Pin MessagePack to 2.5.301 to fix GHSA-hv8m-jj95-wg3x vulnerability in AI Chat Web template #7560
…mplate Pin MessagePack to 2.5.301 to resolve NU1903 warning-as-error in the AppHost project. The vulnerable 2.5.192 version was pulled transitively through Aspire packages.
adamsitnik
left a comment
The AIChatWebExecutionTests.TestAllSupportedConfigurations test fails because the AppHost project pulls in MessagePack 2.5.192 transitively through Aspire packages, which has a known high-severity vulnerability (GHSA-hv8m-jj95-wg3x). The test sandbox sets TreatWarningsAsErrors=true, so NU1903 becomes a build error.
@copilot would it be possible to solve the problem by updating the Aspire version instead?
Yes, it's possible — the latest stable Aspire packages are at 13.4.3 which likely pulls in a fixed MessagePack transitively. However, updating Aspire would require bumping multiple packages in
That's a broader change with risk of breaking changes in the template. The MessagePack pin is the most surgical fix for just the vulnerability. Would you prefer I update all Aspire packages instead?
adamsitnik
left a comment
@copilot the tests keep failing, fix it and verify the fix before pushing the changes:
Microsoft.Extensions.AI.Templates.Tests.AIChatWebSnapshotTests.RunSnapshotTests
Microsoft.TemplateEngine.Authoring.TemplateVerifier.TemplateVerificationException : Directory: D:\a_work\1\s\test\ProjectTemplates\Microsoft.Extensions.AI.Templates.IntegrationTests\Snapshots\aichatweb
NotEqual:
Received: aichatweb.A.received\aichatweb\aichatweb.AppHost\aichatweb.AppHost.csproj
Verified: aichatweb.A.verified\aichatweb\aichatweb.AppHost\aichatweb.AppHost.csproj
Equal:
Received: aichatweb.A.received\aichatweb\aichatweb.sln
Verified: aichatweb.A.verified\aichatweb\aichatweb.sln
Received: aichatweb.A.received\aichatweb\README.md
Verified: aichatweb.A.verified\aichatweb\README.md
Received: aichatweb.A.received\aichatweb\aichatweb.AppHost\AppHost.cs
Verified: aichatweb.A.verified\aichatweb\aichatweb.AppHost\AppHost.cs
Received: aichatweb.A.received\aichatweb\aichatweb.AppHost\appsettings.Development.json
Verified: aichatweb.A.verified\aichatweb\aichatweb.AppHost\appsettings.Development.json
Received: aichatweb.A.received\aichatweb\aichatweb.AppHost\appsettings.json
Verified: aichatweb.A.verified\aichatweb\aichatweb.AppHost\appsettings.json
Received: aichatweb.A.received\aichatweb\aichatweb.ServiceDefaults\aichatweb.ServiceDefaults.csproj
Verified: aichatweb.A.verified\aichatweb\aichatweb.ServiceDefaults\aichatweb.ServiceDefaults.csproj
Received: aichatweb.A.received\aichatweb\aichatweb.ServiceDefaults\Extensions.cs
Verified: aichatweb.A.verified\aichatweb\aichatweb.ServiceDefaults\Extensions.cs
Received: aichatweb.A.received\aichatweb\aichatweb.Web\aichatweb.Web.csproj
Verified: aichatweb.A.verified\aichatweb\aichatweb.Web\aichatweb.Web.csproj
Received: aichatweb.A.received\aichatweb\aichatweb.Web\appsettings.Development.json
Verified: aichatweb.A.verified\aichatweb\aichatweb.Web\appsettings.Development.json
Received: aichatweb.A.received\aichatweb\aichatweb.Web\appsettings.json
Verified: aichatweb.A.verified\aichatweb\aichatweb.Web\appsettings.json
Received: aichatweb.A.received\aichatweb\aichatweb.Web\Program.cs
Verified: aichatweb.A.verified\aichatweb\aichatweb.Web\Program.cs
Received: aichatweb.A.received\aichatweb\aichatweb.AppHost\Properties\launchSettings.json
Verified: aichatweb.A.verified\aichatweb\aichatweb.AppHost\Properties\launchSettings.json
Received: aichatweb.A.received\aichatweb\aichatweb.Web\Components\App.razor
Verified: aichatweb.A.verified\aichatweb\aichatweb.Web\Components\App.razor
Received: aichatweb.A.received\aichatweb\aichatweb.Web\Components\Routes.razor
Verified: aichatweb.A.verified\aichatweb\aichatweb.Web\Components\Routes.razor
Received: aichatweb.A.received\aichatweb\aichatweb.Web\Components_Imports.razor
Verified: aichatweb.A.verified\aichatweb\aichatweb.Web\Components_Imports.razor
Received: aichatweb.A.received\aichatweb\aichatweb.Web\Properties\launchSettings.json
Verified: aichatweb.A.verified\aichatweb\aichatweb.Web\Properties\launchSettings.json
Received: aichatweb.A.received\aichatweb\aichatweb.Web\Services\IngestedChunk.cs
Verified: aichatweb.A.verified\aichatweb\aichatweb.Web\Services\IngestedChunk.cs
Received: aichatweb.A.received\aichatweb\aichatweb.Web\Services\SemanticSearch.cs
Verified: aichatweb.A.verified\aichatweb\aichatweb.Web\Services\SemanticSearch.cs
Received: aichatweb.A.received\aichatweb\aichatweb.Web\Components\Layout\LoadingSpinner.razor
Verified: aichatweb.A.verified\aichatweb\aichatweb.Web\Components\Layout\LoadingSpinner.razor
Received: aichatweb.A.received\aichatweb\aichatweb.Web\Components\Layout\LoadingSpinner.razor.css
Verified: aichatweb.A.verified\aichatweb\aichatweb.Web\Components\Layout\LoadingSpinner.razor.css
Received: aichatweb.A.received\aichatweb\aichatweb.Web\Components\Layout\MainLayout.razor
Verified: aichatweb.A.verified\aichatweb\aichatweb.Web\Components\Layout\MainLayout.razor
Received: aichatweb.A.received\aichatweb\aichatweb.Web\Components\Layout\MainLay
Fixed in 2nd commit. The snapshot verification files for all three AppHost variants (
adamsitnik
left a comment
@copilot the fix is still not complete:
Microsoft.Extensions.AI.Templates.Tests.AIChatWebSnapshotTests.RunSnapshotTests
Microsoft.TemplateEngine.Authoring.TemplateVerifier.TemplateVerificationException : Directory: /mnt/vss/_work/1/s/test/ProjectTemplates/Microsoft.Extensions.AI.Templates.IntegrationTests/Snapshots/aichatweb
NotEqual:
Received: aichatweb.A_aoai_aais.received/aichatweb/aichatweb.AppHost/aichatweb.AppHost.csproj
Verified: aichatweb.A_aoai_aais.verified/aichatweb/aichatweb.AppHost/aichatweb.AppHost.csproj
Equal:
Received: aichatweb.A_aoai_aais.received/aichatweb/aichatweb.sln
Verified: aichatweb.A_aoai_aais.verified/aichatweb/aichatweb.sln
Received: aichatweb.A_aoai_aais.received/aichatweb/README.md
Verified: aichatweb.A_aoai_aais.verified/aichatweb/README.md
Received: aichatweb.A_aoai_aais.received/aichatweb/aichatweb.ServiceDefaults/aichatweb.ServiceDefaults.csproj
Verified: aichatweb.A_aoai_aais.verified/aichatweb/aichatweb.ServiceDefaults/aichatweb.ServiceDefaults.csproj
Received: aichatweb.A_aoai_aais.received/aichatweb/aichatweb.ServiceDefaults/Extensions.cs
Verified: aichatweb.A_aoai_aais.verified/aichatweb/aichatweb.ServiceDefaults/Extensions.cs
Received: aichatweb.A_aoai_aais.received/aichatweb/aichatweb.AppHost/appsettings.json
Verified: aichatweb.A_aoai_aais.verified/aichatweb/aichatweb.AppHost/appsettings.json
Received: aichatweb.A_aoai_aais.received/aichatweb/aichatweb.AppHost/AppHost.cs
Verified: aichatweb.A_aoai_aais.verified/aichatweb/aichatweb.AppHost/AppHost.cs
Received: aichatweb.A_aoai_aais.received/aichatweb/aichatweb.AppHost/appsettings.Development.json
Verified: aichatweb.A_aoai_aais.verified/aichatweb/aichatweb.AppHost/appsettings.Development.json
Received: aichatweb.A_aoai_aais.received/aichatweb/aichatweb.Web/aichatweb.Web.csproj
Verified: aichatweb.A_aoai_aais.verified/aichatweb/aichatweb.Web/aichatweb.Web.csproj
Received: aichatweb.A_aoai_aais.received/aichatweb/aichatweb.Web/appsettings.json
Verified: aichatweb.A_aoai_aais.verified/aichatweb/aichatweb.Web/appsettings.json
Received: aichatweb.A_aoai_aais.received/aichatweb/aichatweb.Web/appsettings.Development.json
Verified: aichatweb.A_aoai_aais.verified/aichatweb/aichatweb.Web/appsettings.Development.json
Received: aichatweb.A_aoai_aais.received/aichatweb/aichatweb.Web/Program.cs
Verified: aichatweb.A_aoai_aais.verified/aichatweb/aichatweb.Web/Program.cs
Received: aichatweb.A_aoai_aais.received/aichatweb/aichatweb.AppHost/Properties/launchSettings.json
Verified: aichatweb.A_aoai_aais.verified/aichatweb/aichatweb.AppHost/Properties/launchSettings.json
Received: aichatweb.A_aoai_aais.received/aichatweb/aichatweb.Web/Services/IngestedChunk.cs
Verified: aichatweb.A_aoai_aais.verified/aichatweb/aichatweb.Web/Services/IngestedChunk.cs
Received: aichatweb.A_aoai_aais.received/aichatweb/aichatweb.Web/Services/SemanticSearch.cs
Verified: aichatweb.A_aoai_aais.verified/aichatweb/aichatweb.Web/Services/SemanticSearch.cs
Received: aichatweb.A_aoai_aais.received/aichatweb/aichatweb.Web/Components/Routes.razor
Verified: aichatweb.A_aoai_aais.verified/aichatweb/aichatweb.Web/Components/Routes.razor
Received: aichatweb.A_aoai_aais.received/aichatweb/aichatweb.Web/Components/_Imports.razor
Verified: aichatweb.A_aoai_aais.verified/aichatweb/aichatweb.Web/Components/_Imports.razor
Received: aichatweb.A_aoai_aais.received/aichatweb/aichatweb.Web/Components/App.razor
Verified: aichatweb.A_aoai_aais.verified/aichatweb/aichatweb.Web/Components/App.razor
Received: aichatweb.A_aoai_aais.received/aichatweb/aichatweb.Web/Properties/launchSettings.json
Verified: aichatweb.A_aoai_aais.verified/aichatweb/aichatweb.Web/Properties/launchSettings.json
Received: aichatweb.A_aoai_aais.received/aichatweb/aichatweb.Web/Services/Ingestion/DocumentReader.cs
Verified: aichatweb.A_aoai_aais.verified/aichatweb/aichatweb.Web/Services/Ingestion/DocumentReader.cs
Received: aichatweb.A_aoai_aais.received/aichatweb/aichatweb.Web/Service
@copilot fix it and run all template tests before pushing any further changes. Ensure they are all passing first!
Fixed in commit 039d4b7. The issue was that
🎉 Good job! The coverage increased 🎉
Full code coverage report: https://dev.azure.com/dnceng-public/public/_build/results?buildId=1462142&view=codecoverage-tab
adamsitnik
left a comment
LGTM, I am going to merge this workaround into the feature branch to unblock my work on Data Ingestion Preview 2.
What we need for a proper fix in main is microsoft/aspire#18204
🎉 Good job! The coverage increased 🎉
Full code coverage report: https://dev.azure.com/dnceng-public/public/_build/results?buildId=1464247&view=codecoverage-tab
Changes
MessagePack 2.5.301 to eng/packages/ProjectTemplates.props (first patched version)
PackageReference to MessagePack in AIChatWeb-CSharp.AppHost.csproj-in to override the vulnerable transitive version
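As an added illustration of the override pattern the change description refers to (this is not the template's real AIChatWeb-CSharp.AppHost.csproj-in and not part of the PR), the project file below shows a direct PackageReference that forces NuGet to resolve MessagePack to the patched 2.5.301 instead of the 2.5.192 the Aspire packages bring in transitively, together with the audit settings that turn NU1903 into a build error. The target framework, the Aspire package name and its version placeholder are assumptions for the example; the page names the Aspire packages only collectively.

```xml
<!-- Added example, not the template's own AIChatWeb-CSharp.AppHost.csproj-in.
     Shows how a direct PackageReference overrides a vulnerable transitive version
     and how NuGet audit warnings are promoted to build errors. -->
<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <!-- Target framework is an assumption for this example. -->
    <TargetFramework>net9.0</TargetFramework>
    <OutputType>Exe</OutputType>

    <!-- Audit mode "all" checks transitive packages too, so a flagged version that
         no project references directly still surfaces as NU1903 at restore time. -->
    <NuGetAudit>true</NuGetAudit>
    <NuGetAuditMode>all</NuGetAuditMode>

    <!-- Same setting as the test sandbox described in the PR: NU1903
         (known high-severity vulnerability) becomes an error and fails the build. -->
    <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
  </PropertyGroup>

  <ItemGroup>
    <!-- Assumed Aspire package; its dependency graph is what pulls in MessagePack 2.5.192.
         The version is a placeholder, the page does not state which Aspire version the template uses. -->
    <PackageReference Include="Aspire.Hosting.AppHost" Version="ASPIRE_VERSION_PLACEHOLDER" />

    <!-- The direct reference is "nearer" in the graph than the transitive edge, so
         NuGet's nearest-wins rule resolves MessagePack to 2.5.301 (the first patched
         version) for every consumer in the project. -->
    <PackageReference Include="MessagePack" Version="2.5.301" />
  </ItemGroup>

</Project>
```

After restoring, dotnet list package --vulnerable --include-transitive shows whether any flagged version remains in the resolved graph; with the pin in place it should no longer report MessagePack 2.5.192. The pin is a workaround rather than a root-cause fix, which is why the thread points to the upstream Aspire change as the proper resolution: once Aspire itself depends on a patched MessagePack, the direct reference can be removed so the template stops carrying a version it has to keep current by hand.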