[Autofix] Bump MongoDB.Driver to 2.30.0 to fix High-severity CVEs#1
Closed
Apiiro-Guardian-AutoFix wants to merge 1 commit into
Closing autofix PR in bulk cleanup.
Summary:
Bumped MongoDB.Driver from 2.8.1 to 2.30.0 in the WorkflowCore.Persistence.MongoDB provider project, which is the transitive source of the dependency surfaced under Sample07.
What Changed:
Changed the MongoDB.Driver PackageReference Version attribute from 2.8.1 to 2.30.0 in src/providers/WorkflowCore.Persistence.MongoDB/WorkflowCore.Persistence.MongoDB.csproj. Sample07.csproj pulls MongoDB.Driver in only via a ProjectReference to this provider (it has no direct PackageReference for it), so updating the parent fixes the transitive vulnerability for Sample07 and every other downstream consumer (e.g. Sample04) in one place.
Why This Fix:
The overlay flags this as a sub-dependency and lists four candidate fix versions (2.19.0, 2.30.0, 3.0.0, 3.8.0). 2.30.0 is the highest version on the 2.x line, so it incorporates all High-severity fixes covered by the lower 2.x options while avoiding the 3.x major break that removed MongoDB.Driver.Linq.IMongoQueryable<T>, a type still used in MongoPersistenceProvider.cs. The repo has no packages.lock.json configured, so editing the csproj is the complete fix; NuGet will resolve the new version on next restore.
Files Changed:
src/providers/WorkflowCore.Persistence.MongoDB/WorkflowCore.Persistence.MongoDB.csproj
Reviewer Notes:
src/samples/WorkflowCore.Sample07/WorkflowCore.Sample07.csproj, but Sample07 has no direct PackageReference for MongoDB.Driver; it inherits it via ProjectReference to WorkflowCore.Persistence.MongoDB. The fix is intentionally applied at that source project so it also covers…
MongoPersistenceProvider.cs and WorkflowPurger.cs use MongoDB.Driver.Linq.IMongoQueryable<T>, which was removed/relocated in MongoDB.Driver 3.0. 2.30.0 keeps that API while picking up all listed High-sev CVE fixes.
Potential Impact:
Low-to-medium. The bump stays within MongoDB.Driver 2.x, which is API-compatible for the surface used here (Builders, IMongoCollection, IMongoQueryable, BsonClassMap). Some serialization/LINQ behavior tweaks landed in late 2.x (e.g. LINQ3 became default in 2.19+), so workflows that stress the MongoDB persistence provider should be smoke-tested, but the public API used in this repo is unchanged.
About Apiiro Autofix
This PR was automatically generated by Apiiro Autofix. Review all changes carefully before merging and run your test suite to verify no regressions.
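As an added example (not code from this PR or from the WorkflowCore repository), the script below traces the transitive dependency the PR describes: it walks ProjectReference edges between constructed csproj stubs modelled on the paths above, reports which projects inherit MongoDB.Driver below the fix version and from which file, and confirms that bumping the single provider csproj clears every downstream consumer. The csproj contents, the Sample04 reference and the helper names are assumptions.

```python
import posixpath
import xml.etree.ElementTree as ET

# Constructed csproj stubs keyed by repo-relative path, modelled on the layout the
# PR describes (sample data, not the repository's real files).
PROVIDER = "src/providers/WorkflowCore.Persistence.MongoDB/WorkflowCore.Persistence.MongoDB.csproj"
SAMPLE_XML = ('<Project><ItemGroup><ProjectReference Include="..\\..\\providers\\'
              'WorkflowCore.Persistence.MongoDB\\WorkflowCore.Persistence.MongoDB.csproj" />'
              '</ItemGroup></Project>')
PROJECTS = {
    PROVIDER: '<Project><ItemGroup><PackageReference Include="MongoDB.Driver" Version="2.8.1" /></ItemGroup></Project>',
    "src/samples/WorkflowCore.Sample07/WorkflowCore.Sample07.csproj": SAMPLE_XML,
    "src/samples/WorkflowCore.Sample04/WorkflowCore.Sample04.csproj": SAMPLE_XML,
}

def parse_version(text):  # dotted NuGet version -> comparable tuple (no prerelease tags)
    return tuple(int(part) for part in text.split("."))

def direct_refs(path):
    """({package: version}, [referenced csproj paths]) declared directly in one csproj."""
    root = ET.fromstring(PROJECTS[path])
    packages = {e.get("Include"): e.get("Version") for e in root.iter("PackageReference")}
    base = posixpath.dirname(path)
    projects = [posixpath.normpath(posixpath.join(base, e.get("Include").replace("\\", "/")))
                for e in root.iter("ProjectReference")]
    return packages, projects

def resolve_package(path, package, seen=None):
    """Effective (version, declaring csproj) of `package` from `path`: a direct reference wins, else follow ProjectReferences."""
    seen = set() if seen is None else seen
    if path in seen:  # guard against reference cycles
        return None
    seen.add(path)
    packages, projects = direct_refs(path)
    if package in packages:
        return packages[package], path
    return next((h for h in (resolve_package(c, package, seen) for c in projects) if h), None)

def vulnerable_consumers(package, fixed_in):
    """Projects seeing `package` below `fixed_in` -> (version, csproj that declares it, i.e. the file to edit)."""
    hits = {p: resolve_package(p, package) for p in PROJECTS}
    return {p: h for p, h in hits.items() if h and parse_version(h[0]) < parse_version(fixed_in)}

def bump(path, package, new_version):
    """Rewrite one PackageReference version (in memory here; on disk, write the file back)."""
    root = ET.fromstring(PROJECTS[path])
    for e in root.iter("PackageReference"):
        if e.get("Include") == package:
            e.set("Version", new_version)
    PROJECTS[path] = ET.tostring(root, encoding="unicode")
```

Before the bump all three projects resolve MongoDB.Driver 2.8.1 from the provider csproj; after `bump(PROVIDER, "MongoDB.Driver", "2.30.0")` the consumer list is empty, which is the single-edit transitive fix the PR relies on.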