Skip to content

Replace AutoMapper with Mapperly#123

Open
adamhathcock with Copilot wants to merge 5 commits into
masterfrom
copilot/replace-automapper-with-mapperly
Open

Replace AutoMapper with Mapperly#123
adamhathcock with Copilot wants to merge 5 commits into
masterfrom
copilot/replace-automapper-with-mapperly

Conversation

Copilot AI commented Apr 15, 2026

Copy link
Copy Markdown
Contributor

AutoMapper has a known high-severity vulnerability (GHSA-rvv3-g6hj-g44x) and requires a commercial license. This replaces it with Mapperly — a source-generator-based mapper with no runtime reflection and no licensing restrictions.

Changes

  • Removed AutoMapper from Directory.Packages.props and Conduit.csproj; added Riok.Mapperly v4.3.1
  • Deleted Features/Users/MappingProfile.cs and Features/Profiles/MappingProfile.cs
  • Added src/Conduit/Features/ConduitMapper.cs — a single Mapperly [Mapper] partial class covering both mappings:
[Mapper]
public partial class ConduitMapper
{
    [MapperIgnoreSource(nameof(Person.PersonId))]
    // ... other ignored source members (Hash, Salt, etc.)
    [MapperIgnoreTarget(nameof(User.Token))]
    public partial User PersonToUser(Person person);

    [MapperIgnoreSource(nameof(Person.PersonId))]
    // ... other ignored source members
    [MapperIgnoreTarget(nameof(Profile.IsFollowed))]
    public partial Profile PersonToProfile(Person person);
}
  • Updated ServicesExtensions.cs: services.AddAutoMapper(typeof(Program))services.AddSingleton<Features.ConduitMapper>()
  • Updated all handlers (Login, Create, Edit, Details, ProfileReader) to inject ConduitMapper directly and call mapper.PersonToUser(person) / mapper.PersonToProfile(person) instead of mapper.Map<,>()

Copilot AI linked an issue Apr 15, 2026 that may be closed by this pull request
Copilot AI and others added 2 commits April 15, 2026 15:29
Copilot AI changed the title [WIP] Replace Automapper with Mapperly to remove dependency Replace AutoMapper with Mapperly Apr 15, 2026
Copilot AI requested a review from adamhathcock April 15, 2026 15:39
@adamhathcock adamhathcock marked this pull request as ready for review April 15, 2026 16:33
@adamhathcock adamhathcock requested a review from Copilot April 15, 2026 16:33

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Replaces AutoMapper with Mapperly to eliminate the GHSA-rvv3-g6hj-g44x vulnerability risk and remove AutoMapper’s licensing constraints by switching to source-generated mappings.

Changes:

  • Swap package dependencies: remove AutoMapper and add Riok.Mapperly (incl. lockfile updates).
  • Replace per-feature AutoMapper profiles with a single source-generated ConduitMapper.
  • Update affected handlers/services to inject ConduitMapper and use PersonToUser / PersonToProfile.

Reviewed changes

Copilot reviewed 13 out of 13 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
tests/Conduit.IntegrationTests/packages.lock.json Updates transitive dependencies to drop AutoMapper and include Mapperly.
src/Conduit/packages.lock.json Updates direct dependency set to remove AutoMapper and add Mapperly.
src/Conduit/ServicesExtensions.cs Replaces AutoMapper service registration with ConduitMapper singleton registration.
src/Conduit/Features/Users/MappingProfile.cs Deletes AutoMapper profile previously used for Person -> User mapping.
src/Conduit/Features/Users/Login.cs Switches from IMapper.Map to ConduitMapper.PersonToUser.
src/Conduit/Features/Users/Edit.cs Switches from IMapper.Map to ConduitMapper.PersonToUser.
src/Conduit/Features/Users/Details.cs Switches from IMapper.Map to ConduitMapper.PersonToUser.
src/Conduit/Features/Users/Create.cs Switches from IMapper.Map to ConduitMapper.PersonToUser.
src/Conduit/Features/Profiles/ProfileReader.cs Switches from IMapper.Map to ConduitMapper.PersonToProfile.
src/Conduit/Features/Profiles/MappingProfile.cs Deletes AutoMapper profile previously used for Person -> Profile mapping.
src/Conduit/Features/ConduitMapper.cs Adds the new Mapperly [Mapper] partial class with explicit ignore configuration.
src/Conduit/Conduit.csproj Replaces AutoMapper package reference with Riok.Mapperly.
Directory.Packages.props Removes AutoMapper central version and adds Riok.Mapperly version.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread src/Conduit/Features/Profiles/ProfileReader.cs Outdated
@adamhathcock

Copy link
Copy Markdown
Collaborator

@copilot resolve the conflicts

- Keep Mapperly, drop AutoMapper (including updated 16.1.1 from master)
- Pick up global.json SDK 10.0.201 update from master
- Pick up GitHub Actions workflow update from master
- Pick up SliceFixture.cs AddLogging() fix from master
- Remove redundant duplicate null check in ProfileReader.cs

Agent-Logs-Url: https://github.com/gothinkster/aspnetcore-realworld-example-app/sessions/00567f7d-07a5-41b8-b841-f2512c22ee3f

Co-authored-by: adamhathcock <527620+adamhathcock@users.noreply.github.com>

Copilot AI commented Apr 16, 2026

Copy link
Copy Markdown
Contributor Author

@copilot resolve the conflicts

Conflicts resolved in a4cd454. The merge picks up master's SDK 10.0.201 update, GitHub Actions workflow change, and SliceFixture.cs AddLogging() fix, while keeping Mapperly in place of AutoMapper. Also removed the redundant duplicate null check in ProfileReader.cs flagged during review.

@adamhathcock

Copy link
Copy Markdown
Collaborator

@copilot update from master and see if more conflicts need to be resolved

Copilot AI commented Apr 16, 2026

Copy link
Copy Markdown
Contributor Author

@copilot update from master and see if more conflicts need to be resolved

Checked against the latest master — no new commits since the previous merge. The branch already includes all master changes (SDK 10.0.201, Actions workflow update, SliceFixture.cs AddLogging() fix). The only remaining differences vs master are intentional: Mapperly replacing AutoMapper. Build is clean.

…omapper-with-mapperly

# Conflicts:
#	Directory.Packages.props
#	src/Conduit/ServicesExtensions.cs
#	src/Conduit/packages.lock.json
#	tests/Conduit.IntegrationTests/packages.lock.json
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Replace Automapper with Mapperly

3 participants