Vulnerabilities Detected #509
StrongGrid does not take a direct dependency on any of the three packages on the screenshot you provided. Maybe one of our dependencies does? But which one????
I know that Pathoschild.Http.FluentClient is referencing System.Net.Http but only if your project is using .netstandard1.3. Does that seem right to you? Is your project targeting .net standard1.x? If so, can you upgrade to a more recent .net? That's probably the easiest and fastest way of getting rid of the vulnerable System.Net.Http reference. I have no idea where the other two references are coming from though.
Oh and by the way, what led you to conclude that these dependencies came from StrongGrid in the first place?
If you open it with Visual Studio, you can easily see this, including where the references come from.
"Transitively referenced by StrongGrid": this pretty much confirms what I said: we don't directly reference any of these packages, but some of our references do. Like I said, I have a pretty good idea where the System.Net.Http reference comes from but no idea about the other two. And furthermore, the vulnerable System.Net.Http is used only when you target netstandard1.x. Does this apply to your situation? Any chance you can upgrade your platform target(s)?
I'm using .net 8.0. Not sure if it is using this netstandard.
So, it's just notify the owner of this component
When I open the FluentHttp project in Visual Studio and look at their dependencies, I see this: So, while the author of the FluentHttp project might be able to fix the System.Net.Http reference (by dropping support for netstandard1.x, I presume), the other two are being pulled in by even further upstream dependencies.
FluentHttpClient version 4.4.0 has been released. Upgrading our reference to this new release resolves this warning.
🎉 This issue has been resolved in version 0.108.0 🎉 The release is available on: Your GitReleaseManager bot 📦🚀
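The "which dependency pulls it in?" question raised in this thread can also be answered outside Visual Studio by walking the resolved graph that NuGet restore writes to `obj/project.assets.json`. The script below is an added example, not part of the thread or of StrongGrid; the `Example.*` package names and every version string in the sample are constructed placeholders.

```python
import json
from collections import deque

# Constructed sample shaped like obj/project.assets.json (written by NuGet restore).
# Example.* package names and all version strings are placeholders.
SAMPLE_ASSETS = json.loads("""
{
  "targets": {"net8.0": {
    "StrongGrid/0.0.0": {"type": "package",
      "dependencies": {"Pathoschild.Http.FluentClient": "0.0.0"}},
    "Pathoschild.Http.FluentClient/0.0.0": {"type": "package",
      "dependencies": {"Example.Upstream": "0.0.0"}},
    "Example.Upstream/0.0.0": {"type": "package",
      "dependencies": {"Example.Vulnerable": "0.0.0"}},
    "Example.Vulnerable/0.0.0": {"type": "package"},
    "Example.Clean/0.0.0": {"type": "package"}
  }},
  "project": {"frameworks": {"net8.0": {"dependencies": {
    "StrongGrid": {"target": "Package"},
    "Example.Clean": {"target": "Package"}
  }}}}
}
""")


def paths_to(assets, framework, package):
    """Return every chain [direct reference, ..., package] for one target framework."""
    # NuGet package ids are case-insensitive, so index the graph by lowercased id.
    graph = {}
    for key, info in assets["targets"][framework].items():
        graph[key.split("/", 1)[0].lower()] = list(info.get("dependencies", {}))
    direct = assets["project"]["frameworks"][framework].get("dependencies", {})
    wanted, found = package.lower(), []
    queue = deque([name] for name in direct)
    while queue:
        path = queue.popleft()
        if path[-1].lower() == wanted:
            found.append(path)
            continue
        for dep in graph.get(path[-1].lower(), []):
            if dep.lower() not in (p.lower() for p in path):  # skip cycles
                queue.append(path + [dep])
    return found


if __name__ == "__main__":
    for chain in paths_to(SAMPLE_ASSETS, "net8.0", "Example.Vulnerable"):
        print(" -> ".join(chain))
```

Against a real project, load the file with `json.load(open("obj/project.assets.json"))` and pass the target framework key that appears under `targets`; an empty result for that framework means the flagged package is only resolved for a different target.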