From 6cf192ad7aebfc4caa8783a14ce5dfd1e18724e3 Mon Sep 17 00:00:00 2001
From: John CSA <103165870+jluocsa@users.noreply.github.com>
Date: Sat, 23 May 2026 12:12:55 -0700
Subject: [PATCH] .Net: Bump Scriban from 7.1.0 to 7.2.0 to address GHSA-24c8-4792-22hx

Scriban <= 7.1.0 has a known high-severity DoS (GHSA-24c8-4792-22hx, CVSS 8.7) in ArrayFunctions.InsertAt. The array.insert_at template builtin allocates index - list.Count null entries in a tight loop, bypassing LoopLimit, LimitToString, RecursiveLimit, and ObjectRecursionLimit, and OOMs the host process. Patched in Scriban 7.2.0.

NuGet now flags this as NU1903 on restore. Combined with dotnet build --warnaserror in the Debug CI legs of dotnet-build-and-test.yml, every open .NET PR is currently failing on three projects that reference Scriban centrally: samples/Concepts, src/Functions/Functions.Prompty, and src/Functions/Functions.Prompty.UnitTests.

Single-line bump in dotnet/Directory.Packages.props -- central package management means all three projects inherit the new version. No source changes needed; the advisory affects a runtime template builtin not exercised by SK's tests.
---
 dotnet/Directory.Packages.props | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dotnet/Directory.Packages.props b/dotnet/Directory.Packages.props
index 10568b08f85f..4469eea47ee9 100644
--- a/dotnet/Directory.Packages.props
+++ b/dotnet/Directory.Packages.props
@@ -106,7 +106,7 @@ - +
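Review bot: the hunk at @@ -106,7 +106,7 @@ carries only a bare `-` and a bare `+` with no line content and none of the seven context lines the header promises, so the version bump the commit message describes (the Scriban PackageVersion entry going from 7.1.0 to 7.2.0 in dotnet/Directory.Packages.props) cannot be verified from the patch as posted. Please repost the patch with the removed and added lines intact, or at minimum confirm in the PR that the `-` line is the Scriban 7.1.0 PackageVersion and the `+` line is the same entry at 7.2.0 and nothing else on that line changed. Since the stated motivation is NU1903 failing the Debug legs of dotnet-build-and-test.yml under --warnaserror, it would also help to record that a restore of samples/Concepts, src/Functions/Functions.Prompty and src/Functions/Functions.Prompty.UnitTests no longer emits NU1903 after the bump. One caveat on the "not exercised by SK's tests" justification: Functions.Prompty renders user-supplied templates at runtime, so the absence of a test hitting array.insert_at does not by itself mean the builtin is unreachable from prompts; the dependency bump is the right fix regardless, but the message should not read as if the advisory were inapplicable.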