Security vulnerabilities in Puppeteer-Sharp

Open LeonFreriks-calvi opened this issue 3 years ago • 1 comments

Description

Puppeteer sharp uses various transitive packages causing security alerts

Complete minimal example reproducing the issue

Run the command: dotnet list package --vulnerable --include-transitive

Expected behavior:

Most likely, transitive packages need to be updated, or alternatives need to be used, to reduce security concerns

Actual behavior:

Outdated transitive packages are used that contain security issues

The errors can be found using dotnet list package --vulnerable --include-transitive

Which exact package contains the vulnerability is trial and error unfortunately

From my own experience so far:

xunit 2.4.2 -> xunit 2.4.0 (https://devscope.io/code/xunit/xunit/issues/2568)

Microsoft.PowerShell.SDK Microsoft.VisualStudio.Web.CodeGeneration.Design Microsoft.AspNetCore.Authentication

Serilog.Sinks.MSSqlServer (https://github.com/serilog-mssql/serilog-sinks-mssqlserver/issues/417)

AutoFixture AutoFixture.AutoMoq AutoFixture.Xunit2 https://github.com/AutoFixture/AutoFixture/issues/1356

System.ServiceModel.Http System.ServiceModel.Security System.ServiceModel.Duplex System.ServiceModel.NetTcp

Microsoft.AspNetCore.WebUtilities

Castle.Core.AsyncInterceptor https://github.com/JSkimming/Castle.Core.AsyncInterceptor/issues/166

Versions

Version 7.1 .NET 6

Thanks in advance!

LeonFreriks-calvi, Sep 22 '22 08:09

Makes sense. Do you want to create a PR for that?

kblok, Sep 22 '22 12:09
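
Added example (not part of the original issue and not PuppeteerSharp code): one way to replace the trial and error mentioned in the issue is to walk the dependency graph that NuGet writes to obj/project.assets.json after a restore, and list every chain from a direct reference down to the package that dotnet list package --vulnerable --include-transitive flagged. The package names and the JSON fragment below are constructed placeholders, and paths_to is a hypothetical helper name.

```python
import json
from collections import deque

# Constructed fragment of obj/project.assets.json (package names are placeholders).
SAMPLE_ASSETS = json.loads("""
{
  "targets": {
    "net6.0": {
      "Example.Browser/7.1.0": {"type": "package", "dependencies": {"Example.Http": "2.0.2"}},
      "Example.Http/2.0.2": {"type": "package", "dependencies": {"Example.Encoding": "4.4.0"}},
      "Example.Encoding/4.4.0": {"type": "package"},
      "Example.Logging/5.0.0": {"type": "package", "dependencies": {"Example.Encoding": "4.4.0"}},
      "Example.Test/2.4.2": {"type": "package"}
    }
  },
  "projectFileDependencyGroups": {
    "net6.0": ["Example.Browser >= 7.1.0", "Example.Logging >= 5.0.0", "Example.Test >= 2.4.2"]
  }
}
""")

def paths_to(assets, framework, vulnerable):
    """Return every chain from a direct reference to the vulnerable package."""
    target = assets["targets"][framework]
    # Index resolved libraries by lower-cased id; NuGet ids are case-insensitive.
    resolved = {key.split("/")[0].lower(): key for key in target}
    # Direct references are listed as "Id >= version"; keep only the id.
    roots = [d.split()[0].lower() for d in assets["projectFileDependencyGroups"][framework]]
    found, queue = [], deque([r] for r in roots if r in resolved)
    while queue:  # breadth-first, so shorter chains are reported first
        path = queue.popleft()
        if path[-1] == vulnerable.lower():
            found.append([resolved[p] for p in path])
            continue
        for dep in target[resolved[path[-1]]].get("dependencies", {}):
            dep = dep.lower()
            if dep in resolved and dep not in path:  # skip unresolved ids and cycles
                queue.append(path + [dep])
    return found

if __name__ == "__main__":
    # Assumption: "Example.Encoding" stands in for the package the scan reported.
    for chain in paths_to(SAMPLE_ASSETS, "net6.0", "Example.Encoding"):
        print(" -> ".join(chain))
```

The first element of each chain is the direct reference to upgrade or replace; when several chains appear, each of those references has to move to a version that pulls in a fixed release before the alert clears.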