From fc606b537f071f64377eba8fbf8c1e2382a54a70 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 11 May 2026 01:46:02 +0000
Subject: [PATCH 1/2] Bump the testing group with 1 update

Bumps Verify.NUnit from 31.16.2 to 31.16.3

---
updated-dependencies:
- dependency-name: Verify.NUnit
  dependency-version: 31.16.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: testing
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 Directory.Packages.props | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Directory.Packages.props b/Directory.Packages.props
index 00658d4..591d8a0 100644
--- a/Directory.Packages.props
+++ b/Directory.Packages.props
@@ -33,7 +33,7 @@
     <PackageVersion Include="Microsoft.CodeAnalysis.Analyzers" Version="5.3.0" />
     <!-- Source Generator Testing -->
     <PackageVersion Include="Verify.SourceGenerators" Version="2.5.0" />
-    <PackageVersion Include="Verify.NUnit" Version="31.16.2" />
+    <PackageVersion Include="Verify.NUnit" Version="31.16.3" />
     <!-- Analyzer Testing (pinned to match Microsoft.CodeAnalysis.CSharp 5.0.0) -->
     <PackageVersion Include="Microsoft.CodeAnalysis.CSharp.Analyzer.Testing" Version="1.1.3" />
     <PackageVersion Include="Microsoft.CodeAnalysis.CSharp.CodeFix.Testing" Version="1.1.3" />

From a4f8d921f0c1ccb1dcc1454136ab046e36111ae2 Mon Sep 17 00:00:00 2001
From: James A Sutherland <j@sutherland.pw>
Date: Sun, 17 May 2026 11:10:11 -0500
Subject: [PATCH 2/2] Pin SharpCompress/Snappier to patched versions

MongoDB.Driver 3.8.0 pulls in vulnerable transitive SharpCompress 0.30.1
(GHSA-6c8g-7p36-r338) and Snappier 1.0.0 (GHSA-pggp-6c3x-2xmx). Pin them
to SharpCompress 1.0.0 and Snappier 1.3.1 via direct references.
---
 Directory.Packages.props                         | 3 +++
 src/SharpDicom.MongoDB/SharpDicom.MongoDB.csproj | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/Directory.Packages.props b/Directory.Packages.props
index 591d8a0..f1327ec 100644
--- a/Directory.Packages.props
+++ b/Directory.Packages.props
@@ -39,5 +39,8 @@
     <PackageVersion Include="Microsoft.CodeAnalysis.CSharp.CodeFix.Testing" Version="1.1.3" />
     <!-- MongoDB Integration (v3.x targets netstandard2.1/net6.0+, NOT netstandard2.0) -->
     <PackageVersion Include="MongoDB.Driver" Version="3.8.0" />
+    <!-- Pin vulnerable transitive deps of MongoDB.Driver (GHSA-6c8g-7p36-r338, GHSA-pggp-6c3x-2xmx) -->
+    <PackageVersion Include="SharpCompress" Version="1.0.0" />
+    <PackageVersion Include="Snappier" Version="1.3.1" />
   </ItemGroup>
 </Project>
\ No newline at end of file
diff --git a/src/SharpDicom.MongoDB/SharpDicom.MongoDB.csproj b/src/SharpDicom.MongoDB/SharpDicom.MongoDB.csproj
index d5f96af..3976de2 100644
--- a/src/SharpDicom.MongoDB/SharpDicom.MongoDB.csproj
+++ b/src/SharpDicom.MongoDB/SharpDicom.MongoDB.csproj
@@ -18,5 +18,8 @@
   <ItemGroup>
     <PackageReference Include="Microsoft.Bcl.AsyncInterfaces" />
     <PackageReference Include="MongoDB.Driver" />
+    <!-- Pin vulnerable transitive deps of MongoDB.Driver (GHSA-6c8g-7p36-r338, GHSA-pggp-6c3x-2xmx) -->
+    <PackageReference Include="SharpCompress" />
+    <PackageReference Include="Snappier" />
   </ItemGroup>
 </Project>