dotnet · dotnet/aspire · v13.4.5Critical

dotnet/aspire v13.4.5: Patch for StreamJsonRpc/MessagePack CVE, SemVer validation, telemetry update

Patch release v13.4.5 bumps StreamJsonRpc to 2.25.29 to clear transitive MessagePack GHSA-hv8m-jj95-wg3x (CVE-2026-48109) NU1903 advisory; adds strict SemVer va

17 Jun 2026Read 1 minSeverity: act now

What changed

Patch release v13.4.5 bumps StreamJsonRpc to 2.25.29 to clear transitive MessagePack GHSA-hv8m-jj95-wg3x (CVE-2026-48109) NU1903 advisory; adds strict SemVer validation for playwrightCliVersion; adds coding-agent detection to CLI telemetry.

Who it affects

All users of Aspire.Hosting package consuming StreamJsonRpc/MessagePack; users configuring Playwright CLI version; CLI telemetry consumers.

What to do today

Update to Aspire 13.4.5 to clear the NU1903 advisory and benefit from improved validation and telemetry.

The trail

Collected→ Audited→ Written→ Published

Source

GitHub Releases · dotnet/aspire

dotnet/aspire v13.4.5: Patch for StreamJsonRpc/MessagePack CVE, SemVer validation, telemetry update

What changed

Who it affects

What to do today

More on dotnet/aspire

Microsoft.NETCore.App.Runtime.linux-x64 Symlink Traversal in TarFile.ExtractToDirectory

Microsoft.AspNetCore.App.Runtime.linux-x64 Denial of Service via MessagePack Hub Protocol