
Force update Microsoft.CSharp transitive dependency #19514

Merged
merged 1 commit into from Apr 18, 2023

Conversation

TravisEz13
Member

@TravisEz13 TravisEz13 commented Apr 14, 2023

PR Summary

  • Force update Microsoft.CSharp transitive dependency
    • NJsonSchema uses Namotion.Reflection, which uses Microsoft.CSharp 4.3.0, which has a security issue.
    • The SDK automatically upgrades this, but some security scanners cannot tell, because the assets.json and deps.json don't show evidence of this upgrading behavior.
    • Forcing the upgrade, so that assets.json and deps.json show 4.7.0, which is sufficient for the vulnerability scanning to work correctly.
  • CGManifest looks simpler because we are reading the same data that the scanners are using, and now that we only ask for what the SDK has, it does not add the packages to the manifest.

PR Context

This was done in 7.2: 28514a7
This was done in 7.3: af8d716

PR Checklist

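The PR description makes a point worth checking mechanically: scanners read what project.assets.json and the *.deps.json record, not what the SDK would substitute at build time, so a transitive package the SDK silently upgrades still appears under its old version. The script below is an added example, not code from the PowerShell repository or from this PR. It walks the "targets" section that both file kinds share, where NuGet records each resolved package as a "Name/Version" key, and reports any recorded version below a required floor. The two JSON documents are constructed to mirror that layout (the NJsonSchema and Namotion.Reflection version numbers in them are placeholders, not taken from the page); note that the nested "dependencies" entry still declares 4.3.0 in the "after" sample, because that is the range the package declares, while the key for the resolved package is what changes.

```python
"""Report packages whose version recorded in a NuGet lock file is below a floor.

Added example (not the PowerShell project's own tooling). Works on either
project.assets.json or a *.deps.json, since both record resolved packages as
"Name/Version" keys under "targets". Sample documents are constructed inline.
"""
import json
from typing import Dict, Set, Tuple

# Constructed sample: before the PR, the lock file still records Microsoft.CSharp 4.3.0
# even though the SDK would upgrade it at build time.
ASSETS_BEFORE = json.dumps({
    "version": 3,
    "targets": {
        "net7.0": {
            "NJsonSchema/10.0.0": {"type": "package",
                                   "dependencies": {"Namotion.Reflection": "2.0.0"}},
            "Namotion.Reflection/2.0.0": {"type": "package",
                                          "dependencies": {"Microsoft.CSharp": "4.3.0"}},
            "Microsoft.CSharp/4.3.0": {"type": "package"},
        }
    },
    "libraries": {},
})

# Constructed sample: after forcing the upgrade, the resolved package key is 4.7.0.
# The declared range inside Namotion.Reflection's "dependencies" is unchanged.
ASSETS_AFTER = json.dumps({
    "version": 3,
    "targets": {
        "net7.0": {
            "NJsonSchema/10.0.0": {"type": "package",
                                   "dependencies": {"Namotion.Reflection": "2.0.0"}},
            "Namotion.Reflection/2.0.0": {"type": "package",
                                          "dependencies": {"Microsoft.CSharp": "4.3.0"}},
            "Microsoft.CSharp/4.7.0": {"type": "package"},
        }
    },
    "libraries": {},
})


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '4.7.0' (or '4.7.0-preview.1') into a comparable tuple.

    Only the numeric release part is compared; a prerelease label is dropped,
    which is conservative enough for a minimum-version gate.
    """
    release = text.split("-", 1)[0]
    return tuple(int(part) for part in release.split("."))


def resolved_versions(lockfile_text: str) -> Dict[str, Set[str]]:
    """Collect name -> {versions} for every package key under 'targets'.

    Package ids are case-insensitive in NuGet, so names are lower-cased.
    """
    doc = json.loads(lockfile_text)
    found: Dict[str, Set[str]] = {}
    for framework_entries in doc.get("targets", {}).values():
        for key in framework_entries:
            if "/" not in key:
                continue  # not a "Name/Version" package key
            name, version = key.split("/", 1)
            found.setdefault(name.lower(), set()).add(version)
    return found


def below_minimum(lockfile_text: str, package: str, minimum: str) -> Set[str]:
    """Return the recorded versions of `package` older than `minimum`.

    An empty set means every recorded copy meets the floor, or the package
    is absent from the file entirely.
    """
    floor = parse_version(minimum)
    versions = resolved_versions(lockfile_text).get(package.lower(), set())
    return {v for v in versions if parse_version(v) < floor}


if __name__ == "__main__":
    for label, text in (("before", ASSETS_BEFORE), ("after", ASSETS_AFTER)):
        bad = below_minimum(text, "Microsoft.CSharp", "4.7.0")
        print(f"{label}: {'FAIL ' + ', '.join(sorted(bad)) if bad else 'ok'}")
```

Point `below_minimum` at a real `obj/project.assets.json` or `bin/.../*.deps.json` by reading the file into a string; the same walk applies to both, which is why a fix that changes what those files record is what satisfies a scanner, whereas an SDK-side implicit upgrade leaves no trace for it to read.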
@ghost ghost assigned daxian-dbw Apr 14, 2023
@TravisEz13 TravisEz13 marked this pull request as ready for review April 14, 2023 19:18
daxian-dbw
daxian-dbw previously approved these changes Apr 14, 2023
Member

@daxian-dbw daxian-dbw left a comment


LGTM

@daxian-dbw daxian-dbw dismissed their stale review April 18, 2023 00:05

posted a concern

Member

@daxian-dbw daxian-dbw left a comment


LGTM

@daxian-dbw daxian-dbw merged commit e05a097 into PowerShell:master Apr 18, 2023
45 checks passed
@daxian-dbw daxian-dbw added the CL-BuildPackaging Indicates that a PR should be marked as a build or packaging change in the Change Log label Apr 19, 2023
@ghost

ghost commented Apr 20, 2023

🎉 v7.4.0-preview.3 has been released, which incorporates this pull request. 🎉
