fix: upgrade log4net 2.0.17 → 3.3.1 to resolve NU1902 vulnerability

[Copilot]

CI was failing at restore with NU1902 (warnings-as-errors) due to log4net 2.0.17 carrying GHSA-4f7c-pmjv-c25w. There is no 2.0.18 — the patch ships in the 3.x line, with 3.3.1 being the first release to explicitly address this advisory.

Changes

• src/Elastic.CommonSchema.Log4net/Elastic.CommonSchema.Log4net.csproj — bump log4net from 2.0.17 to 3.3.1

- <PackageReference Include="log4net" Version="2.0.17" />
+ <PackageReference Include="log4net" Version="3.3.1" />

The 3.x public API surface used by this project (LayoutSkeleton, LoggingEvent, ThreadContextStack, LogicalThreadContextStack, SystemStringFormat) is unchanged, so no source modifications are required.

Original prompt

The GitHub Actions job failed in repository elastic/ecs-dotnet on PR #562 due to a restore-time package vulnerability being treated as an error (NU1902).

Failure details:

• Workflow: .github/workflows/test.yml
• Failing job: run 24968209539, job 74593383050
• Commit/ref associated with the failure: ee4b7df118fbf98a3e435fb6f1018a1222dee28f
• Error from logs:
  • src/Elastic.CommonSchema.Log4net/Elastic.CommonSchema.Log4net.csproj : error NU1902: Warning As Error: Package 'log4net' 2.0.17 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-4f7c-pmjv-c25w
  • tests/Elastic.CommonSchema.Log4net.Tests/Elastic.CommonSchema.Log4net.Tests.csproj : error NU1902 as a consequence of referencing the affected project

Relevant files:

• .github/workflows/test.yml — Linux build job runs ./build.sh build -s true, which fails during restore/build.
• src/Elastic.CommonSchema.Log4net/Elastic.CommonSchema.Log4net.csproj currently contains:
  • <PackageReference Include="log4net" Version="2.0.17" />
• tests/Elastic.CommonSchema.Log4net.Tests/Elastic.CommonSchema.Log4net.Tests.csproj references the Log4net source project and should not need a direct package change.

Requested fix:

1. Update the vulnerable log4net dependency in src/Elastic.CommonSchema.Log4net/Elastic.CommonSchema.Log4net.csproj from 2.0.17 to a patched non-vulnerable version (for example 2.0.18, or the latest safe compatible version available).
2. Keep the fix minimal and focused on resolving the CI failure.
3. If necessary, update any lock files or related dependency metadata so restore succeeds in CI.
4. Do not suppress NU1902; fix the underlying vulnerable dependency instead.
5. Open a pull request with a concise explanation that this resolves the failing restore caused by the vulnerable log4net package.

Acceptance criteria:

• The repository no longer references vulnerable log4net 2.0.17 in the affected project.
• Restore/build for the failing workflow path should no longer fail with NU1902 for log4net.
• The PR is limited to the dependency fix and any necessary supporting file updates.

The following is the prior conversation context from the user's chat exploration (may be truncated):

User: Please find a solution for this failing job. Use the logs, job definition, and any referenced files where the failure occurred. Keep your response focused on the solution and include code suggestions when appropriate.

Assistant: The failure is caused by restore treating a package vulnerability warning as an error:

• src/Elastic.CommonSchema.Log4net/Elastic.CommonSchema.Log4net.csproj#L13 pins log4net to 2.0.17
• restore fails with NU1902 for advisory GHSA-4f7c-pmjv-c25w
• the test project fails as a consequence because it references the affected project: tests/Elastic.CommonSchema.Log4net.Tests/Elastic.CommonSchema.Log4net.Tests.csproj#L9

The failing workflow step is the Linux build job in .github/workflows/test.yml#L70-L80, where ./build.sh build -s true restores and builds the solution.

Fix

Upgrade log4net in src/Elastic.CommonSchema.Log4net/Elastic.CommonSchema.Log4net.csproj#L13 to a non-vulnerable version.

Suggested change:

<ItemGroup>
  <PackageReference Include="log4net" Version="2.0.18" />
</ItemGroup>

If a newer patched release is available in your dependency policy, prefer the latest safe version instead of 2.0.18.

Patch

--- a/src/Elastic.CommonSchema.Log4net/Elastic.CommonSchema.Log4net.csproj
+++ b/src/Elastic.CommonSchema.Log4net/Elastic.CommonSchema.Log4net.csproj
@@
-    <PackageReference Include="log4net" Version="2.0.17" />
+    <PackageReference Include="log4net" Version="2.0.18" />

Why this solves it

The logs show the only restore errors are:

• src/Elastic.CommonSchema.Log4net/Elastic.CommonSchema.Log4net.csproj : error NU1902
• tests/Elastic.CommonSchema.Log4net.Tests/Elastic.CommonSchema.Log4net.Tests.csproj : error NU1902

Since the test project references the Log4net project rather than directly referencing log4net, updating the package in the source project removes the vulnerable dependency for both restore paths.

Files involved

• Workflow: .github/workflows/test.yml
• Failing package reference: src/Elastic.CommonSchema.Log4net/Elastic.CommonSchema.Log4net.csproj#L13
• Referencing test project: tests/Elastic.CommonSchema.Log4net.Tests/Elastic.CommonSchema.Log4net.Tests.csproj#L9

If compatibility with a patched log4net release is a concern, the onl...

This pull request was created from Copilot chat.

[Copilot]

Pull request overview

This PR upgrades the log4net dependency used by Elastic.CommonSchema.Log4net from 2.0.17 to 3.3.1 to resolve a restore-time NU1902 vulnerability failure (warnings-as-errors) tied to advisory GHSA-4f7c-pmjv-c25w.

Changes:

• Bump log4net package reference in the Log4net formatter project from 2.0.17 to 3.3.1.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.