Bump AutoMapper from 13.0.1 to 15.1.1

[dependabot]

Updated AutoMapper from 13.0.1 to 15.1.1.

Release notes

Sourced from AutoMapper's releases.

15.1.1

What's Changed

• docs: Document duplicate license message behavior and fixes by @​Copilot in docs: Document duplicate license message behavior and fixes LuckyPennySoftware/AutoMapper#4617

Security

Fixed an issue where certain cyclic or self-referential object graphs could trigger uncontrolled recursion during mapping, potentially resulting in stack exhaustion and denial of service.

Applications that process untrusted or attacker-controlled object graphs through affected mapping paths may be impacted.

Users should upgrade to this release.

Security advisory: GHSA-rvv3-g6hj-g44x

Thanks to @​skdishansachin for responsibly disclosing this issue.

Full Changelog: LuckyPennySoftware/AutoMapper@v16.1.1...v15.1.1

15.1.0

What's Changed

• remove Microsoft.SourceLink.GitHub by @​SimonCropp in remove Microsoft.SourceLink.GitHub LuckyPennySoftware/AutoMapper#4555
• Direct .NET 4.x support by @​jbogard in Direct .NET 4.x support LuckyPennySoftware/AutoMapper#4569
• Bumping the JsonWebTokens because of GHSA-8g4q-xg66-9fp4; fixes #​4575 by @​jbogard in Bumping the JsonWebTokens because of GHSA-8g4q-xg66-9fp4; fixes #4575 LuckyPennySoftware/AutoMapper#4576
• Provide better exceptions for errors when building the mapping plan by @​jbogard in Provide better exceptions for errors when building the mapping plan LuckyPennySoftware/AutoMapper#4577
• Adding docs for license configuration by @​jbogard in Adding docs for license configuration LuckyPennySoftware/AutoMapper#4581
• Updating refs to fix missing method issue by @​jbogard in Updating refs to fix missing method issue LuckyPennySoftware/AutoMapper#4582

New Contributors

• @​SimonCropp made their first contribution in remove Microsoft.SourceLink.GitHub LuckyPennySoftware/AutoMapper#4555

Full Changelog: LuckyPennySoftware/AutoMapper@v15.0.1...v15.1.0

15.0.1

What's Changed

• Removing public signing; fixes #​4545 by @​jbogard in Removing public signing; fixes #4545 LuckyPennySoftware/AutoMapper#4552
• Adding back missing overloads and reverting registering behavior by @​jbogard in Adding back missing overloads and reverting registering behavior LuckyPennySoftware/AutoMapper#4554

Full Changelog: LuckyPennySoftware/AutoMapper@v15.0.0...v15.0.1

This release supersedes the 15.0.0 release, reverting behavior and overloads so that the AddAutoMapper overloads separate the "scanning for maps" from the "scanning for dependencies". Unfortunately it's not really possible to combine these two together.

This also fixes a critical bug in #​4545 that does not work with .NET 4.x applications (as intended).

Because of this, the 15.0.0 will be delisted because of the breaking changes there.

15.0.0

Full Changelog: LuckyPennySoftware/AutoMapper@v14.0.0...v15.0.0

• Added support for .NET Standard 2.0
• Requiring license key
• Moving from MIT license to dual commercial/OSS license

To set your license key:

services.AddAutoMapper(cfg => {
    cfg.LicenseKey = "<License key here>";
});

This also introduced a breaking change with MapperConfiguration requiring an ILoggerFactory for logging purposes:

public MapperConfiguration(MapperConfigurationExpression configurationExpression, ILoggerFactory loggerFactory)

Registering AutoMapper with services.AddAutoMapper will automatically supply this parameter. Otherwise you'll need to supply the logger factory.

You can obtain your license key at AutoMapper.io

14.0.0

What's Changed

• Reverted the nullable annotations by @​lbargaoanu in Reverted the nullable annotations LuckyPennySoftware/AutoMapper#4390
• Fix polymorphic mapping when some derived types have explicit mappings and others do not by @​kev-andrews in Fix polymorphic mapping when some derived types have explicit mappings and others do not LuckyPennySoftware/AutoMapper#4402
• The default naming conventions for a profile should come from the glo… by @​lbargaoanu in The default naming conventions for a profile should come from the glo… LuckyPennySoftware/AutoMapper#4428
• Fix Issue #​4502 - Confusing exception when trying to map types with … by @​Biotronic in Fix Issue #4502 - Confusing exception when trying to map types with … LuckyPennySoftware/AutoMapper#4503
• Target .net 8 and seal more classes by @​lbargaoanu in Target .net 8 and seal more classes LuckyPennySoftware/AutoMapper#4474
• Target .Net 9 in tests by @​lbargaoanu in Target .Net 9 in tests LuckyPennySoftware/AutoMapper#4507
• Changed lock-threads parameters by @​lbargaoanu in Changed lock-threads parameters LuckyPennySoftware/AutoMapper#4516
• Don't throw and catch on validation by @​lbargaoanu in Don't throw and catch on validation LuckyPennySoftware/AutoMapper#4526

