chore(deps): bump Scriban 6.6.0 -> 7.1.0 (closes #87)#89
Open
andikrueger wants to merge 1 commit into
Open
Conversation
Clears three NuGet advisories that were promoted to hard build errors by TreatWarningsAsErrors=true: - GHSA-5wr9-m6jw-xx44 (critical) - sandbox bypass via cached MemberFilter - GHSA-m2p3-hwv5-xpqw (moderate) - LimitToString denial of service - GHSA-xw6w-9jjh-p9cr (moderate) - unbounded string mul / BigInteger shift DoS Practical exposure was nil - Scriban is only used at build time by PptMcp.Build.Tasks/GenerateSkillFile.cs to render source-controlled skill prompt templates, never with attacker-supplied input. The bump unblocks the McpServer build and clears the advisories. Scriban API surface used by GenerateSkillFile (Template.Parse, HasErrors, Messages, ScriptObject.Import, TemplateContext, PushGlobal, Render) is stable across 6 -> 7. No source changes required. Verified: dotnet build PptMcp.sln succeeds with 0 warnings, 0 errors. The GenerateSkillFile build task ran successfully (PptSkillPrompts.g.cs generated from 5 skill files), proving runtime API compatibility. Closes trsdn#87 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
|
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs within 7 days. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Bumps Scriban from 6.6.0 → 7.1.0 to clear three NuGet advisories that are promoted to hard build errors by
TreatWarningsAsErrors=true, blocking the McpServer build.Why
MemberFilterLimitToStringdenial of serviceBuild fails with:
Practical exposure was nil. Scriban is only used at build time by
PptMcp.Build.Tasks/GenerateSkillFile.csto render source-controlled skill prompt templates — there is no path for attacker-supplied template text. The advisories matter here only because they block CI.Why 7.1.0
There is no Scriban 6.7.x — the project jumped from 6.x to 7.x. 7.1.0 is the latest release.
API surface used by
GenerateSkillFile(Template.Parse,HasErrors,Messages,ScriptObject.Import(model, renamer:),TemplateContext,PushGlobal,Render) is stable across 6 → 7. No source changes required.Changes
Directory.Packages.props—Scriban6.6.0→7.1.0CHANGELOG.md— new### Securityentry under[Unreleased]Verification
dotnet build PptMcp.sln -c Debug→ 0 warnings, 0 errors (was: 3 errors on McpServer)GenerateSkillFilebuild task ran successfully — generatedobj\Debug\net9.0-windows\PptSkillPrompts.g.cs from 5 skill files— proves runtime API compatibility with the new versionRelated
Closes #87
Co-authored-by: Copilot 223556219+Copilot@users.noreply.github.com