Azure / azure-iot-sdk-csharp

A C# SDK for connecting devices to Microsoft Azure IoT services

[Bug Report] Upgrade dependency on Microsoft.Rest.ClientRuntime to Azure.Core #3396

Closed kristofferpagels closed 8 months ago

kristofferpagels commented 9 months ago

Description of the issue

The Microsoft.Azure.Devices version 1.39 depends on the Microsoft.Rest.ClientRuntime version 2.3.21, which has a security vulnerability (https://github.com/advisories/GHSA-whph-446h-6m9v).

Furthermore, this package has been deprecated; see https://www.nuget.org/packages/Microsoft.Rest.ClientRuntime/

Microsoft.Rest.ClientRuntime will no longer receive security fixes after September 2023. The dependency should probably be updated to Azure.Core.

timtay-microsoft commented 9 months ago

We have upgraded this dependency via #3400 to fix the security vulnerability.

We do plan on removing the dependency on this deprecated library in the v2 of this SDK, but we don't have a timeline on when that will be released. We can't remove it from our v1 client without causing breaking changes, unfortunately.

timtay-microsoft commented 8 months ago

Given that we can't remove/replace the Microsoft.Rest.ClientRuntime in the v1 of this SDK, I'll close this issue since the latest release contains the security fixes relevant to that library.

We still plan on making the switch to Azure.Core in our v2 SDK, though.