[Infra] Amend pipeline to use newer NuGet version #1274
Comments
This should be safe in terms of dependency confusion because we filter based on authors.
The filtering is done in the
Description
Microsoft recently announced a CVE that affects current versions of NuGet. Patched versions are available.
Although the scanner pipeline is using a vulnerable version of NuGet, it is not directly impacted by the CVE as we do not push/publish packages from the pipeline.
However, there are two small improvements we could make:
Regarding the second point, the pipeline is currently specifying a fixed three-part version for NuGet. If we used a two-part version with a wildcard, then the pipeline would automatically pick up security fixes without any additional work on our part.