Bump the github-actions group across 2 directories with 1 update#562

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/github_actions/github-actions-48a13287fe

Conversation

@dependabot
Contributor

@dependabot dependabot Bot commented on behalf of github Apr 26, 2026

Bumps the github-actions group with 1 update in the / directory: NuGet/login.
Bumps the github-actions group with 1 update in the /.github/workflows directory: NuGet/login.

Updates NuGet/login from 1.1.0 to 1.2.0

Release notes

Sourced from NuGet/login's releases.

NuGet OIDC login v1.2.0

🚀 v1.2.0

This is the newest stable release of NuGet/login, a GitHub Action for securely authenticating with NuGet using GitHub’s OIDC tokens.

✨ New features

  • Enhanced logging
  • Updated Node.js version

🛠️ Example Usage

```yaml
name: NuGet Login
uses: NuGet/login@v1.2.0
with:
  user: my-nuget-username
```

Commits
  • 8d19675 Updated to node24
  • 6f53280 Merge branch 'main' into releases/v1
  • 5e9ea94 Merge pull request #22 from NuGet/hotfix-nodejs
  • 311e1f3 Fix
  • 988d6f4 Hotfix
  • 5e93942 Merge pull request #21 from baywet/ci/auto-update-floating-tags
  • ed24280 ci: adds a workflow to update floating tags
  • 1205360 Merge pull request #15 from NuGet/lpar-update-node-gh-action
  • 4c6623b Merge pull request #12 from NuGet/lpar-logging-fix
  • 8099027 Add workflow to update Node.js version automatically
  • Additional commits viewable in compare view
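
The release notes above reference the action by floating tag (`NuGet/login@v1.2.0`), and the commit list includes a workflow that re-points floating tags. Dependabot bumps land at a specific commit (here 8d19675), and the property a practitioner wants from a workflow is that every `uses:` resolves to an immutable commit SHA rather than a tag or branch someone can move. The checker below is an added example, not code from this PR, from ecs-dotnet or from the NuGet/login project: it scans a workflow's `uses:` lines and reports any reference that is not a full 40-hex SHA. The sample workflow is constructed for the example, the SHA in it is a placeholder, and the `id-token: write` permission it carries is the GitHub Actions permission a job needs before it can request the OIDC token that NuGet/login exchanges.

```python
"""Flag GitHub Actions `uses:` references that are not pinned to a full commit SHA.

Added example; not code from the Dependabot PR, ecs-dotnet, or NuGet/login. The
workflow text below is constructed for this example, and the 40-hex SHA in it is a
placeholder, not a real commit.
"""
import re
from dataclasses import dataclass

# Matches "uses: owner/repo@ref" (optionally as a list item, optionally quoted).
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^\s"\'#]+)["\']?')
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')


@dataclass
class ActionRef:
    line: int      # 1-based line number in the workflow file
    action: str    # e.g. "NuGet/login"
    ref: str       # e.g. "v1.2.0", "main", or a 40-hex commit SHA
    comment: str   # trailing "# ..." comment, conventionally the human-readable tag


def parse_uses(workflow_text: str) -> list[ActionRef]:
    """Extract every remote action reference from a workflow file's text."""
    refs = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        spec = m.group(1)
        # Local actions and docker:// images are not resolved through a git ref.
        if spec.startswith("./") or spec.startswith("docker://"):
            continue
        action, _, ref = spec.partition("@")
        comment = line.split("#", 1)[1].strip() if "#" in line else ""
        refs.append(ActionRef(n, action, ref, comment))
    return refs


def unpinned(workflow_text: str) -> list[ActionRef]:
    """Refs resolved by a mutable tag or branch (or no ref at all), not a commit SHA.

    A floating tag such as v1 or v1.2.0 can be re-pointed by whoever controls the
    action's repository; a 40-hex commit SHA cannot.
    """
    return [r for r in parse_uses(workflow_text) if not FULL_SHA_RE.match(r.ref)]


def report(workflow_text: str) -> list[str]:
    """One human-readable finding per unpinned reference."""
    return [f"line {r.line}: {r.action}@{r.ref or '<none>'} is not pinned to a commit SHA"
            for r in unpinned(workflow_text)]


# Constructed sample workflow; the SHA on the setup-dotnet line is a placeholder.
SAMPLE_WORKFLOW = """\
name: release
on: [push]
permissions:
  contents: read
jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      id-token: write   # needed to request the OIDC token NuGet/login exchanges
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-dotnet@0123456789abcdef0123456789abcdef01234567 # v4 (placeholder SHA)
      - name: NuGet Login
        uses: NuGet/login@v1.2.0
        with:
          user: my-nuget-username
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for finding in report(SAMPLE_WORKFLOW):
        print(finding)
```

Run it against `.github/workflows/*.yml` text and the two floating references in the sample (`actions/checkout@v4`, `NuGet/login@v1.2.0`) are reported while the SHA-pinned step passes. The trailing `# v4` comment pattern is what Dependabot itself maintains when a workflow is SHA-pinned, so bumps like this one stay readable while the pin stays immutable.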

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Apr 26, 2026
@dependabot dependabot Bot requested a review from a team as a code owner April 26, 2026 22:05
@dependabot dependabot Bot added the github_actions Pull requests that update GitHub Actions code label Apr 26, 2026
@github-actions

🤖 GitHub comments

Just comment with:

  • run docs-build : Re-trigger the docs validation. (use unformatted text in the comment!)

@fr4nc1sc0-r4m0n

@elastic/observablt-ci should we discard this upgrade? See

/home/runner/work/ecs-dotnet/ecs-dotnet/src/Elastic.CommonSchema.Log4net/Elastic.CommonSchema.Log4net.csproj : error NU1902: Warning As Error: Package 'log4net' 2.0.17 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-4f7c-pmjv-c25w [/home/runner/work/ecs-dotnet/ecs-dotnet/ecs-dotnet.slnx]

@mallendem
Contributor

waiting for #564

Mpdreamz pushed a commit that referenced this pull request May 11, 2026
…564)

CI was failing at restore with `NU1902` (warnings-as-errors) due to
`log4net` 2.0.17 carrying
[GHSA-4f7c-pmjv-c25w](https://github.com/advisories/GHSA-4f7c-pmjv-c25w).
There is no 2.0.18 — the patch ships in the 3.x line, with 3.3.1 being
the first release to explicitly address this advisory.

### Changes

- **`src/Elastic.CommonSchema.Log4net/Elastic.CommonSchema.Log4net.csproj`** — bump `log4net` from `2.0.17` to `3.3.1`

```xml
- <PackageReference Include="log4net" Version="2.0.17" />
+ <PackageReference Include="log4net" Version="3.3.1" />
```
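Review bot: the hunk moves `log4net` across a major version (2.0.17 to 3.3.1) in a library csproj, which raises the minimum log4net that every consumer of Elastic.CommonSchema.Log4net restores; the body should call that out as a breaking floor change and it belongs in the package release notes. The statement below that the used API surface is unchanged should be backed by the Log4net test project building and passing on this commit, since the prompt further down shows that project restoring through this csproj and failing with the same NU1902.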

The 3.x public API surface used by this project (`LayoutSkeleton`,
`LoggingEvent`, `ThreadContextStack`, `LogicalThreadContextStack`,
`SystemStringFormat`) is unchanged, so no source modifications are
required.

<!-- START COPILOT ORIGINAL PROMPT -->



<details>

<summary>Original prompt</summary>

The GitHub Actions job failed in repository `elastic/ecs-dotnet` on PR
#562 due to a restore-time package vulnerability being treated as an
error (`NU1902`).

Failure details:
- Workflow: `.github/workflows/test.yml`
- Failing job: run `24968209539`, job `74593383050`
- Commit/ref associated with the failure:
`ee4b7df118fbf98a3e435fb6f1018a1222dee28f`
- Error from logs:
- `src/Elastic.CommonSchema.Log4net/Elastic.CommonSchema.Log4net.csproj : error NU1902: Warning As Error: Package 'log4net' 2.0.17 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-4f7c-pmjv-c25w`
- `tests/Elastic.CommonSchema.Log4net.Tests/Elastic.CommonSchema.Log4net.Tests.csproj : error NU1902` as a consequence of referencing the affected project

Relevant files:
- `.github/workflows/test.yml` — Linux build job runs `./build.sh build
-s true`, which fails during restore/build.
- `src/Elastic.CommonSchema.Log4net/Elastic.CommonSchema.Log4net.csproj`
currently contains:
  - `<PackageReference Include="log4net" Version="2.0.17" />`
- `tests/Elastic.CommonSchema.Log4net.Tests/Elastic.CommonSchema.Log4net.Tests.csproj` references the Log4net source project and should not need a direct package change.

Requested fix:
1. Update the vulnerable `log4net` dependency in
`src/Elastic.CommonSchema.Log4net/Elastic.CommonSchema.Log4net.csproj`
from `2.0.17` to a patched non-vulnerable version (for example `2.0.18`,
or the latest safe compatible version available).
2. Keep the fix minimal and focused on resolving the CI failure.
3. If necessary, update any lock files or related dependency metadata so
restore succeeds in CI.
4. Do not suppress `NU1902`; fix the underlying vulnerable dependency
instead.
5. Open a pull request with a concise explanation that this resolves the
failing restore caused by the vulnerable `log4net` package.

Acceptance criteria:
- The repository no longer references vulnerable `log4net` 2.0.17 in the
affected project.
- Restore/build for the failing workflow path should no longer fail with
`NU1902` for `log4net`.
- The PR is limited to the dependency fix and any necessary supporting
file updates.

The following is the prior conversation context from the user's chat
exploration (may be truncated):

User: Please find a solution for this failing job. Use the logs, job
definition, and any referenced files where the failure occurred. Keep
your response focused on the solution and include code suggestions when
appropriate.

Assistant: The failure is caused by restore treating a package
vulnerability warning as an error:

- `src/Elastic.CommonSchema.Log4net/Elastic.CommonSchema.Log4net.csproj#L13` pins `log4net` to `2.0.17`
- restore fails with `NU1902` for advisory `GHSA-4f7c-pmjv-c25w`
- the test project fails as a consequence because it references the
affected project:
`tests/Elastic.CommonSchema.Log4net.Tests/Elastic.CommonSchema.Log4net.Tests.csproj#L9`

The failing workflow step is the Linux build job in
`.github/workflows/test.yml#L70-L80`, where `./build.sh build -s true`
restores and builds the solution.

### Fix
Upgrade `log4net` in
`src/Elastic.CommonSchema.Log4net/Elastic.CommonSchema.Log4net.csproj#L13`
to a non-vulnerable version.

Suggested change:

```xml
<ItemGroup>
  <PackageReference Include="log4net" Version="2.0.18" />
</ItemGroup>
```

If a newer patched release is available in your dependency policy,
prefer the latest safe version instead of `2.0.18`.

### Patch
```diff
--- a/src/Elastic.CommonSchema.Log4net/Elastic.CommonSchema.Log4net.csproj
+++ b/src/Elastic.CommonSchema.Log4net/Elastic.CommonSchema.Log4net.csproj
@@
-    <PackageReference Include="log4net" Version="2.0.17" />
+    <PackageReference Include="log4net" Version="2.0.18" />
```
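Review bot: this suggested hunk pins `log4net` to `2.0.18`, a version the commit body at the top says does not exist, so applying it would turn the NU1902 restore failure into a package-version-not-found failure rather than fix it; the version that actually resolves the advisory in this commit is `3.3.1`. The suggestion should match the applied change, or state that the 2.0.18 figure was a guess that was corrected.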

### Why this solves it
The logs show the only restore errors are:

- `src/Elastic.CommonSchema.Log4net/Elastic.CommonSchema.Log4net.csproj : error NU1902`
- `tests/Elastic.CommonSchema.Log4net.Tests/Elastic.CommonSchema.Log4net.Tests.csproj : error NU1902`

Since the test project references the Log4net project rather than
directly referencing `log4net`, updating the package in the source
project removes the vulnerable dependency for both restore paths.

### Files involved
- Workflow:
[`.github/workflows/test.yml`](https://github.com/elastic/ecs-dotnet/blob/ee4b7df118fbf98a3e435fb6f1018a1222dee28f/.github/workflows/test.yml)
- Failing package reference:
[`src/Elastic.CommonSchema.Log4net/Elastic.CommonSchema.Log4net.csproj#L13`](https://github.com/elastic/ecs-dotnet/blob/ee4b7df118fbf98a3e435fb6f1018a1222dee28f/src/Elastic.CommonSchema.Log4net/Elastic.CommonSchema.Log4net.csproj#L13)
- Referencing test project:
[`tests/Elastic.CommonSchema.Log4net.Tests/Elastic.CommonSchema.Log4net.Tests.csproj#L9`](https://github.com/elastic/ecs-dotnet/blob/ee4b7df118fbf98a3e435fb6f1018a1222dee28f/tests/Elastic.CommonSchema.Log4net.Tests/Elastic.CommonSchema.Log4net.Tests.csproj#L9)

If compatibility with a patched `log4net` release is a concern, the
onl...

</details>



<!-- START COPILOT CODING AGENT SUFFIX -->

*This pull request was created from Copilot chat.*

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: mallendem <105422197+mallendem@users.noreply.github.com>
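
The thread's position that NU1902 is fixed by upgrading, never by suppressing, is enforced by NuGet's audit settings rather than by convention. As an added example (not ecs-dotnet's own build configuration, which this page does not show), this is a `Directory.Build.props` that keeps audit warnings fatal at moderate severity and above, audits transitive packages too, and shows the one narrow escape hatch that is acceptable when no fixed version exists yet. The property and item names are NuGet's own; the advisory URL in the commented-out suppression is a placeholder.

```xml
<Project>
  <PropertyGroup>
    <!-- Check restored packages against the GitHub Advisory Database at restore time. -->
    <NuGetAudit>true</NuGetAudit>
    <!-- "all" also audits transitive packages; "direct" audits only top-level references. -->
    <NuGetAuditMode>all</NuGetAuditMode>
    <!-- Lowest severity that produces a warning: low | moderate | high | critical. -->
    <NuGetAuditLevel>moderate</NuGetAuditLevel>
    <!-- Promote the audit warnings to errors so restore fails, as it did on this PR:
         NU1901 low, NU1902 moderate, NU1903 high, NU1904 critical. -->
    <WarningsAsErrors>$(WarningsAsErrors);NU1901;NU1902;NU1903;NU1904</WarningsAsErrors>
  </PropertyGroup>

  <!-- What the fix above rightly refused: a blanket NoWarn for NU1902 hides every
       moderate advisory in every package. If one specific advisory truly has no fixed
       version yet, the narrow form is one NuGetAuditSuppress item per advisory URL,
       with a justification, removed as soon as a fix ships. Placeholder URL below. -->
  <!--
  <ItemGroup>
    <NuGetAuditSuppress Include="https://github.com/advisories/GHSA-xxxx-xxxx-xxxx" />
  </ItemGroup>
  -->
</Project>
```

`dotnet list package --vulnerable --include-transitive` prints the same advisory data restore is acting on, which is the quickest way to confirm, before opening a PR, that a candidate version such as 3.3.1 actually clears the advisory rather than only changing the version string.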
Bumps the github-actions group with 1 update in the / directory: [NuGet/login](https://github.com/nuget/login).
Bumps the github-actions group with 1 update in the /.github/workflows directory: [NuGet/login](https://github.com/nuget/login).


Updates `NuGet/login` from 1.1.0 to 1.2.0
- [Release notes](https://github.com/nuget/login/releases)
- [Commits](NuGet/login@d22cc5f...8d19675)

---
updated-dependencies:
- dependency-name: NuGet/login
  dependency-version: 1.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
- dependency-name: NuGet/login
  dependency-version: 1.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/github_actions/github-actions-48a13287fe branch from ee4b7df to 41541f7 Compare May 17, 2026 22:06

Labels

dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code

3 participants