Jon
Seems like we have a clear path forward using URLs from the package index as the canonical source of truth for "package names" and semver 2.0.0 as the implicit versioning...
Hey @skofman1, sorry for the delay, but we're now live-ish 🎉 A few notes. Your list has CVE-2019-0545 as affecting `Microsoft.NETCore.App` in `>= 2.1.0, < 2.1.7` with `2.1.7` as the...
Hey @leecow, the question I had about that one was with respect to @skofman1's list has `Microsoft.NETCore.App` rather than `System.Net.Http`. I assumed that meant https://www.nuget.org/packages/Microsoft.NETCore.App, but maybe that's incorrect. @NickCraver...
@NickCraver Ah gotcha. Our advisory isn't blocking you on that though, is it? I couldn't find the Owin reference, so I left it off of that. @leecow our namespace is...
@NickCraver and CG is breaking the build because it detects `Microsoft.Owin` in the offending range listed above?
@NickCraver that's not going to be us (github database) then. I suspect that someone may have changed something on the CG side when this list got put together. @skofman1 might...
> the advisory [CVE-2019-0545](https://github.com/advisories/GHSA-2xjx-v99w-gqf3) for now to include only Microsoft.NETCore.App, until we get clarity on the correct version ranges for System.NET.Http.

Ok, just to double check you mean a change of...
> Yes, exactly. Thank you much. We're updated 👍
@leecow many thanks 👍 Those two advisories are now updated on our end.
@skofman1 many thanks for the update. Am I right in reading that last line that `Microsoft.AspNetCore.Owin` does not have a fix version at `2.1.22`?