Explicitly reference newer versions of libraries with CVEs #42
Summary
I've explicitly referenced two NuGet packages to prevent the implicit versions from being referenced:
This is because the implicit versions (10.0.3 for Newtonsoft, 2.3.20.0 for ClientRuntime) have active CVEs that are triggering my build pipeline checks:
Other Notes
Both of these referenced libraries are due to the dependency on the now-deprecated Microsoft.Azure.Management.ServiceBus library. Rather than replacing it with its Azure.ResourceManager.ServiceBus alternative that's still under support, I am just doing this in hopes it won't create a bunch more downstream work. If there's appetite, I could replace Management.ServiceBus instead, but I am not familiar with the test environment of this package at all.