intility · Erlend Ellefsen (erlendellefsen) · May 8, 2026 · May 7, 2026 · May 8, 2026 · May 8, 2026
@@ -1,5 +1 @@
-# Default owner for everything
 * @erlendellefsen
-
-# Security-sensitive files require extra review
-.github/workflows/** @erlendellefsen
@@ -3,10 +3,6 @@ description: File a basic issue.
 type: Task
 projects: ['intility/56']
 body:
-  - type: markdown
-    attributes:
-      value: |
-        Thanks for taking the time to fill out this issue!
   - type: textarea
     attributes:
       label: What's the issue?

@@ -4,35 +4,17 @@ labels: ['enhancement']
 type: Feature
 projects: ['intility/56']
 body:
-  - type: markdown
-    attributes:
-      value: |
-        Thanks for taking the time to request a new feature or enhancement. Please fill out the form below to help us understand your request.
   - type: textarea
     id: feature-request
     attributes:
       label: Feature request
-      description: Please describe the feature you would like to see.
-      placeholder: I would like to see...
+      description: What would you like to see?
     validations:
       required: true
   - type: textarea
     id: use-case
     attributes:
       label: Use case
-      description: Please describe the use case for this feature.
-      placeholder: This feature would be useful for...
-    validations:
-      required: false
-  - type: dropdown
-    id: priority
-    attributes:
-      label: Priority
-      description: Please select the priority of this feature request.
-      options:
-        - Low
-        - Medium
-        - High
-      default: 2
+      description: What problem does this solve? Why is the current behavior insufficient?
     validations:
       required: true
@@ -4,32 +4,38 @@ labels: ['bug']
 type: Bug
 projects: ['intility/56']
 body:
-  - type: markdown
-    attributes:
-      value: |
-        Thanks for taking the time to fill out this bug report!
   - type: textarea
     id: what-happened
     attributes:
       label: What happened?
-      description: Also tell us, what did you expect to happen?
-      placeholder: Tell us what you see!
-      value: 'A bug happened!'
+      description: What did you observe, and what did you expect instead?
+    validations:
+      required: true
+  - type: textarea
+    id: repro
+    attributes:
+      label: Steps to reproduce
+      description: Minimal repro steps. Code snippet, request, or test case if possible.
+      render: csharp
     validations:
       required: true
-  - type: dropdown
-    id: browsers
+  - type: input
+    id: toolkit-version
     attributes:
-      label: What browsers are you seeing the problem on?
-      multiple: true
-      options:
-        - Firefox
-        - Chrome
-        - Safari
-        - Microsoft Edge
+      label: JsonApiToolkit version
+      placeholder: e.g. 2.1.0
+    validations:
+      required: true
+  - type: input
+    id: dotnet-version
+    attributes:
+      label: .NET version
+      placeholder: e.g. 10.0
+    validations:
+      required: true
   - type: textarea
     id: logs
     attributes:
-      label: Relevant log output
-      description: Please copy and paste any relevant log output. This will be automatically formatted into code, so no need for backticks.
+      label: Relevant logs
+      description: Optional. Paste relevant log output. Formatting is automatic.
       render: shell
@@ -0,0 +1,5 @@
+name: "JsonApiToolkit CodeQL"
+
+paths-ignore:
+  - "**/bin/**"
+  - "**/obj/**"
@@ -14,7 +14,6 @@ updates:
     commit-message:
       prefix: "build(nuget)"
     groups:
-      # Group minor/patch updates to reduce PR noise
       microsoft:
         patterns:
           - "Microsoft.*"

@@ -0,0 +1,7 @@
+## Summary
+
+<!-- What does this change and why? -->
+
+## Related issues
+
+<!-- Closes #123, Refs #456 -->
@@ -2,7 +2,8 @@ name: CodeQL
 
 on:
   schedule:
-    - cron: "0 6 * * 1" # Monday 6am UTC
+    - cron: "0 6 * * 1"
+  workflow_dispatch:
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -32,6 +33,7 @@ jobs:
         with:
           languages: csharp
           queries: security-and-quality
+          config-file: ./.github/codeql/codeql-config.yml
 
       - name: Restore
         run: dotnet restore --locked-mode

@@ -21,7 +21,7 @@ jobs:
       - uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3
         id: app-token
         with:
-          app-id: ${{ vars.RELEASE_BOT_APP_ID }}
+          client-id: ${{ vars.RELEASE_BOT_APP_ID }}
           private-key: ${{ secrets.RELEASE_BOT_PRIVATE_KEY }}
 
       - uses: googleapis/release-please-action@45996ed1f6d02564a971a2fa1b5860e934307cf7

