Azure / azure-sdk-for-net

This repository is for active development of the Azure SDK for .NET. For consumers of the SDK we recommend visiting our public developer docs at https://learn.microsoft.com/dotnet/azure/ or our versioned developer docs at https://azure.github.io/azure-sdk-for-net.
MIT License

[BUG]: CG Alert: Upgrade System.IdentityModel.Tokens.Jwt to latest version on Microsoft.Azure.WebJobs.Extensions.SignalRService namespace #44015

Open srini3793 opened 4 months ago

srini3793 commented 4 months ago

Library name and version

Microsoft.Azure.WebJobs.Extensions.SignalRService 1.13.0

Describe the bug

I've received a CG alert on the following package reference coming through the latest version of Microsoft.Azure.WebJobs.Extensions.SignalRService: Upgrade System.IdentityModel.Tokens.Jwt from 6.5.0 to 6.34.0 to fix the vulnerability.

Kindly upgrade the dependency to the latest version and release the newer version for downstream consumption.

Expected behavior

Security vulnerability fix by upgrading the mentioned package

Actual behavior

An older version of System.IdentityModel.Tokens.Jwt is used, which seems to be flagged with a security issue

Reproduction Steps

Check the dependent packages' versions

Environment

No response

github-actions[bot] commented 4 months ago

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @chenkennt @sffamily @Y-Sindo.
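
The reproduction step in the report (checking the dependent packages' versions) can be scripted against the `obj/project.assets.json` file that NuGet restore writes for a consuming project. This is an added example, not code from the issue or from the SDK; the sample JSON is constructed, and its `net6.0` target and direct dependency edge are assumptions for illustration.

```python
import json

PACKAGE = "System.IdentityModel.Tokens.Jwt"  # package named in the alert
MIN_FIXED = (6, 34, 0)                       # target version stated in the issue

def parse_version(text):
    """'6.5.0' -> (6, 5, 0). Prerelease/build suffixes are dropped (a simplification)."""
    core = text.split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in core.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def audit(assets, package=PACKAGE, min_fixed=MIN_FIXED):
    """List each target framework where `package` resolves below `min_fixed`."""
    wanted = package.lower()  # NuGet package IDs are case-insensitive
    findings = []
    for tfm, libs in assets.get("targets", {}).items():
        resolved = {k.partition("/")[0].lower(): k.partition("/")[2] for k in libs}
        version = resolved.get(wanted)
        if version is None or parse_version(version) >= min_fixed:
            continue
        # Packages in this target that declare a dependency on the flagged one.
        parents = sorted(
            key for key, info in libs.items()
            if any(dep.lower() == wanted for dep in info.get("dependencies", {}))
        )
        findings.append({"target": tfm, "resolved": version, "pulled_in_by": parents})
    return findings

# Constructed sample in the shape of obj/project.assets.json (not real restore output).
SAMPLE_ASSETS = json.loads("""
{
  "version": 3,
  "targets": {
    "net6.0": {
      "Microsoft.Azure.WebJobs.Extensions.SignalRService/1.13.0": {
        "type": "package",
        "dependencies": {"System.IdentityModel.Tokens.Jwt": "6.5.0"}
      },
      "System.IdentityModel.Tokens.Jwt/6.5.0": {"type": "package"}
    }
  }
}
""")

if __name__ == "__main__":
    for finding in audit(SAMPLE_ASSETS):
        print(finding)
```

To check a real project, load its `obj/project.assets.json` with `json.load` after a restore and pass the result to `audit`.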