From ddbe2430747e0835576f27e5f75b82e95ebf3e20 Mon Sep 17 00:00:00 2001
From: Rohan <142411639+Rohannagariya1@users.noreply.github.com>
Date: Thu, 11 Jun 2026 20:07:02 +0530
Subject: [PATCH] fix(security): pin System.Net.Http 4.3.4 +
 System.Text.RegularExpressions 4.3.1 [APS-19467 APS-19468]

- Add explicit PackageReference pins overriding vulnerable transitive 4.3.0
  versions pulled in via NETStandard.Library 1.6.1
- System.Net.Http 4.3.0 -> 4.3.4 (GHSA-7jgj-8wvc-jh57, .NET Core Information Disclosure)
- System.Text.RegularExpressions 4.3.0 -> 4.3.1 (GHSA-cmhx-cq75-c4mj, Regex DoS)
- dotnet list package --vulnerable now reports no vulnerable packages

Resolves: APS-19467, APS-19468

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
---
 .../NunitPlaywrightBrowserstack.Tests.csproj                   | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/NunitPlaywrightBrowserstack.Tests/NunitPlaywrightBrowserstack.Tests.csproj b/NunitPlaywrightBrowserstack.Tests/NunitPlaywrightBrowserstack.Tests.csproj
index cfed4f8..3f061bc 100644
--- a/NunitPlaywrightBrowserstack.Tests/NunitPlaywrightBrowserstack.Tests.csproj
+++ b/NunitPlaywrightBrowserstack.Tests/NunitPlaywrightBrowserstack.Tests.csproj
@@ -18,6 +18,9 @@
     <PackageReference Include="NUnit" Version="4.3.2" />
     <PackageReference Include="NUnit.Analyzers" Version="4.6.0" />
     <PackageReference Include="NUnit3TestAdapter" Version="4.6.0" />
+    <!-- Security pins: override vulnerable transitive 4.3.0 (via NETStandard.Library 1.6.1). APS-19467 / APS-19468 -->
+    <PackageReference Include="System.Net.Http" Version="4.3.4" />
+    <PackageReference Include="System.Text.RegularExpressions" Version="4.3.1" />
   </ItemGroup>
 
   <ItemGroup>