@@ -17,5 +17,5 @@ Set `"JsonApiToolkit": "Debug"` in appsettings.json to enable detailed query pro
 - **Pagination clamping**: Invalid page numbers are silently clamped (negative/zero -> page 1, overflow -> last page).
 - **Malformed query params**: Bad filter/sort/include syntax is logged and skipped, not thrown as exceptions.
 - **Filtered includes**: Dot notation in filters (e.g. `filter[author.name]=John`) applies to included resources when `include=author` is also set.
-- **Include whitelisting**: `AllowedIncludesAttribute` on controller actions restricts which relationships can be requested via `include=`, preventing unauthorized data exposure.
+- **Include allowlisting**: `AllowedIncludesAttribute` on controller actions restricts which relationships can be requested via `include=`, preventing unauthorized data exposure.
 - **Sparse fieldsets**: `fields[type]=field1,field2` works for both primary and included resources. `id` and `type` are always returned.
@@ -10,7 +10,7 @@ namespace JsonApiToolkit.Attributes;
 
 /// <summary>
 /// Restricts which relationships can be included in responses.
-/// Returns 403 Forbidden if requested includes don't match the whitelist.
+/// Returns 403 Forbidden if requested includes don't match the allowlist.
 /// </summary>
 [AttributeUsage(AttributeTargets.Method, AllowMultiple = false)]
 public class AllowedIncludesAttribute : ActionFilterAttribute

@@ -34,11 +34,11 @@ List<string> requestedFieldsCamelCase
             requestedFieldsCamelCase,
             StringComparer.OrdinalIgnoreCase
         );
-        foreach (PropertyInfo prop in EntityMapper.GetAttributeProperties(sourceType))
-        {
-            if (fieldSet.Contains(EntityMapper.GetAttributeName(prop)))
-                result.Add(prop);
-        }
+        result.AddRange(
+            EntityMapper
+                .GetAttributeProperties(sourceType)
+                .Where(prop => fieldSet.Contains(EntityMapper.GetAttributeName(prop)))
+        );
 
         return result;
     }

@@ -15,8 +15,8 @@ internal static class ReflectionMethodCache
     private static MethodInfo? s_enumerableContains;
     private static MethodInfo? s_enumerableWhere;
     private static MethodInfo? s_efCoreIncludeExpression;
-    private static MethodInfo? s_thenIncludeCollection;
-    private static MethodInfo? s_thenIncludeReference;
+    private static volatile MethodInfo? s_thenIncludeCollection;
+    private static volatile MethodInfo? s_thenIncludeReference;
     private static MethodInfo? s_queryableSelect;
     private static readonly ConcurrentDictionary<
         (Type Source, Type Projection),
@@ -50,7 +50,7 @@ internal static MethodInfo GetEnumerableAnyWithPredicate(Type elementType)
                     ?? throw new InvalidOperationException(
                         "Could not find Enumerable.Any<T>(IEnumerable<T>, Func<T, bool>) method. "
                             + "This is a core .NET method that should always exist. "
-                            + "Please report this issue at https://github.com/Intility/Intility.JsonApiToolkit/issues"
+                            + "Please report this issue at https://github.com/intility/json-api-toolkit/issues"
                     );
             }
         }
@@ -74,7 +74,7 @@ internal static MethodInfo GetEnumerableContains(Type elementType)
                     ?? throw new InvalidOperationException(
                         "Could not find Enumerable.Contains<T>(IEnumerable<T>, T) method. "
                             + "This is a core .NET method that should always exist. "
-                            + "Please report this issue at https://github.com/Intility/Intility.JsonApiToolkit/issues"
+                            + "Please report this issue at https://github.com/intility/json-api-toolkit/issues"
                     );
             }
         }
@@ -98,7 +98,7 @@ internal static MethodInfo GetEnumerableWhere(Type elementType)
                     ?? throw new InvalidOperationException(
                         "Could not find Enumerable.Where<T>(IEnumerable<T>, Func<T, bool>) method. "
                             + "This is a core .NET method that should always exist. "
-                            + "Please report this issue at https://github.com/Intility/Intility.JsonApiToolkit/issues"
+                            + "Please report this issue at https://github.com/intility/json-api-toolkit/issues"
                     );
             }
         }
@@ -126,7 +126,7 @@ Type propertyType
             ?? throw new InvalidOperationException(
                 $"Could not find Queryable.{methodName} method. "
                     + "This is a core .NET method that should always exist. "
-                    + "Please report this issue at https://github.com/Intility/Intility.JsonApiToolkit/issues"
+                    + "Please report this issue at https://github.com/intility/json-api-toolkit/issues"
             );
 
