Cherry pick branch 'genexuslabs:chore/security-package-updates' into beta

claudiamurialdo · Beta Bot · commit df7c324399c5 · 2026-05-13T16:44:47.000Z
diff --git a/dotnet/src/dotnetcore/DynService/OData/DynServiceOData.csproj b/dotnet/src/dotnetcore/DynService/OData/DynServiceOData.csproj
@@ -14,6 +14,8 @@
 	<ItemGroup>
 		<PackageReference Include="Microsoft.Extensions.Configuration" Version="8.0.0" />
 		<PackageReference Include="GeneXus.Odata.Client" Version="5.2.3.8" />
+		<!-- Override GeneXus.Odata.Client's vulnerable transitive Microsoft.Data.OData 5.8.3 -->
+		<PackageReference Include="Microsoft.Data.OData" Version="5.8.4" />
 	</ItemGroup>
 	<ItemGroup>
 		<ProjectReference Include="..\..\GxClasses\GxClasses.csproj" />
diff --git a/dotnet/src/dotnetcore/GxClasses/GxClasses.csproj b/dotnet/src/dotnetcore/GxClasses/GxClasses.csproj
@@ -141,10 +141,10 @@
 		  <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
 		</PackageReference>
 		<PackageReference Include="Microsoft.Extensions.Logging.ApplicationInsights" Version="2.22.0" PrivateAssets="ALL" />
-		<PackageReference Include="Azure.Monitor.OpenTelemetry.Exporter" Version="1.1.0" PrivateAssets="All" />
+		<PackageReference Include="Azure.Monitor.OpenTelemetry.Exporter" Version="1.3.0" PrivateAssets="All" />
 		<PackageReference Include="MimeTypesMap" Version="1.0.9" />
-		<PackageReference Include="OpenTelemetry.Exporter.OpenTelemetryProtocol" Version="1.7.0" PrivateAssets="All" />
-		<PackageReference Include="OpenTelemetry.Exporter.Console" Version="1.7.0" PrivateAssets="All" />
+		<PackageReference Include="OpenTelemetry.Exporter.OpenTelemetryProtocol" Version="1.8.1" PrivateAssets="All" />
+		<PackageReference Include="OpenTelemetry.Exporter.Console" Version="1.8.1" PrivateAssets="All" />
 		<PackageReference Include="Pgvector" Version="0.3.0" PrivateAssets="All" />
 		<PackageReference Include="MySqlConnector" Version="2.5.0" PrivateAssets="All" />
 		<PackageReference Include="NetTopologySuite" Version="2.0.0" />
diff --git a/dotnet/src/dotnetcore/GxMail/GxMail.csproj b/dotnet/src/dotnetcore/GxMail/GxMail.csproj
@@ -71,7 +71,7 @@
     <PackageReference Include="MailKit" Version="4.16.0" />
     <PackageReference Include="Microsoft.Exchange.WebServices" Version="2.2.0" />
     <PackageReference Include="MimeKit" Version="4.16.0" />
-    <PackageReference Include="Microsoft.Identity.Client" Version="4.61.3" />
+    <PackageReference Include="Microsoft.Identity.Client" Version="4.84.0" />
     <PackageReference Include="OpenPop" Version="2.0.6.2" />
 	<PackageReference Include="Org.Mentalis.Security" Version="1.0.0" />
   </ItemGroup>
diff --git a/dotnet/src/dotnetcore/GxNetCoreStartup/GxNetCoreStartup.csproj b/dotnet/src/dotnetcore/GxNetCoreStartup/GxNetCoreStartup.csproj
@@ -20,13 +20,13 @@
 		<PackageReference Include="Microsoft.Data.SqlClient" Version="5.1.6" />
 		<PackageReference Include="Microsoft.Extensions.Caching.SqlServer" Version="3.1.3" />
 		<PackageReference Include="Microsoft.Extensions.Caching.StackExchangeRedis" Version="8.0.26" />
-		<PackageReference Include="Microsoft.Identity.Client" Version="4.61.3" />
+		<PackageReference Include="Microsoft.Identity.Client" Version="4.84.0" />
 		<PackageReference Include="Swashbuckle.AspNetCore.SwaggerUI" Version="6.5.0" />
 
