Bump MessagePack from 2.5.198 to 2.5.302

[dependabot]

Updated MessagePack from 2.5.198 to 2.5.302.

Release notes

Sourced from MessagePack's releases.

2.5.302

This is a merge release, combining the security fix from the https://github.com/MessagePack-CSharp/MessagePack-CSharp/releases/tag/v2.5.205 release with the several security fixes from the https://github.com/MessagePack-CSharp/MessagePack-CSharp/releases/tag/v2.5.301 release.

2.5.301

Security release

This release fixes 2 high severity and 9 moderate severity security vulnerabilities as listed below.

This release is missing #​2269 from the v2.5.205 release. We recommend folks adopt the v2.5.302 release which has all the security fixes combined.

High severity advisory fixes

• 696b4a76 GHSA-vh6j-jc39-fggf Use iteration for skipping msgpack structures for CWE-674
• 3538bc11 GHSA-hv8m-jj95-wg3x Bound LZ4 input reads for CWE-125

Moderage severity advisory fixes

• 853429a0 GHSA-v72x-2h86-7f8m Guard LZ4 decompression length for CWE-409
• 826f17c7 GHSA-qhmf-xw27-6rqr Reject nested typeless blocklist bypass for CWE-502
• c98d31f2 GHSA-2f33-pr97-265q Default MVC input formatter to UntrustedData for CWE-1188
• ae90f2b1 GHSA-2x83-8g95-xh59 Limit untrusted ExpandoObject maps for CWE-407
• 940b8508 GHSA-wfr3-xj75-pfwh Guard dynamic union depth for CWE-674
• e01f07cf GHSA-w567-gjr2-hm5j Validate Unity blit lengths for CWE-789
• dc6f6324 GHSA-cxmj-83gh-fp49 Fix CWE-789 multidimensional array allocation validation
• e97f71e7 GHSA-q2h6-ghwm-5qm8 Use secure lookup comparer for CWE-407
• 7b12e5b5 GHSA-cj9g-3mj2-g8vv Guard JSON conversion depth for CWE-674
• a3c8a183 GHSA-cj9g-3mj2-g8vv Avoid JSON separator recursion for CWE-674
• 96743523 GHSA-cj9g-3mj2-g8vv Guard typeless JSON depth for CWE-674

Fixes with no security advisory

• 814bc4c1 Honor TypeFormatter options hooks for CWE-470
• b0f8c5e2 Fix WriteRawX methods to advance by written length
• 0124048c Fix CWE-190 map header length overflow

2.5.205

What's Changed

• Fix repo url by @​tomap in Fix repo url MessagePack-CSharp/MessagePack-CSharp#2065
• Update DynamicAssembly usage to honor different AssemblyLoadContext's by @​BertanAygun in Update DynamicAssembly usage to honor different AssemblyLoadContext's MessagePack-CSharp/MessagePack-CSharp#2183
• Add more types to the default disallow list of named types to be deserialized by @​AArnott in Add more types to the default disallow list of named types to be deserialized MessagePack-CSharp/MessagePack-CSharp#2263
• Add several known unsafe 'gadgets' to the disallow list by @​AArnott in Add several known unsafe 'gadgets' to the disallow list MessagePack-CSharp/MessagePack-CSharp#2269

New Contributors

• @​tomap made their first contribution in Fix repo url MessagePack-CSharp/MessagePack-CSharp#2065

Full Changelog: MessagePack-CSharp/MessagePack-CSharp@v2.5.192...v2.5.205

Commits viewable in compare view.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)