New Contributors

• @​kev-andrews made their first contribution in Fix polymorphic mapping when some derived types have explicit mappings and others do not LuckyPennySoftware/AutoMapper#4402
• @​Biotronic made their first contribution in Fix Issue #4502 - Confusing exception when trying to map types with … LuckyPennySoftware/AutoMapper#4503

Full Changelog: LuckyPennySoftware/AutoMapper@v13.0.1...v14.0.0

Commits viewable in compare view.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	nuget/​automapper@​13.0.1 ⏵ 15.1.1		+16			-30

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		License policy violation: nuget automapper under RPL-1.5 License: RPL-1.5 - the applicable license policy does not allow this license (4) (LICENSE.md) From: src/Libraries/Nop.Core/Nop.Core.csproj → nuget/automapper@15.1.1 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore nuget/automapper@15.1.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: nuget microsoft.extensions.dependencyinjection.abstractions under NIST-Software License: NIST-Software - the applicable license policy does not allow this license (4) (THIRD-PARTY-NOTICES.TXT) From: src/Libraries/Nop.Core/Nop.Core.csproj → nuget/automapper@15.1.1 → nuget/microsoft.extensions.caching.sqlserver@9.0.0 → nuget/microsoft.extensions.caching.stackexchangeredis@9.0.0 → nuget/autofac.extensions.dependencyinjection@10.0.0 → nuget/azure.extensions.aspnetcore.dataprotection.blobs@1.3.4 → nuget/azure.extensions.aspnetcore.dataprotection.keys@1.2.4 → nuget/microsoft.extensions.dependencyinjection.abstractions@10.0.0 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore nuget/microsoft.extensions.dependencyinjection.abstractions@10.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: nuget microsoft.extensions.logging.abstractions under NIST-Software License: NIST-Software - the applicable license policy does not allow this license (4) (THIRD-PARTY-NOTICES.TXT) From: src/Libraries/Nop.Core/Nop.Core.csproj → nuget/automapper@15.1.1 → nuget/microsoft.extensions.caching.stackexchangeredis@9.0.0 → nuget/azure.extensions.aspnetcore.dataprotection.blobs@1.3.4 → nuget/azure.extensions.aspnetcore.dataprotection.keys@1.2.4 → nuget/microsoft.extensions.logging.abstractions@10.0.0 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore nuget/microsoft.extensions.logging.abstractions@10.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: nuget microsoft.extensions.options under NIST-Software License: NIST-Software - the applicable license policy does not allow this license (4) (THIRD-PARTY-NOTICES.TXT) From: src/Libraries/Nop.Core/Nop.Core.csproj → nuget/automapper@15.1.1 → nuget/microsoft.extensions.caching.sqlserver@9.0.0 → nuget/microsoft.extensions.caching.stackexchangeredis@9.0.0 → nuget/azure.extensions.aspnetcore.dataprotection.blobs@1.3.4 → nuget/azure.extensions.aspnetcore.dataprotection.keys@1.2.4 → nuget/microsoft.extensions.options@10.0.0 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore nuget/microsoft.extensions.options@10.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: nuget microsoft.extensions.primitives under NIST-Software License: NIST-Software - the applicable license policy does not allow this license (4) (THIRD-PARTY-NOTICES.TXT) From: src/Libraries/Nop.Core/Nop.Core.csproj → nuget/automapper@15.1.1 → nuget/microsoft.extensions.caching.sqlserver@9.0.0 → nuget/microsoft.extensions.caching.stackexchangeredis@9.0.0 → nuget/azure.extensions.aspnetcore.dataprotection.blobs@1.3.4 → nuget/azure.extensions.aspnetcore.dataprotection.keys@1.2.4 → nuget/microsoft.extensions.primitives@10.0.0 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore nuget/microsoft.extensions.primitives@10.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: nuget system.diagnostics.diagnosticsource under NIST-Software License: NIST-Software - the applicable license policy does not allow this license (4) (THIRD-PARTY-NOTICES.TXT) From: src/Libraries/Nop.Core/Nop.Core.csproj → nuget/automapper@15.1.1 → nuget/azure.storage.blobs@12.23.0 → nuget/microsoft.data.sqlclient@5.2.2 → nuget/microsoft.extensions.caching.sqlserver@9.0.0 → nuget/microsoft.extensions.caching.stackexchangeredis@9.0.0 → nuget/azure.identity@1.13.1 → nuget/autofac.extensions.dependencyinjection@10.0.0 → nuget/azure.extensions.aspnetcore.dataprotection.blobs@1.3.4 → nuget/azure.extensions.aspnetcore.dataprotection.keys@1.2.4 → nuget/system.diagnostics.diagnosticsource@10.0.0 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore nuget/system.diagnostics.diagnosticsource@10.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[socket-security-staging]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	nuget/​automapper@​13.0.1 ⏵ 15.1.1		+16			-30

