Vulnerabilities Detected #509
Comments
|
StrongGrid does not take a direct dependency on any of the three packages on the screenshot you provided. Maybe one of our dependencies does? But which one???? |
|
I know that Pathoschild.Http.FluentClient is referencing System.Net.Http but only if your project is using .netstandard1.3. Does that seem right to you? Is you project targeting .net standard1.x? If so, can you upgrade to a more recent .net? That's probably to easiest and fastest way of getting rid of the vulnarable System.Net.Http reference. I have no idea where the other two references are coming from though. |
|
oh and by the way, what lead you to conclude that these dependencies came from StrongGrid in the first place? |
|
|
|
If you open it with Visual Studio, you can easily see this, including where the references come from. |
|
"Transitively referenced by StrongGrid" this pretty much confirms what I said: we don't directly reference any of these packages, but some of our references do. Like I said, I have a pretty good idea where the System.Net.Http reference comes from but no idea about the other two. And further more, the vulnerable System.Net.Http is used only when you target netstandard1.x Does this apply to your situation? Any chance you can upgrade your platform target(s)? |
|
As it turns out, all three references are being pulled in by our dependency on Pathoschild.Http.FluentClient:
|
|
im using .net 8.0. not sure if is using this netstandard |
|
so, its just notify the owner of this component |
|
When I open the FluentHttp project in Visual Studio and look at their dependencies, I see this:
So, while the author of the FluentHttp project might be able to fix the System.Net.Http reference (by dropping support for netstandard1.x, I presume), the other two are being pulled in by even further upstream dependencies. |
|
Turns out, I was wrong about one specific detail: the FluentHttpClient project is already referencing the patched System.Net.Http package (which is version 4.3.4) as evidenced by:
So they may have to go upstream to get this transitive reference upgraded. |
|
FluentHttpClient version 4.4.0 has been released. Upgrading our reference to this new release resolves this warning. |
Jericho
added
Enhancement
|
🎉 This issue has been resolved in version 0.108.0 🎉 The release is available on: Your GitReleaseManager bot 📦🚀 |
The text was updated successfully, but these errors were encountered: