[FEATURE] Upgrade AutoMapper from 14.x to 16.x to resolve high-severity security vulnerability #414

@nanotaboada

Description

Problem

A high-severity Dependabot security alert (GHSA-rvv3-g6hj-g44x) has been raised against the AutoMapper 14.x dependency. The package was intentionally pinned to the 14.x line ([14.0.0,15.0.0) in the .csproj and via ignore rules in dependabot.yml) due to concerns about the commercial licensing introduced in AutoMapper 15.x.

Investigation shows that:

  • The vulnerability (GHSA-rvv3-g6hj-g44x) affects the entire 14.x and 15.x lines, as well as 16.0.0 — the first clean version is 16.1.1.
  • AutoMapper 15.x+ uses a dual-license model: free for open-source and non-commercial projects. As this is an open-source proof-of-concept with no commercial purpose, the licensing restriction does not apply.
  • AutoMapper 16.x introduced a breaking API change: the AddAutoMapper(Type) / AddAutoMapper(Assembly) DI overloads were removed in favour of AddAutoMapper(Action<IMapperConfigurationExpression>).

Reference: AutoMapper and MediatR Licensing Update – Jimmy Bogard

Proposed Solution

Upgrade AutoMapper from the pinned 14.x line to 16.x (minimum 16.1.1), remove the Dependabot ignore rules that prevented the major-version update, adapt the DI registration call to the new API, and verify that all existing mappings and tests continue to work correctly.

Suggested Approach

  1. Update .csproj — change the version constraint for AutoMapper from [14.0.0,15.0.0) to [16.1.1,17.0.0) in src/Dotnet.Samples.AspNetCore.WebApi/Dotnet.Samples.AspNetCore.WebApi.csproj.

  2. Update dependabot.yml — remove the ignore entries that pin AutoMapper to the 14.x major version from both NuGet entries (.github/dependabot.yml).

  3. Fix DI registration — update AddMappings() in src/Dotnet.Samples.AspNetCore.WebApi/Extensions/ServiceCollectionExtensions.cs:

    // Before (AutoMapper ≤15.x)
    services.AddAutoMapper(typeof(PlayerMappingProfile));

    // After (AutoMapper 16.x)
    services.AddAutoMapper(cfg => cfg.AddProfile<PlayerMappingProfile>());

  4. Verify PlayerMappingProfile.cs — confirm src/Dotnet.Samples.AspNetCore.WebApi/Mappings/PlayerMappingProfile.cs needs no further changes (standard CreateMap/ForMember/MapFrom/Ignore APIs are unaffected).

  5. Run the test suite (dotnet test --settings .runsettings) — all tests must pass before closing this issue.

  6. Update CHANGELOG.md — add an entry under [Unreleased] > Changed.
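
The upgraded AddMappings() extension together with a configuration-validation test, as an added example that is not code from this repository or from AutoMapper: the namespaces, the test class and the assumption that the 16.x DI registration exposes IConfigurationProvider through the container are mine, and the profile name comes from the issue. Validating the configuration from the container turns a silently broken mapping after the major-version bump into a failing test rather than a runtime surprise.

```csharp
// Added example, not the project's own code. Namespaces are assumed from
// the file paths in the issue; MappingConfigurationTests is hypothetical.
using AutoMapper;
using Dotnet.Samples.AspNetCore.WebApi.Mappings;
using Microsoft.Extensions.DependencyInjection;
using Xunit;

namespace Dotnet.Samples.AspNetCore.WebApi.Extensions;

public static class ServiceCollectionExtensions
{
    // AutoMapper 16.x: the Type/Assembly overloads are gone, so the profile is
    // registered explicitly through the configuration action instead of being
    // discovered by scanning the assembly that contains it.
    public static IServiceCollection AddMappings(this IServiceCollection services)
    {
        return services.AddAutoMapper(cfg => cfg.AddProfile<PlayerMappingProfile>());
    }
}

// Hypothetical xUnit test covering steps 4 and 5 of the approach above.
// It builds the container the same way the application does, then asks
// AutoMapper to prove every destination member of every map in
// PlayerMappingProfile is either mapped or explicitly ignored.
public class MappingConfigurationTests
{
    [Fact]
    public void Mapping_configuration_is_valid_after_upgrade_to_16x()
    {
        var services = new ServiceCollection();
        // AutoMapper 15+ takes an ILoggerFactory from the container; registering
        // logging keeps the resolution identical to the real host.
        services.AddLogging();
        services.AddMappings();

        using var provider = services.BuildServiceProvider();

        // Assumption: the 16.x registration still exposes IConfigurationProvider.
        var configuration = provider.GetRequiredService<IConfigurationProvider>();

        // Throws AutoMapperConfigurationException, naming each unmapped member,
        // if the profile no longer compiles cleanly under the new version.
        configuration.AssertConfigurationIsValid();
    }
}
```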

Acceptance Criteria

  • AutoMapper package version updated to [16.1.1,17.0.0) in the .csproj
  • Dependabot ignore rules for AutoMapper major-version updates removed from dependabot.yml
  • High-severity Dependabot security alert GHSA-rvv3-g6hj-g44x is resolved (dotnet restore produces no NU1903 warning)
  • AddAutoMapper registration updated to the 16.x config-action API
  • dotnet build --configuration Release succeeds with 0 warnings and 0 errors
  • dotnet test --settings .runsettings — all tests pass
  • CHANGELOG.md updated under [Unreleased]

Labels: dotnet (Pull requests that update .NET code), enhancement (New feature or request), priority:critical (Blocking dependency or production issue. Must be addressed before other work.)