Security Vulnerability: https://github.com/advisories/GHSA-8g2p-5pqh-5jmc

[iduras3]

A direct dependency has a vulnerability. vulnerability

[dotMorten]

I need a bit more info than that. This package doesn't use Microsoft.SqlServer.Types - it's an alternatice to that when not running on .net framework

[bjorngadde]

I believe it's this vulnerability: GHSA-8g2p-5pqh-5jmc.

This project references System.Data.SqlClient 4.8.3, which seems to be affected.

[dotMorten]

It’s an implicit reference. You can reference a newer version in your application

[bjorngadde]

Yes. Until the reference is bumped, one can explicitly override the version. Instructions can be found via the link above.

[dotMorten]

My point is this library doesn't ship the vulnerable library, so there's no vulnerability in this library.

[iduras3]

We have a dotnet 6 aspnet core project, where we have this package as a transitive dependency. This package shows that it has a dependency on the vulnerable package.

"dotMorten.Microsoft.SqlServer.Types": { "type": "Transitive", "resolved": "1.4.0", "contentHash": "MYxVbuBguObk8QFNTuBZ+ZEC/m1zbvG774FbFvwiDZjc0RYq/co27THrHN5Dyd52ie0R5bt2uxSZj4tIb3lYFg==", "dependencies": { "System.Data.SqlClient": "4.8.3", "System.Memory": "4.5.4" }

I can see that the System.Data.SqlClient package with that version is in the csproj file.

[dotMorten]

Yes it’s a dependency you can override by adding an explicit reference. You’re not using the 2.x release which uses the newer sql client libraries. The 1.x releases are just there for old compat with the older client.