chore(deps): update dependency messagepack to 3.1.7#6203
Conversation
This is a Renovate-generated patch bump of MessagePack from 3.1.6 to 3.1.7. The diff is minimal: a single version string change in Directory.Packages.props.
Security impact: The release notes for 3.1.7 document a security release fixing 3 high-severity and 9 moderate-severity CVEs, covering issues such as:
- CWE-789 (uncontrolled memory allocation) in DateTime ext, Unity blit, and multidimensional array paths
- CWE-674 (uncontrolled recursion) in LZ4 skipping and JSON conversion depth
- CWE-125 (out-of-bounds read) in LZ4 input reads
- CWE-502 (deserialization of untrusted data) — nested typeless blocklist bypass
Given the security fixes, merging this promptly is recommended.
Change assessment: LGTM. Single-line version bump in the central Directory.Packages.props file, no API-surface changes, no structural concerns. Auto-merge is already enabled, which is appropriate for a security patch release.
This PR contains the following updates:
3.1.6 → 3.1.7
Release Notes
MessagePack-CSharp/MessagePack-CSharp (MessagePack)
v3.1.7
What's Changed
scoped to MessagePackWriter.Write(ReadOnlySpan<T>) methods by @AArnott in #2271
Security release details
This release fixes 3 high severity and 9 moderate severity security vulnerabilities.
High severity advisory fixes
- 26d4e74 GHSA-382j-8mxh-c7x2 Reject invalid DateTime ext lengths for CWE-789
- b9cb605 GHSA-vh6j-jc39-fggf Use iteration for skipping msgpack structures for CWE-674
- 719e690 GHSA-hv8m-jj95-wg3x Bound LZ4 input reads for CWE-125
Moderate severity advisory fixes
- 2b5a500 GHSA-v72x-2h86-7f8m Guard LZ4 decompression length for CWE-409
- f093bdc GHSA-qhmf-xw27-6rqr Reject nested typeless blocklist bypass for CWE-502
- f077798 GHSA-2f33-pr97-265q Default MVC input formatter to UntrustedData for CWE-1188
- 25a3493 GHSA-2x83-8g95-xh59 Limit untrusted ExpandoObject maps for CWE-407
- b414e6d GHSA-wfr3-xj75-pfwh Guard dynamic union depth for CWE-674
- 0555f07 GHSA-w567-gjr2-hm5j Validate Unity blit lengths for CWE-789
- 9b5783a GHSA-cxmj-83gh-fp49 Fix CWE-789 multidimensional array allocation validation
- f96fcf0 GHSA-q2h6-ghwm-5qm8 Use secure lookup comparer for CWE-407
- b3af7cf GHSA-cj9g-3mj2-g8vv Guard JSON conversion depth for CWE-674
- 66ad089 GHSA-cj9g-3mj2-g8vv Avoid JSON separator recursion for CWE-674
- 082ba7d GHSA-cj9g-3mj2-g8vv Guard typeless JSON depth for CWE-674
Fixes with no security advisory
- fb0fe9f Honor TypeFormatter options hooks for CWE-470
- c1c06a6 Fix WriteRawX methods to advance by written length
- 46c6a0f Fix CWE-190 map header length overflow
Full Changelog: MessagePack-CSharp/MessagePack-CSharp@v3.1.6...v3.1.7
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate.
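One of the moderate advisories above (GHSA-2f33-pr97-265q, CWE-1188) changes the ASP.NET Core MVC input formatter to default to MessagePackSecurity.UntrustedData. Code that calls MessagePackSerializer.Deserialize directly on network-supplied bytes does not get that default and has to opt in itself. The following is an added example, not code from this PR or from the MessagePack-CSharp project, showing the hardened options beside the default ones on a constructed deeply nested payload. It uses only public MessagePack-CSharp APIs (MessagePackSerializerOptions.WithSecurity, MessagePackSecurity.UntrustedData, WithMaximumObjectGraphDepth, MessagePackWriter); the LoginEvent type, the depth cap of 32 and the test payload are illustrative choices, and the example does not reproduce any of the advisories listed in the release notes.

```csharp
// Added example: deserializing untrusted MessagePack with the security mode the
// CWE-1188 advisory makes the MVC default. Not part of the PR or the library.
using System;
using System.Buffers;
using MessagePack;

[MessagePackObject]
public sealed class LoginEvent   // illustrative type, assumed for the example
{
    [Key(0)] public string User { get; set; } = string.Empty;
    [Key(1)] public long Timestamp { get; set; }
}

public static class UntrustedMessagePack
{
    // Default options: no nesting limit, collections keyed with ordinary comparers.
    public static readonly MessagePackSerializerOptions TrustedOptions =
        MessagePackSerializerOptions.Standard;

    // Hardened options: UntrustedData enables the object-graph depth limit and
    // hash-collision-resistant comparers; 32 is an assumed cap, tighter than the
    // library default, chosen to fit the payloads this example's service expects.
    public static readonly MessagePackSerializerOptions HardenedOptions =
        MessagePackSerializerOptions.Standard
            .WithSecurity(MessagePackSecurity.UntrustedData.WithMaximumObjectGraphDepth(32));

    // Returns false instead of letting a malformed or hostile payload propagate an
    // exception (or unbounded recursion) into the caller.
    public static bool TryDeserialize<T>(ReadOnlyMemory<byte> payload,
                                         MessagePackSerializerOptions options,
                                         out T? result)
    {
        try
        {
            result = MessagePackSerializer.Deserialize<T>(payload, options);
            return true;
        }
        catch (MessagePackSerializationException)
        {
            // Covers truncated input, wrong types, and the depth-limit exception,
            // which the serializer wraps in MessagePackSerializationException.
            result = default;
            return false;
        }
    }

    // Constructed hostile input: `depth` nested one-element arrays ending in nil.
    // This is a synthetic payload built for the example, not captured traffic.
    public static byte[] DeeplyNestedPayload(int depth)
    {
        var buffer = new ArrayBufferWriter<byte>();
        var writer = new MessagePackWriter(buffer);
        for (int i = 0; i < depth; i++)
        {
            writer.WriteArrayHeader(1);
        }
        writer.WriteNil();
        writer.Flush();
        return buffer.WrittenSpan.ToArray();
    }

    public static void Main()
    {
        byte[] good = MessagePackSerializer.Serialize(
            new LoginEvent { User = "alice", Timestamp = 1700000000 }, HardenedOptions);
        Console.WriteLine(TryDeserialize<LoginEvent>(good, HardenedOptions, out var ev)
            ? $"hardened accepted well-formed event for {ev!.User}"
            : "hardened rejected well-formed event (unexpected)");

        // Deserializing as object walks the nesting dynamically, so the depth limit
        // is what decides the outcome. 64 levels exceeds the assumed cap of 32.
        byte[] hostile = DeeplyNestedPayload(64);
        Console.WriteLine(TryDeserialize<object>(hostile, TrustedOptions, out _)
            ? "default options accepted 64-deep nesting"
            : "default options rejected 64-deep nesting");
        Console.WriteLine(TryDeserialize<object>(hostile, HardenedOptions, out _)
            ? "hardened options accepted 64-deep nesting (unexpected)"
            : "hardened options rejected 64-deep nesting");
    }
}
```

The point to take from the contrast is that the library upgrade fixes the parser-level issues listed above, but the nesting cap and collision-resistant comparers only apply where the caller passes UntrustedData options; audit every Deserialize call that reads from a socket, queue or request body, not only the MVC formatter the advisory changes.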