Pin Microsoft.Data.OData nuspec dependency to [5.8.4, 6.0.0) and bump to 6.0.1.0

claudiamurialdo · claude · claudiamurialdo · commit b81ee324ff50 · 2026-05-19T15:19:30.000-03:00
The previous nuspec dependency range '[5.*, 6.0.0)' has a subtle bug: in NuGet PackageReferences a '5.*' wildcard floats to the latest 5.x at build time, but inside a .nuspec dependency element it is interpreted as the minimum version of the range, so a fresh restore of GeneXus.Odata.Client picks up Microsoft.Data.OData 5.0.0.50403 — the oldest 5.x with the high-severity advisory GHSA-mv2r-q4g5-j8q5. Pin the lower bound to 5.8.4 (the last vulnerability-free 5.x) so consumers default to that version. Bump AssemblyVersion to 6.0.1.0. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
diff --git a/GXOData.Client.nuspec b/GXOData.Client.nuspec
@@ -20,15 +20,15 @@
     <tags>odata data rest client netstandard net7 net8 mono android ios</tags>
     <dependencies>
       <group targetFramework="netstandard2.0">
-        <dependency id="Microsoft.Data.OData" version="[5.*, 6.0.0)" />
+        <dependency id="Microsoft.Data.OData" version="[5.8.4, 6.0.0)" />
         <dependency id="Microsoft.OData.Core" version="[7.4.4, 8.0)" />
       </group>
       <group targetFramework="net7.0">
-        <dependency id="Microsoft.Data.OData" version="[5.*, 6.0.0)" />
+        <dependency id="Microsoft.Data.OData" version="[5.8.4, 6.0.0)" />
         <dependency id="Microsoft.OData.Core" version="[7.4.4, 8.0)" />
       </group>
       <group targetFramework="net8.0">
-        <dependency id="Microsoft.Data.OData" version="[5.*, 6.0.0)" />
+        <dependency id="Microsoft.Data.OData" version="[5.8.4, 6.0.0)" />
         <dependency id="Microsoft.OData.Core" version="[7.4.4, 8.0)" />
       </group>
     </dependencies>
diff --git a/src/GXOdata.Client.All/Directory.Build.props b/src/GXOdata.Client.All/Directory.Build.props
@@ -3,7 +3,7 @@
 	<Import Project="$([MSBuild]::GetPathOfFileAbove('Directory.Build.props', '$(MSBuildThisFileDirectory)../'))" />
 
 	<PropertyGroup>
-		<AssemblyVersion>6.0.0.0</AssemblyVersion>
+		<AssemblyVersion>6.0.1.0</AssemblyVersion>
 		<FileVersion>$(AssemblyVersion)</FileVersion>
 		<InformationalVersion>$([System.DateTime]::UtcNow.ToString("yyyyMMddHHmmss")).$(GITHUB_SHA)</InformationalVersion>
 		<Company>GeneXus</Company>