-		<PackageReference Include="Azure.Identity" Version="1.11.4" PrivateAssets="All" />
-		<PackageReference Include="Azure.Monitor.OpenTelemetry.Exporter" Version="1.1.0" PrivateAssets="All" />
-		<PackageReference Include="OpenTelemetry" Version="1.7.0" PrivateAssets="All" />
-		<PackageReference Include="OpenTelemetry.Exporter.Console" Version="1.7.0" PrivateAssets="All" />
+		<PackageReference Include="Azure.Identity" Version="1.17.1" PrivateAssets="All" />
+		<PackageReference Include="Azure.Monitor.OpenTelemetry.Exporter" Version="1.3.0" PrivateAssets="All" />
+		<PackageReference Include="OpenTelemetry" Version="1.8.1" PrivateAssets="All" />
+		<PackageReference Include="OpenTelemetry.Exporter.Console" Version="1.8.1" PrivateAssets="All" />
 		<PackageReference Include="Microsoft.Extensions.Logging.ApplicationInsights" Version="2.22.0" PrivateAssets="All" />
 
 		<PackageReference Include="itext7" Version="8.0.0" PrivateAssets="All" />
diff --git a/dotnet/src/dotnetcore/GxOffice/GxOffice.csproj b/dotnet/src/dotnetcore/GxOffice/GxOffice.csproj
@@ -42,8 +42,11 @@
 
 	<ItemGroup>
 		<PackageReference Include="BouncyCastle.Cryptography" Version="2.6.2" />
-		<PackageReference Include="NPOI" Version="2.7.3" />
+		<PackageReference Include="NPOI" Version="2.8.0" />
 		<PackageReference Include="Microsoft.Extensions.Configuration" Version="8.0.0" />
+		<!-- Override NPOI's vulnerable transitive System.Security.Cryptography.Xml -->
+		<PackageReference Include="System.Security.Cryptography.Xml" Version="8.0.3" Condition="'$(TargetFramework)' == 'net8.0'" />
+		<PackageReference Include="System.Security.Cryptography.Xml" Version="10.0.6" Condition="'$(TargetFramework)' == 'net10.0'" />
 	</ItemGroup>
 
 	<ItemGroup>
diff --git a/dotnet/src/dotnetcore/Providers/OpenTelemetry/Diagnostics/GXOtel.Diagnostics/GXOtel.Diagnostics.csproj b/dotnet/src/dotnetcore/Providers/OpenTelemetry/Diagnostics/GXOtel.Diagnostics/GXOtel.Diagnostics.csproj
@@ -12,7 +12,7 @@
   </PropertyGroup>
 
   <ItemGroup>
-	<PackageReference Include="OpenTelemetry.Exporter.Console" Version="1.7.0" />  
+	<PackageReference Include="OpenTelemetry.Exporter.Console" Version="1.8.1" />
   </ItemGroup>
 
   <ItemGroup>
diff --git a/dotnet/src/dotnetcore/Providers/OpenTelemetry/OpenTelemetry/GeneXus.OpenTelemetry.csproj b/dotnet/src/dotnetcore/Providers/OpenTelemetry/OpenTelemetry/GeneXus.OpenTelemetry.csproj
@@ -9,9 +9,9 @@
 	</PropertyGroup>
 
   <ItemGroup>
-	  <PackageReference Include="OpenTelemetry.Exporter.Console" Version="1.7.0" />
-	  <PackageReference Include="OpenTelemetry.Exporter.OpenTelemetryProtocol" Version="1.7.0" />
-	  <PackageReference Include="OpenTelemetry.Extensions.Hosting" Version="1.7.0" />
+	  <PackageReference Include="OpenTelemetry.Exporter.Console" Version="1.8.1" />
+	  <PackageReference Include="OpenTelemetry.Exporter.OpenTelemetryProtocol" Version="1.8.1" />
+	  <PackageReference Include="OpenTelemetry.Extensions.Hosting" Version="1.8.1" />
 	  <PackageReference Include="OpenTelemetry.Instrumentation.AspNetCore" Version="1.8.1" />
 	  <PackageReference Include="OpenTelemetry.Instrumentation.Http" Version="1.8.1" />
 	  <PackageReference Include="OpenTelemetry.Instrumentation.Runtime" Version="1.7.0" />
diff --git a/dotnet/src/dotnetcore/Providers/OpenTelemetry/OpenTelemetryAzureMonitor/GeneXus.OpenTelemetry.Azure.AppInsights.csproj b/dotnet/src/dotnetcore/Providers/OpenTelemetry/OpenTelemetryAzureMonitor/GeneXus.OpenTelemetry.Azure.AppInsights.csproj
@@ -11,13 +11,13 @@
 	</PropertyGroup>
 	<ItemGroup>
 		
