
Transitive dependencies have high/critical security vulnerabilities #239

Closed
jskeet opened this issue Oct 10, 2022 · 0 comments · Fixed by #240

jskeet commented Oct 10, 2022

From running `dotnet list package --vulnerable --include-transitive` in CloudNative.CloudEvents.AspNetCore:

```text
Project `CloudNative.CloudEvents.AspNetCore` has the following vulnerable packages
   [netstandard2.0]:
   Transitive Package               Resolved   Severity   Advisory URL
   > Newtonsoft.Json                9.0.1      High       https://github.com/advisories/GHSA-5crp-9r3c-p9vr
   > System.Text.Encodings.Web      4.5.0      Critical   https://github.com/advisories/GHSA-ghhp-997w-qr28

   [netstandard2.1]:
   Transitive Package               Resolved   Severity   Advisory URL
   > Newtonsoft.Json                9.0.1      High       https://github.com/advisories/GHSA-5crp-9r3c-p9vr
   > System.Text.Encodings.Web      4.5.0      Critical   https://github.com/advisories/GHSA-ghhp-997w-qr28
```

Both of these come from Microsoft.Extensions.DependencyModel 2.1.0. There's no upgrade in the 2.x line for this. We could potentially upgrade just Newtonsoft.Json and System.Text.Encodings.Web, but we don't really want a Newtonsoft.Json dependency at all.

Upgrading to 3.1.25 would fix this. It does contain a breaking change: DependencyContextJsonReader.ReadTargetLibraryDependencies has been removed.

It looks like we don't actually use the Mvc.Core dependency anyway. Dropping that would fix the Newtonsoft.Json issue, and we can update System.Text.Encodings.Web explicitly.
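As an added example (not part of this issue or of the sdk-csharp project), the following POSIX shell gate parses the report format that `dotnet list package --vulnerable --include-transitive` prints, as shown above, and fails when any package row is at or above a chosen severity, so a CI job can catch regressions of this kind before they ship. The `SAMPLE_REPORT` text is a constructed copy of the rows quoted above; `count_vulns` and `vuln_gate` are hypothetical helper names.

```shell
#!/bin/sh
# Constructed sample input: the rows reported in this issue, in the exact
# layout `dotnet list package --vulnerable` uses (hypothetical CI input).
SAMPLE_REPORT='Project `CloudNative.CloudEvents.AspNetCore` has the following vulnerable packages
   [netstandard2.0]:
   Transitive Package               Resolved   Severity   Advisory URL
   > Newtonsoft.Json                9.0.1      High       https://github.com/advisories/GHSA-5crp-9r3c-p9vr
   > System.Text.Encodings.Web      4.5.0      Critical   https://github.com/advisories/GHSA-ghhp-997w-qr28
'

# count_vulns REPORT MIN_SEVERITY
# Prints the number of distinct packages whose severity is at or above
# MIN_SEVERITY (Low | Moderate | High | Critical). Package rows start with
# ">"; the severity is always the field just before the trailing advisory
# URL, which also covers top-level rows that carry an extra "Requested"
# column. The same package listed under several target frameworks counts once.
count_vulns() {
  printf '%s\n' "$1" | awk -v min="$2" '
    BEGIN { rank["Low"] = 1; rank["Moderate"] = 2; rank["High"] = 3; rank["Critical"] = 4 }
    $1 == ">" {
      sev = $(NF - 1)
      if ((sev in rank) && rank[sev] >= rank[min]) seen[$2] = 1
    }
    END { n = 0; for (k in seen) n++; print n }'
}

# vuln_gate REPORT MIN_SEVERITY
# Succeeds (exit 0) only when no finding meets the threshold, so it can be
# used directly as a CI step: vuln_gate "$(dotnet list package --vulnerable --include-transitive)" High
vuln_gate() {
  [ "$(count_vulns "$1" "$2")" -eq 0 ]
}
```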

jskeet added a commit to jskeet/sdk-csharp that referenced this issue Oct 10, 2022
Fixes cloudevents#239

Signed-off-by: Jon Skeet <jonskeet@google.com>
jskeet added a commit that referenced this issue Oct 15, 2022
Fixes #239

Signed-off-by: Jon Skeet <jonskeet@google.com>