
Bump MessagePack to 2.5.302 #1459

Merged
AArnott merged 1 commit into v2.25 from dev/andarno/msgpack-2.5.302
Jun 12, 2026

@AArnott AArnott commented Jun 12, 2026


No description provided.

Copilot AI review requested due to automatic review settings June 12, 2026 14:07
@AArnott AArnott enabled auto-merge June 12, 2026 14:07
@AArnott AArnott changed the title from "Bump MessagePack to 2.25.302" to "Bump MessagePack to 2.5.302" Jun 12, 2026
@AArnott AArnott force-pushed the dev/andarno/msgpack-2.5.302 branch from d611796 to d0ae95d Compare June 12, 2026 14:07
@alxtsbkms


Great, I was wondering whether could bump it up!

Copilot AI left a comment


Pull request overview

Updates the centrally managed MessagePack dependency version used across the solution to the newer 2.5.302 release.

Changes:

  • Bump MessagePackVersion from 2.5.198 to 2.5.302 in central package management.
  • This implicitly updates both MessagePack and MessagePackAnalyzer via the shared version property.

@AArnott AArnott added this to the v2.25 milestone Jun 12, 2026
@AArnott AArnott merged commit 9b41ea7 into v2.25 Jun 12, 2026
6 checks passed
@AArnott AArnott deleted the dev/andarno/msgpack-2.5.302 branch June 12, 2026 17:07
@AArnott

AArnott commented Jun 12, 2026


mitchdenny added a commit to microsoft/aspire that referenced this pull request Jun 14, 2026
StreamJsonRpc 2.25.28 brings MessagePack 2.5.302 transitively, which is
above the GHSA-hv8m-jj95-wg3x / CVE-2026-48109 vulnerable range. This
lets us drop the direct MessagePack PackageReference (and PackageVersion)
we added earlier as a workaround.

StreamJsonRpc 2.25.x ships an analyzer built against Roslyn 4.14, which
is newer than the Roslyn 4.11 in the .NET 8 SDK used by template tests
to build generated AppHost projects (would trigger CSC error CS9057). We
don't use the StreamJsonRpc analyzers anywhere in this assembly, so
ExcludeAssets="analyzers" skips them. NuGet bakes the exclusion into
the Aspire.Hosting nuspec so downstream consumers (AppHost projects)
also skip the analyzer transitively.

See microsoft/vs-streamjsonrpc#1459 for the upstream MessagePack bump.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
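
A lock-file check for the situation the commit message above describes, where MessagePack arrives transitively through StreamJsonRpc. This is an added example, not code from this PR or from either project; it assumes NuGet lock files (`packages.lock.json`) are enabled, treats 2.5.302 as the minimum acceptable 2.x version because the page only says that version is above the vulnerable range, and runs on constructed sample data.

```python
import json

# 2.5.302 is the version this PR bumps to; using it as the 2.x floor is an assumption.
FLOOR = (2, 5, 302)

# Constructed packages.lock.json content, not taken from either repository.
SAMPLE_LOCK = """{"version": 1, "dependencies": {
  "net8.0": {
    "StreamJsonRpc": {"type": "Direct", "resolved": "2.25.28",
                      "dependencies": {"MessagePack": "2.5.302"}},
    "MessagePack": {"type": "Transitive", "resolved": "2.5.302"}},
  "net9.0": {
    "MessagePack": {"type": "Direct", "resolved": "2.5.198"}}}}"""


def parse_version(text):
    """Return (major, minor, patch); prerelease and build suffixes are ignored."""
    core = text.split("+", 1)[0].split("-", 1)[0]
    parts = [int(p) for p in core.split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def audit_lock(lock_text, package="MessagePack", floor=FLOOR):
    """Return sorted (framework, resolved, kind, verdict) for each resolution of package."""
    findings = []
    for framework, deps in json.loads(lock_text).get("dependencies", {}).items():
        for name, entry in deps.items():
            if name.lower() != package.lower():  # NuGet package ids are case-insensitive
                continue
            resolved = entry.get("resolved", "")
            try:
                version = parse_version(resolved)
            except ValueError:
                verdict = "unparsed"
            else:
                if version[0] != floor[0]:
                    # The floor only speaks for the 2.x line; consult the advisory.
                    verdict = "other-major"
                elif version >= floor:
                    verdict = "ok"
                else:
                    verdict = "below-floor"
            findings.append((framework, resolved, entry.get("type", "?"), verdict))
    return sorted(findings)


if __name__ == "__main__":
    for framework, resolved, kind, verdict in audit_lock(SAMPLE_LOCK):
        print(f"{framework}: MessagePack {resolved} ({kind}) -> {verdict}")
```

A `Direct` entry that is `below-floor` is a leftover pin like the workaround the commit message removes; a `Transitive` one means the parent package still needs bumping.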

4 participants