EPPlusSoftware / EPPlus

EPPlus-Excel spreadsheets for .NET
https://epplussoftware.com

Vulnerabilities in transitive dependencies #1589

Closed Tsingis closed 2 months ago

Tsingis commented 2 months ago

EPPlus usage

Personal use

Environment

Windows/Linux

EPPlus version

7.3.1

Spreadsheet application

No response

Description

Usage of vulnerable transitive dependencies of System.Text.Json and System.Formats.Asn1.

swmal commented 2 months ago

To fix this vulnerability we most likely need to take direct dependencies on the latest version of these two NuGet packages, which are indirect dependencies today. System.Text.Json is referenced via Microsoft.Extensions.Configuration.Json and System.Formats.Asn1 is referenced via System.Security.Cryptography.Pkcs. See the following discussions: https://github.com/dotnet/runtime/issues/107342 and https://github.com/dotnet/runtime/issues/105028

We will provide a patch for this.
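As an added example (not part of the thread and not EPPlus code), the following sketch traces which direct reference pulls in each of the two flagged packages by walking the dependency graph NuGet records in `obj/project.assets.json`. The embedded sample is constructed: the `net8.0` framework key and every version other than EPPlus 7.3.1 are placeholders.

```python
import json
from collections import deque

# Constructed sample in the shape of obj/project.assets.json; versions other
# than EPPlus 7.3.1 are placeholders, not real release numbers.
SAMPLE_ASSETS = json.loads("""
{"targets": {"net8.0": {
  "EPPlus/7.3.1": {"type": "package", "dependencies": {
    "Microsoft.Extensions.Configuration.Json": "0.0.1",
    "System.Security.Cryptography.Pkcs": "0.0.2"}},
  "Microsoft.Extensions.Configuration.Json/0.0.1": {"type": "package",
    "dependencies": {"System.Text.Json": "0.0.3"}},
  "System.Security.Cryptography.Pkcs/0.0.2": {"type": "package",
    "dependencies": {"System.Formats.Asn1": "0.0.4"}},
  "System.Text.Json/0.0.3": {"type": "package"},
  "System.Formats.Asn1/0.0.4": {"type": "package"}}},
 "project": {"frameworks": {"net8.0": {"dependencies": {
   "EPPlus": {"target": "Package", "version": "[7.3.1, )"}}}}}}
""")

def direct_ids(assets, framework):
    """Lower-cased ids of the packages the project references directly."""
    deps = assets["project"]["frameworks"][framework]["dependencies"]
    return {name.lower() for name in deps}

def dependency_paths(assets, framework, wanted):
    """Every chain of resolved 'Id/version' keys from a direct reference to `wanted`."""
    target = assets["targets"][framework]
    # NuGet ids are case-insensitive, so index resolved keys by lower-cased id.
    resolved = {key.split("/", 1)[0].lower(): key for key in target}
    roots = sorted(i for i in direct_ids(assets, framework) if i in resolved)
    queue = deque([resolved[i]] for i in roots)
    paths = []
    while queue:
        path = queue.popleft()
        if path[-1].split("/", 1)[0].lower() == wanted.lower():
            paths.append(path)
            continue
        for dep in target[path[-1]].get("dependencies", {}):
            key = resolved.get(dep.lower())
            if key and key not in path:  # skip unresolved ids and cycles
                queue.append(path + [key])
    return paths

if __name__ == "__main__":
    for pkg in ("System.Text.Json", "System.Formats.Asn1"):
        for path in dependency_paths(SAMPLE_ASSETS, "net8.0", pkg):
            print(" -> ".join(path))
```

A package that appears in a path but not in `direct_ids` is transitive only, which is the case the comment above proposes to change by referencing it directly.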