Open alensiljak opened 6 months ago
😱
Do you have plans on updating the dependencies?
Hello,
We'd be willing to accept any PRs to update this.
Microsoft.Azure.ServiceBus is deprecated so it's a bit of a bigger issue than just a PR.
We need to get the Azure libs updated and it's on our list (we would be very grateful for a PR if you have some time). The problem is they keep coming out with a completely new package, seemingly yearly, and the one after this one had crazy management libraries, which they've since removed due to pushback.
Thanks for the feedback! I'd like to help but, as usual, it's a matter of availability of time. I'm waiting for some guidelines on how to proceed.
The quickest solution to this particular issue is to force a (currently) safe version of Jwt by adding
<PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="5.7.0" />
to the project file. So, no pressure for now, until some other vulnerability is identified. :)
Hi! The Jwt 5.4.0 is flagged as a security risk by SonarQube. It is used by Microsoft.Azure.ServiceBus.
Upgrading JWT to at least 5.7.0 would fix this.
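A way to confirm that the pin suggested in the thread took effect, as an added example (not part of the thread or the project's code): after a restore, NuGet records the resolved package graph in `obj/project.assets.json`, and this script reports every target where System.IdentityModel.Tokens.Jwt resolves below 5.7.0, along with the packages that pull it in. The sample graph is constructed, the target framework key is an assumption, and the ServiceBus version `x.y.z` is a placeholder.

```python
import json

PACKAGE = "System.IdentityModel.Tokens.Jwt"
MINIMUM = (5, 7, 0)  # the version the thread treats as safe


def sample_assets(resolved_jwt):
    """Constructed sample shaped like obj/project.assets.json (not real output)."""
    return json.dumps({"targets": {".NETStandard,Version=v2.0": {
        # x.y.z is a placeholder version, not taken from the project
        "Microsoft.Azure.ServiceBus/x.y.z": {
            "type": "package",
            # a transitive dependency declares a minimum, not the resolved version
            "dependencies": {PACKAGE: "5.4.0"},
        },
        f"{PACKAGE}/{resolved_jwt}": {"type": "package", "dependencies": {}},
    }}})


def parse_version(text):
    """Turn '5.7.0' or '5.7.0-preview1' into a comparable (major, minor, patch)."""
    core = text.split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in core.split(".")][:3]
    return tuple(parts + [0] * (3 - len(parts)))


def audit(assets_json, package=PACKAGE, minimum=MINIMUM):
    """List targets where `package` resolved below `minimum`, with its parents."""
    findings = []
    for target, libs in json.loads(assets_json).get("targets", {}).items():
        resolved, parents = None, []
        for key, lib in libs.items():
            name, _, version = key.partition("/")
            if name.lower() == package.lower():  # NuGet ids are case-insensitive
                resolved = version
            if any(d.lower() == package.lower() for d in lib.get("dependencies", {})):
                parents.append(name)
        if resolved and parse_version(resolved) < minimum:
            findings.append({"target": target, "resolved": resolved,
                             "pulled_in_by": sorted(parents)})
    return findings


if __name__ == "__main__":
    print("without pin:", audit(sample_assets("5.4.0")))
    print("with pin:   ", audit(sample_assets("5.7.0")))
```

With the direct `PackageReference` in place the resolved entry moves to 5.7.0 even though the ServiceBus dependency still declares 5.4.0, so the audit returns no findings.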