XamlStyler
Visual Studio reports vulnerability in nuget reference
Describe the bug: Visual Studio reports vulnerability in nuget reference.
To Reproduce: Steps to reproduce the behavior:
- Checkout the main branch
- Open XamlStyler.sln in Visual Studio 2022 17.9
- See
Expected behavior: No vulnerabilities reported
External Configuration: If you are using an external configuration, please attach to help reproduce the issue.
Version Info (please complete the following information):
- OS: Windows 11
- Visual Studio: 2022 17.9 Preview 4
- XAML Styler: main branch (https://github.com/Xavalon/XamlStyler/commit/3663f178854bf7a3b7109f225872b39ce63c6f19)
Additional context: In general, there are multiple NuGet packages that have updates. The Newtonsoft.Json package in XamlStyler.csproj seems to be the oldest one.
Unfortunately, there are gotchas with Newtonsoft.Json. Updating can lead to unexpected behavior on older versions of Visual Studio (https://github.com/Xavalon/XamlStyler/issues/377), so we are blocked for now, but going to leave this issue open to track. More information here: Using Newtonsoft.Json in a Visual Studio extension.
Is it really needed to keep releasing new XamlStyler updates for old Visual Studio versions? (not sure how long they need to be supported?)
- If it is needed to support them, could that be done from a maintenance branch so that the main branch is not blocked from updating this? I'm not sure about the impact of the vulnerability but keeping a nuget package with a vulnerability in main to support old versions sounds not great to me.
After publishing final feature update supporting VS2017 (#480), we will be unblocked from updating Newtonsoft.Json to version 12.0.2 (#481). Using the two referenced issues to track these changes, so closing this.