Security Vulnerability: https://github.com/advisories/GHSA-8g2p-5pqh-5jmc #80
Comments
I need a bit more info than that. This package doesn't use Microsoft.SqlServer.Types - it's an alternative to that when not running on .net framework
I believe it's this vulnerability: GHSA-8g2p-5pqh-5jmc. This project references System.Data.SqlClient 4.8.3, which seems to be affected.
It's an implicit reference. You can reference a newer version in your application
Yes. Until the reference is bumped, one can explicitly override the version. Instructions can be found via the link above.
My point is this library doesn't ship the vulnerable library, so there's no vulnerability in this library.
We have a dotnet 6 aspnet core project, where we have this package as a transitive dependency. This package shows that it has a dependency on the vulnerable package.
I can see that the System.Data.SqlClient package with that version is in the csproj file.
Yes, it's a dependency you can override by adding an explicit reference. You're not using the 2.x release which uses the newer sql client libraries. The 1.x releases are just there for old compat with the older client.
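An added example (not from this thread or the project) of the explicit override described above, as a csproj fragment for the .NET 6 application: a direct PackageReference to System.Data.SqlClient takes precedence over the transitive 4.8.3 reference pulled in by the 1.x package. The package id and the patched System.Data.SqlClient version are placeholders to be filled in from the advisory, and the NuGet audit properties assume an SDK that supports them (.NET 8 SDK or later).

```xml
<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <TargetFramework>net6.0</TargetFramework>
    <!-- Audit transitive packages too, not only direct ones, and fail restore
         on any known-vulnerable package (NU1901-NU1904 are the severity warnings). -->
    <NuGetAudit>true</NuGetAudit>
    <NuGetAuditMode>all</NuGetAuditMode>
    <WarningsAsErrors>$(WarningsAsErrors);NU1901;NU1902;NU1903;NU1904</WarningsAsErrors>
  </PropertyGroup>

  <ItemGroup>
    <!-- Placeholder for this library's 1.x package, which transitively
         references System.Data.SqlClient 4.8.3 (the affected version). -->
    <PackageReference Include="THIS-PACKAGE-ID" Version="1.x.y" />

    <!-- Explicit direct reference: NuGet resolves the direct reference in
         preference to the transitive one, so the patched version is what ships.
         PATCHED-VERSION is a placeholder; take the fixed version from GHSA-8g2p-5pqh-5jmc. -->
    <PackageReference Include="System.Data.SqlClient" Version="PATCHED-VERSION" />
  </ItemGroup>

</Project>
```

After restoring, `dotnet list package --vulnerable --include-transitive` confirms that the resolved System.Data.SqlClient is no longer flagged.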
A direct dependency has a vulnerability.