
[APS-19257][APS-19258] fix: pin System.Net.Http 4.3.4 + System.Text.RegularExpressions 4.3.1#9

Open

Rohannagariya1 wants to merge 1 commit into browserstack:main from Rohannagariya1:fix/APS-19257-19258-dotnet-deps

Conversation

@Rohannagariya1


Security Fix: APS-19257 + APS-19258

Issue

Two High-severity (CVSS 7.5) GitHub advisories flagged on this repo:

  • APS-19257 — System.Net.Http .NET Core Information Disclosure (GHSA-7jgj-8wvc-jh57), patched in 4.3.4
  • APS-19258 — System.Text.RegularExpressions Regex Denial of Service (GHSA-cmhx-cq75-c4mj), patched in 4.3.1

Root Cause

Both packages were present transitively at the vulnerable 4.3.0 version, pulled in via the legacy NETStandard.Library 1.6.1 meta-package that the BrowserStack SDK dependency chain references (verified in obj/.../project.assets.json on main). They are not direct references, so they must be overridden with an explicit pin.

Note: dotnet list package --vulnerable crashes on this project with "Sequence contains no matching element" (a known SDK bug triggered because this csproj lacks <IsTestProject>true</IsTestProject>), so the scanner can't print them — but project.assets.json confirms both resolve at the vulnerable 4.3.0. This is a real finding, not a false positive. Dependabot did not open a PR here (coverage gap), unlike the sibling MSTest/nunit/xunit repos.

Fix Applied

Added two explicit PackageReference pins to the test .csproj:

<PackageReference Include="System.Net.Http" Version="4.3.4" />
<PackageReference Include="System.Text.RegularExpressions" Version="4.3.1" />

After the fix, project.assets.json resolves System.Net.Http = 4.3.4 and System.Text.RegularExpressions = 4.3.1. No application/source code changes.

Testing

  • dotnet restore succeeds; project.assets.json confirms patched versions (4.3.4 / 4.3.1).
  • Pre-existing build failure (NOT caused by this change): dotnet build fails on both main and this branch with Microsoft.NET.Test.Sdk doesn't support net6.0 — because Microsoft.NET.Test.Sdk Version="*" floats to 18.6.0, which dropped net6.0 support. This is unrelated to the security pins and should be addressed separately (bump TargetFramework to net8.0, or pin Microsoft.NET.Test.Sdk to a net6.0-supporting version).
  • BrowserStack live session: BLOCKED (environment) — net6.0 runtime not installed on the test machine + the pre-existing build failure above prevents a dotnet test run locally. Change is dependency-metadata only.

Jira Tickets

Checklist

  • Security issue addressed (both packages now resolve to patched versions in assets.json)
  • Build passing — pre-existing net6.0/Test.Sdk failure on main, not introduced here (see Testing)
  • BrowserStack live session — blocked by local environment (see Testing)
  • Minimal change (csproj pins only)
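The description verifies the fix by reading obj/.../project.assets.json by hand because dotnet list package --vulnerable crashes on this project. The following is an added example (not code from the PR or from the BrowserStack project) that does the same check as a script so it can run in CI: it reads the "targets" section of project.assets.json, where each entry is keyed "PackageId/Version", and fails if any package named in MIN_FIXED resolves below its patched version. It assumes only that standard layout of project.assets.json; the ASSETS_BEFORE and ASSETS_AFTER documents are constructed, trimmed stand-ins for the pre- and post-pin restore described above, so the script runs offline. The version comparison handles numeric and prerelease parts and is a simplification of full NuGet ordering.

```python
"""Verify resolved NuGet versions in project.assets.json against minimum patched versions.

Added example, not part of the PR. It reads the same 'targets' section the PR description
cites and fails if any listed package still resolves below its fixed version.
"""
import json
import sys

# Minimum patched versions for the two advisories named in the PR.
MIN_FIXED = {
    "System.Net.Http": "4.3.4",                 # GHSA-7jgj-8wvc-jh57
    "System.Text.RegularExpressions": "4.3.1",  # GHSA-cmhx-cq75-c4mj
}


def parse_version(version):
    """Turn a NuGet version string into a sortable tuple.

    Numeric parts are padded to four components (NuGet treats 4.3 as 4.3.0.0) and a
    release sorts above any prerelease of the same number (4.3.4 > 4.3.4-beta1).
    Build metadata after '+' is ignored. Prerelease labels compare as plain strings,
    which is a simplification of full SemVer ordering.
    """
    core, _, prerelease = version.partition("-")
    core = core.split("+", 1)[0]
    nums = tuple(int(part) for part in core.split("."))
    nums = nums + (0,) * (4 - len(nums))
    return (nums, prerelease == "", prerelease)


def resolved_versions(assets):
    """Return {target_framework: {package_id_lower: (package_id, version)}}.

    In project.assets.json, assets["targets"][tfm] is keyed by "PackageId/Version";
    NuGet ids are case-insensitive, so lookups are done on the lower-cased id.
    """
    result = {}
    for target, entries in assets.get("targets", {}).items():
        resolved = {}
        for key, entry in entries.items():
            if entry.get("type") != "package":
                continue  # project-to-project references are not NuGet packages
            package_id, _, version = key.partition("/")
            resolved[package_id.lower()] = (package_id, version)
        result[target] = resolved
    return result


def find_unpatched(assets, min_fixed=MIN_FIXED):
    """List (target, package_id, resolved_version, min_fixed) for every package that
    resolves below its fixed version. An empty list means the pins took effect."""
    findings = []
    for target, resolved in resolved_versions(assets).items():
        for package_id, fixed in min_fixed.items():
            hit = resolved.get(package_id.lower())
            if hit is None:
                continue  # package not in this target's graph at all
            name, version = hit
            if parse_version(version) < parse_version(fixed):
                findings.append((target, name, version, fixed))
    return findings


def check_file(path, min_fixed=MIN_FIXED):
    """Load a real obj/project.assets.json and return its findings."""
    with open(path, encoding="utf-8") as handle:
        return find_unpatched(json.load(handle), min_fixed)


# Constructed, trimmed assets documents (only the fields this check reads), modelling the
# graph the PR describes: NETStandard.Library 1.6.1 pulling both packages in at 4.3.0.
ASSETS_BEFORE = {
    "version": 3,
    "targets": {
        "net6.0": {
            "NETStandard.Library/1.6.1": {
                "type": "package",
                "dependencies": {
                    "System.Net.Http": "4.3.0",
                    "System.Text.RegularExpressions": "4.3.0",
                },
            },
            "System.Net.Http/4.3.0": {"type": "package"},
            "System.Text.RegularExpressions/4.3.0": {"type": "package"},
        }
    },
}

# Same graph after explicit PackageReference pins override the transitive versions.
ASSETS_AFTER = {
    "version": 3,
    "targets": {
        "net6.0": {
            "NETStandard.Library/1.6.1": {"type": "package"},
            "System.Net.Http/4.3.4": {"type": "package"},
            "System.Text.RegularExpressions/4.3.1": {"type": "package"},
        }
    },
}


if __name__ == "__main__":
    # Usage: python check_assets.py [path/to/obj/project.assets.json]
    findings = check_file(sys.argv[1]) if len(sys.argv) > 1 else find_unpatched(ASSETS_BEFORE)
    for target, name, version, fixed in findings:
        print(f"{target}: {name} resolves to {version}, needs >= {fixed}")
    sys.exit(1 if findings else 0)
```

Run it after dotnet restore with the path to obj/project.assets.json; a non-zero exit means a pin did not take effect (for example because a later transitive reference re-raised the version or the pin was added to the wrong csproj). Because it reads the restore output rather than the csproj, it catches the transitive case the description highlights, where neither package appears as a direct reference.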

…ions 4.3.1 [APS-19257 APS-19258]

- Add explicit PackageReference pins overriding vulnerable transitive 4.3.0
  versions pulled in via NETStandard.Library 1.6.1
- System.Net.Http 4.3.0 -> 4.3.4 (GHSA-7jgj-8wvc-jh57, .NET Core Information Disclosure)
- System.Text.RegularExpressions 4.3.0 -> 4.3.1 (GHSA-cmhx-cq75-c4mj, Regex DoS)
- project.assets.json confirms resolved versions are now 4.3.4 / 4.3.1

Resolves: APS-19257, APS-19258

Co-Authored-By: Claude Fable 5 <[email protected]>