Nuget.ProjectModel version used in Microsoft.DotNet.Scaffolding.Shared has a high vulnerability

[thompson-tomo]

Describe the bug

All versions of the library are using a version of Nuget.ProjectModel which has an identified vulnerability which has been fixed in newer version of the library

To reproduce

Open nuget package manager with library installed
Look at vulnerabilities of transitive packages and observe warning about vulnerability for Nuget.ProjectModel
Look at dependencies of Microsoft.DotNet.Scaffolding.Shared and observe this is the source of the vulnerable library

Expected behavior

Nuget.ProjectModel is upgraded to a version which doesn't contain vulnerability or dependency removed

Further technical details

GHSA-6qmf-mmc7-6c2p

[Regenhardt]

Microsoft.VisualStudio.Web.CodeGeneration.Design also references NuGet packages (.Common, .Protocol) with that vulnerability, even the recently released version 8.

[thompson-tomo]

You are correct the affected package is a transitive dependency of many packages often many packages deep.

[mcurros2]

Any news on this? Microsoft.VisualStudio.Web.CodeGeneration.Design uses version 6.3.1, and 6.8.0 is available with no vulnerabilities. I think the references could be updated safely and repackage. A severe vulnerability will make us to uninstall this feature, and I don't know if it's possible.

Is there a workaround to update it manually?

[thompson-tomo]

@mcurros2 the workaround is to add the affected package as an explicit dependency which will update the transitive package.

[thompson-tomo]

6.8.0 is now being classified as impacted. Package should be updated to atleast 6.8.1

[tinohager]

Please push a new version of the package with the update of NuGet.* packages

[NotTsunami]

Microsoft.DotNet.Scaffolding.Shared 8.0.2 has released and this was fixed 🥳 Thanks everyone for helping get this out!

[thompson-tomo]

Looks good, hence closing issue.