
Update packages references

Open cremor opened this issue 1 year ago • 2 comments

Could you please update the references to 3rd party packages? Currently those old package versions are either vulnerable/deprecated themselves or bring in some other transient dependencies which are vulnerable/deprecated.

  • System.Text.Json 5.0.2 is deprecated
  • Microsoft.AspNet.WebApi.Client 5.2.4 -> Newtonsoft.Json.Bson 1.0.1 -> NETStandard.Library 1.6.1 -> multiple vulnerable packages

Output for a new xUnit test project with FluentAssertions.Web:

> dotnet list package --include-transitive --vulnerable
   Transitive Package                    Resolved   Severity   Advisory URL
   > System.Net.Http                     4.3.0      High       https://github.com/advisories/GHSA-7jgj-8wvc-jh57
   > System.Text.RegularExpressions      4.3.0      High       https://github.com/advisories/GHSA-cmhx-cq75-c4mj

> dotnet list package --include-transitive --deprecated
   Transitive Package      Resolved   Reason(s)      Alternative
   > System.Text.Json      5.0.2      Other,Legacy

cremor, Jan 16 '24 08:01
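The audit shown in the post, turned into a CI gate that fails the build when `dotnet list package --include-transitive --vulnerable` reports anything at or above a chosen severity. This is an added example, not code from the issue or from the FluentAssertions.Web project: `count_vulnerable` and `audit_project` are names chosen here, the sample output is a constructed copy of the two transitive rows above (with a made-up project name `Tests`), and running the real audit assumes the .NET SDK is installed and can reach the package source.

```shell
#!/usr/bin/env bash
# Added example (not from the FluentAssertions.Web project or the issue author):
# parse `dotnet list package --include-transitive --vulnerable` output and fail a
# CI step on hits at or above a severity threshold.
set -u

# Count package rows whose reported severity is >= $1 (Low|Moderate|High|Critical).
# Reads the `dotnet list package --vulnerable` table on stdin and prints the count.
count_vulnerable() {
  min="${1:-High}"
  case "$min" in
    Low|Moderate|High|Critical) ;;
    *) echo "count_vulnerable: unknown severity '$min'" >&2; return 2 ;;
  esac
  awk -v min="$min" '
    BEGIN {
      rank["Low"] = 1; rank["Moderate"] = 2; rank["High"] = 3; rank["Critical"] = 4
      n = 0
    }
    # Package rows start with ">" and end with the advisory URL. Top-level rows carry
    # an extra "Requested" column, so the severity is read relative to the end of
    # the line rather than by fixed column position.
    $1 == ">" && $NF ~ /^https?:\/\// {
      sev = $(NF - 1)
      if (sev in rank && rank[sev] >= rank[min]) n++
    }
    END { print n }'
}

# Run the real audit in a project directory and return non-zero on any hit.
# Usage: audit_project ./tests/MyProject.Tests [High]
# Assumes the .NET SDK is on PATH and the package source is reachable.
audit_project() {
  dir="$1"
  min="${2:-High}"
  hits=$(cd "$dir" && dotnet list package --include-transitive --vulnerable | count_vulnerable "$min") || return $?
  if [ "$hits" -gt 0 ]; then
    echo "audit_project: $hits vulnerable package(s) at severity >= $min in $dir" >&2
    return 1
  fi
  echo "audit_project: no vulnerable packages at severity >= $min in $dir"
}

# Constructed sample: the transitive rows reported in the issue, wrapped in the
# preamble lines `dotnet list package` prints (project name "Tests" is made up).
SAMPLE_OUTPUT='The following sources were used:
   https://api.nuget.org/v3/index.json

Project `Tests` has the following vulnerable packages
   Transitive Package                    Resolved   Severity   Advisory URL
   > System.Net.Http                     4.3.0      High       https://github.com/advisories/GHSA-7jgj-8wvc-jh57
   > System.Text.RegularExpressions      4.3.0      High       https://github.com/advisories/GHSA-cmhx-cq75-c4mj'

# Stand-alone run over the constructed sample: prints 2 for High, 0 for Critical.
printf '%s\n' "$SAMPLE_OUTPUT" | count_vulnerable High
printf '%s\n' "$SAMPLE_OUTPUT" | count_vulnerable Critical
```

In a pipeline the `audit_project` step replaces eyeballing the table; the threshold lets a team block on High and Critical while still seeing lower severities in the job log. The `--include-transitive` flag matters here: both hits in the issue are transitive, so a top-level-only audit would report nothing.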

I don't want to add constraints, unless there is a security issue. The dependencies are not strict, so clients can reference newer versions that are non-deprecated versions.

adrianiftode, Jan 16 '24 12:01

I've updated the initial post with additional information that shows that there are also security issues.

Also, how would a package update add constraints? All those referenced packages still support .NET Standard 2.0 (your only target framework) in their latest versions.

cremor, Jan 17 '24 06:01