Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Still references potentially vulnerable Microsoft.AspNetCore.Authentication.JwtBearer 5.0.0 package #1532

Closed
Peter-Juhasz opened this issue Nov 16, 2021 · 1 comment
Labels
Milestone

Comments

@Peter-Juhasz
Copy link

Which version of Microsoft Identity Web are you using?
1.20.0

Where is the issue?
Package doesn't support .NET 6 yet and references a vulnerable .NET 5 package, and our build breaks on dependency vulnerability scan.

Repro

<PackageReference Include="Microsoft.Identity.Web" Version="1.20.0" />

or

<PackageReference Include="Microsoft.Identity.Web" Version="1.*" />

Expected behavior
No vulnerable transitive dependencies.

Actual behavior
dotnet list App.sln package --vulnerable --include-transitive

Project `App` has the following vulnerable packages
   [net6.0]: 
   Transitive Package                                   Resolved   Severity   Advisory URL                                     
   > Microsoft.AspNetCore.Authentication.JwtBearer      5.0.0      Moderate   https://github.com/advisories/GHSA-q7cg-43mg-qp69

image

Possible solution
Upgrade all references to .NET 6.

@jennyf19
Copy link
Collaborator

Included in 1.21.0 release

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

3 participants