Version 6.1.3 assemblies depend on ancient packages with security warnings

Open SteveGilham opened this issue 2 months ago • 7 comments

Long chain indirections to insecure .Net libraries shown by VS2026. Not sure why System.Drawing.Common gets in everywhere, but there you are.

SteveGilham avatar Oct 19 '25 13:10 SteveGilham
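One way to see why a package such as System.Drawing.Common "gets in everywhere" is to walk the resolved graph that NuGet restore writes to `obj/project.assets.json`. The script below is an added example, not part of this thread or of the FAKE project. Its sample graph is constructed: the `Example.*` packages and all version numbers are placeholders, not FAKE's real dependency tree.

```python
import json

# Constructed sample in the layout of obj/project.assets.json (placeholder packages and versions).
SAMPLE_ASSETS = json.loads("""
{
  "version": 3,
  "targets": {
    "net6.0": {
      "Example.BuildTool/1.0.0": {"type": "package",
        "dependencies": {"Example.Logger": "1.0.0", "Example.Feed": "1.0.0"}},
      "Example.Logger/1.0.0": {"type": "package",
        "dependencies": {"Example.Engine": "1.0.0"}},
      "Example.Engine/1.0.0": {"type": "package",
        "dependencies": {"System.Drawing.Common": "0.0.0"}},
      "Example.Feed/1.0.0": {"type": "package",
        "dependencies": {"System.Drawing.Common": "0.0.0"}},
      "System.Drawing.Common/0.0.0": {"type": "package"}
    }
  },
  "projectFileDependencyGroups": {"net6.0": ["Example.BuildTool >= 1.0.0"]}
}
""")

def dependency_chains(assets, framework, target):
    """Return every path from a direct dependency down to `target`."""
    graph = {}  # lowercased package id -> ("Id/version", [lowercased dependency ids])
    for key, info in assets["targets"][framework].items():
        name = key.split("/", 1)[0].lower()
        graph[name] = (key, [d.lower() for d in info.get("dependencies", {})])
    # Entries look like "Package.Id >= 1.0.0"; the first token is the package id.
    roots = [e.split()[0].lower()
             for e in assets["projectFileDependencyGroups"].get(framework, [])]
    chains = []

    def walk(name, path, seen):
        if name not in graph or name in seen:  # unresolved reference or cycle
            return
        key, deps = graph[name]
        path = path + [key]
        if name == target.lower():
            chains.append(path)
            return
        for dep in deps:
            walk(dep, path, seen | {name})

    for root in roots:
        walk(root, [], frozenset())
    return chains

if __name__ == "__main__":
    for chain in dependency_chains(SAMPLE_ASSETS, "net6.0", "System.Drawing.Common"):
        print(" -> ".join(chain))
```

To run it against a real project, load that project's `obj/project.assets.json` with `json.load` in place of `SAMPLE_ASSETS`. The first element of each chain is the direct reference that has to move to a newer version to drop the flagged package.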

I think there's still an unfortunate chain of dependencies where MSBuild.StructuredLogger can't be updated until the build here has moved off .NET 6.0 as the Microsoft.Build deps it needs require newer .NET versions :-(

The NuGet libraries could perhaps be updated to 6.12.4 more easily to fix the issues down that tree though

Numpsy avatar Oct 19 '25 13:10 Numpsy

The NuGet packages should be updated now

Numpsy avatar Oct 21 '25 19:10 Numpsy

@Numpsy should we close with 6.1.4 release?

xperiandri avatar Oct 26 '25 17:10 xperiandri

Not just yet, unless you want to open another issue to track the carry over into 6.1.4

SteveGilham avatar Oct 26 '25 17:10 SteveGilham

There is already https://github.com/fsprojects/FAKE/issues/2744 for updating the default version of MSBuild.StructuredLogger here.

Until then, consumers of the libraries running on newer .NET versions can perhaps pick a newer version themselves instead of leaving it on the old version.

Numpsy avatar Oct 26 '25 18:10 Numpsy

Maybe it'd be possible to multi-target Fake.DotNet.MSBuild at .NET 6 and .NET 8 using different StructuredLogger versions until the change to a newer base .NET version is done, but I don't know if it's worth it

Numpsy avatar Oct 26 '25 18:10 Numpsy

Another dependency update in https://github.com/fsprojects/FAKE/pull/2886, in case it's worth another update before doing the .NET8+ changes.

Numpsy avatar Nov 30 '25 19:11 Numpsy