From 59fe182298bdee1912863de62cd8b1a4630a4854 Mon Sep 17 00:00:00 2001
From: Rohan <142411639+Rohannagariya1@users.noreply.github.com>
Date: Thu, 11 Jun 2026 20:07:02 +0530
Subject: [PATCH] fix(security): pin System.Net.Http 4.3.4 +
 System.Text.RegularExpressions 4.3.1 [APS-19255 APS-19256]

- Add explicit PackageReference pins overriding vulnerable transitive 4.3.0
  versions pulled in via NETStandard.Library 1.6.1
- System.Net.Http 4.3.0 -> 4.3.4 (GHSA-7jgj-8wvc-jh57, .NET Core Information Disclosure)
- System.Text.RegularExpressions 4.3.0 -> 4.3.1 (GHSA-cmhx-cq75-c4mj, Regex DoS)
- dotnet list package --vulnerable now reports no vulnerable packages

Resolves: APS-19255, APS-19256

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
---
 MSTest_browserstack/MSTest_browserstack.csproj | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/MSTest_browserstack/MSTest_browserstack.csproj b/MSTest_browserstack/MSTest_browserstack.csproj
index 63a61ee..04fcbf8 100644
--- a/MSTest_browserstack/MSTest_browserstack.csproj
+++ b/MSTest_browserstack/MSTest_browserstack.csproj
@@ -16,6 +16,9 @@
     <PackageReference Include="MSTest.TestAdapter" Version="3.1.1" />
     <PackageReference Include="MSTest.TestFramework" Version="3.1.1" />
     <PackageReference Include="Selenium.WebDriver" Version="4.17.0" />
+    <!-- Security pins: override vulnerable transitive 4.3.0 (via NETStandard.Library 1.6.1). APS-19255 / APS-19256 -->
+    <PackageReference Include="System.Net.Http" Version="4.3.4" />
+    <PackageReference Include="System.Text.RegularExpressions" Version="4.3.1" />
   </ItemGroup>
 
   <ItemGroup>