FoundatioFx / Foundatio.AzureServiceBus

Foundatio Azure ServiceBus
Apache License 2.0

Security issue in JWT 5.4.0 #41

Open alensiljak opened 6 months ago

alensiljak commented 6 months ago

Hi! The Jwt 5.4.0 is flagged as a security risk by SonarQube. It is used by Microsoft.AzureServiceBus.


Upgrading JWT to at least 5.7.0 would fix this.

alensiljak commented 6 months ago

😱


Do you have plans on updating the dependencies?

niemyjski commented 6 months ago

Hello,

We'd be willing to accept any PRs to update this.

alensiljak commented 6 months ago

Microsoft.Azure.ServiceBus is deprecated so it's a bit of a bigger issue than just a PR.

https://www.nuget.org/packages/Microsoft.Azure.ServiceBus


niemyjski commented 6 months ago

We need to get the Azure libs updated and it's on our list (we'd be very grateful for a PR if you have some time). The problem is they keep coming out with a completely new package, which seems to happen yearly, and the one after this one had crazy management libraries, which they've since removed due to pushback.

alensiljak commented 6 months ago

Thanks for the feedback! I'd like to help but, as usual, it's a matter of availability of time. I'm waiting for some guidelines on how to proceed.

alensiljak commented 6 months ago

The quickest solution to this particular issue is to force a (currently) safe version of Jwt by adding

<PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="5.7.0" />

to the project file. So, no pressure for now, until some other vulnerability is identified. :)
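As an added illustration (not code from this issue or from the Foundatio project), a consuming project file that applies the override above; the Foundatio package ID and its version placeholder are assumptions, as is the target framework:

```xml
<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <!-- Assumed target framework; use whatever the consuming project targets. -->
    <TargetFramework>net6.0</TargetFramework>
  </PropertyGroup>

  <ItemGroup>
    <!-- Assumed package ID and placeholder version; substitute the ones in use. -->
    <PackageReference Include="Foundatio.AzureServiceBus" Version="X.Y.Z" />

    <!-- Direct reference to the JWT package that otherwise arrives only transitively
         through Microsoft.Azure.ServiceBus. NuGet resolves with a nearest-wins rule,
         so a direct reference at 5.7.0 takes precedence over the lower version
         requested by the transitive chain, and 5.7.0 is what ends up in the build. -->
    <PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="5.7.0" />
  </ItemGroup>

</Project>
```

After a restore, `dotnet list package --include-transitive` shows which version of System.IdentityModel.Tokens.Jwt was actually resolved, and `dotnet list package --vulnerable --include-transitive` reports any remaining transitive package with a known advisory, which is the check worth repeating whenever the Azure dependencies change.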