@Copilot Copilot AI commented Sep 18, 2025

This PR upgrades System.Linq.Dynamic.Core from version 1.3.0 to 1.6.0 to address the high severity security vulnerability GHSA-4cv2-4hjh-77rx.

Problem

The current version 1.3.0 has a known security vulnerability that needs to be resolved. However, upgrading to 1.6.0 introduces breaking changes due to stricter security controls that prevent access to certain .NET framework methods like object.Equals() used in workflow definitions.

Solution

1. Expression Transformation

Added automatic transformation of legacy expression patterns to maintain backward compatibility:

// Before (fails in 1.6.0)
"object.Equals(data[\"Flag1\"], true)"

// After (automatically transformed)
"Convert.ToBoolean(data[\"Flag1\"]) == true"

2. Enhanced Security Configuration

Implemented a ParsingConfig with appropriate permissions for workflow expression parsing while maintaining security:

private static readonly ParsingConfig ParsingConfig = new ParsingConfig
{
    AllowNewToEvaluateAnyType = true,
    AreContextKeywordsEnabled = true
};

3. Comprehensive Updates

Updated all DynamicExpressionParser.ParseLambda() calls throughout the DefinitionLoader to use the new configuration and automatic expression transformation.

Backward Compatibility

Existing workflow definitions continue to work without modification:

  • JSON and YAML workflow files with object.Equals() expressions are automatically converted
  • No breaking changes for end users
  • All existing functionality preserved

Testing

Verified the upgrade works correctly with:

  • Existing test asset definitions (stored-dynamic-definition.json/yaml)
  • Simple dynamic property access expressions
  • Complex conditional expressions with equality comparisons
  • Both JSON and YAML workflow definition formats

The security vulnerability warning is now resolved, and the build produces no vulnerability warnings.

Fixes #1371.


Co-authored-by: danielgerlag <2357007+danielgerlag@users.noreply.github.com>
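The legacy-expression rewrite and the ParsingConfig the description outlines, as an added C# example that is not part of this PR's code; the regex, the `IDictionary<string, object>` type of the `data` parameter and the `Evaluate` helper are assumptions about how the DefinitionLoader binds workflow data.

```csharp
using System;
using System.Collections.Generic;
using System.Linq.Dynamic.Core;
using System.Linq.Expressions;
using System.Text.RegularExpressions;

public static class LegacyExpressionShim
{
    // Same settings the PR description shows for the DefinitionLoader.
    private static readonly ParsingConfig Config = new ParsingConfig
    {
        // Lets 'new' instantiate any type reachable from the expression; keep definitions trusted.
        AllowNewToEvaluateAnyType = true,
        AreContextKeywordsEnabled = true
    };

    // Constructed regex (assumption): matches object.Equals(<arg>, true|false) where <arg>
    // contains no parentheses or commas, e.g. data["Flag1"]. Nested calls are left untouched.
    private static readonly Regex LegacyEquals = new Regex(
        @"object\.Equals\(\s*(?<arg>[^,()]+?)\s*,\s*(?<lit>true|false)\s*\)",
        RegexOptions.IgnoreCase | RegexOptions.Compiled);

    // object.Equals(x, true)  ->  Convert.ToBoolean(x) == true
    public static string Transform(string expression) =>
        LegacyEquals.Replace(expression,
            m => $"Convert.ToBoolean({m.Groups["arg"].Value}) == {m.Groups["lit"].Value.ToLowerInvariant()}");

    // Rewrites a legacy condition, parses it against a 'data' dictionary parameter and evaluates it.
    public static bool Evaluate(string legacyExpression, IDictionary<string, object> data)
    {
        var rewritten = Transform(legacyExpression);
        var dataParam = Expression.Parameter(typeof(IDictionary<string, object>), "data");
        var lambda = DynamicExpressionParser.ParseLambda(
            Config, false, new[] { dataParam }, typeof(bool), rewritten);
        return (bool)lambda.Compile().DynamicInvoke(data)!;
    }

    public static void Main()
    {
        // Constructed sample workflow data.
        var data = new Dictionary<string, object> { ["Flag1"] = true, ["Flag2"] = false };
        Console.WriteLine(Transform("object.Equals(data[\"Flag1\"], true)"));
        Console.WriteLine(Evaluate("object.Equals(data[\"Flag1\"], true)", data));
        Console.WriteLine(Evaluate("object.Equals(data[\"Flag2\"], false)", data));
    }
}
```

Expressions that do not match the legacy pattern pass through `Transform` unchanged, so the stricter 1.6.0 parser still rejects any other direct `object.*` member access.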
@Copilot Copilot AI changed the title [WIP] Vulnerable dependency System.Linq.Dynamic.Core 1.3.0 Upgrade System.Linq.Dynamic.Core to 1.6.0 and fix breaking changes Sep 18, 2025
@Copilot Copilot AI requested a review from danielgerlag September 18, 2025 00:56
Copilot finished work on behalf of danielgerlag September 18, 2025 00:56
@danielgerlag danielgerlag marked this pull request as ready for review September 18, 2025 05:13
@danielgerlag danielgerlag merged commit 34928d4 into master Sep 19, 2025
10 checks passed