Bump Bond.CSharp from 11.0.1 to 13.0.1#53

Merged
tiksn merged 1 commit into main from dependabot/nuget/Bond.CSharp-13.0.1
Oct 3, 2024
@dependabot dependabot bot commented on behalf of github Oct 3, 2024

Bumps Bond.CSharp from 11.0.1 to 13.0.1.

Release notes

Sourced from Bond.CSharp's releases.

13.0.1: 2024-10-02

  • IDL core version: 3.0
  • C++ version: 13.0.1
  • C# NuGet version: 13.0.1
  • Java version: 13.0.1
  • gbc & compiler library: 0.13.0.0

Java

  • There were no Java changes in this release.

C++

  • InputBuffer throws a StreamException when trying to skip beyond the end of the stream. This mitigates a CPU DoS vulnerability.
  • Deserialization from JSON payloads will no longer process very deeply nested structures. Instead, a bond::CoreException will be thrown in order to protect against stack overflows. The depth limit may be changed by calling the function bond::SetDeserializeMaxDepth(uint32_t).
  • Breaking change: Protocols must now implement CanReadArray method and Buffers must implement CanRead method. These are used to perform checks that mitigate memory allocation vulnerabilities.
  • Breaking change: Custom containers must implement reset_list and list_insert. Standard implementations are provided. This API is used to incrementally fill containers of complex types when preallocation may be unsafe. Expected container size is provided in reset_list, where client code can perform sanity checks before any memory is allocated by Bond.
  • bond::CoreException is thrown when the payload has a greater declared size than the backing buffer.
  • Known issue: Debug builds with MSVC 14.0 (Visual Studio 2015) may fail at runtime if custom allocators for containers are used. Newer MSVC versions and other compilers are not affected, neither are Release builds with MSVC 14.0. This can be worked around by using newer MSVC version or building in Release configuration.
  • Added support for Boost 1.83.

C#

  • Fixed compatibility with .NET 9.

Changelog

Sourced from Bond.CSharp's changelog.

13.0.1: 2024-10-02

  • IDL core version: 3.0
  • C++ version: 13.0.1
  • C# NuGet version: 13.0.1
  • Java version: 13.0.1
  • gbc & compiler library: 0.13.0.0

Java

  • There were no Java changes in this release.

C++

  • InputBuffer throws a StreamException when trying to skip beyond the end of the stream. This mitigates a CPU DoS vulnerability.
  • Deserialization from JSON payloads will no longer process very deeply nested structures. Instead, a bond::CoreException will be thrown in order to protect against stack overflows. The depth limit may be changed by calling the function bond::SetDeserializeMaxDepth(uint32_t).
  • Breaking change: Protocols must now implement CanReadArray method and Buffers must implement CanRead method. These are used to perform checks that mitigate memory allocation vulnerabilities.
  • Breaking change: Custom containers must implement reset_list and list_insert. Standard implementations are provided. This API is used to incrementally fill containers of complex types when preallocation may be unsafe. Expected container size is provided in reset_list, where client code can perform sanity checks before any memory is allocated by Bond.
  • bond::CoreException is thrown when the payload has a greater declared size than the backing buffer.
  • Known issue: Debug builds with MSVC 14.0 (Visual Studio 2015) may fail at runtime if custom allocators for containers are used. Newer MSVC versions and other compilers are not affected, neither are Release builds with MSVC 14.0. This can be worked around by using newer MSVC version or building in Release configuration.
  • Added support for Boost 1.83.

C#

  • Fixed compatibility with .NET 9.

13.0

This version was allocated but never released.

12.0

This version was allocated but never released.

Commits

  • b7e0dec Update the release date in change log.
  • a17b6ab Merge pull request #1214 from microsoft/jandupej/newboost
  • 0fa934e Updated the change log.
  • 7227944 Fix random number generation.
  • 82aefc3 Add boost 1.83 and vc 14.3 to build CI scripts.
  • 4e3a21f Merge pull request #1211 from microsoft/jandupej/net90-fix
  • d306ca1 Updated changelog.
  • a90a80a Merge branch 'master' into jandupej/net90-fix
  • c0fdc49 Merge pull request #1210 from microsoft/jandupej/more-dos-fixes
  • f2cfb4a Updating change log with msvc 14.0 information.
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
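
The C++ size checks in the release notes above (CanRead/CanReadArray, and rejecting a payload whose declared size exceeds the backing buffer) amount to validating a sender-supplied count against the bytes actually received before allocating anything. The sketch below is an added illustration, not code from Bond or from this PR; the `Reader` class, the wire format and every name in it are hypothetical.

```cpp
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <vector>

// Hypothetical minimal reader for illustration; these are not Bond's classes.
class Reader {
public:
    Reader(const uint8_t* data, size_t size) : p_(data), end_(data + size) {}
    size_t remaining() const { return static_cast<size_t>(end_ - p_); }
    // Are n more bytes really present in the backing buffer?
    bool can_read(size_t n) const { return n <= remaining(); }
    // Could `count` elements of `elem_size` bytes fit? Division avoids overflow.
    bool can_read_array(uint32_t count, size_t elem_size) const {
        return count <= remaining() / elem_size;
    }
    uint32_t read_u32() {  // little-endian
        if (!can_read(4)) throw std::out_of_range("read past end of buffer");
        uint32_t v = p_[0] | (p_[1] << 8) | (p_[2] << 16) | (uint32_t(p_[3]) << 24);
        p_ += 4;
        return v;
    }
private:
    const uint8_t *p_, *end_;
};

// Wire format assumed here: u32 element count, then that many u32 values.
std::vector<uint32_t> decode_u32_list(const uint8_t* data, size_t size) {
    Reader r(data, size);
    uint32_t count = r.read_u32();  // declared size, controlled by the sender
    if (!r.can_read_array(count, sizeof(uint32_t)))
        throw std::length_error("declared size exceeds backing buffer");
    std::vector<uint32_t> out;
    out.reserve(count);  // bounded by the bytes actually received
    for (uint32_t i = 0; i < count; ++i) out.push_back(r.read_u32());
    return out;
}

// Number of decoded elements, or -1 when the payload is rejected.
long decoded_count(const std::vector<uint8_t>& payload) {
    try { return (long)decode_u32_list(payload.data(), payload.size()).size(); }
    catch (const std::exception&) { return -1; }
}

// Constructed samples: a valid 2-element list; a 0xFFFFFFFF-element claim with 4 data bytes.
const std::vector<uint8_t> kValid = {2,0,0,0, 1,0,0,0, 2,0,0,0};
const std::vector<uint8_t> kOversized = {0xFF,0xFF,0xFF,0xFF, 1,0,0,0};

int main() { return decoded_count(kValid) == 2 && decoded_count(kOversized) == -1 ? 0 : 1; }
```

Without the `can_read_array` check, the `reserve` call would try to allocate roughly 16 GiB on the strength of a 4-byte header.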

Bumps [Bond.CSharp](https://github.com/microsoft/bond) from 11.0.1 to 13.0.1.
- [Release notes](https://github.com/microsoft/bond/releases)
- [Changelog](https://github.com/microsoft/bond/blob/master/CHANGELOG.md)
- [Commits](microsoft/bond@11.0.1...13.0.1)

---
updated-dependencies:
- dependency-name: Bond.CSharp
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot requested a review from tiksn October 3, 2024 11:37
dependabot bot commented on behalf of github Oct 3, 2024

The following labels could not be found: dependencies.

@tiksn tiksn merged commit 64d883a into main Oct 3, 2024
@dependabot dependabot bot deleted the dependabot/nuget/Bond.CSharp-13.0.1 branch October 3, 2024 13:53