High severity vulnerabilities identified with the dependency package used in Moq 4.16.1 #1169
Comments
|
Thanks for the notification. Our (Moq's) hands are bound however, since there currently isn't any newer version of Castle.Core targeting a more recent .NET Standard. Work is currently underway at https://github.com/castleproject/Core towards a new major release that will target .NET Standard 2.x, though that release hasn't happened yet. I suppose in the meantime, you could try manually adding a dependency on a newer version of the System.Text.RegularExpressions package. /cc @jonorossi (who manages the Castle.Core release process) |
|
Thanks @stakx - I've manually added a dependency to use the latest version of System.Text.RegularExpressions.That has resolved the issue for now. And thanks for the update. :) |
|
@Rashmi-nw, since you found a solution, I am going to close this issue. The only course of action for us will be to update our dependency on Castle.Core, and that'll happen anyway as soon as it becomes available. |
Sounds like a good solution. |
We are using Moq@4.16.1 which has a dependency on Castle.Core@4.4.0 . This has a dependency on NETStandard.Library@1.6.1.
NETStandard.Library@1.6.1 has a dependency on System.Text.RegularExpressions@4.3.0 which has a high severity vulnerability.
Info on High severity vulnerability : Description: Regular Expression Denial of Service (ReDoS) - https://snyk.io/vuln/SNYK-DOTNET-SYSTEMTEXTREGULAREXPRESSIONS-174708
The text was updated successfully, but these errors were encountered: