Download Latest Version
3.6.2 source code.tar.gz (25.2 MB)
Get an email when there's a new version of Elsa Workflows
| Name | Modified | Size | Downloads / Week |
|---|---|---|---|
| Parent folder | |||
| 3.6.2 source code.tar.gz | 2026-05-08 | 25.2 MB | |
| 3.6.2 source code.zip | 2026-05-08 | 27.4 MB | |
| README.md | 2026-05-08 | 1.3 kB | |
| Totals: 3 Items | 52.5 MB | 0 | |
Elsa 3.6.2 is a patch release that addresses a NuGet security warning caused by a vulnerable transitive dependency.
Security
- Fixed
NU1903warnings/errors forSnappier1.2.0, which has a known high-severity vulnerability: GHSA-pggp-6c3x-2xmx. - Elsa did not reference
Snappierdirectly; it was introduced transitively through:
text
Elsa.Common -> IronCompress 1.7.0 -> Snappier 1.2.0
- Elsa now explicitly pins
Snappierto1.3.1, the first patched version.
Notes
- We investigated replacing
IronCompress, but it is used by Elsa’s Zstd compression codec. - Factoring out
IronCompresswould require changing compression behavior and validating compatibility with already persisted compressed workflow data. - For a patch release, overriding the vulnerable transitive dependency is the safest and least disruptive fix.
Validation
- Confirmed that
dotnet list Elsa.sln package --include-transitiveresolvesSnappierto1.3.1. - Confirmed that
NU1903is no longer reported forSnappier. - Confirmed that
Elsa.Commonbuilds successfully.
Full Changelog: https://github.com/elsa-workflows/elsa-core/compare/3.6.1...3.6.2
