
Commit 901e2c4

claudiamurialdo, gusmar1972 and claude authored
Backport dependency upgrades to release-1.30 (#1100, #1280, #1281) (#1293)
* Update references Microsoft.Data.SqlClient and System.Drawing.Common (#1100) * Update references: - Updated Microsoft.Data.SqlClient from Version="2.1.7" to Version="5.1.6", which required the following updates: - Replaced System.Drawing.Common with GeneXus.Drawing.Common. - Updated "Microsoft.Identity.Client" from Version="4.60.3" to Version="4.61.3". - Continued using System.Drawing.Common for generating graphic reports sent directly to printers, which is supported only on Windows. * Remove unused System.Drawing.Common package reference. * Update GeneXus.Drawing.Common from 2.0.0 to 2.0.1 Fix an error related to the dispose of a Font instance that raises an exception if the associated FontFamily is null. When running on linux. * Fix Access Violation Exception when saving a Bitmap after disposing of the Graphics object that created it. 203987 * Workaround: Fix inverted rotation in RotateTransform (GeneXus.Drawing.Graphics) until the bug is resolved. * Fix issue with PNG image processing: black background appearing instead of transparency * Removed workaround for Graphics.RotateTransform as the issue is resolved in GeneXus.Drawing.Common 2.0.4 --------- Co-authored-by: Claudia Murialdo <cmurialdo@genexus.com> Co-authored-by: claudiamurialdo <33756655+claudiamurialdo@users.noreply.github.com> * Upgrade log4net 3.3.1 (#1280) * chore: upgrade log4net to 3.3.1 Bump the three csproj references that ship log4net (GxClasses for .NET Framework, GxClasses for .NET Core, and GxPdfReportsCS.Itext4) from 3.3.0 to 3.3.1 to pick up the latest stable release. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * chore: bump hard-coded log4net assembly redirect to 3.3.1.0 gxconfig.cs has two AssemblyResolve helpers (one for NETCORE, one for .NET Framework) that pin log4net to a specific Version. They were both still pointing at 3.3.0.0, so the runtime would have tried to redirect references to the older assembly even after the package upgrade. 
Update both branches to 3.3.1.0 to match the package version bumped in the previous commit. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Upgrade dependencies to address known vulnerabilities (#1281) * Upgrade dependencies to address known vulnerabilities - NPOI 2.7.3 -> 2.8.0 (removes vulnerable SixLabors.ImageSharp transitive); adapt XSSFColor constructor to new API in ExcelCells.cs - Override System.Security.Cryptography.Xml to 8.0.3 (net8.0) / 10.0.6 (net10.0) in GxOffice/dotnetcore to fix NPOI's vulnerable transitive - Override Microsoft.Data.OData to 5.8.4 in DynServiceOData/dotnetcore to fix GeneXus.Odata.Client transitive - Azure.Identity 1.11.4 -> 1.17.1 - Azure.Monitor.OpenTelemetry.Exporter 1.1.0 -> 1.3.0 - OpenTelemetry family 1.7.0 -> 1.8.1 (required by Azure.Monitor 1.3.0) - Microsoft.Identity.Client 4.60.4 / 4.61.3 -> 4.84.0 - Newtonsoft.Json unified to 13.0.3 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Fix NPOI 2.8.0 pack issues in GxOffice Accept the OSMF EULA NPOI 2.8.0 requires (AcceptNPOIOSMFLicense) and silence NU5100/NU5118 in the dotnetframework target: SkiaSharp native assets on net462 land in content/ instead of runtimes/, but consumers receive SkiaSharp transitively via NPOI anyway. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Revert NPOI to 2.7.3 and override vulnerable SixLabors.ImageSharp NPOI 2.8.0 introduced an Open Source Maintenance Fee EULA that requires payment for revenue-generating users, so step back to the 2.7.3 line. Override the vulnerable SixLabors.ImageSharp transitive directly: 2.1.13 on net462 (3.x doesn't support it) and 3.1.11 on net8.0/net10.0. Restore the previous XSSFColor single-arg constructor calls. 
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Pin Microsoft.Identity.Client to 4.75.0 on .NET Framework GxMail Microsoft.Identity.Client 4.77+ requires Microsoft.IdentityModel.Abstractions 8.x, while the rest of the .NET Framework stack stays on the 6.35.0 line. NuGet's nearest-wins resolution then forces M.IM.Abstractions 8.x across all net462 consumers and the version mismatch surfaces at runtime. 4.75.0 is the latest 4.x that still depends on M.IM.Abstractions 6.35.0, with no advisory applicable to this project (CVE-2024-27086 only affects Xamarin/MAUI Android). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Migrate to GeneXus.Odata.Client 6.0.1 (resync with upstream simple-odata-client) GeneXus.Odata.Client 6.0.1 is the first release on the 6.0-GX line of the fork, resynced with upstream after 3 years on the 5.2-GX line. It drops two custom extensions on FluentCommand that GxClasses was relying on: * BoundClient.ExpandMap(KeyValuePair<string,string>[]) — replaced by upstream's Expand(IEnumerable<string>) + ODataExpandAssociation. * BoundClient.Filter(ODataExpression) no longer auto-decomposes a cross-entity expression into per-expanded-entity sub-filters. This commit keeps the user-facing behaviour of GXODataClient.Expand and GXODataClient.Filter intact by moving the alias map and the decomposition into the wrapper: - Bump GeneXus.Odata.Client to 6.0.1 in both DynServiceOData csprojs and drop the Microsoft.Data.OData 5.8.4 override on dotnetcore (6.0.1 pins it correctly via the fixed nuspec lower bound). - GXODataClient.Expand: call BoundClient.Expand(mappedNames) and snapshot Command.Details.ExpandAssociations before/after via reflection to capture the ODataExpandAssociation objects upstream just attached. Track them by alias root so later Filter() calls can find them. - GXODataClient.Filter: use the still-supported ODataExpression.ProcessFilter extension to decompose the expression into per-entity buckets. 
Base-entity bucket goes through BoundClient.Filter; each expanded bucket walks to the leaf of the captured ODataExpandAssociation chain and sets FilterExpression. If decomposition fails or there is no matching expand, fall back to a base filter so the constraint is not silently dropped. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Bump GeneXus.Odata.Client to 6.0.2 and drop reflection from GXODataClient.Expand GeneXus.Odata.Client 6.0.2 exposes a public IFluentClient<T,FT>.Expand(IEnumerable<ODataExpandAssociation>) overload, so the wrapper can hand pre-built ODataExpandAssociation objects to BoundClient directly. That removes the need for the reflection chain (BoundClient -> Command -> Details -> ExpandAssociations) that 15cf10e introduced to recover the associations created by the framework. GXODataClient.Expand now constructs each ODataExpandAssociation up front, tracks it in _expansionsByAlias, and passes the whole list to BoundClient.Expand(IEnumerable<ODataExpandAssociation>). Filter() continues to look up the captured associations through the same dict, so behaviour is unchanged. Net: -30 lines, no reflection, no break in the per-expanded-entity filter feature that GeneXus generator code relies on. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Use Uri-typed ODataClientSettings constructor in DynServiceOData GeneXus.Odata.Client 6.0.2 inherits upstream's deprecation of ODataClientSettings(string, ICredentials?) — it's flagged with [Obsolete], and with TreatWarningsAsErrors enabled on the repo CS0618 fails the build. Wrap the connection-string-derived URL in 'new Uri(...)' so we hit the Uri-typed overload instead. 
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Override WindowsAzure.Storage's vulnerable transitive Newtonsoft.Json on net462 The .NET Framework GXAzureStorage csproj was relying on the transitive Newtonsoft.Json that WindowsAzure.Storage 9.3.3 pins to 10.0.2, which has the moderate-severity advisory GHSA-5crp-9r3c-p9vr (DoS via crafted JSON, fixed in 13.0.1). The dotnetcore counterpart already pinned 13.0.3 explicitly; mirror that on net462 so the resolved version matches the 13.0.3 unification done in aa38e4e. WindowsAzure.Storage itself is deprecated and there is no newer version of that package id (9.3.3 is the last release). Migrating to the successor Azure.Storage.Blobs is a larger refactor; pinning Newtonsoft.Json defensively here closes the immediate transitive vulnerability without touching the storage API surface. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Force Azure.Identity 1.17.1 via GxClasses override and align Azure.Core 1.50.0 Fixes the security scan finding 'Azure.Identity.dll v1.11.4 in GxDataInitialization/bin' — the DLL was flowing transitively via Microsoft.Data.SqlClient 5.1.6, which declares 'Azure.Identity >= 1.11.4' in its nuspec to support Microsoft Entra ID authentication. NuGet's default 'lowest-applicable' resolution picked 1.11.4 (vulnerable to advisories including GHSA-wvxc-855f-jvrv). - GxClasses: pin Azure.Identity 1.17.1 explicitly. This propagates through the GeneXus.Classes.Core nupkg to every downstream consumer (including GeneXus-generated apps), not just the projects flagged so far. Bumping Microsoft.Data.SqlClient to 7.x would have removed the transitive but cascades Microsoft.IdentityModel.* to 8.x, which conflicts with the 6.35.0 pin we keep on .NET Framework consumers. - Messaging providers (GXAzureEventGrid, GXAzureQueue, GXAzureServiceBus): bump the direct Azure.Identity reference from 1.11.4 to 1.17.1. 
- Azure.Core 1.42.0 -> 1.50.0 in DynService.CosmosDB, AzureFunctions.Handlers and AzureFunctionsTest: Azure.Identity 1.17.1 requires Azure.Core >= 1.50, so the previous 1.42.0 explicit references triggered NU1605 downgrade errors once the new Azure.Identity flowed through GxClasses. Verified with 'dotnet nuget why' that GxDataInitialization (net8.0/net10.0) now resolves Azure.Identity to 1.17.1 cleanly; the DLL produced at bin/.../Azure.Identity.dll is v1.17.1. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Bump OpenTelemetry family to 1.15.3 and Azure.Monitor.OpenTelemetry.Exporter to 1.8.1 Addresses the security review on the chore/security-package-updates PR: the original mail subject mentioned Azure.Monitor.OpenTelemetry.Exporter but the actual recommendation covers the whole OpenTelemetry stack — notably OpenTelemetry.Api which has GHSA-g94r-2vxg-569j (moderate, fixed in 1.15.3). Package bumps: - OpenTelemetry, OpenTelemetry.Exporter.Console, OpenTelemetry.Exporter.OpenTelemetryProtocol, OpenTelemetry.Extensions.Hosting: 1.8.1 -> 1.15.3 across GxClasses, GxNetCoreStartup, GeneXus.OpenTelemetry, GeneXus.OpenTelemetry.Azure.AppInsights, GXOtel.Diagnostics. - Azure.Monitor.OpenTelemetry.Exporter 1.3.0 -> 1.8.1 (latest, released 12 h before the security review). - Azure.Identity 1.17.1 -> 1.21.0. The 1.8.x line of Azure.Monitor.OpenTelemetry.Exporter pulls Azure.Core 1.56, which surfaces a copy of DefaultAzureCredential — Azure.Identity 1.21.0 forwards to the Azure.Core type, resolving the CS0433 ambiguity that 1.17.1 produced. - Azure.Core 1.50.0 -> 1.53.0 in DynService.CosmosDB, AzureFunctions.Handlers and AzureFunctionsTest to satisfy Azure.Identity 1.21.0's '>= 1.53.0' floor. 
Cascade overrides on GxClasses (no PrivateAssets so they flow to consumers): - System.Diagnostics.DiagnosticSource 10.0.3 - System.Text.Json 10.0.3 - Microsoft.Extensions.DependencyInjection.Abstractions 10.0.3 These three packages are pulled transitively at v10.0 by the new OpenTelemetry and Azure.Identity refs, but the existing OpenTelemetry PackageReferences on GxClasses carry PrivateAssets='All' so the cascade does not propagate. Without these explicit pins, downstream projects (GxClasses.Web, GxMemcached, GxRedis, GeneXus.OpenTelemetry, etc.) only saw the net8.0 in-box 8.0 versions and failed with CS1705 type-mismatch errors against the already-compiled GxClasses.dll. Verified: - dotnet build full solution: 0 errors. - dotnet nuget why OpenTelemetry.Api on GxClasses(net8.0) resolves to 1.15.3. - No remaining NU1903/NU1904 (high/critical) warnings. The four NU1902 (moderate) left are the previously documented BouncyCastle 1.8.6.1 transitives in the DotNetCoreUnitTest test project, unrelated to this change. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Replace deprecated ActivityExtensions.RecordException with Activity.AddException OpenTelemetry 1.15.3 marks ActivityExtensions.RecordException as [Obsolete] with 'Call Activity.AddException instead this method will be removed in a future version'. With TreatWarningsAsErrors enabled, CS0618 fails the CI build. Drop-in replacement on net8.0 and net10.0. 
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Bump OpenTelemetry.Instrumentation.* packages per security review Per the latest review: - OpenTelemetry.Instrumentation.Http and Instrumentation.Runtime to >= 1.15.1 - OpenTelemetry.Instrumentation.AspNetCore and Instrumentation.SqlClient to >= 1.15.2 Bumps in GeneXus.OpenTelemetry.csproj: - Instrumentation.AspNetCore 1.8.1 -> 1.15.2 - Instrumentation.Http 1.8.1 -> 1.15.1 - Instrumentation.Runtime 1.7.0 -> 1.15.1 - Instrumentation.SqlClient 1.0.0-rc9.14 -> 1.15.2 The SqlClient instrumentation 1.15.x removed two options: - EnableConnectionLevelAttributes - SetDbStatementForText Both used to gate behavior that is now emitted by default per the stable OpenTelemetry semantic conventions for SQL client instrumentation (callers who need finer control can use EnrichWithSqlCommand for manual tagging). Drop the two assignments from GxTraceProviderBuilder.AddSqlClientInstrumentation options callback; RecordException stays. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Bump MySqlConnector 2.2.3 -> 2.5.0 Per security review. MySqlConnector 2.2.3 (Mar 2023) was flagged as vulnerable by an external scanner — GitHub Advisory Database does not list an advisory under this id but the package is two minor versions behind. 2.5.0 (Nov 2025) is the current stable; backward-compatible semver minor bump. Bumped in both GxClasses projects: - dotnet/src/dotnetcore/GxClasses/GxClasses.csproj (PrivateAssets='All') - dotnet/src/dotnetframework/GxClasses/GxClasses.csproj Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Bump GeneXus.Odata.Client to 6.0.3 for the net462 asset 6.0.3 re-adds a native net462 target to GXOData.Client.All (genexuslabs/ Simple.OData.Client). 
.NET Framework consumers — including GeneXus-generated KBs built with the legacy v4.0.30319 MSBuild — were resolving the netstandard2.0 asset and failing with CS0012 (missing netstandard.dll facade for System.Object) cascading into CS1593 against the GXODataClient query delegates. Pointing both DynServiceOData csprojs at 6.0.3 ships the net462 dll in the GeneXus distribution so those KBs compile again. Note: requires GeneXus.Odata.Client 6.0.3 to be published first. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> * Bump GeneXus.Odata.Client to 6.0.4 and refresh OData binding redirects 6.0.4 of the GXOData fork pins its ODataLib references (Microsoft.Data.OData 5.8.4, Microsoft.OData.Core 7.4.4), so the shipped GXOData.Client.All binary binds to the same versions this project deploys — fixing the ReflectionTypeLoadException raised when 6.0.3 (built against the floating-latest 5.8.5) was loaded against 5.8.4. Also refresh the stale binding redirects in DynServiceOData/app.config to the real deployed assembly versions: Microsoft.Data.* / System.Spatial -> 5.8.4.0, Microsoft.OData.* -> 7.4.4.20330 (were 5.7.0.0 / 6.15.0.0). NOTE: depends on GeneXus.Odata.Client 6.0.4 being published first — do not push until the fork release is on the feed, or CI restore will fail. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> * Align direct Azure.Core pins to 1.56.0 to resolve MSB3277 conflicts DynService.CosmosDB, the Azure Functions handler and its test pinned Azure.Core 1.53.0 directly, while GxClasses pulls Azure.Core 1.56.0 transitively (via Azure.Identity 1.21.0 / Azure.Monitor.OpenTelemetry.Exporter). Referencing GxClasses then produced MSB3277 "conflicts between different versions of Azure.Core" and the build kept the lower 1.53 (primary). Bump the direct pins to 1.56.0 so the direct reference matches the graph's high-water mark. 
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> * Re-export Azure.Core 1.56 from GxClasses to resolve MSB3277 across the solution Azure.Identity 1.21.0 floors Azure.Core at 1.53, while Azure.Monitor.OpenTelemetry. Exporter 1.8.1 floors it at 1.56 — but the latter is PrivateAssets="All", so its higher floor doesn't flow to consumers. GxClasses itself resolved 1.56, but every project referencing GxClasses.dll fell back to Azure.Identity's 1.53, causing MSB3277 "conflicts between different versions of Azure.Core" across ~58 projects. Re-export Azure.Core 1.56.0 explicitly from GxClasses (same pattern already used for the OpenTelemetry cascade), so consumers resolve the same 1.56 GxClasses was built against. After this, 0 projects resolve 1.53 (was 58). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> * Suppress BouncyCastle 1.8.6.1 advisories in DotNetCoreUnitTest (NU1902) The test pulls the abandoned BouncyCastle 1.8.6.1 transitively via legacy iTextSharp 5.5.13.2 (iText 5, EOL). The advisories are only fixed in BouncyCastle.Cryptography 2.x, which iText 5 is not compatible with — there is no upgrade path while iTextSharp 5.x is referenced. Since this is a test-only, non-shipped dependency, suppress these specific advisories via NuGetAuditSuppress (surgical: keeps NuGet audit active for everything else). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Backport adaptation: drop stale Microsoft.Extensions.* 8.0.0 pins for the Azure.Core 1.56 cascade PR #1281 brings Azure.Core 1.56.0 into GxClasses, whose dependency graph floors System.Diagnostics.DiagnosticSource and Microsoft.Extensions.Logging.Abstractions at 10.0.3. 
release-1.30 still carried explicit 8.0.0 pins (master had already dropped them), producing NU1605 downgrade-as-error across ~58 consumers, plus a CS1061 on Activity.AddException (only available in DiagnosticSource 9.0+). Mirror master by removing the superseded explicit pins so the cascade resolves cleanly: - GxClasses (core): drop Microsoft.Extensions.Logging / Logging.Abstractions 8.0.0 - GxClasses.Web: drop Microsoft.Extensions.Logging / Logging.Abstractions 8.0.0 - GxNetCoreStartup: drop System.Diagnostics.DiagnosticSource 8.0.0 - GXOtel.Diagnostics: drop System.Diagnostics.DiagnosticSource 8.0.0 (lets OpenTelemetry 1.15.3 supply 9.0+ with Activity.AddException) DotNetStandardClasses.sln now builds with 0 errors. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> * Backport adaptation: align crypto package versions to fix ProjectHealthTest PR #1281's GxOffice crypto overrides raised transitive System.Security.Cryptography.* versions, exposing older direct pins in release-1.30 that master had already bumped. ProjectHealthTest.PackageVersionTest flagged the incoherence: - GxExcel: System.Security.Cryptography.Pkcs 8.0.0 -> 8.0.1 (was below the 8.0.1 transitive now pulled via GxOffice; matches master). - GeneXusXmlSignatureNetCore: System.Security.Cryptography.Xml 8.0.0 -> 8.0.3 (matches master and GxOffice's net8.0 override). - GxOffice: drop the net10.0-conditional System.Security.Cryptography.Xml 10.0.6 reference. release-1.30 targets net6.0;net8.0 (literal TFMs, not $(NetVersions)), so the net10.0 override never builds here but the consistency test still read it as a second, divergent direct version. ProjectHealthTest.PackageVersionTest now passes (3/3); solution builds with 0 errors. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Gustavo Martínez <48455055+gusmar1972@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
1 parent 3e2bdc1 commit 901e2c4

47 files changed

Lines changed: 652 additions & 449 deletions


dotnet/src/dotnetcore/DynService/Cosmos/DynService.CosmosDB.csproj

Lines changed: 1 addition & 1 deletion
@@ -13,7 +13,7 @@
1313
</ItemGroup>
1414

1515
<ItemGroup>
16-
<PackageReference Include="Azure.Core" Version="1.36.0" />
16+
<PackageReference Include="Azure.Core" Version="1.56.0" />
1717
<PackageReference Include="Microsoft.Azure.Cosmos" Version="3.36.0" />
1818
<PackageReference Include="Microsoft.Extensions.Configuration" Version="8.0.0" />
1919
</ItemGroup>
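
Review bot: The Azure.Core pin on new line 16 jumps from 1.36.0 to 1.56.0 with no comment saying why this project carries a direct pin at all. The commit message explains that the value has to match the Azure.Core version GxClasses re-exports, otherwise MSB3277 appears, so a one-line XML comment stating that dependency (or dropping the direct reference and letting the GxClasses export supply it) would keep the two from drifting on the next security bump.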

dotnet/src/dotnetcore/DynService/OData/DynServiceOData.csproj

Lines changed: 1 addition & 1 deletion
@@ -13,7 +13,7 @@
1313
</ItemGroup>
1414
<ItemGroup>
1515
<PackageReference Include="Microsoft.Extensions.Configuration" Version="8.0.0" />
16-
<PackageReference Include="GeneXus.Odata.Client" Version="5.2.3.8" />
16+
<PackageReference Include="GeneXus.Odata.Client" Version="6.0.4" />
1717
</ItemGroup>
1818
<ItemGroup>
1919
<ProjectReference Include="..\..\GxClasses\GxClasses.csproj" />
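
Review bot: New line 16 moves GeneXus.Odata.Client across a major version (5.2.3.8 to 6.0.4) in a release-branch backport, and the commit message states that the 6.0 line removed BoundClient.ExpandMap and changed how BoundClient.Filter handles cross-entity expressions. Please confirm that the GXODataClient wrapper changes and the refreshed DynServiceOData/app.config binding redirects described there are part of this same backport, and that 6.0.4 is already on the feed, since the message warns that CI restore fails otherwise.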

dotnet/src/dotnetcore/GxClasses.Web/GxClasses.Web.csproj

Lines changed: 0 additions & 2 deletions
@@ -29,8 +29,6 @@
2929
</ItemGroup>
3030

3131
<ItemGroup>
32-
<PackageReference Include="Microsoft.Extensions.Logging" Version="8.0.0" />
33-
<PackageReference Include="Microsoft.Extensions.Logging.Abstractions" Version="8.0.0" />
3432
<PackageReference Include="Microsoft.Extensions.Configuration" Version="8.0.0" />
3533
</ItemGroup>
3634
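
Review bot: With old lines 32-33 removed, Microsoft.Extensions.Logging and Logging.Abstractions reach this project only through the dependency graph, while Microsoft.Extensions.Configuration on the following line stays pinned at 8.0.0. If the Azure.Core 1.56 cascade described in the commit message raises other Microsoft.Extensions.* packages to 10.0.3, this project mixes 8.0.0 and 10.0.3 assemblies from the same family; check that this resolves without NU1605 and consider a short comment noting that the Logging versions now come from GxClasses.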

dotnet/src/dotnetcore/GxClasses/GxClasses.csproj

Lines changed: 24 additions & 10 deletions
@@ -63,6 +63,7 @@
6363
<Compile Include="..\..\dotnetframework\GxClasses\Model\URLRouter.cs" Link="Model\URLRouter.cs" />
6464
<Compile Include="..\..\dotnetframework\GxClasses\Model\SdtGridState.cs" Link="Model\SdtGridState.cs" />
6565
<Compile Include="..\..\dotnetframework\GxClasses\Model\SdtGridState_InputValuesItem.cs" Link="Model\SdtGridState_InputValuesItem.cs" />
66+
<Compile Include="..\..\dotnetframework\GxClasses\Printer\GxPrinterDevice.cs" Link="Printer\GxPrinterDevice.cs" />
6667
<Compile Include="..\..\dotnetframework\GxClasses\Security\WebSecurity.cs" Link="Security\WebSecurity.cs" />
6768
<Compile Include="..\..\dotnetframework\GxClasses\Services\Caching\GxCache.cs" Link="Services\Caching\GxCache.cs" />
6869
<Compile Include="..\..\dotnetframework\GxClasses\Domain\GxCollections.cs" Link="Domain\GxCollections.cs" />
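
Review bot: New line 66 links Printer\GxPrinterDevice.cs from the .NET Framework tree into the .NET Core build, which is a source change inside a commit titled as a dependency backport, and a later hunk in this file removes the System.Drawing.Common reference. The commit message says direct-to-printer output keeps using System.Drawing.Common and is Windows-only, so please state which drawing package this file compiles against here and whether it needs a platform guard for non-Windows targets.
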
@@ -150,22 +151,35 @@
150151
</ItemGroup>
151152
<ItemGroup>
152153
<PackageReference Include="Experimental.System.Messaging.Signed" Version="1.0.0" />
153-
<PackageReference Include="log4net" Version="2.0.15" />
154-
<PackageReference Include="Microsoft.Data.SqlClient" Version="2.1.7" />
154+
<PackageReference Include="log4net" Version="3.3.1" />
155+
<PackageReference Include="Microsoft.Data.SqlClient" Version="5.1.6" />
156+
<!-- Override Microsoft.Data.SqlClient's vulnerable transitive Azure.Identity 1.11.4. Without
157+
this, every consumer of the GeneXus.Classes.Core nupkg (generated GeneXus apps included)
158+
inherits the 1.11.4 transitive and ships it in their bin. -->
159+
<PackageReference Include="Azure.Identity" Version="1.21.0" />
160+
<!-- OpenTelemetry 1.15.3 + Azure.Monitor.OpenTelemetry.Exporter 1.8.1 cascade these to v10.0
161+
transitively. The OpenTelemetry refs below carry PrivateAssets="All" so the cascade does
162+
not flow to consumers, which would then build against the net8.0 in-box 8.0 versions and
163+
hit CS1705 type-mismatch with this assembly. Re-export the cascade transitive packages so
164+
consumers resolve to the same 10.0 versions GxClasses was compiled against. -->
165+
<PackageReference Include="Microsoft.Extensions.DependencyInjection.Abstractions" Version="10.0.3" />
166+
<PackageReference Include="System.Diagnostics.DiagnosticSource" Version="10.0.3" />
167+
<PackageReference Include="System.Text.Json" Version="10.0.3" />
168+
<!-- Azure.Monitor.OpenTelemetry.Exporter (PrivateAssets=All above) floors Azure.Core at 1.56,
169+
but the public Azure.Identity floors it at 1.53. Without re-exporting 1.56, consumers
170+
resolve 1.53 and hit MSB3277 against this assembly's 1.56. Pin it so the cascade flows. -->
171+
<PackageReference Include="Azure.Core" Version="1.56.0" />
155172
<PackageReference Include="Microsoft.Data.Sqlite" Version="3.0.0" PrivateAssets="All" />
156173
<PackageReference Include="Microsoft.DotNet.Analyzers.Compatibility" Version="0.2.12-alpha">
157174
<PrivateAssets>all</PrivateAssets>
158175
<IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
159176
</PackageReference>
160-
<PackageReference Include="Microsoft.Extensions.Logging" Version="8.0.0" />
161-
<PackageReference Include="Microsoft.Extensions.Logging.Abstractions" Version="8.0.0" />
162177
<PackageReference Include="Microsoft.Extensions.Logging.ApplicationInsights" Version="2.22.0" PrivateAssets="ALL" />
163-
<PackageReference Include="Azure.Monitor.OpenTelemetry.Exporter" Version="1.1.0" PrivateAssets="All" />
164-
<PackageReference Include="OpenTelemetry.Exporter.OpenTelemetryProtocol" Version="1.7.0" PrivateAssets="All" />
165-
<PackageReference Include="OpenTelemetry.Exporter.Console" Version="1.7.0" PrivateAssets="All" />
166-
<PackageReference Include="System.Diagnostics.DiagnosticSource" Version="8.0.0" />
178+
<PackageReference Include="Azure.Monitor.OpenTelemetry.Exporter" Version="1.8.1" PrivateAssets="All" />
179+
<PackageReference Include="OpenTelemetry.Exporter.OpenTelemetryProtocol" Version="1.15.3" PrivateAssets="All" />
180+
<PackageReference Include="OpenTelemetry.Exporter.Console" Version="1.15.3" PrivateAssets="All" />
167181
<PackageReference Include="Microsoft.Win32.Registry" Version="4.7.0" />
168-
<PackageReference Include="MySqlConnector" Version="2.2.3" />
182+
<PackageReference Include="MySqlConnector" Version="2.5.0" />
169183
<PackageReference Include="NetTopologySuite" Version="2.0.0" />
170184
<PackageReference Include="NodaTime" Version="3.1.9" />
171185
<PackageReference Include="Novell.Directory.Ldap.NETStandard" Version="3.3.1" />
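
Review bot: The re-exported pins on new lines 165-167 (Microsoft.Extensions.DependencyInjection.Abstractions, System.Diagnostics.DiagnosticSource and System.Text.Json at 10.0.3) are unconditional and carry no PrivateAssets, so every consumer of the package is moved to 10.0.3, yet the comment above them reasons only about net8.0 and the commit message says release-1.30 targets net6.0;net8.0. Confirm that the 10.0.3 packages restore and build cleanly for the net6.0 target with TreatWarningsAsErrors on, or condition the pins per TargetFramework. Separately, old lines 160-161 drop the Microsoft.Extensions.Logging pins without a matching re-export, and the only remaining Logging reference in the hunk, Microsoft.Extensions.Logging.ApplicationInsights, is PrivateAssets="ALL"; check that consumers still resolve Microsoft.Extensions.Logging.
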
@@ -174,7 +188,7 @@
174188
<PackageReference Include="Stubble.Core" Version="1.8.4" />
175189
<PackageReference Include="System.DirectoryServices" Version="4.7.0" />
176190
<PackageReference Include="Microsoft.IdentityModel.Tokens" Version="6.35.0" />
177-
<PackageReference Include="System.Drawing.Common" Version="4.7.2" />
191+
<PackageReference Include="GeneXus.Drawing.Common" Version="2.0.4" />
178192
<PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="6.35.0" />
179193
<PackageReference Include="NUglify" Version="1.16.4" />
180194
</ItemGroup>
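
Review bot: New line 191 swaps System.Drawing.Common for GeneXus.Drawing.Common rather than bumping a version, and unlike the Azure.Identity and Azure.Core overrides earlier in this file it has no comment. Because the reference has no PrivateAssets it flows to every consumer, so any GxClasses public member that exposed System.Drawing types changes for them; a comment here and a release note describing the replacement would help downstream projects.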

dotnet/src/dotnetcore/GxExcel/GxExcel.csproj

Lines changed: 1 addition & 1 deletion
@@ -18,7 +18,7 @@
1818
<ItemGroup>
1919
<PackageReference Include="Microsoft.Extensions.Configuration" Version="8.0.0" />
2020
<PackageReference Include="EPPlus" Version="4.5.3.2" />
21-
<PackageReference Include="System.Security.Cryptography.Pkcs" Version="8.0.0" />
21+
<PackageReference Include="System.Security.Cryptography.Pkcs" Version="8.0.1" />
2222
</ItemGroup>
2323

2424
<ItemGroup>

dotnet/src/dotnetcore/GxMail/GxMail.csproj

Lines changed: 1 addition & 1 deletion
@@ -70,7 +70,7 @@
7070
<PackageReference Include="MailKit" Version="3.1.1" />
7171
<PackageReference Include="Microsoft.Exchange.WebServices" Version="2.2.0" />
7272
<PackageReference Include="MimeKit" Version="3.1.1" />
73-
<PackageReference Include="Microsoft.Identity.Client" Version="4.60.3" />
73+
<PackageReference Include="Microsoft.Identity.Client" Version="4.84.0" />
7474
<PackageReference Include="OpenPop" Version="2.0.6.2" />
7575
<PackageReference Include="Org.Mentalis.Security" Version="1.0.0" />
7676
</ItemGroup>
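
Review bot: New line 73 sets Microsoft.Identity.Client to 4.84.0, but the commit message pins the .NET Framework GxMail to 4.75.0 because 4.77+ requires Microsoft.IdentityModel.Abstractions 8.x, and the GxClasses.csproj context in this same commit still shows Microsoft.IdentityModel.Tokens and System.IdentityModel.Tokens.Jwt at 6.35.0. Please verify that the .NET Core graph does not end up with Microsoft.IdentityModel.Abstractions 8.x next to the 6.35.0 Tokens/Jwt assemblies, or apply the same 4.75.0 pin here.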

dotnet/src/dotnetcore/GxNetCoreStartup/GxNetCoreStartup.csproj

Lines changed: 6 additions & 7 deletions
@@ -11,17 +11,16 @@
1111

1212
<ItemGroup>
1313
<PackageReference Include="Microsoft.AspNetCore.DataProtection.StackExchangeRedis" Version="8.0.3" />
14-
<PackageReference Include="Microsoft.Data.SqlClient" Version="2.1.7" />
14+
<PackageReference Include="Microsoft.Data.SqlClient" Version="5.1.6" />
1515
<PackageReference Include="Microsoft.Extensions.Caching.SqlServer" Version="3.1.3" />
1616
<PackageReference Include="Microsoft.Extensions.Caching.StackExchangeRedis" Version="8.0.3" />
17-
<PackageReference Include="Microsoft.Identity.Client" Version="4.60.3" />
17+
<PackageReference Include="Microsoft.Identity.Client" Version="4.84.0" />
1818
<PackageReference Include="Swashbuckle.AspNetCore.SwaggerUI" Version="6.5.0" />
19-
<PackageReference Include="System.Diagnostics.DiagnosticSource" Version="8.0.0" />
2019

21-
<PackageReference Include="Azure.Identity" Version="1.11.0" PrivateAssets="All" />
22-
<PackageReference Include="Azure.Monitor.OpenTelemetry.Exporter" Version="1.1.0" PrivateAssets="All" />
23-
<PackageReference Include="OpenTelemetry" Version="1.7.0" PrivateAssets="All" />
24-
<PackageReference Include="OpenTelemetry.Exporter.Console" Version="1.7.0" PrivateAssets="All" />
20+
<PackageReference Include="Azure.Identity" Version="1.21.0" PrivateAssets="All" />
21+
<PackageReference Include="Azure.Monitor.OpenTelemetry.Exporter" Version="1.8.1" PrivateAssets="All" />
22+
<PackageReference Include="OpenTelemetry" Version="1.15.3" PrivateAssets="All" />
23+
<PackageReference Include="OpenTelemetry.Exporter.Console" Version="1.15.3" PrivateAssets="All" />
2524
<PackageReference Include="Microsoft.Extensions.Logging.ApplicationInsights" Version="2.22.0" PrivateAssets="All" />
2625

2726
<PackageReference Include="itext7" Version="8.0.0" PrivateAssets="All" />
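
Review bot: New lines 14, 17 and 20-23 repeat version literals that also appear in GxClasses.csproj and GxMail.csproj in this commit (Microsoft.Data.SqlClient 5.1.6, Microsoft.Identity.Client 4.84.0, Azure.Identity 1.21.0, the OpenTelemetry 1.15.3 family), and the commit message records a ProjectHealthTest failure caused by exactly this kind of drift between direct pins. Moving these versions into shared MSBuild properties or NuGet central package management (Directory.Packages.props) would make the next security bump a single-line change.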

dotnet/src/dotnetcore/GxOffice/GxOffice.csproj

Lines changed: 3 additions & 0 deletions
@@ -37,6 +37,9 @@
3737
<ItemGroup>
3838
<PackageReference Include="NPOI" Version="2.5.6" />
3939
<PackageReference Include="Microsoft.Extensions.Configuration" Version="8.0.0" />
40+
<!-- Override NPOI's vulnerable transitives (NPOI 2.7.x still depends on these older versions) -->
41+
<PackageReference Include="SixLabors.ImageSharp" Version="3.1.11" />
42+
<PackageReference Include="System.Security.Cryptography.Xml" Version="8.0.3" Condition="'$(TargetFramework)' == 'net8.0'" />
4043
</ItemGroup>
4144

4245
<ItemGroup>
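
Review bot: The comment on new line 40 says NPOI 2.7.x still depends on the vulnerable versions, but the unchanged context two lines above it references NPOI 2.5.6 on this branch. Verify with 'dotnet nuget why' that NPOI 2.5.6 actually pulls SixLabors.ImageSharp and System.Security.Cryptography.Xml; if it does not, lines 41-42 add new direct dependencies instead of overriding transitives, and the comment should be corrected for release-1.30. The System.Security.Cryptography.Xml override is also conditioned on net8.0 only, which leaves the net6.0 target named in the commit message on whatever version the graph resolves.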

dotnet/src/dotnetcore/GxPdfReportsCS.Itext4/GxPdfReportsCS.Itext4.csproj

Lines changed: 3 additions & 3 deletions
@@ -15,14 +15,14 @@
1515
</ItemGroup>
1616

1717
<ItemGroup>
18-
<PackageReference Include="log4net" Version="2.0.15" />
18+
<PackageReference Include="log4net" Version="3.3.1" />
1919
<PackageReference Include="Microsoft.DotNet.Analyzers.Compatibility" Version="0.2.12-alpha">
2020
<PrivateAssets>all</PrivateAssets>
2121
<IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
2222
</PackageReference>
2323
<PackageReference Include="Microsoft.Win32.Registry" Version="4.7.0" />
24-
<PackageReference Include="System.Drawing.Common" Version="4.7.2" />
25-
<PackageReference Include="System.Text.Encoding.CodePages" Version="4.7.0" />
24+
<PackageReference Include="System.Drawing.Common" Version="6.0.0" />
25+
<PackageReference Include="System.Text.Encoding.CodePages" Version="6.0.0" />
2626
</ItemGroup>
2727

2828
<ItemGroup>
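
Review bot: New line 24 keeps this project on System.Drawing.Common and raises it to 6.0.0, while GxPdfReportsCS and GxClasses in the same commit move to GeneXus.Drawing.Common 2.0.4. From version 6.0 onward System.Drawing.Common is supported on Windows only and throws PlatformNotSupportedException elsewhere unless the System.Drawing.EnableUnixSupport runtime switch is set, so iText 4 reports that worked on Linux with 4.7.2 may stop working; either apply the same package swap here or add a comment stating that this project is Windows-only.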

dotnet/src/dotnetcore/GxPdfReportsCS/GxPdfReportsCS.csproj

Lines changed: 3 additions & 3 deletions
@@ -16,7 +16,7 @@
1616
<EmbeddedResource Include="..\..\dotnetframework\GxPdfReportsCS\sRGB Color Space Profile.icm" Link="sRGB Color Space Profile.icm" />
1717
</ItemGroup>
1818
<ItemGroup>
19-
<PackageReference Include="PdfPig" Version="0.1.8" PrivateAssets="All"/>
19+
<PackageReference Include="PdfPig" Version="0.1.8" PrivateAssets="All" />
2020
</ItemGroup>
2121

2222
<ItemGroup>
@@ -31,8 +31,8 @@
3131
<IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
3232
</PackageReference>
3333
<PackageReference Include="Microsoft.Win32.Registry" Version="4.7.0" />
34-
<PackageReference Include="System.Drawing.Common" Version="4.7.2" />
35-
<PackageReference Include="System.Text.Encoding.CodePages" Version="4.7.0" />
34+
<PackageReference Include="GeneXus.Drawing.Common" Version="2.0.4" />
35+
<PackageReference Include="System.Text.Encoding.CodePages" Version="6.0.0" />
3636
</ItemGroup>
3737

3838
<ItemGroup>
