Open the-black-wolf opened 1 month ago
Wonderful catch, thank you for the heads up
Hm, not to be a stickler, but can we expect a NuGet release with the updated references? We are kind of getting our ears pulled by CI.
@the-black-wolf, just a heads up, the 9.0 release was pulled as we are moving to be fully integrated with the Prism project. All new releases starting with 9.0 will be created over there moving forward.
@DamianSuess hi, can you please point me as I don't see Avalonia in the main Prism project?
We're still working on the migration to get things published.
What's the best way to reach you to get the support you need?
@DamianSuess it's not that big of a deal that I would want to waste your time. I am happy to just track the progression of this, if there is an issue or a pull request I can follow. For now I added a v8 reference into the project, overriding the transitive one from Prism.Avalonia, to get us through the CI. I have no way of knowing if this will cause us any regression issues, but for now we are into development and not yet into CD. There is still some time left before we have to roll it out.
Description
Prism.Avalonia (including prerelease) has a versioned dependency chain starting with `System.Configuration.ConfigurationManager` 4.7.0 which ends in package `System.Drawing.Common` 4.7.0 which has a known critical severity vulnerability, https://github.com/advisories/GHSA-rxg9-xrhp-64gj
Reference should be upgraded to the latest 8.0.0 version.
Environment
Severity (1-5)
3: it's annoying, but also causes errors in `TreatWarningsLikeErrors` build configs.
Steps To Reproduce
Steps to reproduce the behavior: Just add the package and build under latest toolkit, warning should pop up:
`C:\projects\Foo\Fai\Fo\Fam.csproj : warning NU1904: Package 'System.Drawing.Common' 4.7.0 has a known critical severity vulnerability, https://github.com/advisories/GHSA-rxg9-xrhp-64gj`
Expected Behavior
Updated references
Screenshots
n/a
Additional context
n/a
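
Added example (not from this issue thread or from the Prism.Avalonia project): the NU1904 warning names the flagged package but not the direct reference that pulls it in. This Python script walks the restore output `obj/project.assets.json` and lists every chain from a direct reference to the flagged version, so a CI job can report the chain and confirm that a direct override removed it. The sample data is constructed; the Prism.Avalonia version and `Intermediate.Package` are placeholders.

```python
import json

# Constructed sample in the shape of obj/project.assets.json (NuGet restore output).
# "0.0.0-placeholder" and "Intermediate.Package" are placeholders, not real values.
SAMPLE_ASSETS = json.loads("""
{
  "targets": {
    "net8.0": {
      "Prism.Avalonia/0.0.0-placeholder": {
        "type": "package",
        "dependencies": {"System.Configuration.ConfigurationManager": "4.7.0"}
      },
      "System.Configuration.ConfigurationManager/4.7.0": {
        "type": "package",
        "dependencies": {"Intermediate.Package": "4.7.0"}
      },
      "Intermediate.Package/4.7.0": {
        "type": "package",
        "dependencies": {"System.Drawing.Common": "4.7.0"}
      },
      "System.Drawing.Common/4.7.0": {"type": "package"}
    }
  },
  "projectFileDependencyGroups": {"net8.0": ["Prism.Avalonia >= 0.0.0-placeholder"]}
}
""")


def chains_to(assets, package, flagged_version):
    """Return (target, chain) for every path from a direct reference to package/flagged_version."""
    found = []
    wanted = f"{package}/{flagged_version}".lower()
    for tfm, libs in assets["targets"].items():
        # NuGet resolves one version per package id per target: id -> ("Id/Version", deps)
        resolved = {}
        for key, info in libs.items():
            resolved[key.split("/", 1)[0].lower()] = (key, info.get("dependencies", {}))

        def walk(name, path):
            entry = resolved.get(name.lower())
            if entry is None or entry[0] in path:  # not restored, or a cycle
                return
            path = path + [entry[0]]
            if entry[0].lower() == wanted:
                found.append((tfm, path))
                return
            for dep in entry[1]:
                walk(dep, path)

        # Direct references look like "Prism.Avalonia >= 1.2.3"; RID-specific targets have none.
        for ref in assets.get("projectFileDependencyGroups", {}).get(tfm, []):
            walk(ref.split()[0], [])
    return found
```

On a real project, pass `json.load(open("obj/project.assets.json"))` instead of `SAMPLE_ASSETS`; an empty result after adding a direct reference means the flagged version is no longer resolved.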