From 88f06560a5f6ed2d768a1f8ff92875e0a9288a1d Mon Sep 17 00:00:00 2001
From: "Calvin A. Allen" <calvin@codingwithcalvin.net>
Date: Tue, 16 Jun 2026 15:14:01 -0400
Subject: [PATCH] fix(server): pin MessagePack to remediate GHSA-hv8m-jj95-wg3x

StreamJsonRpc 2.20.20 transitively pulls MessagePack 2.5.187, which has
a known high severity vulnerability (NU1903). With warnings-as-errors
enabled, this fails restore/build in CI. Pin MessagePack to 2.5.302,
the latest patched 2.5.x release.
---
 .../CodingWithCalvin.MCPServer.Server.csproj                   | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/CodingWithCalvin.MCPServer.Server/CodingWithCalvin.MCPServer.Server.csproj b/src/CodingWithCalvin.MCPServer.Server/CodingWithCalvin.MCPServer.Server.csproj
index d814bd4..430eee7 100644
--- a/src/CodingWithCalvin.MCPServer.Server/CodingWithCalvin.MCPServer.Server.csproj
+++ b/src/CodingWithCalvin.MCPServer.Server/CodingWithCalvin.MCPServer.Server.csproj
@@ -18,6 +18,9 @@
     <PackageReference Include="System.CommandLine" Version="2.0.0-beta4.22272.1" />
     <PackageReference Include="ModelContextProtocol.AspNetCore" Version="0.8.0-preview.1" />
     <PackageReference Include="StreamJsonRpc" Version="2.20.20" />
+    <!-- Pin MessagePack above the transitive 2.5.187 pulled in by StreamJsonRpc to
+         remediate GHSA-hv8m-jj95-wg3x (high severity, NU1903). -->
+    <PackageReference Include="MessagePack" Version="2.5.302" />
   </ItemGroup>
 
   <ItemGroup>