This is an automated email from the ASF dual-hosted git repository.
chaokunyang pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/fory.git
The following commit(s) were added to refs/heads/main by this push:
new 0f015a150 chore: Bump MessagePack from 2.5.187 to 2.5.301 (#3750)
0f015a150 is described below
commit 0f015a1501beef4959873aa1d980d3bd772268d6
Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
AuthorDate: Fri Jun 12 11:07:17 2026 +0530
chore: Bump MessagePack from 2.5.187 to 2.5.301 (#3750)
Updated
[MessagePack](https://github.com/MessagePack-CSharp/MessagePack-CSharp)
from 2.5.187 to 2.5.301.
<details>
<summary>Release notes</summary>
_Sourced from [MessagePack's
releases](https://github.com/MessagePack-CSharp/MessagePack-CSharp/releases)._
## 2.5.301
## Security release
This release fixes 2 high severity and 9 moderate severity security
vulnerabilities as listed below.
This release is missing #2269 from the v2.5.205 release. We recommend
folks adopt the v2.5.302 release which has all the security fixes
combined.
### High severity advisory fixes
- 696b4a76 GHSA-vh6j-jc39-fggf Use iteration for skipping msgpack
structures for CWE-674
- 3538bc11 GHSA-hv8m-jj95-wg3x Bound LZ4 input reads for CWE-125
### Moderate severity advisory fixes
- 853429a0 GHSA-v72x-2h86-7f8m Guard LZ4 decompression length for
CWE-409
- 826f17c7 GHSA-qhmf-xw27-6rqr Reject nested typeless blocklist bypass
for CWE-502
- c98d31f2 GHSA-2f33-pr97-265q Default MVC input formatter to
UntrustedData for CWE-1188
- ae90f2b1 GHSA-2x83-8g95-xh59 Limit untrusted ExpandoObject maps for
CWE-407
- 940b8508 GHSA-wfr3-xj75-pfwh Guard dynamic union depth for CWE-674
- e01f07cf GHSA-w567-gjr2-hm5j Validate Unity blit lengths for CWE-789
- dc6f6324 GHSA-cxmj-83gh-fp49 Fix CWE-789 multidimensional array
allocation validation
- e97f71e7 GHSA-q2h6-ghwm-5qm8 Use secure lookup comparer for CWE-407
- 7b12e5b5 GHSA-cj9g-3mj2-g8vv Guard JSON conversion depth for CWE-674
- a3c8a183 GHSA-cj9g-3mj2-g8vv Avoid JSON separator recursion for
CWE-674
- 96743523 GHSA-cj9g-3mj2-g8vv Guard typeless JSON depth for CWE-674
### Fixes with no security advisory
- 814bc4c1 Honor TypeFormatter options hooks for CWE-470
- b0f8c5e2 Fix WriteRawX methods to advance by written length
- 0124048c Fix CWE-190 map header length overflow
## 2.5.205
## What's Changed
* Fix repo url by @tomap in
https://github.com/MessagePack-CSharp/MessagePack-CSharp/pull/2065
* Update DynamicAssembly usage to honor different AssemblyLoadContext's
by @BertanAygun in
https://github.com/MessagePack-CSharp/MessagePack-CSharp/pull/2183
* Add more types to the default disallow list of named types to be
deserialized by @AArnott in
https://github.com/MessagePack-CSharp/MessagePack-CSharp/pull/2263
* Add several known unsafe 'gadgets' to the disallow list by @AArnott
in https://github.com/MessagePack-CSharp/MessagePack-CSharp/pull/2269
## New Contributors
* @tomap made their first contribution in
https://github.com/MessagePack-CSharp/MessagePack-CSharp/pull/2065
**Full Changelog**:
https://github.com/MessagePack-CSharp/MessagePack-CSharp/compare/v2.5.192...v2.5.205
## 2.5.198
## What's Changed
* Fix repo url by @tomap in
https://github.com/MessagePack-CSharp/MessagePack-CSharp/pull/2065
* Update DynamicAssembly usage to honor different AssemblyLoadContext's
by @BertanAygun in
https://github.com/MessagePack-CSharp/MessagePack-CSharp/pull/2183
## New Contributors
* @tomap made their first contribution in
https://github.com/MessagePack-CSharp/MessagePack-CSharp/pull/2065
**Full Changelog**:
https://github.com/MessagePack-CSharp/MessagePack-CSharp/compare/v2.5.192...v2.5.198
## 2.5.192
## What's Changed
* Fix bugs in serializing long numbers by @AArnott in
https://github.com/MessagePack-CSharp/MessagePack-CSharp/pull/2055
**Full Changelog**:
https://github.com/MessagePack-CSharp/MessagePack-CSharp/compare/v2.5.187...v2.5.192
Commits viewable in [compare
view](https://github.com/MessagePack-CSharp/MessagePack-CSharp/compare/v2.5.187...v2.5.301).
</details>
Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot]
<49699333+dependabot[bot]@users.noreply.github.com>
---
benchmarks/csharp/Fory.CSharpBenchmark.csproj | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/benchmarks/csharp/Fory.CSharpBenchmark.csproj
b/benchmarks/csharp/Fory.CSharpBenchmark.csproj
index 60aa57687..7cc9ebc23 100644
--- a/benchmarks/csharp/Fory.CSharpBenchmark.csproj
+++ b/benchmarks/csharp/Fory.CSharpBenchmark.csproj
@@ -8,7 +8,7 @@
</PropertyGroup>
<ItemGroup>
- <PackageReference Include="MessagePack" Version="2.5.187" />
+ <PackageReference Include="MessagePack" Version="2.5.301" />
<PackageReference Include="protobuf-net" Version="3.2.56" />
</ItemGroup>
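Review bot: The `+` line pins `Version="2.5.301"`, but the release notes quoted in this commit message state that 2.5.301 is missing #2269 from the v2.5.205 release (the change that adds several known unsafe 'gadgets' to the disallow list) and recommend v2.5.302, which has all the security fixes combined. Consider `<PackageReference Include="MessagePack" Version="2.5.302" />` instead, so the benchmark project picks up both the advisory fixes listed for 2.5.301 and the disallow-list additions from #2269.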