
Code: check dependencies

Open Jay-o-Way opened this issue 8 months ago • 3 comments

System.Drawing.Common

Under AutoDarkModeSvc


https://github.com/advisories/GHSA-rxg9-xrhp-64gj


Visual Studio suggests that I install the following. Note that version 7 is out of support.

Image


Community Toolkit > New release: Version 8.2

Jay-o-Way, Mar 29 '25 07:03

That is potentially due to an old package dependency we might no longer need?

I've hopefully upped the SDK target to Net9 on all projects, so I'm not entirely sure why it's asking for NET7

Spiritreader, Apr 13 '25 20:04

When opening a fresh clone, Visual Studio gives the suggestion.


Also, see a security warning for System.Drawing.Common under AutoDarkModeSvc.

Jay-o-Way, Apr 16 '25 09:04

I tried to remove .NET 7 from VSInstaller. When I entered the solution, I was still prompted to install .NET 7. I guess there should be some outdated NuGet package.

ChenYiLins, May 08 '25 09:05

I've updated the dependency in question to a non-vulnerable version. Not sure why Visual Studio asks for NET7. I don't have this dependency installed.


Please also note that a fresh clone on the master branch will result in the old dependencies being loaded. And they indeed might have backrefs to .NET7. But it shouldn't happen on a clean version of the winui3 branch.

Spiritreader, Aug 23 '25 20:08

@Jay-o-Way Do you still see the security warning on the winui3 branch? If not, we can close.

Spiritreader, Sep 07 '25 21:09

> Do you still see the security warning on the winui3 branch?

Nope. Just an update available.

> If not, we can close.

Unfortunately not:

Image

fresh clone a few minutes ago

Jay-o-Way, Sep 08 '25 10:09

> Please also note that a fresh clone on the master branch will result in the old dependencies being loaded. And they indeed might have backrefs to .NET7. But it shouldn't happen on a clean version of the winui3 branch.

I don't think it's possible to clone a branch, only a repository? 🤔

Jay-o-Way, Sep 08 '25 11:09

> > Please also note that a fresh clone on the master branch will result in the old dependencies being loaded. And they indeed might have backrefs to .NET7. But it shouldn't happen on a clean version of the winui3 branch.

> I don't think it's possible to clone a branch, only a repository? 🤔

Yes, but the question is "is it fixed on the winui3 branch"

You clone, then check out winui3, then open Visual Studio. If everything is fine then, the issue is resolved because it will eventually be merged to master.

I don't have .net7 installed and I don't get any warnings. So I wonder where yours come from.

Spiritreader, Sep 08 '25 13:09

Just now, I tried to install a new VS2026. When I opened the project, the system gave me some tips because the installation components were incomplete, which still contained .NET 7.

But I did not choose to install .NET 7. I opened the solution again and didn't receive any warning.

ChenYiLins, Sep 11 '25 05:09

I think I found it

// file: .vsconfig
{
  "version": "1.0",
  "components": [
    "Microsoft.Component.MSBuild",
    "Microsoft.NetCore.Component.Runtime.7.0",

Jay-o-Way, Sep 19 '25 15:09
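
Added example (not part of the thread and not the project's code): the `.vsconfig` finding above suggests a check that compares the runtime components a `.vsconfig` requests with the frameworks the project files actually target. The function names and both sample inputs are constructed for illustration; only the component-ID prefix comes from the excerpt in the thread.

```python
import json
import re

# Component-ID prefix taken from the .vsconfig excerpt in the thread.
RUNTIME_PREFIX = "Microsoft.NetCore.Component.Runtime."
# TargetFramework(s) element, then the major.minor of a "netX.Y..." moniker.
TFM_RE = re.compile(r"<TargetFrameworks?>([^<]+)</TargetFrameworks?>", re.I)
TFM_VER_RE = re.compile(r"^net(\d+\.\d+)")


def vsconfig_runtimes(vsconfig_text):
    """Return the .NET runtime versions a .vsconfig asks Visual Studio to install."""
    components = json.loads(vsconfig_text).get("components", [])
    return sorted(c[len(RUNTIME_PREFIX):] for c in components
                  if c.startswith(RUNTIME_PREFIX))


def project_targets(csproj_texts):
    """Return the set of major.minor versions targeted by the given project files."""
    versions = set()
    for text in csproj_texts:
        for group in TFM_RE.findall(text):
            for tfm in group.split(";"):
                m = TFM_VER_RE.match(tfm.strip().lower())
                if m:
                    versions.add(m.group(1))
    return versions


def stale_runtimes(vsconfig_text, csproj_texts):
    """Runtime components requested by .vsconfig that no project targets."""
    targets = project_targets(csproj_texts)
    return [v for v in vsconfig_runtimes(vsconfig_text) if v not in targets]


# Constructed sample input (not the repository's real files).
SAMPLE_VSCONFIG = """{
  "version": "1.0",
  "components": [
    "Microsoft.Component.MSBuild",
    "Microsoft.NetCore.Component.Runtime.7.0",
    "Microsoft.NetCore.Component.Runtime.9.0"
  ]
}"""
SAMPLE_CSPROJ = ["<TargetFramework>net9.0-windows10.0.19041.0</TargetFramework>"]

if __name__ == "__main__":
    print(stale_runtimes(SAMPLE_VSCONFIG, SAMPLE_CSPROJ))
```

A non-empty result means the `.vsconfig` still requests a runtime that no project file targets, which matches the install prompt reported in the thread.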