
Update MessagePack version to 2.5.302 #1458

Closed
emanueldejanu wants to merge 1 commit into microsoft:main from emanueldejanu:patch-1



@emanueldejanu


Upgrade MessagePack version because of vulnerability GHSA-hv8m-jj95-wg3x

Copilot AI review requested due to automatic review settings June 12, 2026 10:44

Copilot AI left a comment


Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Updates the centrally managed MessagePack dependency version for the repository.

Changes:

  • Bumped MessagePackVersion from 2.5.198 to 2.5.302.

@emanueldejanu emanueldejanu requested a review from Copilot June 12, 2026 10:45

Copilot AI left a comment


Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated no new comments.

@mitchdenny

Member

👋 from the .NET Aspire team. We just shipped microsoft/aspire#18155 which pins MessagePack to 2.5.302 directly in Aspire.Hosting purely to silence the NU1903 warning that GHSA-hv8m-jj95-wg3x raises for every consumer AppHost project generated by dotnet new aspire-starter (issue: microsoft/aspire#18153). Aspire doesn't actually use MessagePack at runtime — all our JsonRpc instances use SystemTextJsonFormatter — so this pin is purely warning hygiene for our downstream consumers.

We'd love to drop the pin once this PR (or an equivalent) ships in a StreamJsonRpc release on NuGet. Happy to test a preview if that helps.

@AArnott

AArnott commented Jun 12, 2026

Member

This PR is targeting 2.26 which won't release for some time. I'm going to create a different PR against a new v2.25 branch so you can get the update more quickly.

@AArnott AArnott closed this Jun 12, 2026
@AArnott

AArnott commented Jun 12, 2026

Member

See #1459
