
deps(tests): upgrades outdated dependency coverlet.collector to 8.0.0#2808

Open
Arufonsu wants to merge 1 commit into main from fix/CVE-2024-21907

Conversation

@Arufonsu
Contributor

@Arufonsu Arufonsu commented Feb 21, 2026

upgrades outdated dependency coverlet.collector to 8.0.0

Bumps coverlet.collector from 3.1.2 (and 6.0.4) to 8.0.0 across all test
projects to resolve a transitive dependency vulnerability introduced via
the older Newtonsoft.Json version bundled with earlier coverlet releases.

CVE-2024-21907 (CVSS 7.5 / High) affects Newtonsoft.Json < 13.0.1:
crafted deeply-nested JSON payloads passed to JsonConvert.DeserializeObject
can exhaust the call stack and trigger a StackOverflowException, resulting
in a Denial of Service condition. No authentication is required to exploit
this remotely.

Affected projects:
- Intersect.Tests (3.1.2 → 8.0.0)
- Intersect.Tests.Client.Framework (3.1.2 → 8.0.0)
- Intersect.Tests.Client (6.0.4 → 8.0.0)
- Intersect.Tests.Server (6.0.4 → 8.0.0)

Also standardized all coverlet.collector references to include the
recommended PrivateAssets/IncludeAssets metadata, ensuring the package
remains a dev-only dependency and is not propagated to production Intersect projects.

Ref: https://www.mend.io/vulnerability-database/CVE-2024-21907/
Signed-off-by: Arufonsu <17498701+Arufonsu@users.noreply.github.com>
@Arufonsu Arufonsu requested review from a team February 21, 2026 22:22
@Arufonsu Arufonsu added chore Cleans up code, documentation or project structure without altering functionality dependencies Bugs that have to be fixed in a dependency, or a pull requests that update a dependency labels Feb 21, 2026
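As an added illustration (this is not the PR's own diff, which is not shown on this page), the following is what the before/after `PackageReference` for coverlet.collector looks like in one of the listed test projects. The file name `Intersect.Tests.csproj` is taken from the affected-projects list above; the `IncludeAssets` value is the one the `dotnet new` test templates emit for coverlet.collector, which is the metadata the description refers to as recommended.

```xml
<!-- Before (Intersect.Tests.csproj): 3.1.2 with no asset metadata.
     Any project that referenced this one would inherit coverlet.collector,
     and with it the older Newtonsoft.Json the description says earlier
     coverlet releases bundled. -->
<ItemGroup>
  <PackageReference Include="coverlet.collector" Version="3.1.2" />
</ItemGroup>

<!-- After: 8.0.0, marked as a development-only dependency.
     PrivateAssets="all" stops the package from flowing to consumers of this
     project; IncludeAssets restricts which of its assets this project itself
     pulls in (no compile-time reference, so test code cannot depend on it). -->
<ItemGroup>
  <PackageReference Include="coverlet.collector" Version="8.0.0">
    <PrivateAssets>all</PrivateAssets>
    <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
  </PackageReference>
</ItemGroup>
```

To confirm the transitive advisory is actually gone after the bump, running `dotnet list package --vulnerable --include-transitive` against the solution reports any remaining packages with known advisories, including ones pulled in indirectly rather than referenced directly.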
@pandinocoder
Member

... Is this an automated PR?

I don't mind updating coverlet but the mention of patching a CVE for a denial of service doesn't make sense for a test suite (which isn't a service to be denied).

@Arufonsu
Contributor Author

> ... Is this an automated PR?
>
> I don't mind updating coverlet but the mention of patching a CVE for a denial of service doesn't make sense for a test suite (which isn't a service to be denied).

No...
It's a Rider tip, upgraded through its NuGet manager; I took the info from mend.io (my IDE gave me this as a reference) and adjusted it to this PR. We should upgrade it regardless of where this package is installed, even if it's a test suite... and yes, this part is my opinion, thus it is not an "automated PR" regardless of how it may look...

Anyways, changed the description to be less "automated PR" like.

@Arufonsu Arufonsu changed the title from "deps(tests): upgrade coverlet.collector to 8.0.0 to fix CVE-2024-21907" to "deps(tests): upgrades outdated dependency coverlet.collector to 8.0.0" Feb 25, 2026