SpecFlowOSS / SpecFlow

#1 .NET BDD Framework. SpecFlow automates your testing & works with your existing code. Find Bugs before they happen. Behavior Driven Development helps developers, testers, and business representatives to get a better understanding of their collaboration
https://www.specflow.org/

Security vulnerability #2609

Closed yellowpanda closed 2 years ago

yellowpanda commented 2 years ago

SpecFlow Version

3.9.74

Which test runner are you using?

xUnit

Test Runner Version Number

2.4.1

.NET Implementation

.NET 5.0

Project Format of the SpecFlow project

Sdk-style project format

.feature.cs files are generated using

SpecFlowSingleFileGenerator custom tool

Test Execution Method

Visual Studio Test Explorer

SpecFlow Section in app.config or content of specflow.json

No response

Issue Description

The SpecFlow 3.9.74 NuGet package references Microsoft.Extensions.DependencyModel 1.0.3, and it references Newtonsoft.Json 9.0.1.

Newtonsoft.Json 9.0.1 has a high security vulnerability: https://www.nuget.org/packages/Newtonsoft.Json/9.0.1

Microsoft.Extensions.DependencyModel 1.0.3 is also marked as deprecated: https://www.nuget.org/packages/Microsoft.Extensions.DependencyModel/1.0.3

Same issue for SpecFlow 3.10.2-beta.

Consider upgrading to Microsoft.Extensions.DependencyModel 6.0.0.

Steps to Reproduce

Traverse dependencies on https://www.nuget.org/packages/SpecFlow/3.9.74#dependencies-body-tab.

Or use a tool like Mend (previously known as WhiteSource).

Link to Repro Project

No response

SabotageAndi commented 2 years ago

Thanks for letting us know. It will be fixed with SpecFlow 4. As our dependency is set to >= 1.03, you can manually install a later version so you are not affected by this issue.

304NotModified commented 2 years ago

SpecFlow 4? I guess people need a patch for 3. Isn't SpecFlow 3 supported for security issues?

SabotageAndi commented 2 years ago

@304NotModified to be able to patch it, we need to remove .NET Core 2.1 support, because the packages we need to update don't let you use them with .NET Core 2.1. And this triggers at least a minor version change. Believe me, if I could, I would do only a patch version.

About support for security issues: Please check our license. It is BSD 3 clause (https://github.com/SpecFlowOSS/SpecFlow/blob/master/LICENSE.txt#L20):

> THIS SOFTWARE IS PROVIDED ''AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL TRICENTIS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

And it is a dependency of a dependency. We aren't even using it directly. And the user can still install a higher version manually in the project. If NuGet did not resolve the minimum version by default, we wouldn't be having this talk at all.
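As an added example (not code from the SpecFlow project or from anyone in this thread): a consumer project file that applies the workaround described above, referencing the two transitive packages directly at the versions named in this thread. It assumes a .NET 5 test project whose only SpecFlow-related reference is the SpecFlow package itself.

```xml
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>net5.0</TargetFramework>
  </PropertyGroup>

  <ItemGroup>
    <!-- SpecFlow 3.9.74 declares Microsoft.Extensions.DependencyModel >= 1.0.3.
         NuGet resolves the lowest version that satisfies a range, so without
         any other input the graph contains DependencyModel 1.0.3, which in turn
         pulls in Newtonsoft.Json 9.0.1 (the version flagged in this issue). -->
    <PackageReference Include="SpecFlow" Version="3.9.74" />

    <!-- Override without waiting for a SpecFlow release: a direct reference is
         nearer in the graph than a transitive one, so NuGet uses it as long as
         it still satisfies the lower bound SpecFlow declared (>= 1.0.3).
         The versions below are the ones proposed in this thread. -->
    <PackageReference Include="Microsoft.Extensions.DependencyModel" Version="6.0.0" />
    <PackageReference Include="Newtonsoft.Json" Version="13.0.1" />
  </ItemGroup>
</Project>
```

After restoring, `dotnet list package --vulnerable --include-transitive` reports any remaining transitive packages with known advisories, which is the quickest check that the override actually took effect.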

304NotModified commented 2 years ago

Newtonsoft.Json 13.0.1 is available for .NET Core 2.1?

See https://www.nuget.org/packages/Newtonsoft.Json/13.0.1#dependencies-body-tab

I guess only updating the reference is good enough, and it's just a patch.

304NotModified commented 2 years ago

> Please check our license. It is BSD 3 clause (https://github.com/SpecFlowOSS/SpecFlow/blob/master/LICENSE.txt#L20)

Yes, I know BSD. And I also know that (larger) companies need security policies. Maybe fill in https://github.com/SpecFlowOSS/SpecFlow/security/policy?

PS: this is not a bug ;) (the "bug" label is on this issue)

SabotageAndi commented 2 years ago

Until now, nobody had asked about it.

SabotageAndi commented 2 years ago

This is fixed with https://github.com/SpecFlowOSS/SpecFlow/pull/2611.

github-actions[bot] commented 2 years ago

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.