You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
We need to update the version of Microsoft.IdentityModel.Tokens referenced by the host whenever a new version of the package is released. At the very least, any release of ours should also upgrade the version referenced by the host to the current latest. But we should also identify when a new version has been released and line up the appropriate changes out of band. Some coordination with the owners of https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet may be appropriate.
Please note that the intent for this is separate from CVE response. We already have processes in place for taking security updates here.
This is an assembly which frequently is referenced by user code, but it is removed during the build under the assumption that the host will be providing it. This means that if a project updates to a newer version than what the host references, an error will occur. See #7878. There is a workaround to that using _FunctionsSkipCleanOutput and FunctionsPreservedDependencies. With this work, we would reduce the encounter rate for that issue, and it should only appear if the application is referencing one version higher than what the host has, and only while a release is rolling with the newer version.
The text was updated successfully, but these errors were encountered:
We need to update the version of Microsoft.IdentityModel.Tokens referenced by the host whenever a new version of the package is released. At the very least, any release of ours should also upgrade the version referenced by the host to the current latest. But we should also identify when a new version has been released and line up the appropriate changes out of band. Some coordination with the owners of https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet may be appropriate.
Please note that the intent for this is separate from CVE response. We already have processes in place for taking security updates here.
This is an assembly which frequently is referenced by user code, but it is removed during the build under the assumption that the host will be providing it. This means that if a project updates to a newer version than what the host references, an error will occur. See #7878. There is a workaround to that using
_FunctionsSkipCleanOutput
andFunctionsPreservedDependencies
. With this work, we would reduce the encounter rate for that issue, and it should only appear if the application is referencing one version higher than what the host has, and only while a release is rolling with the newer version.The text was updated successfully, but these errors were encountered: