Upgrade Scriban to 6.6.0 #25122

Merged: EngincanV merged 2 commits into rel-10.2 from upgrade/scriban-6.6.0 on Mar 23, 2026

@maliming (Member)

Upgrade Scriban NuGet package from 6.3.0 to 6.6.0 to resolve security advisory GHSA-5rpf-x9jg-8j5p (Memory Exhaustion / DoS, medium severity).

This fixes the NU1902 NuGet security warning that causes Add-Migration and other build commands to fail.

Resolves #25121

Copilot AI review requested due to automatic review settings March 20, 2026 02:45
@maliming added the dependency-change label ("Indicates a version change of a dependency (typically, upgrade)") on Mar 20, 2026
Copilot AI (Contributor) left a comment

Pull request overview

Upgrades the Scriban NuGet dependency to address GHSA-5rpf-x9jg-8j5p (memory exhaustion/DoS) and eliminate NU1902 warnings that can block tooling (e.g., Add-Migration) in this repo.

Changes:

  • Bump central Scriban package version from 6.3.0 to 6.6.0.
  • Document the dependency change under 10.2.0-rc.3 in package version change notes.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| docs/en/package-version-changes.md | Adds a 10.2.0-rc.3 entry documenting the Scriban upgrade (needs table formatting fix per review comment). |
| Directory.Packages.props | Updates the centrally-managed Scriban version to 6.6.0. |

@EngincanV merged commit d4bec65 into rel-10.2 on Mar 23, 2026
@EngincanV deleted the upgrade/scriban-6.6.0 branch on March 23, 2026 06:31