System.CommandLine.Hosting vulnerable transitive dependency
Any chance for a release refresh of System.CommandLine.Hosting?
I'm getting a transitive dep vulnerability warning for the latest 0.4.0-alpha.. version, and AFAIK there aren't newer releases.
@jonsequitur / @adamsitnik / @Keboo sorry for the direct ping, any chance this could be looked into?
I know we're in PREVIEW waters, but this shouldn't be a big issue to fix.
Note: if you have TreatWarningsAsErrors, with the newest Visual Studio update any build will be blocked, even if you would accept the vulnerability (for most CLI apps this can maybe be tolerated at the moment).
You can disable them individually; you still get the warnings, but the build will succeed.
<TreatWarningsAsErrors>true</TreatWarningsAsErrors>
<WarningsNotAsErrors>NU1901;NU1902;NU1903;NU1904</WarningsNotAsErrors>
Message in the build:
warning NU1903: Package 'System.Text.Json' 6.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-8g4q-xg66-9fp4
I would like to highlight that the way this is currently solved is not satisfactory, and that a solution that has been in preview state for years is not a very good solution for a project that is "from Microsoft". Also, please consider following the standard in implementing hosting support in the future, instead of this (working, but rather unconventional) solution; see here for more details: https://github.com/dotnet/command-line-api/issues/918
Easy fix: add System.Text.Json version 6.0.11 (or whatever v6 version is current/secure) directly to the project.
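Added example, not part of the thread or the project's code: when NU1901-NU1904 are moved to WarningsNotAsErrors as in the workaround above, a CI step can still parse the build output and fail on high or critical findings that nobody has explicitly accepted. The function names, the acceptance policy and the sample log are assumptions constructed for illustration; only the NU1903 message comes from the thread.

```python
import re

# NuGet audit warning codes and the severity each one reports.
SEVERITY_BY_CODE = {"NU1901": "low", "NU1902": "moderate",
                    "NU1903": "high", "NU1904": "critical"}

# Follows the message format quoted in the thread. search() is used because
# build output may wrap the message with a project path prefix and suffix.
AUDIT_RE = re.compile(
    r"warning (NU190[1-4]): Package '([^']+)' (\S+) has a known "
    r"\w+ severity vulnerability, (\S+)")

def parse_audit_warnings(log_text):
    """Return de-duplicated audit findings in first-seen order."""
    findings, seen = [], set()
    for line in log_text.splitlines():
        m = AUDIT_RE.search(line)
        if not m:
            continue
        key = m.groups()  # (code, package, version, advisory URL)
        if key in seen:   # the same warning can appear more than once in a log
            continue
        seen.add(key)
        code, package, version, url = key
        findings.append({"code": code, "package": package, "version": version,
                         "severity": SEVERITY_BY_CODE[code], "advisory": url})
    return findings

def blocking(findings, accepted=frozenset()):
    """High/critical findings not in `accepted` (hypothetical sign-off list
    of (package, version, advisory) triples)."""
    return [f for f in findings
            if f["severity"] in ("high", "critical")
            and (f["package"], f["version"], f["advisory"]) not in accepted]

# Constructed build output; the NU1903 message is the one quoted in the thread,
# the NU1901 line uses a placeholder package and URL.
SAMPLE_LOG = """\
app.csproj : warning NU1903: Package 'System.Text.Json' 6.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-8g4q-xg66-9fp4 [app.csproj]
app.csproj : warning NU1903: Package 'System.Text.Json' 6.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-8g4q-xg66-9fp4 [app.csproj]
app.csproj : warning NU1901: Package 'Example.Placeholder' 1.0.0 has a known low severity vulnerability, https://example.invalid/advisory [app.csproj]
Build succeeded.
"""

if __name__ == "__main__":
    for f in blocking(parse_audit_warnings(SAMPLE_LOG)):
        print(f"BLOCK {f['package']} {f['version']} ({f['severity']}): {f['advisory']}")
```

Once System.Text.Json is referenced directly at a fixed version, the NU1903 line disappears from the build output and the gate passes without an acceptance entry.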