Azure / azure-sdk-for-net

This repository is for active development of the Azure SDK for .NET. For consumers of the SDK we recommend visiting our public developer docs at https://learn.microsoft.com/dotnet/azure/ or our versioned developer docs at https://azure.github.io/azure-sdk-for-net.
MIT License

[SECURITY] new version of Azure.Extensions.AspNetCore.DataProtection.Blobs to combat dependency security vulnerability please #47176

Open robrich opened 2 hours ago

robrich commented 2 hours ago

Library name and version

Azure.Extensions.AspNetCore.DataProtection.Blobs 1.3.4

Describe the bug

Azure.Extensions.AspNetCore.DataProtection.Blobs depends on ... depends on System.Drawing.Common 4.7.0 which has a critical vulnerability, causing a build warning. Can we get a new build of Azure.Extensions.AspNetCore.DataProtection.Blobs that depends on the recently released version of Microsoft.AspNetCore.DataProtection that doesn't have this vulnerability?

Expected behavior

Build succeeds without warnings.

Actual behavior

Build fails when "Treat warnings as Errors" is enabled, and NuGet package restore fails.

Reproduction Steps

  1. Add Azure.Extensions.AspNetCore.DataProtection.Blobs NuGet package
  2. See NuGet security error
  3. Cry

Environment

ASP.NET 9, VS 2022

github-actions[bot] commented 2 hours ago

Thank you for your feedback. Tagging and routing to the team member best able to assist.