.Net: Bump Scriban from 7.1.0 to 7.2.0 to address GHSA-24c8-4792-22hx#14031
Open
jluocsa wants to merge 1 commit into
Open
.Net: Bump Scriban from 7.1.0 to 7.2.0 to address GHSA-24c8-4792-22hx#14031jluocsa wants to merge 1 commit into
jluocsa wants to merge 1 commit into
Conversation
Scriban <= 7.1.0 has a known high-severity DoS (GHSA-24c8-4792-22hx, CVSS 8.7) in ArrayFunctions.InsertAt. The array.insert_at template builtin allocates index - list.Count null entries in a tight loop, bypassing LoopLimit, LimitToString, RecursiveLimit, and ObjectRecursionLimit, and OOMs the host process. Patched in Scriban 7.2.0. NuGet now flags this as NU1903 on restore. Combined with dotnet build --warnaserror in the Debug CI legs of dotnet-build-and-test.yml, every open .NET PR is currently failing on three projects that reference Scriban centrally: samples/Concepts, src/Functions/Functions.Prompty, and src/Functions/Functions.Prompty.UnitTests. Single-line bump in dotnet/Directory.Packages.props -- central package management means all three projects inherit the new version. No source changes needed; the advisory affects a runtime template builtin not exercised by SK's tests.
Contributor
There was a problem hiding this comment.
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Updates the central .NET package version configuration to bump Scriban.
Changes:
- Bumped
ScribanNuGet package version from7.1.0to7.2.0.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
5 tasks
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Bumps
Scribanfrom 7.1.0 to 7.2.0 indotnet/Directory.Packages.propsto clear GHSA-24c8-4792-22hx (High, CVSS 8.7).Why
Scriban ≤ 7.1.0 has a known high-severity DoS in
ArrayFunctions.InsertAt: thearray.insert_attemplate builtin allocatesindex - list.Countnull entries in a tight loop with no bound, bypassingLoopLimit,LimitToString,RecursiveLimit, andObjectRecursionLimit. A one-line template such as{{ [1] | array.insert_at 200000000 'x' | array.size }}OOMs the host process in ~600 ms. Patched in Scriban 7.2.0.NuGet now flags this as
NU1903on restore. Combined withdotnet build … --warnaserrorin the Debug CI legs (dotnet/.github/workflows/dotnet-build-and-test.yml), every open .NET PR (#14030, #14029, …) is currently failing on three projects that reference Scriban transitively or directly:dotnet/samples/Concepts/Concepts.csprojdotnet/src/Functions/Functions.Prompty/Functions.Prompty.csprojdotnet/src/Functions/Functions.Prompty.UnitTests/Functions.Prompty.UnitTests.csprojHow
Single-line bump in
Directory.Packages.props(central package management — all three projects inherit). No source changes needed; the advisory affects a runtime template builtin not exercised by SK's tests.Validation
Locally on Windows with .NET 10.0.100 SDK,
GITHUB_ACTIONS=true, mirroring the CI build command:Targeted Redis unit tests still pass (109/109) — sanity check that nothing transitive broke.
Release notes
Bump Scriban from 7.1.0 to 7.2.0 to address GHSA-24c8-4792-22hx (CVSS 8.7 High).Contribution Checklist