-		<PackageReference Include="Azure.Identity" Version="1.11.4" />
-		<PackageReference Include="Azure.Monitor.OpenTelemetry.Exporter" Version="1.1.0" />
+		<PackageReference Include="Azure.Identity" Version="1.17.1" />
+		<PackageReference Include="Azure.Monitor.OpenTelemetry.Exporter" Version="1.3.0" />
 		<PackageReference Include="log4net.Ext.Json" Version="3.0.3" />
 		<PackageReference Include="Microsoft.ApplicationInsights.Log4NetAppender" Version="2.22.0" />
-		
-		<PackageReference Include="OpenTelemetry" Version="1.7.0" />
-		<PackageReference Include="OpenTelemetry.Exporter.Console" Version="1.7.0" />
+
+		<PackageReference Include="OpenTelemetry" Version="1.8.1" />
+		<PackageReference Include="OpenTelemetry.Exporter.Console" Version="1.8.1" />
 		
 	</ItemGroup>
 	<ItemGroup>
diff --git a/dotnet/src/dotnetframework/GxMail/GxMail.csproj b/dotnet/src/dotnetframework/GxMail/GxMail.csproj
@@ -11,7 +11,7 @@
 	<ItemGroup>
 		<PackageReference Include="MailKit" Version="4.16.0" />
 		<PackageReference Include="MimeKit" Version="4.16.0" />
-		<PackageReference Include="Microsoft.Identity.Client" Version="4.60.4" />
+		<PackageReference Include="Microsoft.Identity.Client" Version="4.84.0" />
 		<PackageReference Include="OpenPop.NET" Version="2.0.6.1120" />
 		<PackageReference Include="Org.Mentalis.Security" Version="1.0.0" />
 		<PackageReference Condition="'$(SignAssembly)'=='true'" Include="StrongNamer" Version="0.2.5" />
diff --git a/dotnet/src/dotnetframework/GxOffice/GxOffice.csproj b/dotnet/src/dotnetframework/GxOffice/GxOffice.csproj
@@ -9,7 +9,7 @@
 	<ItemGroup>
 		<PackageReference Include="BouncyCastle.Cryptography" Version="2.6.2" />
 		<PackageReference Include="EPPlus" Version="4.5.3.2" />
-		<PackageReference Include="NPOI" Version="2.7.3" />
+		<PackageReference Include="NPOI" Version="2.8.0" />
 		<PackageReference Include="Microsoft.Extensions.Configuration" Version="8.0.0" />
 	</ItemGroup>
 
diff --git a/dotnet/src/dotnetframework/GxOffice/poi/xssf/ExcelCells.cs b/dotnet/src/dotnetframework/GxOffice/poi/xssf/ExcelCells.cs
@@ -2,6 +2,7 @@
 using System;
 using GeneXus.MSOffice.Excel.Style;
 using GeneXus.Utils;
+using NPOI.OOXML.XSSF.UserModel;
 using NPOI.OpenXmlFormats.Spreadsheet;
 using NPOI.SS.UserModel;
 using NPOI.SS.Util;
@@ -795,7 +796,7 @@ public void SetColor(long value)
 									rgb = new byte[] { (byte)red, (byte)green, (byte)blue }
 								};
 
-								newColor = new XSSFColor(ctColor);
+								newColor = new XSSFColor(ctColor, new DefaultIndexedColorMap());
 
 								newFont = (XSSFFont)pWorkbook.CreateFont();
 								CopyPropertiesFont(newFont, fontCell);
@@ -822,7 +823,7 @@ public void SetColor(long value)
 										rgb = new byte[] { (byte)red, (byte)green, (byte)blue }
 									};
 
