fix: resolve Dependency Review summary failure by patching MessagePack vulnerability

[dependabot]

Description

This PR fixes the failing GitHub Actions job Dependency Review / Review Summary (pull_request) by addressing the root cause in the Vulnerability Check job.

The failure was caused by a transitive vulnerable dependency: MessagePack 2.5.192 (GHSA-hv8m-jj95-wg3x).
To remediate this, PokManager.AppHost now explicitly references a patched version: MessagePack 2.5.301.

Type of Change

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Documentation update
• Code refactoring
• Performance improvement
• Test update
• Other (please describe):

Checklist

• My code follows the style guidelines of this project
• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• My changes generate no new warnings
• I have added tests that prove my fix is effective or that my feature works
• New and existing unit tests pass locally with my changes
• Any dependent changes have been merged and published

Related Issues

N/A

Screenshots (if applicable)

Not applicable.

Testing

• dotnet build PokManager.sln
• dotnet test PokManager.sln
• dotnet list package --vulnerable --include-transitive

Verified that no vulnerable packages are reported after pinning MessagePack to 2.5.301.

Test Configuration:

• OS: Ubuntu 24.04
• .NET Version: .NET SDK 10.x
• Build Configuration: Debug

Additional Notes

Only one file was changed:

• src/Hosting/PokManager.AppHost/PokManager.AppHost.csproj

A direct PackageReference was added to override the vulnerable transitive MessagePack version.

Breaking Changes

None.

[dependabot]

Assignees

The following users could not be added as assignees: PokManagerApi/maintainers. Either the username does not exist or it does not have the correct permissions to be added as an assignee.

Labels

The following labels could not be found: area: build, dependencies, nuget. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[github-actions]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 5 package(s) with unknown licenses.

See the Details below.

License Issues

src/Core/PokManager.Application/PokManager.Application.csproj

Package	Version	License	Issue Type
Microsoft.Extensions.DependencyInjection.Abstractions	10.0.9	Null	Unknown License

src/Hosting/PokManager.AppHost/PokManager.AppHost.csproj

Package	Version	License	Issue Type
MessagePack	2.5.301	Null	Unknown License

src/Hosting/PokManager.ServiceDefaults/PokManager.ServiceDefaults.csproj

Package	Version	License	Issue Type
Microsoft.Extensions.Http.Resilience	10.7.0	Null	Unknown License
Microsoft.Extensions.ServiceDiscovery	10.7.0	Null	Unknown License

src/Infrastructure/PokManager.Infrastructure/PokManager.Infrastructure.csproj

Package	Version	License	Issue Type
Microsoft.Extensions.Hosting.Abstractions	10.0.9	Null	Unknown License

Allowed Licenses:

MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC, 0BSD

OpenSSF Scorecard

Package	Version	Score	Details
nuget/Microsoft.Extensions.DependencyInjection.Abstractions	10.0.9	Unknown	Unknown
nuget/MessagePack	2.5.301	Unknown	Unknown
nuget/Microsoft.Extensions.Http.Resilience	10.7.0	🟢 6.7	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 10 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 10 all changesets reviewed Packaging ⚠️ -1 packaging workflow not detected Security-Policy 🟢 10 security policy file detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Binary-Artifacts 🟢 10 no binaries found in the repo Signed-Releases ⚠️ -1 no releases found Fuzzing ⚠️ 0 project is not fuzzed Pinned-Dependencies 🟢 9 dependency not pinned by hash detected -- score normalized to 9 SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
nuget/Microsoft.Extensions.ServiceDiscovery	10.7.0	🟢 6.7	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 10 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 10 all changesets reviewed Packaging ⚠️ -1 packaging workflow not detected Security-Policy 🟢 10 security policy file detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Binary-Artifacts 🟢 10 no binaries found in the repo Signed-Releases ⚠️ -1 no releases found Fuzzing ⚠️ 0 project is not fuzzed Pinned-Dependencies 🟢 9 dependency not pinned by hash detected -- score normalized to 9 SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
nuget/Microsoft.Extensions.Hosting.Abstractions	10.0.9	Unknown	Unknown

Scanned Files

• src/Core/PokManager.Application/PokManager.Application.csproj
• src/Hosting/PokManager.AppHost/PokManager.AppHost.csproj
• src/Hosting/PokManager.ServiceDefaults/PokManager.ServiceDefaults.csproj
• src/Infrastructure/PokManager.Infrastructure/PokManager.Infrastructure.csproj

[JerrettDavis]

@dependabot rebase