NCBC-4026: Upgrade Grpc.Net.Client (and other required)

emilienbev · emilienbev · commit 27386b9c08cb · 2025-05-21T08:04:09.000Z
Motivation ---------- BlackDuck isn’t reporting the vulnerability, but according to OSV - Open Source Vulnerabilities Grpc.Net.CLient 2.5.0.o used in Couchbase.csproj and Couchbase.Stellar.CodeGen.csproj present a vulnerability. Changes ------- - Upgrade Grpc dependencies and other required transitive dependencies Change-Id: Ie2c15fb3fc1800921a848ceaf55182e104756158 Reviewed-on: https://review.couchbase.org/c/couchbase-net-client/+/227979 Tested-by: Build Bot <build@couchbase.com> Reviewed-by: David Kelly <davidmichaelkelly@gmail.com>
diff --git a/Directory.Packages.props b/Directory.Packages.props
@@ -4,19 +4,22 @@
   </PropertyGroup>
   <!-- General dependencies -->
   <ItemGroup>
-    <PackageVersion Include="Google.Protobuf" Version="3.25.0" />
-    <PackageVersion Include="Grpc.Net.Client" Version="2.50.0" />
-    <PackageVersion Include="Grpc.Net.ClientFactory" Version="2.50.0" />
-    <PackageVersion Include="Google.Api.CommonProtos" Version="2.13.0" />
-    <PackageVersion Include="Grpc.Tools" Version="2.51.0" />
+    <PackageVersion Include="Google.Protobuf" Version="3.31.0" />
+    <PackageVersion Include="Grpc.Net.Client" Version="2.71.0" />
+    <PackageVersion Include="Grpc.Net.ClientFactory" Version="2.71.0" />
+    <PackageVersion Include="Google.Api.CommonProtos" Version="2.16.0" />
+    <PackageVersion Include="Grpc.Tools" Version="2.72.0">
+      <PrivateAssets>all</PrivateAssets>
+      <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
+    </PackageVersion>
     <PackageVersion Include="DnsClient" Version="1.8.0" />
     <PackageVersion Include="Microsoft.Bcl.TimeProvider" Version="8.0.1" />
     <PackageVersion Include="Microsoft.Extensions.Configuration" Version="3.1.21" />
     <PackageVersion Include="Microsoft.Extensions.Configuration.Binder" Version="3.1.21" />
     <PackageVersion Include="Microsoft.Extensions.DependencyInjection.Abstractions" Version="8.0.0" />
     <PackageVersion Include="Microsoft.Extensions.Logging.Abstractions" Version="6.0.1" />
     <PackageVersion Include="Microsoft.Extensions.ObjectPool" Version="6.0.0" />
-    <PackageVersion Include="Microsoft.Extensions.Options" Version="3.1.21" />
+    <PackageVersion Include="Microsoft.Extensions.Options" Version="6.0.0" />
     <PackageVersion Include="Newtonsoft.Json" Version="13.0.3" />
     <PackageVersion Include="OpenTelemetry" Version="1.2.0" />
     <PackageVersion Include="OpenTelemetry.Api" Version="1.2.0" />
@@ -28,8 +31,8 @@
     <PackageVersion Include="System.Runtime.CompilerServices.Unsafe" Version="6.1.0" />
     <PackageVersion Include="System.Text.Json" Version="8.0.5" />
     <PackageVersion Include="System.Threading.Channels" Version="5.0.0" />
-    <PackageVersion Include="System.Threading.Tasks.Dataflow" Version="5.0.0" />
-    <PackageVersion Include="System.Diagnostics.DiagnosticSource" Version="6.0.0" />
+    <PackageVersion Include="System.Threading.Tasks.Dataflow" Version="6.0.0" />
+    <PackageVersion Include="System.Diagnostics.DiagnosticSource" Version="6.0.1" />
   </ItemGroup>
   <!-- Dependencies only allowed for .NET Standard 2.0 -->
   <ItemGroup Condition=" '$(TargetFramework)' == 'netstandard2.0' ">
@@ -60,4 +63,4 @@
     <PackageVersion Include="Xunit.SkippableFact" Version="1.4.13" />
     <PackageVersion Include="coverlet.collector" Version="3.1.0" />
   </ItemGroup>
-</Project>
+</Project>
