
System.Text.Encodings.Web 4.4.0

Open ceciliasharp opened this issue 3 years ago • 1 comments

We are using the latest Hangfire, 1.7.28, and now we have updated our code to .NET 6. We now get a new critical vulnerability warning on our code from the Snyk scanner.

Is it possible to update the Microsoft.AspNetCore.Http.Abstractions reference to latest 2.2.0?

ceciliasharp avatar Feb 25 '22 09:02 ceciliasharp

It complains that Microsoft.AspNetCore.Antiforgery needs to be updated too; 2.2.0 is the latest there.

ceciliasharp avatar Feb 25 '22 10:02 ceciliasharp

Still present in 1.7.31

jbgh2 avatar Nov 16 '22 19:11 jbgh2

I'm afraid that issue belongs more to NuGet than to Hangfire and is present in other packages as well, for example see the following question on Stack Overflow:

https://stackoverflow.com/questions/56727314/nuget-package-manager-does-not-install-package-with-highest-depencency-version

There was the DependencyVersion switch in the early days of NuGet, but I don't know how to use it with ProjectReference tags. The problem is also described here – https://weblog.west-wind.com/posts/2014/Jun/19/Nuget-Dependencies-and-latest-Versions and there's an issue on GitHub in the NuGet repository that describes this issue in great detail, but unfortunately I can't find it.

The thing is that Hangfire specifies the minimum supported version, and the actual versions can be specified (Hangfire will work with any of them) in the target application by specifying those dependent packages explicitly:

<ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.Http.Abstractions" Version="2.2.0" />
    <PackageReference Include="Microsoft.AspNetCore.Antiforgery" Version="2.2.0" />
</ItemGroup>

odinserj avatar Nov 18 '22 10:11 odinserj
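
To see which direct reference brings in a flagged transitive package, and which packages are left for NuGet to version, the restored obj/project.assets.json can be walked as below. This is an added example, not code from the thread or from Hangfire; the assets content is a constructed, trimmed sample, and the 2.0.0 versions and dependency edges in it are assumptions.

```python
import json

# Constructed, trimmed obj/project.assets.json. Only 1.7.28 and 4.4.0 come
# from the thread; the 2.0.0 minimums and the edges are illustrative assumptions.
ASSETS = json.loads("""{
 "targets": {"net6.0": {
  "Hangfire.AspNetCore/1.7.28": {"dependencies": {
     "Microsoft.AspNetCore.Http.Abstractions": "2.0.0",
     "Microsoft.AspNetCore.Antiforgery": "2.0.0"}},
  "Microsoft.AspNetCore.Http.Abstractions/2.0.0": {"dependencies": {
     "System.Text.Encodings.Web": "4.4.0"}},
  "Microsoft.AspNetCore.Antiforgery/2.0.0": {"dependencies": {
     "Microsoft.AspNetCore.Http.Abstractions": "2.0.0"}},
  "System.Text.Encodings.Web/4.4.0": {}}},
 "projectFileDependencyGroups": {"net6.0": ["Hangfire.AspNetCore >= 1.7.28"]}
}""")

def resolved(assets, tfm):
    """Map package id -> (resolved version, dependency ids) for one target framework."""
    out = {}
    for key, entry in assets["targets"][tfm].items():
        pkg, version = key.split("/", 1)
        out[pkg] = (version, list(entry.get("dependencies", {})))
    return out

def direct_refs(assets, tfm):
    """Package ids the project file references explicitly."""
    return {line.split()[0] for line in assets["projectFileDependencyGroups"][tfm]}

def chains_to(assets, tfm, target):
    """Every path from a direct reference down to `target`, as 'id/version' steps."""
    graph, found = resolved(assets, tfm), []
    def walk(pkg, path):
        if pkg not in graph or pkg in [p.split("/")[0] for p in path]:
            return  # unresolved id, or a cycle
        path = path + [f"{pkg}/{graph[pkg][0]}"]
        if pkg == target:
            found.append(path)
            return
        for dep in graph[pkg][1]:
            walk(dep, path)
    for root in sorted(direct_refs(assets, tfm)):
        walk(root, [])
    return found

def unpinned(assets, tfm):
    """Resolved packages with no explicit PackageReference; NuGet picks their version."""
    return sorted(set(resolved(assets, tfm)) - direct_refs(assets, tfm))
```

Every id returned by `unpinned` is a candidate for an explicit PackageReference like the two shown above; after adding one and restoring again, it moves into the direct set and resolves at the version written in the project file.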

@ceciliasharp Maybe this can help you: https://github.com/dotnet/aspnetcore/issues/3756

Davilink avatar Jan 26 '23 01:01 Davilink