-									newColor = new XSSFColor(ctColor);
+									newColor = new XSSFColor(ctColor, new DefaultIndexedColorMap());
 
 
 									newFont = (XSSFFont)pWorkbook.CreateFont();
@@ -1073,7 +1074,7 @@ private XSSFColor ToColor(ExcelColor color)
 				rgb = new byte[] { (byte)color.Red, (byte)color.Green, (byte)color.Blue }
 			};
 
-			return new XSSFColor(ctColor);
+			return new XSSFColor(ctColor, new DefaultIndexedColorMap());
 		}
 		private XSSFCellStyle ApplyNewCellStyle(XSSFCellStyle cellStyle, ExcelStyle newCellStyle)
 		{
diff --git a/dotnet/src/dotnetframework/Projects/StoreManager/StoreManager.csproj b/dotnet/src/dotnetframework/Projects/StoreManager/StoreManager.csproj
@@ -10,7 +10,7 @@
 	</PropertyGroup>
 	<ItemGroup>
 		<PackageReference Include="Google.Apis.AndroidPublisher.v3" Version="1.55.0.2582" />
-		<PackageReference Include="Newtonsoft.Json" Version="13.0.1" />
+		<PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
 		<PackageReference Include="Zlib.Portable.Signed" Version="1.11.0" />
 	</ItemGroup>
 	<ItemGroup>
diff --git a/dotnet/src/dotnetframework/Providers/Storage/GXGoogleCloud/GXGoogleCloud.csproj b/dotnet/src/dotnetframework/Providers/Storage/GXGoogleCloud/GXGoogleCloud.csproj
@@ -9,7 +9,7 @@
 	
   <ItemGroup>
     <PackageReference Include="Google.Cloud.Storage.V1" Version="3.7.0" />
-    <PackageReference Include="Newtonsoft.Json" Version="13.0.1" />
+    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
   </ItemGroup>
   <ItemGroup>
     <Reference Include="System" />
diff --git a/dotnet/src/extensions/SecurityAPI/dotnet/dotnetframework/GeneXusJWT/GeneXusJWT.csproj b/dotnet/src/extensions/SecurityAPI/dotnet/dotnetframework/GeneXusJWT/GeneXusJWT.csproj
@@ -20,7 +20,7 @@
     <PackageReference Include="Microsoft.IdentityModel.JsonWebTokens" Version="6.35.0" />
     <PackageReference Include="Microsoft.IdentityModel.Logging" Version="6.35.0" />
     <PackageReference Include="Microsoft.IdentityModel.Tokens" Version="6.35.0" />
-    <PackageReference Include="Newtonsoft.Json" Version="13.0.1" />
+    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
     <PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="6.35.0" />
   </ItemGroup>
 
diff --git a/dotnet/src/extensions/gam/src/DotNetFramework/GamUtils/GamUtils.csproj b/dotnet/src/extensions/gam/src/DotNetFramework/GamUtils/GamUtils.csproj
@@ -12,7 +12,7 @@
   <ItemGroup>
     <PackageReference Include="BouncyCastle.Cryptography" Version="2.6.2" />
     <PackageReference Include="jose-jwt" Version="5.0.0" />
-    <PackageReference Include="Newtonsoft.Json" Version="13.0.1" />
+    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
     <PackageReference Include="StrongNamer" Version="0.2.5" Condition="'$(AssemblyOriginatorKeyFile)'!=''" />
   </ItemGroup>
 
diff --git a/dotnet/src/extensions/kafka/src/Core.Messaging.csproj b/dotnet/src/extensions/kafka/src/Core.Messaging.csproj
@@ -6,12 +6,9 @@
 		<AssemblyName>GeneXus.Messaging.Kafka</AssemblyName>
 		<PackageId>GeneXus.Messaging.Kafka</PackageId>
 	</PropertyGroup>
-	<ItemGroup Condition="'$(TargetFramework)'!='net462'">
+	<ItemGroup>
 		<PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
 	</ItemGroup>
-	<ItemGroup Condition="'$(TargetFramework)'=='net462'">
-		<PackageReference Include="Newtonsoft.Json" Version="13.0.1" />
-	</ItemGroup>
 	<ItemGroup>
 		<PackageReference Include="Confluent.Kafka" Version="2.10.0" />
 		<PackageReference Include="StrongNamer" Version="0.2.5" />
