Bump MessagePack from 3.1.6 to 3.1.7

[dependabot]

Updated MessagePack from 3.1.6 to 3.1.7.

Release notes

Sourced from MessagePack's releases.

3.1.7

What's Changed

• Add scoped to MessagePackWriter.Write(ReadOnlySpan<T>) methods by @​AArnott in Add scoped to MessagePackWriter.Write(ReadOnlySpan<T>) methods MessagePack-CSharp/MessagePack-CSharp#2271
• Fix security issues in master by @​AArnott in Fix security issues in master MessagePack-CSharp/MessagePack-CSharp#2274

Security release details

This release fixes 3 high severity and 9 moderate severity security vulnerabilities.

High severity advisory fixes

• 26d4e743 GHSA-382j-8mxh-c7x2 Reject invalid DateTime ext lengths for CWE-789
• b9cb6050 GHSA-vh6j-jc39-fggf Use iteration for skipping msgpack structures for CWE-674
• 719e690a GHSA-hv8m-jj95-wg3x Bound LZ4 input reads for CWE-125

Moderage severity advisory fixes

• 2b5a500a GHSA-v72x-2h86-7f8m Guard LZ4 decompression length for CWE-409
• f093bdc1 GHSA-qhmf-xw27-6rqr Reject nested typeless blocklist bypass for CWE-502
• f077798e GHSA-2f33-pr97-265q Default MVC input formatter to UntrustedData for CWE-1188
• 25a3493e GHSA-2x83-8g95-xh59 Limit untrusted ExpandoObject maps for CWE-407
• b414e6df GHSA-wfr3-xj75-pfwh Guard dynamic union depth for CWE-674
• 0555f07c GHSA-w567-gjr2-hm5j Validate Unity blit lengths for CWE-789
• 9b5783a7 GHSA-cxmj-83gh-fp49 Fix CWE-789 multidimensional array allocation validation
• f96fcf05 GHSA-q2h6-ghwm-5qm8 Use secure lookup comparer for CWE-407
• b3af7cf7 GHSA-cj9g-3mj2-g8vv Guard JSON conversion depth for CWE-674
• 66ad0894 GHSA-cj9g-3mj2-g8vv Avoid JSON separator recursion for CWE-674
• 082ba7da GHSA-cj9g-3mj2-g8vv Guard typeless JSON depth for CWE-674

Fixes with no security advisory

• fb0fe9f0 Honor TypeFormatter options hooks for CWE-470
• c1c06a6f Fix WriteRawX methods to advance by written length
• 46c6a0fe Fix CWE-190 map header length overflow

Full Changelog: MessagePack-CSharp/MessagePack-CSharp@v3.1.6...v3.1.7

Commits viewable in compare view.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)