In the recent round of November 2023 updates, there was a vulnerability fixed in Microsoft.AspNetCore.Components. Blazored.LocalStorage depends on Microsoft.AspNetCore.Components.Web, which transitively depends on the Microsoft.AspNetCore.Components package, which is vulnerable if it is not updated. Blazored.LocalStorage depends on the x.0.0 versions of these packages:
My understanding is (correct me if I'm wrong), if someone creates a simple Blazor project and just adds a Blazored.LocalStorage reference, then NuGet will install the oldest specified versions of the transitive dependencies (e.g. 6.0.0 for net6.0 targets and 7.0.0 for net7.0), which are vulnerable. To fix, the developer might be able to manually reference the transitive dependencies in updated versions. However, he needs to notice the need first (which isn't made obvious by any standard tooling). This probably requires an understanding of "how NuGet works" beyond what a beginner would have. Thus, it might be worth considering publishing an update to Blazored.LocalStorage that depends on the fixed versions of these packages.
Not the same topic, but maybe it's also a possibility to add net8.0 as a target framework?
I'd consider creating a PR if you want to. However, I wasn't sure if I understood all the nuances of "Which dependency in which version would be best?" in enough detail, or: "What are the consequences if I just replace 7.0.0 with 7.0.14?" Also, I have no relevant experience with the code base of Blazored.LocalStorage.
Sorry for not using any of the templates, but I thought this doesn't really fit any of them.
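The workaround described in the issue (a direct reference to the transitive package so that restore picks the patched version rather than the 7.0.0 floor inherited through Blazored.LocalStorage) looks like this in a project file. This is an added example, not code from the issue or from the Blazored.LocalStorage project; the SDK name and the Blazored.LocalStorage version are placeholders, and 7.0.14 is the patched .NET 7 version the issue itself mentions.

```xml
<!-- Added example (not from the issue or the Blazored.LocalStorage project).
     A net7.0 Blazor project that consumes Blazored.LocalStorage and pins the
     transitive Microsoft.AspNetCore.Components packages to the patched 7.0.14.
     The Sdk attribute and the Blazored.LocalStorage version are placeholders. -->
<Project Sdk="Microsoft.NET.Sdk.Web">

  <PropertyGroup>
    <TargetFramework>net7.0</TargetFramework>
  </PropertyGroup>

  <ItemGroup>
    <!-- Brings in Microsoft.AspNetCore.Components.Web >= 7.0.0 transitively;
         without the references below, restore resolves the lowest version, 7.0.0. -->
    <PackageReference Include="Blazored.LocalStorage" Version="X.Y.Z" />

    <!-- A direct reference takes precedence over the transitive lower bound
         (nearest-wins), so restore resolves 7.0.14 for both packages. -->
    <PackageReference Include="Microsoft.AspNetCore.Components" Version="7.0.14" />
    <PackageReference Include="Microsoft.AspNetCore.Components.Web" Version="7.0.14" />
  </ItemGroup>

</Project>
```

After `dotnet restore`, `dotnet list package --include-transitive` shows the resolved version of every transitive package, and `dotnet list package --vulnerable --include-transitive` reports the ones with a known advisory, which is the check that tells a developer whether the pin is still needed.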