build(deps): bump BouncyCastle.Cryptography 2.0.0 -> 2.6.2, drop redundant prune-flagged refs

spbsoluble · spbsoluble · commit 507325f77912 · 2026-05-21T11:51:09.000-07:00
NU1902 — Keyfactor.PKI 5.5.0 brings in BouncyCastle.Cryptography 2.0.0 transitively, which carries three known-moderate CVEs: * GHSA-8xfc-gm6g-vgpv (DH timing attack) * GHSA-m44j-cfrm-g8qc (Pkcs5S2ParametersGenerator weakness) * GHSA-v435-xc8x-wvr9 (X.509 cert verification bypass) All three are fixed in 2.4.0+; bump to the current stable 2.6.2 on both the main plugin csproj (explicit override of the transitive) and the integration tests csproj (which has a direct ref). NU1510 — System.Text.Json and System.Text.Encodings.Web were pinned explicit PackageReferences. Both .NET 8/10 SDKs now flag them as unnecessary because they're bundled or provided transitively in a form that satisfies our usage; removed both refs from CERTInext.csproj. Build + 146/146 unit tests still pass after the removal, so no real dependency was being satisfied by those direct refs. Verified live: Ping/GetProductDetails/ListOrders all PASS against the sandbox after the bump — the new BouncyCastle 2.6.2 SHA-256 path still produces a valid authKey. Remaining warnings after this commit (deferred for separate triage): seven CS8602/CS8604 nullable-deref warnings in test code only — all sit behind FluentAssertions .Should().NotBeNull() guards, so they won't actually NRE at runtime. Worth a follow-up to add `!` suppressions but not a blocker.
diff --git a/CERTInext.IntegrationTests/CERTInext.IntegrationTests.csproj b/CERTInext.IntegrationTests/CERTInext.IntegrationTests.csproj
@@ -21,7 +21,7 @@
     </PackageReference>
     <PackageReference Include="FluentAssertions" Version="6.12.0" />
     <PackageReference Include="Xunit.SkippableFact" Version="1.4.13" />
-    <PackageReference Include="BouncyCastle.Cryptography" Version="2.0.0" />
+    <PackageReference Include="BouncyCastle.Cryptography" Version="2.6.2" />
     <!-- Suppress TFM support build warnings for transitive dependencies -->
     <PackageReference Include="Microsoft.Bcl.AsyncInterfaces" Version="8.0.0" />
     <PackageReference Include="System.IO.Pipelines" Version="8.0.0" />
diff --git a/CERTInext/CERTInext.csproj b/CERTInext/CERTInext.csproj
@@ -14,12 +14,14 @@
     <PackageReference Include="Keyfactor.Logging" Version="1.1.2" />
     <PackageReference Include="Keyfactor.PKI" Version="5.5.0" />
     <PackageReference Include="RestSharp" Version="112.1.0" />
-    <PackageReference Include="System.Text.Json" Version="8.0.5" />
     <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
+    <!-- Explicit override of the transitive BouncyCastle.Cryptography 2.0.0 pulled in by
+         Keyfactor.PKI 5.5.0. 2.0.0 has three known-moderate CVEs (GHSA-8xfc-gm6g-vgpv,
+         GHSA-m44j-cfrm-g8qc, GHSA-v435-xc8x-wvr9), all fixed in 2.4.0+. -->
+    <PackageReference Include="BouncyCastle.Cryptography" Version="2.6.2" />
     <!-- Suppress TFM support build warnings for transitive dependencies of RestSharp 112.x -->
     <PackageReference Include="Microsoft.Bcl.AsyncInterfaces" Version="8.0.0" />
     <PackageReference Include="System.IO.Pipelines" Version="8.0.0" />
-    <PackageReference Include="System.Text.Encodings.Web" Version="8.0.0" />
   </ItemGroup>
 
   <ItemGroup>
