dependabot[bot] opened a new pull request, #8018: URL: https://github.com/apache/ignite-3/pull/8018
Updated [MessagePack](https://github.com/MessagePack-CSharp/MessagePack-CSharp) from 2.5.198 to 2.5.302.

<details>
<summary>Release notes</summary>

_Sourced from [MessagePack's releases](https://github.com/MessagePack-CSharp/MessagePack-CSharp/releases)._

## 2.5.302

This is a merge release, combining the security fix from the https://github.com/MessagePack-CSharp/MessagePack-CSharp/releases/tag/v2.5.205 release with the several security fixes from the https://github.com/MessagePack-CSharp/MessagePack-CSharp/releases/tag/v2.5.301 release.

## 2.5.301

## Security release

This release fixes 2 high severity and 9 moderate severity security vulnerabilities as listed below. This release is missing #2269 from the v2.5.205 release. We recommend folks adopt the v2.5.302 release which has all the security fixes combined.

### High severity advisory fixes

- 696b4a76 GHSA-vh6j-jc39-fggf Use iteration for skipping msgpack structures for CWE-674
- 3538bc11 GHSA-hv8m-jj95-wg3x Bound LZ4 input reads for CWE-125

### Moderate severity advisory fixes

- 853429a0 GHSA-v72x-2h86-7f8m Guard LZ4 decompression length for CWE-409
- 826f17c7 GHSA-qhmf-xw27-6rqr Reject nested typeless blocklist bypass for CWE-502
- c98d31f2 GHSA-2f33-pr97-265q Default MVC input formatter to UntrustedData for CWE-1188
- ae90f2b1 GHSA-2x83-8g95-xh59 Limit untrusted ExpandoObject maps for CWE-407
- 940b8508 GHSA-wfr3-xj75-pfwh Guard dynamic union depth for CWE-674
- e01f07cf GHSA-w567-gjr2-hm5j Validate Unity blit lengths for CWE-789
- dc6f6324 GHSA-cxmj-83gh-fp49 Fix CWE-789 multidimensional array allocation validation
- e97f71e7 GHSA-q2h6-ghwm-5qm8 Use secure lookup comparer for CWE-407
- 7b12e5b5 GHSA-cj9g-3mj2-g8vv Guard JSON conversion depth for CWE-674
- a3c8a183 GHSA-cj9g-3mj2-g8vv Avoid JSON separator recursion for CWE-674
- 96743523 GHSA-cj9g-3mj2-g8vv Guard typeless JSON depth for CWE-674

### Fixes with no security advisory

- 814bc4c1 Honor TypeFormatter options hooks for CWE-470
- b0f8c5e2 Fix WriteRawX methods to advance by written length
- 0124048c Fix CWE-190 map header length overflow

## 2.5.205

## What's Changed

* Fix repo url by @tomap in https://github.com/MessagePack-CSharp/MessagePack-CSharp/pull/2065
* Update DynamicAssembly usage to honor different AssemblyLoadContext's by @BertanAygun in https://github.com/MessagePack-CSharp/MessagePack-CSharp/pull/2183
* Add more types to the default disallow list of named types to be deserialized by @AArnott in https://github.com/MessagePack-CSharp/MessagePack-CSharp/pull/2263
* Add several known unsafe 'gadgets' to the disallow list by @AArnott in https://github.com/MessagePack-CSharp/MessagePack-CSharp/pull/2269

## New Contributors

* @tomap made their first contribution in https://github.com/MessagePack-CSharp/MessagePack-CSharp/pull/2065

**Full Changelog**: https://github.com/MessagePack-CSharp/MessagePack-CSharp/compare/v2.5.192...v2.5.205

Commits viewable in [compare view](https://github.com/MessagePack-CSharp/MessagePack-CSharp/compare/v2.5.198...v2.5.302).
</details>

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:

- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
</details>

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
