Nuget.ProjectModel version used in Microsoft.DotNet.Scaffolding.Shared has a high vulnerability #2588
Comments
You are correct, the affected package is a transitive dependency of many packages, often many packages deep.
Any news on this? Is there a workaround to update it manually?
@mcurros2 the workaround is to add the affected package as an explicit dependency, which will update the transitive package.
6.8.0 is now being classified as impacted. Package should be updated to at least 6.8.1.
Please push a new version of the package with the update of NuGet.* packages.
Microsoft.DotNet.Scaffolding.Shared 8.0.2 has released and this was fixed 🥳 Thanks everyone for helping get this out!
Looks good, hence closing issue.
Describe the bug
All versions of the library are using a version of Nuget.ProjectModel which has an identified vulnerability that has been fixed in a newer version of the library.
To reproduce
Open nuget package manager with library installed
Look at vulnerabilities of transitive packages and observe warning about vulnerability for Nuget.ProjectModel
Look at dependencies of Microsoft.DotNet.Scaffolding.Shared and observe this is the source of the vulnerable library
Expected behavior
Nuget.ProjectModel is upgraded to a version which doesn't contain the vulnerability, or the dependency is removed.
Further technical details
GHSA-6qmf-mmc7-6c2p
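The thread describes the affected package as a transitive dependency, often many packages deep. As an added example (not code from the issue or the project), this sketch walks a constructed document in the shape of `obj/project.assets.json` and returns each chain of packages that resolves NuGet.ProjectModel below the 6.8.1 floor mentioned in the comments; the `Contoso.*` names and the `0.0.1-sample` version are made up.

```python
import json

# Constructed sample shaped like obj/project.assets.json (not from the thread).
# Contoso.* packages and the 0.0.1-sample version are invented for illustration.
SAMPLE_ASSETS = json.loads("""
{
  "targets": {"net8.0": {
    "Contoso.Tools/1.0.0": {"type": "package",
      "dependencies": {"Microsoft.DotNet.Scaffolding.Shared": "0.0.1-sample"}},
    "Microsoft.DotNet.Scaffolding.Shared/0.0.1-sample": {"type": "package",
      "dependencies": {"Contoso.Text": "2.0.0", "NuGet.ProjectModel": "6.8.0"}},
    "Contoso.Text/2.0.0": {"type": "package"},
    "NuGet.ProjectModel/6.8.0": {"type": "package"}
  }},
  "projectFileDependencyGroups": {"net8.0": ["Contoso.Tools >= 1.0.0"]}
}
""")

def version_key(version):
    """Numeric release part only; prerelease labels are ignored in this sketch."""
    return tuple(int(p) for p in version.split("-")[0].split(".") if p.isdigit())

def paths_to(assets, target, package, min_fixed):
    """Chains from direct references down to `package`, reported only when the
    resolved version of `package` is older than `min_fixed`."""
    libs = {}
    for key, info in assets["targets"][target].items():
        name, _, ver = key.partition("/")
        libs[name.lower()] = (name, ver, info.get("dependencies", {}))
    hit = libs.get(package.lower())
    if hit is None or version_key(hit[1]) >= version_key(min_fixed):
        return []
    found = []

    def walk(name, chain):
        entry = libs.get(name.lower())
        if entry is None or any(c.startswith(entry[0] + "/") for c in chain):
            return  # unresolved reference or already on this chain
        chain = chain + [f"{entry[0]}/{entry[1]}"]
        if entry[0].lower() == package.lower():
            found.append(chain)
            return
        for dep in entry[2]:
            walk(dep, chain)

    for ref in assets["projectFileDependencyGroups"][target]:
        walk(ref.split()[0], [])  # entries look like "Name >= 1.0.0"
    return found
```

With the workaround from the comments applied (an explicit reference that resolves NuGet.ProjectModel to 6.8.1 or later), the function returns an empty list for the same project.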