SixLabors / ImageSharp

:camera: A modern, cross-platform, 2D Graphics library for .NET
https://sixlabors.com/products/imagesharp/

Cannot update to v2.1.7 due to vulnerability tag #2689

Closed WParr3 closed 5 months ago

WParr3 commented 5 months ago

Prerequisites

ImageSharp version

2.1.7

Other ImageSharp packages and versions

2.1.6

Environment (Operating system, version and so on)

Windows 10

.NET Framework version

6.0

Description

We are unable to run our build pipelines because when running the NuGet Restore command we are confronted with the error: ##[error]The nuget command failed with exit code(1) and error(NU1903: Warning As Error: Package 'SixLabors.ImageSharp' 2.1.6 has a known high severity vulnerability, https://github.com/advisories/GHSA-65x7-c272-7g7r

Upon inspecting the vulnerability GitHub we found the advisory page for the v2 package, informing that this issue has been patched in version 2.1.7 (we are currently on 2.1.6): https://github.com/SixLabors/ImageSharp/security/advisories/GHSA-65x7-c272-7g7r

However, upon updating the package using Visual Studio's NuGet Package Manager, it fails as version 2.1.7 is marked with the tag "Vulnerable", causing a rollback to occur during the update attempt.

Could this tag be removed from v2.1.7 so that we can proceed to update the package and subsequently run our CI/CD pipelines successfully once more?

Steps to Reproduce

  1. Open NuGet Package Manager in Visual Studio;
  2. Select package source: nuget(.org);
  3. Find the SixLabors.ImageSharp package;
  4. Check the projects for which you wish to update and select version 2.1.7 from the dropdown;
  5. Click the "Install" button;

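To show why a mis-scoped advisory makes the patched release itself fail the NU1903 audit, here is an added example (not code from the issue or from the SixLabors project) that models the check a dependency scanner performs: does the installed version fall inside any of the advisory's affected ranges? The advisory records below are constructed for illustration only; the real contents of the GHSA-65x7-c272-7g7r entry before and after the correcting pull request are not reproduced here.

```python
"""Minimal model of an advisory-range check, as used by NuGet audit (NU1903)
or any OSV-style scanner: a version is affected if it lies in some
[introduced, fixed) interval.  Everything here is constructed for illustration."""

from typing import Optional


def parse_version(v: str) -> tuple:
    # NuGet versions are SemVer-like; compare numeric parts only and drop any
    # pre-release suffix, which is sufficient for the 2.1.x releases discussed.
    core = v.split("-", 1)[0]
    return tuple(int(p) for p in core.split("."))


def is_affected(version: str, ranges: list) -> bool:
    """True if `version` is inside any range: introduced <= version < fixed.
    A range without 'fixed' means every later version is still affected."""
    ver = parse_version(version)
    for rng in ranges:
        if ver < parse_version(rng.get("introduced", "0")):
            continue
        fixed: Optional[str] = rng.get("fixed")
        if fixed is None or ver < parse_version(fixed):
            return True
    return False


def upgrade_clears_advisory(current: str, target: str, advisory: dict) -> bool:
    """Would upgrading current -> target stop the audit from flagging the package?
    If the target is still flagged, a package manager treating NU1903 as an
    error rolls the update back, which is the behaviour reported in the issue."""
    return is_affected(current, advisory["ranges"]) and not is_affected(
        target, advisory["ranges"]
    )


# Constructed advisory records (hypothetical ranges, not the database's own data).
# MISSCOPED: the upper bound is placed above 2.1.7, so the patched release is
# still inside the affected interval and gets flagged.
MISSCOPED = {"id": "GHSA-65x7-c272-7g7r", "ranges": [{"introduced": "2.0.0", "fixed": "2.1.8"}]}
# CORRECTED: 2.1.7 is recorded as the first fixed 2.x release.
CORRECTED = {"id": "GHSA-65x7-c272-7g7r", "ranges": [{"introduced": "2.0.0", "fixed": "2.1.7"}]}

if __name__ == "__main__":
    for name, adv in (("mis-scoped", MISSCOPED), ("corrected", CORRECTED)):
        for v in ("2.1.6", "2.1.7"):
            print(f"{name:10} {adv['id']} SixLabors.ImageSharp {v}: affected={is_affected(v, adv['ranges'])}")
```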

Gabriel2048 commented 5 months ago

I am seeing the same issue: error NU1903: Package 'SixLabors.ImageSharp' 2.1.7 has a known high severity vulnerability, https://github.com/advisories/GHSA-65x7-c272-7g7r on .NET 8

jizc commented 5 months ago

I believe this will be resolved by this PR: https://github.com/github/advisory-database/pull/3936

kendallb commented 5 months ago

Same issue. Cannot migrate to 3.x as we are still on .NET 4.8. I assume we just upgrade to 2.1.7 and wait for the advisory to be fixed in GitHub/NuGet?

JimBobSquarePants commented 5 months ago

We had to wait for the advisory update to be merged. Should be fine now.

https://www.nuget.org/packages/SixLabors.ImageSharp/2.1.7