
Upgrade the project to .net 8.0 and fix high security vulnerabilities (one failing test remaining)

Open DamirTomic opened this issue 1 year ago • 7 comments

Hi, I wanted to fix a dependency that is rated a high-security vulnerability, but in order to do that I had to make significant upgrades to the project, such as upgrading it to .net 8.0. I hope you're ok with that, if not, we can discuss.

There is 1 test that's failing, but I think the test is incorrectly written. I can fix it if we agree on a solution:

a) test shouldn't throw an exception if you pass a valid string but the file doesn't exist
b) test should throw a filenotfound exception or something like that if the string exists but the file path doesn't
c) other?

DamirTomic avatar Dec 20 '24 11:12 DamirTomic

Hey Damir

Thanks for your PR, it's a very valuable missing piece we had. However, because you replaced tabs with spaces on certain files (but not all of them, though), it completely messed up the diff, and it's hard to tell what was changed without going line by line.

Also, dropping netstandard is going to make the library unusable for some people, which I'd like to avoid. Are you sure there is no way to have updated packages without vulnerabilities without dropping it?

I also noticed that #if directives for runtime-specific areas were not changed.

toddams avatar Dec 23 '24 10:12 toddams

Ok, let me see if I can make this work with .net standard, and I'll fix the other things as well.

DamirTomic avatar Dec 23 '24 12:12 DamirTomic

Any plans to merge this?

gumbarros avatar Feb 01 '25 20:02 gumbarros

Of course, as soon as all PR comments will be addressed

toddams avatar Feb 10 '25 17:02 toddams

> Of course, as soon as all PR comments will be addressed

Hi, why does the package have to have net standard since net standard is deprecated? We are now in .net and this library is getting old. Please move to the latest net version, however, we will be forced to move to another library or create a new one. Also, this library has security vulnerabilities.

Elinares-82 avatar Mar 04 '25 20:03 Elinares-82

This is an open source project, mainly driven by the community PRs at this point. There are ways to achieve what the library offers using the official API. Yet you are acting like you are paying for it and demanding some actions. If you are unsatisfied, or the project doesn’t meet your needs, feel free to submit a PR or fork it and adjust accordingly. But don’t get it twisted, we are not obliged to anything here.

toddams avatar Mar 04 '25 20:03 toddams

> But don’t get it twisted, we are not obliged to anything here.

Hi, my apologies if my comment was taken as a rude one, but this is just a comment or suggestion, since the net is now in version 9. I'm not paying and also, I'm using the package and thanks for that, but as a maintainer the community is asking for a package update. And finally, yes you are not obliged to anything here, but it is not necessary to say it.

Elinares-82 avatar Mar 04 '25 21:03 Elinares-82