Pin Microsoft.Bcl.Memory to remediate CVE-2026-26127 (#26)

Copilot · C0nquistadore · web-flow · commit 466add8bef33 · 2026-03-12T11:18:04.000+01:00
* Initial plan * Pin Microsoft.Bcl.Memory to 10.0.4 to fix CVE-2026-26127 Co-authored-by: C0nquistadore <16206104+C0nquistadore@users.noreply.github.com> * Add comment to Microsoft.Bcl.Memory pin explaining transitive dependency source Co-authored-by: C0nquistadore <16206104+C0nquistadore@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: C0nquistadore <16206104+C0nquistadore@users.noreply.github.com>
diff --git a/Directory.Packages.props b/Directory.Packages.props
@@ -13,6 +13,12 @@
     <PackageVersion Include="Microsoft.AspNet.WebApi.Core" Version="5.3.0" />
     <PackageVersion Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="10.0.4" />
     <PackageVersion Include="Microsoft.AspNetCore.Mvc.Testing" Version="10.0.3" />
+    <!--
+      Pin to a version without the known high severity vulnerability (CVE-2026-26127).
+      Remove pinned version once the package maintainers updated their reference to Microsoft.Bcl.Memory:
+      - Duende.IdentityModel 8.0.0
+    -->
+    <PackageVersion Include="Microsoft.Bcl.Memory" Version="10.0.4" />
     <PackageVersion Include="Microsoft.Build.Utilities.Core" Version="18.4.0" />
     <!--
       Be careful to update this package, because it might require a newer version of the compiler:
