Add comment to Microsoft.Bcl.Memory pin explaining transitive dependency source

Copilot · C0nquistadore · Copilot · commit 28904eea888c · 2026-03-12T08:43:51.000Z
Co-authored-by: C0nquistadore &lt;16206104+C0nquistadore@users.noreply.github.com&gt;
diff --git a/Directory.Packages.props b/Directory.Packages.props
@@ -13,6 +13,11 @@
     <PackageVersion Include="Microsoft.AspNet.WebApi.Core" Version="5.3.0" />
     <PackageVersion Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="10.0.4" />
     <PackageVersion Include="Microsoft.AspNetCore.Mvc.Testing" Version="10.0.3" />
+    <!--
+      Pin to a version without the known high severity vulnerability (CVE-2026-26127).
+      Remove pinned version once the package maintainers updated their reference to Microsoft.Bcl.Memory:
+      - Duende.IdentityModel 8.0.0
+    -->
     <PackageVersion Include="Microsoft.Bcl.Memory" Version="10.0.4" />
     <PackageVersion Include="Microsoft.Build.Utilities.Core" Version="18.4.0" />
     <!--