View full report

[socket-security-staging]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		License policy violation: nuget automapper under RPL-1.5 License: RPL-1.5 - the applicable license policy does not allow this license (4) (LICENSE.md) From: src/Libraries/Nop.Core/Nop.Core.csproj → nuget/automapper@15.1.1 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity-Staging ignore nuget/automapper@15.1.1. You can also ignore all packages with @SocketSecurity-Staging ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: nuget microsoft.extensions.dependencyinjection.abstractions under NIST-Software License: NIST-Software - the applicable license policy does not allow this license (4) (THIRD-PARTY-NOTICES.TXT) License: MIT WITH fmt-exception - the applicable license policy does not allow this license exception (THIRD-PARTY-NOTICES.TXT) From: src/Libraries/Nop.Core/Nop.Core.csproj → nuget/azure.extensions.aspnetcore.dataprotection.blobs@1.3.4 → nuget/microsoft.extensions.caching.sqlserver@9.0.0 → nuget/microsoft.extensions.caching.stackexchangeredis@9.0.0 → nuget/autofac.extensions.dependencyinjection@10.0.0 → nuget/azure.extensions.aspnetcore.dataprotection.keys@1.2.4 → nuget/automapper@15.1.1 → nuget/microsoft.extensions.dependencyinjection.abstractions@10.0.0 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity-Staging ignore nuget/microsoft.extensions.dependencyinjection.abstractions@10.0.0. You can also ignore all packages with @SocketSecurity-Staging ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: nuget microsoft.extensions.logging.abstractions under NIST-Software License: NIST-Software - the applicable license policy does not allow this license (4) (THIRD-PARTY-NOTICES.TXT) License: MIT WITH fmt-exception - the applicable license policy does not allow this license exception (THIRD-PARTY-NOTICES.TXT) From: src/Libraries/Nop.Core/Nop.Core.csproj → nuget/azure.extensions.aspnetcore.dataprotection.blobs@1.3.4 → nuget/microsoft.extensions.caching.stackexchangeredis@9.0.0 → nuget/azure.extensions.aspnetcore.dataprotection.keys@1.2.4 → nuget/automapper@15.1.1 → nuget/microsoft.extensions.logging.abstractions@10.0.0 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity-Staging ignore nuget/microsoft.extensions.logging.abstractions@10.0.0. You can also ignore all packages with @SocketSecurity-Staging ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: nuget microsoft.extensions.options under NIST-Software License: NIST-Software - the applicable license policy does not allow this license (4) (THIRD-PARTY-NOTICES.TXT) License: MIT WITH fmt-exception - the applicable license policy does not allow this license exception (THIRD-PARTY-NOTICES.TXT) From: src/Libraries/Nop.Core/Nop.Core.csproj → nuget/azure.extensions.aspnetcore.dataprotection.blobs@1.3.4 → nuget/microsoft.extensions.caching.sqlserver@9.0.0 → nuget/microsoft.extensions.caching.stackexchangeredis@9.0.0 → nuget/azure.extensions.aspnetcore.dataprotection.keys@1.2.4 → nuget/automapper@15.1.1 → nuget/microsoft.extensions.options@10.0.0 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity-Staging ignore nuget/microsoft.extensions.options@10.0.0. You can also ignore all packages with @SocketSecurity-Staging ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: nuget microsoft.extensions.primitives under NIST-Software License: NIST-Software - the applicable license policy does not allow this license (4) (THIRD-PARTY-NOTICES.TXT) License: MIT WITH fmt-exception - the applicable license policy does not allow this license exception (THIRD-PARTY-NOTICES.TXT) From: src/Libraries/Nop.Core/Nop.Core.csproj → nuget/azure.extensions.aspnetcore.dataprotection.blobs@1.3.4 → nuget/microsoft.extensions.caching.sqlserver@9.0.0 → nuget/microsoft.extensions.caching.stackexchangeredis@9.0.0 → nuget/azure.extensions.aspnetcore.dataprotection.keys@1.2.4 → nuget/automapper@15.1.1 → nuget/microsoft.extensions.primitives@10.0.0 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity-Staging ignore nuget/microsoft.extensions.primitives@10.0.0. You can also ignore all packages with @SocketSecurity-Staging ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: nuget system.diagnostics.diagnosticsource under NIST-Software License: NIST-Software - the applicable license policy does not allow this license (4) (THIRD-PARTY-NOTICES.TXT) License: MIT WITH fmt-exception - the applicable license policy does not allow this license exception (THIRD-PARTY-NOTICES.TXT) From: src/Libraries/Nop.Core/Nop.Core.csproj → nuget/microsoft.data.sqlclient@5.2.2 → nuget/azure.storage.blobs@12.23.0 → nuget/azure.extensions.aspnetcore.dataprotection.blobs@1.3.4 → nuget/microsoft.extensions.caching.sqlserver@9.0.0 → nuget/microsoft.extensions.caching.stackexchangeredis@9.0.0 → nuget/autofac.extensions.dependencyinjection@10.0.0 → nuget/azure.identity@1.13.1 → nuget/azure.extensions.aspnetcore.dataprotection.keys@1.2.4 → nuget/automapper@15.1.1 → nuget/system.diagnostics.diagnosticsource@10.0.0 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity-Staging ignore nuget/system.diagnostics.diagnosticsource@10.0.0. You can also ignore all packages with @SocketSecurity-Staging ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report