
Microsoft.CodeAnalysis.SourceGenerators.Testing Indirectly References Package w/ High Severity Vulnerability

Open MooVC opened this issue 11 months ago • 0 comments

Issue

The following warning is received on build when referencing the latest version of Microsoft.CodeAnalysis.SourceGenerators.Testing (1.1.2).

Package 'System.Formats.Asn1' 5.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-447r-wph3-92pm

Cause

Version 1.1.2 of Microsoft.CodeAnalysis.SourceGenerators.Testing references Version 6.3.4 of NuGet.Packaging, which in turn references Version 5.0.0 of System.Security.Cryptography.Cng, which in turn references the assembly marked with a High Severity Vulnerability, Version 5.0.0 of System.Formats.Asn1.

Suggested Fix

The issue is addressed in Version 6.12.1 of NuGet.Packaging.

MooVC, Nov 21 '24 20:11
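For a consumer of Microsoft.CodeAnalysis.SourceGenerators.Testing who cannot wait for the package itself to move to NuGet.Packaging 6.12.1, the usual mitigation is to lift the transitive version from their own project: a direct PackageReference to the fixed NuGet.Packaging version wins over the older transitive one, and NuGet's audit settings make the build fail rather than warn if the vulnerable package ever returns. The project fragment below is an added example, not code from the roslyn-sdk repository or from the reporter; the project and target framework names are assumptions, and the 6.12.1 version is the one the issue names as carrying the fix.

```xml
<!-- Example test project (added illustration, not from the roslyn-sdk repository).
     Project name and target framework are assumptions. -->
<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <TargetFramework>net8.0</TargetFramework>
    <IsPackable>false</IsPackable>

    <!-- Audit every package in the graph, not just direct references, so a
         vulnerable transitive dependency such as System.Formats.Asn1 5.0.0
         is reported at restore time. -->
    <NuGetAudit>true</NuGetAudit>
    <NuGetAuditMode>all</NuGetAuditMode>
    <NuGetAuditLevel>low</NuGetAuditLevel>

    <!-- Turn the high-severity audit warning (NU1903, the code behind the
         "has a known high severity vulnerability" message) into a build error
         so the vulnerable graph cannot ship unnoticed. -->
    <WarningsAsErrors>$(WarningsAsErrors);NU1903</WarningsAsErrors>
  </PropertyGroup>

  <ItemGroup>
    <!-- Weak state: only this reference, which pulls in NuGet.Packaging 6.3.4
         -> System.Security.Cryptography.Cng 5.0.0 -> System.Formats.Asn1 5.0.0. -->
    <PackageReference Include="Microsoft.CodeAnalysis.SourceGenerators.Testing" Version="1.1.2" />

    <!-- Mitigation: a direct reference to the fixed version overrides the
         transitive 6.3.4, so the vulnerable Asn1 assembly is no longer resolved.
         Remove once the testing package references 6.12.1 or later itself. -->
    <PackageReference Include="NuGet.Packaging" Version="6.12.1" />
  </ItemGroup>

</Project>
```

After changing the project, `dotnet restore` followed by `dotnet list package --vulnerable --include-transitive` confirms whether any vulnerable package remains in the resolved graph; with the override in place, System.Formats.Asn1 5.0.0 should no longer be listed.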