Skip to content

Fix Microsoft.OpenApi high-severity vulnerability blocking builds#2319

Merged
woksin merged 1 commit into
mainfrom
fix/microsoft-openapi-vulnerability-pin
Jul 1, 2026
Merged

Fix Microsoft.OpenApi high-severity vulnerability blocking builds#2319
woksin merged 1 commit into
mainfrom
fix/microsoft-openapi-vulnerability-pin

Conversation

@woksin

@woksin woksin commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Fixed

  • Resolved a high-severity vulnerability (GHSA-v5pm-xwqc-g5wc) in the transitive Microsoft.OpenApi dependency by pinning it to the patched 2.7.5 release.

Summary

Microsoft.AspNetCore.OpenApi transitively pulls in Microsoft.OpenApi 2.0.0, which has a known high-severity advisory for circular schema references terminating OpenAPI parsing. NuGetAudit treats this as a build error (NU1903), which has been silently failing the daily Update Packages workflow since the advisory was published, and blocks any Release-configuration build outright.

Microsoft.AspNetCore.OpenApi transitively pulls in Microsoft.OpenApi
2.0.0, which has a high-severity advisory (GHSA-v5pm-xwqc-g5wc) for
circular schema references terminating OpenAPI parsing. NuGetAudit
treats this as a build error, which has been silently failing the
daily "Update Packages" workflow since the advisory was published and
just blocked the Release-configuration Publish build outright. Pin
the transitive dependency to the patched 2.7.5 release via central
package management.
@woksin woksin added the patch label Jul 1, 2026
@woksin woksin merged commit 60e810e into main Jul 1, 2026
6 checks passed
@woksin woksin deleted the fix/microsoft-openapi-vulnerability-pin branch July 1, 2026 17:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant