v1.6.0

Author: StefH

Diff for: CHANGELOG.md

@@ -1,3 +1,7 @@
+# v1.6.0 (26 January 2025)
+- [#884](https://github.com/zzzprojects/System.Linq.Dynamic.Core/pull/884) - By default the RestrictOrderByToPropertyOrField is now set to true in the ParsingConfig [feature] contributed by [StefH](https://github.com/StefH)
+- [#867](https://github.com/zzzprojects/System.Linq.Dynamic.Core/issues/867) - CVE-2024-51417: System.Linq.Dynamic.Core allows remote access to properties on reflection types and static properties/fields [bug]
+
 # v1.6.0-preview-03 (25 January 2025)
 - [#876](https://github.com/zzzprojects/System.Linq.Dynamic.Core/pull/876) - Update and Fix SecurityTests [test] contributed by [mariusz96](https://github.com/mariusz96)
 - [#882](https://github.com/zzzprojects/System.Linq.Dynamic.Core/pull/882) - ExpressionParser: add 2nd ctor with an extra non-optional parameter [feature] contributed by [StefH](https://github.com/StefH)

Diff for: Generate-ReleaseNotes.bat

@@ -1,5 +1,5 @@
 rem https://github.com/StefH/GitHubReleaseNotes
 
-SET version=v1.6.0-preview-03
+SET version=v1.6.0
 
 GitHubReleaseNotes --output CHANGELOG.md --exclude-labels invalid question documentation wontfix environment duplicate --language en --version %version% --token %GH_TOKEN%

Diff for: README.md

@@ -49,16 +49,17 @@ public class MyCustomClass
 If it's not possible to add that attribute, you need to implement a custom [CustomTypeProvider](https://dynamic-linq.net/advanced-configuration#customtypeprovider) and set this to the `ParsingConfig` and provide that config to all dynamic calls.
 Or provide a list of addtional types in the [DefaultDynamicLinqCustomTypeProvider.cs](https://github.com/zzzprojects/System.Linq.Dynamic.Core/blob/master/src/System.Linq.Dynamic.Core/CustomTypeProviders/DefaultDynamicLinqCustomTypeProvider.cs).
 
-### v1.6.0-preview-01, 02, 03
+### v1.6.0
 #### Change 1
 It's not allowed anymore to call any methods on the `object` type. By default also the `ToString` and `Equals` methods are not allowed.
-To allow these methods set `AllowEqualsAndToStringMethodsOnObject` to `true` in the `ParsingConfig` and provide that config to all dynamic calls.
 This is done to mitigate the risk of calling methods on the `object` type which could lead to security issues (CVE-2024-51417).
+To allow these methods set `AllowEqualsAndToStringMethodsOnObject` to `true` in the `ParsingConfig` and provide that config to all dynamic calls.
 
 #### Change 2
 By default the `RestrictOrderByToPropertyOrField` is now set to `true` in the `ParsingConfig`. 
 Which means that only properties and fields can be used in the `OrderBy` / `ThenBy`.
 This is done to mitigate the risk of calling methods or other expressions in the `OrderBy` / `ThenBy` which could lead to security issues.
+To allow these methods set `RestrictOrderByToPropertyOrField` to `false` in the `ParsingConfig` and provide that config to all dynamic calls.
 
 ---
 

Diff for: version.xml

@@ -1,5 +1,5 @@
 <Project>
   <PropertyGroup>
-    <PatchVersion>0-preview-03</PatchVersion>
+    <PatchVersion>0</PatchVersion>
   </PropertyGroup>
 </Project>