From de909c665a4ebc4f8aaf31a60671bb22c72882ff Mon Sep 17 00:00:00 2001
From: Paul Mcilreavy <p.mcilreavy@vald.com>
Date: Tue, 31 Mar 2026 18:52:55 +1000
Subject: [PATCH] Fix CVE vulnerabilities in transitive NuGet dependencies
 (#1204)

Pin vulnerable transitive dependencies to their fixed versions:
  - System.Formats.Asn1 6.0.0 -> 6.0.1 (CVE-2024-38095)
  - System.Security.Cryptography.Pkcs 6.0.1 -> 6.0.3 (CVE-2023-29331)
  - System.Security.Cryptography.X509Certificates 4.1.0 -> 4.3.2 (CVE-2017-11770)
  - System.Net.Http 4.1.0 -> 4.3.4 (CVE-2018-8292)
  - System.Private.Uri 4.3.0 -> 4.3.2 (CVE-2019-0657, CVE-2019-0980, CVE-2019-0981)
  - System.Text.RegularExpressions 4.3.0 -> 4.3.1 (CVE-2019-0820)
---
 source/Octopus.Tentacle/Octopus.Tentacle.csproj | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/source/Octopus.Tentacle/Octopus.Tentacle.csproj b/source/Octopus.Tentacle/Octopus.Tentacle.csproj
index 7ea884e6b..831bcb4b4 100644
--- a/source/Octopus.Tentacle/Octopus.Tentacle.csproj
+++ b/source/Octopus.Tentacle/Octopus.Tentacle.csproj
@@ -105,6 +105,18 @@
 		<PackageReference Include="System.Diagnostics.EventLog" Version="8.0.0" />
 		<PackageReference Include="System.Security.Cryptography.ProtectedData" Version="8.0.0" />
 	</ItemGroup>
+	<!-- Pin transitive dependencies to fix known CVEs (net6.0+ only, these packages don't support net48) -->
+	<ItemGroup Condition=" '$(TargetFrameworkIdentifier)' != '.NETFramework' ">
+		<PackageReference Include="System.Formats.Asn1" Version="6.0.1" />
+		<PackageReference Include="System.Security.Cryptography.Pkcs" Version="6.0.3" />
+	</ItemGroup>
+	<!-- Pin transitive dependencies to fix known CVEs (all frameworks) -->
+	<ItemGroup>
+		<PackageReference Include="System.Security.Cryptography.X509Certificates" Version="4.3.2" />
+		<PackageReference Include="System.Net.Http" Version="4.3.4" />
+		<PackageReference Include="System.Private.Uri" Version="4.3.2" />
+		<PackageReference Include="System.Text.RegularExpressions" Version="4.3.1" />
+	</ItemGroup>
 	<ItemGroup Condition=" '$(TargetFrameworkIdentifier)' == '.NETFramework' ">
 		<PackageReference Include="System.Runtime" Version="4.3.0" />
 		<Reference Include="System.Security" />