Fable.Remoting

High severity vulnerabilities - Newtonsoft, System.Security.Cryptography.Pkcs

Open martinbryant opened this issue 1 year ago • 6 comments

Package 'Newtonsoft.Json' 12.0.2 has a known high severity vulnerability, https://github.com/advisories/GHSA-5crp-9r3c-p9vr

Package 'System.Security.Cryptography.Pkcs' 6.0.1 has a known high severity vulnerability, https://github.com/advisories/GHSA-555c-2p6r-68mm

It looks like Giraffe needs updating to 6.x to be able to get Newtonsoft 13.x

martinbryant avatar Feb 23 '24 11:02 martinbryant

Will there be an update to this? The Mend scanner is also recognizing this.


RicoSaupe avatar May 23 '24 05:05 RicoSaupe

I'm not sure how this is a Fable.Remoting concern. There is nothing preventing you from bumping Giraffe as far as I can see. And for that matter, Giraffe 5 doesn't restrict you to Newtonsoft.Json 12 either.

kerams avatar May 23 '24 06:05 kerams

In my case it's not about Giraffe. It's about Fable.Remoting using the "older" Newtonsoft library and the request to bump this up to the latest version.

RicoSaupe avatar May 23 '24 06:05 RicoSaupe

Sorry, but the argument still stands. You can use 13 if you want - Remoting does not hold you back.


kerams avatar May 23 '24 07:05 kerams
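The point made in the reply above (a consumer can pin Newtonsoft.Json 13.x and a patched System.Security.Cryptography.Pkcs themselves, because a direct PackageReference takes precedence over a transitive one in NuGet's "nearest wins" resolution) looks like this in a server project file. This is an added example, not code from the Fable.Remoting repository or from anyone in the thread; the file name, target framework and the exact package versions are assumptions, and the patched versions should be taken from the two advisories linked in the issue.

```xml
<!-- Server.fsproj: hypothetical project file for this example -->
<Project Sdk="Microsoft.NET.Sdk.Web">

  <PropertyGroup>
    <TargetFramework>net8.0</TargetFramework>
  </PropertyGroup>

  <ItemGroup>
    <Compile Include="Server.fs" />
  </ItemGroup>

  <ItemGroup>
    <!-- The package the issue is about. It brings in Giraffe and, through it,
         Newtonsoft.Json as transitive dependencies. The version is an assumption;
         keep whatever your project already uses. -->
    <PackageReference Include="Fable.Remoting.Giraffe" Version="5.*" />

    <!-- Direct references win over transitive ones when NuGet resolves the
         graph, so these two lines lift the resolved versions above the flagged
         12.0.2 / 6.0.1 without waiting for Fable.Remoting to raise its own
         dependency floor. Both version numbers are assumptions: use the
         patched versions named in the advisories. -->
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
    <PackageReference Include="System.Security.Cryptography.Pkcs" Version="6.0.4" />
  </ItemGroup>

</Project>
```

After `dotnet restore`, `dotnet list package --vulnerable --include-transitive` is the check that the override actually took effect: the two packages should no longer appear in its output, and scanners that read the restored graph (project.assets.json) will see the pinned versions. The override only applies to the project it is written in, so every project that restores Fable.Remoting.Giraffe needs the same lines, or the pins belong in a shared Directory.Packages.props if the solution uses central package management.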

Yes. I understand that I can use a higher version. Just wondering about the reason for the 12.x version. Is it for compatibility?

RicoSaupe avatar May 26 '24 11:05 RicoSaupe

> Just wondering about the reason for the 12.x version. Is it for compatibility?

@RicoSaupe We can update it; I don't think there is a reason not to.

Zaid-Ajaj avatar Jul 11 '24 21:07 Zaid-Ajaj