release: 7.1.8 — Microsoft.OpenApi security fix (#220) + IFormFile media types (#216)#221
Merged
Conversation
…media types) - Bump Swashbuckle.AspNetCore.SwaggerGen 10.0.0 -> 10.2.1 on the net10.0 target, pulling patched Microsoft.OpenApi 2.7.5 (was transitively 2.3.0). Closes the transitive high-severity advisory GHSA-v5pm-xwqc-g5wc / CVE-2026-49451 (CWE-674 uncontrolled recursion on circular $ref schemas) reported in Issue #220. net8.0/net9.0 use Swashbuckle 8.1.1 -> OpenApi v1, outside the advisory range. - Test project (net10.0): bump Swashbuckle.AspNetCore(.Annotations) to 10.2.1 and the direct Microsoft.OpenApi pin 2.3.0 -> 2.7.5 (clears Dependabot alert #2). - Cut stable 7.1.8: drop beta suffix in version.props; CHANGELOG rolls up the #216 media-type/file-size work from 7.1.8-beta.1/beta.2 plus the #220 fix. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Overview
Cuts the stable 7.1.8 release. It folds together two things:
7.1.8-beta.1/7.1.8-beta.2onmaster.Fixes #220
Security fix (#220)
The published package pulled a vulnerable
Microsoft.OpenApi 2.3.0transitively viaSwashbuckle.AspNetCore.SwaggerGen 10.0.0on the net10.0 target:$refschema can stack-overflow the OpenAPI reader (availability / process-termination; no RCE or data exposure).Microsoft.OpenApi >= 2.0.0-preview11, <= 2.7.4. Patched in2.7.5.Swashbuckle.AspNetCore.SwaggerGen10.0.0→10.2.1(net10.0 target), which resolvesMicrosoft.OpenApito 2.7.5. Verified viadotnet list package --include-transitive.8.1.1→Microsoft.OpenApiv1, which is outside the advisory range — left unchanged.Swashbuckle.AspNetCore(.Annotations)→10.2.1and the directMicrosoft.OpenApipin2.3.0→2.7.5(clears Dependabot alert Create package for old asp net #2).Release (version)
version.props: dropped thebeta.2suffix → stable7.1.8.dotnet packconfirmed it produces...7.1.8.nupkg.CHANGELOG.md: new# Changes in 7.1.8section rolling up the Add support for media types #216 work (beta.1/beta.2) plus the Can we update the required minimum version of Swashbuckle.AspNetCore.SwaggerGen? #220 security fix.Verification
dotnet test --framework net10.0→ 86 passed, 0 failed (only pre-existing nullable warnings).dotnet list package --include-transitive(net10.0) →Microsoft.OpenApi 2.7.5.dotnet pack -c Release→MicroElements.Swashbuckle.FluentValidation.7.1.8.nupkg.🤖 Generated with Claude Code