
Update Azure.Identity

Open LeviateK opened this issue 1 year ago • 2 comments

Resolve alerts on a dependency vulnerability within microsoft.entityframeworkcore.sqlserver --> Azure.Identity v1.10.4 Ref: https://github.com/advisories/GHSA-wvxc-855f-jvrv

Upgrade to Azure.Identity version 1.11.0 or higher

LeviateK avatar May 03 '24 04:05 LeviateK

Azure.Identity is a dependency of SqlClient, not of EF; SqlClient 5.1.6 is planned to depend on a new version of Azure.Identity that doesn't have the security issue. Once that's out, EF can update its own dependency on SqlClient.

In the meantime, you can simply take a direct dependency on a newer version of Azure.Identity in your csproj.

roji avatar May 03 '24 08:05 roji
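A check for the workaround suggested above, as an added example that is not part of the original thread: after adding the direct Azure.Identity reference and restoring, it reads the restore output (assumed here to have the layout of `obj/project.assets.json`) and reports which version was resolved and which packages pull it in. The sample data is constructed, and every version in it other than Azure.Identity's is a placeholder.

```python
import json

PACKAGE = "Azure.Identity"
MIN_FIXED = (1, 11, 0)  # from the issue: "version 1.11.0 or higher"

def parse_version(text):
    """'1.11.3' -> (1, 11, 3, 1); a prerelease such as '1.11.0-beta.1' sorts below its release."""
    core, _, prerelease = text.split("+")[0].partition("-")
    nums = [int(p) for p in core.split(".")[:3]]
    nums += [0] * (3 - len(nums))
    return tuple(nums) + (0 if prerelease else 1,)

def audit(assets_json):
    """One finding per target framework: resolved version, whether it is fixed, and its parents."""
    findings = []
    for framework, libs in json.loads(assets_json).get("targets", {}).items():
        resolved = [key.split("/", 1)[1] for key in libs
                    if key.split("/", 1)[0].lower() == PACKAGE.lower()]
        if not resolved:
            continue  # package is not in this target's dependency graph
        parents = sorted(key.split("/", 1)[0] for key, lib in libs.items()
                         if any(dep.lower() == PACKAGE.lower()
                                for dep in lib.get("dependencies", {})))
        findings.append({"framework": framework, "version": resolved[0],
                         "fixed": parse_version(resolved[0]) >= MIN_FIXED + (1,),
                         "pulled_in_by": parents})
    return findings

def sample(resolved_version):
    # Constructed data in the layout of obj/project.assets.json. The 0.0.0 versions are
    # placeholders, not real package metadata.
    return json.dumps({"targets": {"net8.0": {
        "Microsoft.EntityFrameworkCore.SqlServer/0.0.0": {
            "dependencies": {"Microsoft.Data.SqlClient": "0.0.0"}},
        "Microsoft.Data.SqlClient/0.0.0": {
            "dependencies": {"Azure.Identity": "1.10.4"}},
        "Azure.Identity/" + resolved_version: {"dependencies": {}},
    }}})

if __name__ == "__main__":
    # Before the direct reference (transitive 1.10.4) and after it (resolved 1.11.0).
    for version in ("1.10.4", "1.11.0"):
        for finding in audit(sample(version)):
            print(finding)
```
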

Thanks for the update/info - I was going off the Advanced Security detections in DevOps - The other root dependency, Microsoft.Identity.Web, has a merge in-flight to address already.


LeviateK avatar May 06 '24 02:05 LeviateK

Any update on this? SqlClient 5.2.1 is out that uses Azure.Identity 1.11.3

stevehansen avatar Jun 10 '24 08:06 stevehansen

@stevehansen what are you expecting? You can just depend on 5.2.1. EF Core 8 uses 5.1.x as it is LTS, so the upcoming 5.1.6 will fix this.

ErikEJ avatar Jun 10 '24 08:06 ErikEJ

@ErikEJ thanks for letting me know, it wasn't obvious that 5.1 is an LTS and 5.2 not, had to dig deep in the support links for any mention of that. 5.1 had updates until end of January and 5.2 was released in the beginning of February so I just assumed it was the logical latest version.

stevehansen avatar Jun 10 '24 09:06 stevehansen