Conversation

@delatrie
Contributor

Context

The PR bumps the version of xUnit.net packages referenced by Allure.Xunit to 2.6.6. This is the earliest version that targets netstandard2.0 and doesn't reference NETStandard.Library. The reference to NETStandard.Library introduced transitive dependencies on vulnerable packages, as noted in #558. Getting rid of this reference fixes this, as xunit itself doesn't use the vulnerable packages in its code.

Another vulnerable package mentioned in the issue is System.Text.Json, which is brought in by Lib.Harmony. This is the subject of #599.

Fixes #558

@delatrie delatrie added the type:security Security vulnerability or fix label Oct 15, 2025
@delatrie delatrie added type:dependencies Pull requests that update a dependency and removed type:security Security vulnerability or fix labels Oct 15, 2025
Base automatically changed from bump-harmony-2.4.1 to main October 16, 2025 10:10
@delatrie delatrie force-pushed the fix-xunit-netcoreapp3.1-vulnerabilities branch from 0b211ad to 928f078 Compare October 16, 2025 10:19
@delatrie delatrie changed the title deps(xunit): bump xunit to 2.6.6 Bump xunit to 2.6.6 in Allure.Xunit Oct 16, 2025
@delatrie delatrie merged commit 85dacc7 into main Oct 16, 2025
6 checks passed
@delatrie delatrie deleted the fix-xunit-netcoreapp3.1-vulnerabilities branch October 16, 2025 10:24
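
Added example, not part of this PR or the Allure code base: a small Python helper that traces which direct package reference pulls a flagged transitive package into the restore graph, the relationship the PR description relies on. It assumes the `targets` and `projectFileDependencyGroups` layout of NuGet's `obj/project.assets.json`; the sample graph, its versions and `Sample.Flagged.Package` are constructed placeholders.

```python
# Constructed sample, trimmed to the fields read below. Versions and
# Sample.Flagged.Package are placeholders, not real advisory data.
SAMPLE_ASSETS = {
    "targets": {"netcoreapp3.1": {
        "xunit.core/0.0.1": {"dependencies": {"xunit.extensibility.core": "0.0.1"}},
        "xunit.extensibility.core/0.0.1": {"dependencies": {"NETStandard.Library": "0.0.1"}},
        "NETStandard.Library/0.0.1": {"dependencies": {"Sample.Flagged.Package": "0.0.1"}},
        "Sample.Flagged.Package/0.0.1": {},
        "Lib.Harmony/0.0.1": {"dependencies": {"System.Text.Json": "0.0.1"}},
        "System.Text.Json/0.0.1": {},
    }},
    "projectFileDependencyGroups": {
        "netcoreapp3.1": ["xunit.core >= 0.0.1", "Lib.Harmony >= 0.0.1"],
    },
}


def dependency_paths(assets, framework, flagged_id):
    """Return every chain [direct reference, ..., flagged_id] in the restore graph."""
    graph = {}
    for key, info in assets["targets"][framework].items():
        name = key.partition("/")[0]  # keys look like "Package.Id/version"
        graph[name.lower()] = (name, list(info.get("dependencies", {})))
    # Direct references are listed as "Package.Id >= version" strings.
    roots = [r.split()[0] for r in assets["projectFileDependencyGroups"][framework]]
    wanted, paths = flagged_id.lower(), []

    def walk(name, trail):
        node = graph.get(name.lower())  # NuGet package ids are case-insensitive
        if node is None or node[0] in trail:  # unresolved package or cycle
            return
        trail = trail + [node[0]]
        if name.lower() == wanted:
            paths.append(trail)
            return
        for dep in node[1]:
            walk(dep, trail)

    for root in roots:
        walk(root, [])
    return paths


if __name__ == "__main__":
    for flagged in ("Sample.Flagged.Package", "System.Text.Json"):
        for path in dependency_paths(SAMPLE_ASSETS, "netcoreapp3.1", flagged):
            print(" -> ".join(path))
```

Against a real project, load the file with `json.load` after `dotnet restore` and pass the framework key exactly as it appears under `targets`.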

Development

Successfully merging this pull request may close these issues.

Allure.Xunit contains vulnarable packages

3 participants