deps: Pin Microsoft.Bcl.Memory 10.0.5 to fix CVE-2026-26127

decriptor · decriptor · commit 02b4c8981caa · 2026-03-16T00:55:41.000-06:00
System.Memory 4.6.3 transitively depends on Microsoft.Bcl.Memory 9.0.0 which has a high-severity DoS vulnerability (GHSA-73j8-2gch-69rq). Add an explicit PackageReference to the patched version for netstandard targets where System.Memory is used.
diff --git a/Directory.Packages.props b/Directory.Packages.props
@@ -6,6 +6,7 @@
     <!-- Polyfills for older frameworks -->
     <PackageVersion Include="PublicApiGenerator" Version="11.5.4" />
     <PackageVersion Include="System.Memory" Version="4.6.3" />
+    <PackageVersion Include="Microsoft.Bcl.Memory" Version="10.0.5" />
     <PackageVersion Include="Microsoft.Bcl.HashCode" Version="6.0.0" />
     <PackageVersion Include="IndexRange" Version="1.1.0" />
     <PackageVersion Include="Nullable" Version="1.3.1" />
diff --git a/src/TagLibSharp2/TagLibSharp2.csproj b/src/TagLibSharp2/TagLibSharp2.csproj
@@ -34,6 +34,7 @@
 	<!-- Polyfills for older frameworks -->
 	<ItemGroup Condition="'$(TargetFramework)' == 'netstandard2.0' Or '$(TargetFramework)' == 'netstandard2.1'">
 		<PackageReference Include="System.Memory" />
+		<PackageReference Include="Microsoft.Bcl.Memory" />
 		<PackageReference Include="Microsoft.Bcl.HashCode" />
 	</ItemGroup>
 
