Closed ebjornset closed 1 year ago
This issue was reported already in the past: https://github.com/SpecFlowOSS/SpecFlow/issues/2609
No, there will be no 3.x version with an updated dependency as updating it needed a lot of additional changes. As we depend on it with a >=, you can simply update the package manually in your project.
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
SpecFlow Version
3.9.74
Which test runner are you using?
xUnit
Test Runner Version Number
3.9.74
.NET Implementation
.NET 6.0
Project Format of the SpecFlow project
Sdk-style project format
.feature.cs files are generated using
SpecFlow.Tools.MsBuild.Generation NuGet package
Test Execution Method
Visual Studio Test Explorer
SpecFlow Section in app.config or content of specflow.json
{
  "$schema": "https://specflow.org/specflow-config.json",
  "allowDebugGeneratedFiles": true,
  "livingDocGenerator": {
    "enabled": true,
    "filepath": ".specflow.livingdoc.data.json"
  },
  "stepAssemblies": [
    { "assembly": "DryGen.DevUtils" }
  ]
}
Issue Description
We use SpecFlow to write our tests, and are quite happy with it. We also use Bolt Mend as a GitHub check, and it suddenly reported that specflow.tools.msbuild.generation.3.9.74.nupkg is vulnerable to WS-2022-0161, with a link to this GitHub commit in Newtonsoft.Json: https://github.com/JamesNK/Newtonsoft.Json/commit/7e77bbe1beccceac4fc7b174b53abfefac278b66. So our PR build is failing at the moment.
From what I can see, the security issue is caused by the dependency on Microsoft.Extensions.DependencyModel v1.0.3 in SpecFlow itself, since this version is dependent on Newtonsoft.Json v9.0.1.
I've noticed that you've updated the version of the Microsoft.Extensions.DependencyModel dependency in v4.0.7-beta, but when I upgraded I got a warning that the SpecFlow version is out of range, due to us also using SpecFlow.Plus.LivingDocPlugin v3.9.57 (the latest I can find on NuGet).
I don't think WS-2022-0161 is a real issue for us, since SpecFlow is only used for our tests. The problem is that the Bolt Mend GitHub check prevents us from merging new PRs without using SpecFlow v4.0.7-beta. But when using this version we get the version range warnings.
So the question is whether there will be a new SpecFlow v3.x where the version of the Microsoft.Extensions.DependencyModel dependency is bumped, or whether there will be a new SpecFlow.Plus.LivingDocPlugin version that depends on SpecFlow v4.x soon?
Steps to Reproduce
I guess you'll need a GitHub project where the Mend Bolt check is enabled that references specflow.tools.msbuild.generation v3.9.74. When you create a PR in this repo, the check should fail.
You can look at our report from the check that failed our last PR here: https://github.com/ebjornset/DryGen/pull/54/checks?check_run_id=11283496811
Link to Repro Project
No response
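The override the maintainer describes above (SpecFlow declares its Microsoft.Extensions.DependencyModel dependency with a >= lower bound, so the consuming project can raise it directly) applied to the transitive chain the issue identifies (SpecFlow 3.9.x -> Microsoft.Extensions.DependencyModel 1.0.3 -> Newtonsoft.Json 9.0.1). This is an added example test project file, not code from the issue or from the SpecFlow project. Every version number in it is an assumption: 6.0.0 for Microsoft.Extensions.DependencyModel is assumed to be a release that no longer depends on Newtonsoft.Json, 13.0.1 is assumed to be the Newtonsoft.Json release that shipped the linked MaxDepth commit, and the xunit and test SDK versions are placeholders; check each against NuGet before use.

```xml
<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <TargetFramework>net6.0</TargetFramework>
    <IsPackable>false</IsPackable>
  </PropertyGroup>

  <!-- The references from the issue: SpecFlow 3.9.74 with xUnit, the MSBuild
       generator and the LivingDoc plugin, which pins SpecFlow to the 3.9.x range. -->
  <ItemGroup>
    <PackageReference Include="SpecFlow.xUnit" Version="3.9.74" />
    <PackageReference Include="SpecFlow.Tools.MsBuild.Generation" Version="3.9.74" />
    <PackageReference Include="SpecFlow.Plus.LivingDocPlugin" Version="3.9.57" />
    <!-- Assumed test host versions; not part of the original issue. -->
    <PackageReference Include="xunit" Version="2.4.2" />
    <PackageReference Include="xunit.runner.visualstudio" Version="2.4.5" />
    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.6.0" />
  </ItemGroup>

  <!-- The override. NuGet gives a direct PackageReference precedence over a
       transitive one, and SpecFlow's own dependency is declared as ">= 1.0.3",
       so this satisfies SpecFlow while replacing the 1.0.3 -> Newtonsoft.Json 9.0.1
       chain in the resolved graph. Both versions are assumptions. -->
  <ItemGroup>
    <PackageReference Include="Microsoft.Extensions.DependencyModel" Version="6.0.0" />
    <!-- Pinned directly as well, in case another package still pulls in an old
         Newtonsoft.Json via a different path. -->
    <PackageReference Include="Newtonsoft.Json" Version="13.0.1" />
  </ItemGroup>

</Project>
```

After restoring, `dotnet list package --include-transitive` shows the version of Microsoft.Extensions.DependencyModel and Newtonsoft.Json that actually ended up in the graph, and `dotnet list package --vulnerable --include-transitive` reports whether NuGet's own advisory feed still considers any of them affected. One caveat: a scanner that inspects the nupkg's declared dependencies rather than the project's resolved graph may keep flagging specflow.tools.msbuild.generation regardless of this override, so confirm which of the two Mend Bolt evaluates before relying on it to unblock the PR check.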