our template-test toolchain moves to a .NET SDK with Roslyn ≥ 4.14.
Fixes #18153