Bump MongoDB.Driver + fix vulnerable dependencies (#5070)

Kielek · web-flow · commit 371efe60a722 · 2026-05-18T07:10:29.000Z
diff --git a/build/LibraryVersions.g.cs b/build/LibraryVersions.g.cs
@@ -108,7 +108,7 @@ public static partial class LibraryVersion
                 new("3.0.0", supportedFrameworks: [ "net10.0", "net9.0", "net8.0", "net472" ]),
                 new("3.5.0", supportedFrameworks: [ "net10.0", "net9.0", "net8.0", "net472" ]),
                 new("3.7.0", supportedFrameworks: [ "net10.0", "net9.0", "net8.0", "net472" ]),
-                new("3.8.0", supportedFrameworks: [ "net10.0", "net9.0", "net8.0", "net472" ]),
+                new("3.8.1", supportedFrameworks: [ "net10.0", "net9.0", "net8.0", "net472" ]),
             ]
         },
         {
diff --git a/test/Directory.Packages.props b/test/Directory.Packages.props
@@ -33,7 +33,7 @@
     <PackageVersion Include="Microsoft.Extensions.Logging.Abstractions" Version="10.0.7" />
     <PackageVersion Include="Microsoft.Extensions.Options" Version="10.0.7" />
     <PackageVersion Include="Microsoft.NET.Test.Sdk" Version="18.5.1" />
-    <PackageVersion Include="MongoDB.Driver" Version="3.8.0" />
+    <PackageVersion Include="MongoDB.Driver" Version="3.8.1" />
     <PackageVersion Include="NSubstitute" Version="5.3.0" />
     <PackageVersion Include="MySql.Data" Version="9.7.0" />
     <PackageVersion Include="MySqlConnector" Version="2.5.0" />
@@ -51,6 +51,7 @@
     <PackageVersion Include="Quartz.Extensions.DependencyInjection" Version="3.18.1" />
     <PackageVersion Include="Quartz.Extensions.Hosting" Version="3.18.1" />
     <PackageVersion Include="RabbitMQ.Client" Version="7.2.1" />
+    <PackageVersion Include="SharpCompress" Version="0.48.1" />
     <PackageVersion Include="Snappier" Version="1.3.1" />
     <PackageVersion Include="StackExchange.Redis" Version="3.0.2-preview" />
     <PackageVersion Include="StrongNamer" Version="0.2.5" />
diff --git a/test/IntegrationTests/LibraryVersions.g.cs b/test/IntegrationTests/LibraryVersions.g.cs
@@ -226,7 +226,7 @@ public static TheoryData<string> MongoDB
                 "3.7.0",
 #endif
 #if NET10_0 || NET9_0 || NET8_0 || NET462
-                "3.8.0",
+                "3.8.1",
 #endif
 #endif
             ];
diff --git a/test/test-applications/integrations/TestApplication.MongoDB/TestApplication.MongoDB.csproj b/test/test-applications/integrations/TestApplication.MongoDB/TestApplication.MongoDB.csproj
@@ -13,7 +13,10 @@
     <PackageReference Include="MongoDB.Driver" VersionOverride="$(LibraryVersion)" />
     <!-- Snappier is transitive dependency of MongoDB.Driver. All versions up to 3.8.0 references v1.0.0
     All versions pruor to 1.3.1 are vulnerable for https://github.com/advisories/GHSA-pggp-6c3x-2xmx -->
-    <PackageReference Include="Snappier" />
+    <PackageReference Include="Snappier"  Condition="'$(OS)' == 'Windows_NT' and '$(LibraryVersion)' != '' and $([MSBuild]::VersionLessThan('$(LibraryVersion)', '3.8.1'))" />
+    <!-- SharpCompress is a transitive dependency of MongoDB.Driver. Version up to 0.47.4 are vulnerable.
+    for https://github.com/advisories/GHSA-6c8g-7p36-r338 -->
+    <PackageReference Include="SharpCompress" />
   </ItemGroup>
 
 </Project>

Original file line number	Diff line number	Diff line change
`@@ -108,7 +108,7 @@ public static partial class LibraryVersion`
`108`	`108`	`new("3.0.0", supportedFrameworks: [ "net10.0", "net9.0", "net8.0", "net472" ]),`
`109`	`109`	`new("3.5.0", supportedFrameworks: [ "net10.0", "net9.0", "net8.0", "net472" ]),`
`110`	`110`	`new("3.7.0", supportedFrameworks: [ "net10.0", "net9.0", "net8.0", "net472" ]),`
`111`		`- new("3.8.0", supportedFrameworks: [ "net10.0", "net9.0", "net8.0", "net472" ]),`
	`111`	`+ new("3.8.1", supportedFrameworks: [ "net10.0", "net9.0", "net8.0", "net472" ]),`
`112`	`112`	`]`
`113`	`113`	`},`
`114`	`114`	`{`