
Vulnerability in the dependency tree

Open lidvarko opened this issue 1 year ago • 1 comments

There is a vulnerability in the library dependency tree. system.net.request 4.3.0 has a dependency to system.net.http 4.3.0 that has a High severity vulnerability.

lidvarko avatar May 03 '24 12:05 lidvarko

You mean system.net.http? It is a transient, but it is annoying...

Is it possible to lock system.net.http to 4.3.4? Thanks!

SymbioticKilla avatar May 06 '24 07:05 SymbioticKilla

@brianrob why does TraceEvent still require those old .net Standard 1.x libs when the TraceEvent lib is .net standard 2.0?

For example, System.Diagnostics.Process is part of .net standard 2.0 and only required for .net standard 1.x projects which doesn't apply to TraceEvent.

Best is to remove all those old ns1.x support libs.

MagicAndre1981 avatar May 24 '24 07:05 MagicAndre1981

That's a good callout @MagicAndre1981. I've posted #2037 for this.

brianrob avatar May 24 '24 21:05 brianrob