         return method.MakeGenericMethod(entityType, propertyType);
@@ -154,7 +154,7 @@ internal static MethodInfo GetEfCoreIncludeMethod(Type entityType, Type property
                     ?? throw new InvalidOperationException(
                         "Could not find EntityFrameworkQueryableExtensions.Include<TEntity, TProperty> method. "
                             + "Ensure Microsoft.EntityFrameworkCore is properly referenced. "
-                            + "Please report this issue at https://github.com/Intility/Intility.JsonApiToolkit/issues"
+                            + "Please report this issue at https://github.com/intility/json-api-toolkit/issues"
                     );
             }
         }
@@ -195,7 +195,7 @@ internal static MethodInfo GetQueryableSelectMethod(Type sourceType, Type projec
                             ?? throw new InvalidOperationException(
                                 "Could not find Queryable.Select<TSource, TResult>(IQueryable<TSource>, Expression<Func<TSource, TResult>>) method. "
                                     + "This is a core .NET method that should always exist. "
-                                    + "Please report this issue at https://github.com/Intility/Intility.JsonApiToolkit/issues"
+                                    + "Please report this issue at https://github.com/intility/json-api-toolkit/issues"
                             );
                     }
                 }
@@ -232,7 +232,7 @@ internal static MethodInfo GetEfCoreToListAsyncMethod(Type elementType)
                             ?? throw new InvalidOperationException(
                                 "Could not find EntityFrameworkQueryableExtensions.ToListAsync<T>(IQueryable<T>, CancellationToken) method. "
                                     + "Ensure Microsoft.EntityFrameworkCore is properly referenced. "
-                                    + "Please report this issue at https://github.com/Intility/Intility.JsonApiToolkit/issues"
+                                    + "Please report this issue at https://github.com/intility/json-api-toolkit/issues"
                             );
                     }
                 }
@@ -297,7 +297,7 @@ Type newPropertyType
                         throw new InvalidOperationException(
                             "Could not find EntityFrameworkQueryableExtensions.ThenInclude method. "
                                 + "Ensure Microsoft.EntityFrameworkCore is properly referenced. "
-                                + "Please report this issue at https://github.com/Intility/Intility.JsonApiToolkit/issues"
+                                + "Please report this issue at https://github.com/intility/json-api-toolkit/issues"
                         );
 
                     foreach (var candidate in candidates)
@@ -322,7 +322,7 @@ Type newPropertyType
                         ?? throw new InvalidOperationException(
                             "Could not find EntityFrameworkQueryableExtensions.ThenInclude method. "
                                 + "Ensure Microsoft.EntityFrameworkCore is properly referenced. "
-                                + "Please report this issue at https://github.com/Intility/Intility.JsonApiToolkit/issues"
+                                + "Please report this issue at https://github.com/intility/json-api-toolkit/issues"
                         );
                     s_thenIncludeReference ??= s_thenIncludeCollection;
                 }

@@ -11,7 +11,7 @@
     <Company>Intility</Company>
     <Description>A toolkit for implementing JSON:API specification in .NET applications</Description>
     <PackageTags>jsonapi;api;rest;dotnet</PackageTags>
-    <RepositoryUrl>https://github.com/intility/Intility.JsonApiToolkit</RepositoryUrl>
+    <RepositoryUrl>https://github.com/intility/json-api-toolkit</RepositoryUrl>
     <RepositoryType>git</RepositoryType>
     <PackageReadmeFile>README.md</PackageReadmeFile>
     <PackageLicenseExpression>MIT</PackageLicenseExpression>

@@ -413,6 +413,18 @@
         "resolved": "4.7.0",
         "contentHash": "ehYW0m9ptxpGWvE4zgqongBVWpSDU/JCFD4K7krxkQwSz/sFQjEXCUqpvencjy6DYDbn7Ig09R8GFffu8TtneQ=="
       }
+    },
+    "net10.0/linux-musl-x64": {
+      "System.Security.Cryptography.Pkcs": {
+        "type": "Transitive",
+        "resolved": "10.0.0",
+        "contentHash": "UPWqLSygJlFerRi9XNIuM0a1VC8gHUIufyP24xQ0sc+XimqUAEcjpOz9DhKpyDjH+5B/wO3RpC0KpkEeDj/ddg=="
+      },
+      "System.Security.Cryptography.ProtectedData": {
+        "type": "Transitive",
+        "resolved": "4.7.0",
+        "contentHash": "ehYW0m9ptxpGWvE4zgqongBVWpSDU/JCFD4K7krxkQwSz/sFQjEXCUqpvencjy6DYDbn7Ig09R8GFffu8TtneQ=="
+      }
     }
   }
 }